The API

This part details the various API endpoints that can be used within YETI.

Observables, Indicators and Entities

Observables

POST /api/observable/bulk

Bulk-add observables

Bulk-add Observables from an array of strings.

Request JSON Object:
 
  • observables ([{string – observable, tags: [string]}]) – Array of strings representing observables (URLs, IPs, hostnames, etc.)
  • refang (boolean) – If set, the observables will be refanged before being added to the database
DELETE /api/observable/(id)

Deletes the corresponding entry from the database

Query Parameters:
 
  • id (ObjectID) – Element ID
Response JSON Object:
 
  • deleted (string) – The deleted element’s ObjectID
GET /api/observable/(id)

Get details on a specific element

Query Parameters:
 
  • id (ObjectID) – Element ID
GET /api/observable/

List all corresponding entries in the database. Do not use on large datasets!

POST /api/observable/

Create a new Observable

Create a new Observable from the JSON object passed in the POST data.

Request JSON Object:
 
  • params (object) – JSON object containing fields to set
  • refang (boolean) – If set, the observable will be refanged before being added to the database
DELETE /api/tag/(id)

Deletes a Tag

Also remove the tag from any tagged elements.

Query Parameters:
 
  • id (ObjectID) – Element ID
Response JSON Object:
 
  • deleted (string) – The deleted element’s ObjectID
GET /api/tag/(id)

Get details on a specific element

Query Parameters:
 
  • id (ObjectID) – Element ID
GET /api/tag/

List all corresponding entries in the database. Do not use on large datasets!

POST /api/tag/merge

Merge one or more tags

Merge one or more tags into a single tag. This is useful for replacing one or several tags with other tags.

Request JSON Object:
 
  • merge ([String]) – Array of Strings (tag names) representing tags to be merged.
  • merge_into (String) – The tag to merge into
  • make_dict (boolean) – Create a Tag dictionary out of this merge. In the future, tags included in the merge object will be automatically replaced by the tag specified in merge_into.
POST /api/tag/

Create a new element

Create a new element from the JSON object passed in the POST data.

Request JSON Object:
 
  • params (object) – JSON object containing fields to set
POST /api/tag/(id)

Edit an existing Tag

Edit an existing Tag according to the JSON object passed in the POST data. If the name of a tag is changed, it will repeat the change in all Observables associated with this tag.

Query Parameters:
 
  • id (ObjectID) – Element ID
Request JSON Object:
 
  • params (object) – JSON object containing fields to set

Indicators

DELETE /api/indicator/(id)

Deletes the corresponding entry from the database

Query Parameters:
 
  • id (ObjectID) – Element ID
Response JSON Object:
 
  • deleted (string) – The deleted element’s ObjectID
GET /api/indicator/(id)

Get details on a specific element

Query Parameters:
 
  • id (ObjectID) – Element ID
GET /api/indicator/

List all corresponding entries in the database. Do not use on large datasets!

POST /api/indicator/

Create a new element

Create a new element from the JSON object passed in the POST data.

Request JSON Object:
 
  • params (object) – JSON object containing fields to set
POST /api/indicator/(id)

Modify an element

Edit an existing element according to the JSON object passed in the POST data.

Query Parameters:
 
  • id (ObjectID) – Element ID
Request JSON Object:
 
  • params (object) – JSON object containing fields to set

Entities

GET /api/entity/

List all corresponding entries in the database. Do not use on large datasets!

GET /api/entity/(id)

Get details on a specific element

Query Parameters:
 
  • id (ObjectID) – Element ID
DELETE /api/entity/(id)

Deletes the corresponding entry from the database

Query Parameters:
 
  • id (ObjectID) – Element ID
Response JSON Object:
 
  • deleted (string) – The deleted element’s ObjectID
POST /api/entity/

Create a new element

Create a new element from the JSON object passed in the POST data.

Request JSON Object:
 
  • params (object) – JSON object containing fields to set
POST /api/entity/(id)

Modify an element

Edit an existing element according to the JSON object passed in the POST data.

Query Parameters:
 
  • id (ObjectID) – Element ID
Request JSON Object:
 
  • params (object) – JSON object containing fields to set

Searching

POST /api/observablesearch/

Launches a simple search against the database

This endpoint is mostly used by paginators in Yeti.

Request JSON Object:
 
  • params (object) – JSON object specifying the page, range and regex variables.
  • params.page (integer) – Page of results to return (default: 1)
  • params.range (integer) – How many results to return (default: 50)
  • params.regex (boolean) – Set to true if the arrays in filter are to be treated as regular expressions (default: false)
  • filter (object) – JSON object specifying keys to be matched in the database. Each key must contain an array of OR-matched values.
Request Headers:
 
  • Accept – must be set to application/json
  • Content-Type – must be set to application/json
POST /api/indicatorsearch/

Launches a simple search against the database

This endpoint is mostly used by paginators in Yeti.

Request JSON Object:
 
  • params (object) – JSON object specifying the page, range and regex variables.
  • params.page (integer) – Page of results to return (default: 1)
  • params.range (integer) – How many results to return (default: 50)
  • params.regex (boolean) – Set to true if the arrays in filter are to be treated as regular expressions (default: false)
  • filter (object) – JSON object specifying keys to be matched in the database. Each key must contain an array of OR-matched values.
Request Headers:
 
  • Accept – must be set to application/json
  • Content-Type – must be set to application/json
POST /api/entitysearch/

Launches a simple search against the database

This endpoint is mostly used by paginators in Yeti.

Request JSON Object:
 
  • params (object) – JSON object specifying the page, range and regex variables.
  • params.page (integer) – Page of results to return (default: 1)
  • params.range (integer) – How many results to return (default: 50)
  • params.regex (boolean) – Set to true if the arrays in filter are to be treated as regular expressions (default: false)
  • filter (object) – JSON object specifying keys to be matched in the database. Each key must contain an array of OR-matched values.
Request Headers:
 
  • Accept – must be set to application/json
  • Content-Type – must be set to application/json
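
The following is an added example, not part of the Yeti documentation: a builder for the request body shared by the three search endpoints above. The filter key `value` is an assumed field name, and escaping literal indicators when params.regex is true is this example's own choice, assuming the server's regex flavour reads `\.` as a literal dot.

```python
import json
import re

# Headers the search endpoints require, per the documentation above.
SEARCH_HEADERS = {"Accept": "application/json", "Content-Type": "application/json"}


def build_search(filter_, page=1, range_=50, regex=False, literal=True):
    """Build the JSON body for the observable/indicator/entity search endpoints.

    With regex=True and literal=True, values are escaped so that an indicator
    such as "bad.example" is matched as written, not as a pattern.
    """
    if page < 1 or range_ < 1:
        raise ValueError("page and range must be positive integers")
    if not isinstance(filter_, dict) or not filter_:
        raise ValueError("filter must be a non-empty object")
    cleaned = {}
    for key, values in filter_.items():
        # Each key must hold an array of OR-matched values, never a bare string.
        if isinstance(values, str) or not isinstance(values, (list, tuple)):
            raise ValueError("filter[%r] must be an array of values" % key)
        values = [str(v) for v in values]
        if regex and literal:
            values = [re.escape(v) for v in values]
        cleaned[key] = values
    return {
        "params": {"page": page, "range": range_, "regex": regex},
        "filter": cleaned,
    }


if __name__ == "__main__":
    # "value" is an assumed field name; the indicators are constructed samples.
    body = build_search({"value": ["bad.example", "198.51.100.7"]}, regex=True)
    print(json.dumps(body, indent=2))
    # Unescaped, the dot is a wildcard and also hits a lookalike string.
    print(bool(re.search("bad.example", "badxexample")))             # True
    print(bool(re.search(re.escape("bad.example"), "badxexample")))  # False
```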

Feeds and Exports

GET /api/export/(string: id)/content

Return export content

Returns a given export’s content.

Query Parameters:
 
  • id (ObjectID) – Export ID
Response Headers:
 
  • X-Yeti-Export-MD5 – The MD5 hash of the exported content. Use it to check the export’s integrity.
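
The following is an added example, not part of the Yeti documentation: checking a downloaded export against the X-Yeti-Export-MD5 header before it is consumed. It assumes the header carries a hex digest. Because the digest arrives in the same response as the content, the check catches truncated or corrupted transfers, not modification by someone able to alter the response; transport security has to cover that.

```python
import hashlib

MD5_HEADER = "X-Yeti-Export-MD5"  # response header named in the endpoint description


class ExportIntegrityError(Exception):
    """The export body does not match the digest the server announced."""


def header_value(headers, name):
    """Case-insensitive lookup in a plain dict of response headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def verify_export(body, headers):
    """Return the body's MD5 hex digest if it equals the header, else raise."""
    announced = header_value(headers, MD5_HEADER)
    if not announced:
        raise ExportIntegrityError("no %s header in response" % MD5_HEADER)
    computed = hashlib.md5(body).hexdigest()
    # Assumption: the header carries a hex digest; compare case-insensitively.
    if computed != announced.lower():
        raise ExportIntegrityError(
            "export digest mismatch: header=%s computed=%s" % (announced, computed))
    return computed


if __name__ == "__main__":
    # Constructed sample standing in for GET /api/export/<id>/content.
    body = b"bad.example\n198.51.100.7\n"
    headers = {"x-yeti-export-md5": hashlib.md5(body).hexdigest()}
    print("intact:", verify_export(body, headers))
    try:
        verify_export(body[:-4], headers)  # simulate a truncated download
    except ExportIntegrityError as exc:
        print("rejected:", exc)
```
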
DELETE /api/export/(id)

Deletes the corresponding entry from the database

Query Parameters:
 
  • id (ObjectID) – Element ID
Response JSON Object:
 
  • deleted (string) – The deleted element’s ObjectID
GET /api/export/(id)

Get details on a specific element

Query Parameters:
 
  • id (ObjectID) – Element ID
GET /api/export/

List all corresponding entries in the database. Do not use on large datasets!

POST /api/export/

Create a new element

Create a new element from the JSON object passed in the POST data.

Request JSON Object:
 
  • params (object) – JSON object containing fields to set
POST /api/export/(id)

Modify an element

Edit an existing element according to the JSON object passed in the POST data.

Query Parameters:
 
  • id (ObjectID) – Element ID
Request JSON Object:
 
  • params (object) – JSON object containing fields to set
POST /api/export/(string: id)/refresh

Refresh an export

Manually executes an export if it is not already exporting.

Query Parameters:
 
  • id (ObjectID) – Export ID
Response JSON Object:
 
  • id (ObjectID) – The export’s ObjectID
POST /api/export/(string: id)/toggle

Toggle an export

Toggles an export. A deactivated export will not execute when called (manually or scheduled).

Query Parameters:
 
  • id (ObjectID) – Export ID
Response JSON Object:
 
  • id (ObjectID) – The export’s ObjectID
  • status (boolean) – The result of the toggle operation (true means the export has been enabled, false means it has been disabled)
DELETE /api/exporttemplate/(id)

Deletes the corresponding entry from the database

Query Parameters:
 
  • id (ObjectID) – Element ID
Response JSON Object:
 
  • deleted (string) – The deleted element’s ObjectID
GET /api/exporttemplate/(id)

Get details on a specific element

Query Parameters:
 
  • id (ObjectID) – Element ID
GET /api/exporttemplate/

List all corresponding entries in the database. Do not use on large datasets!

POST /api/exporttemplate/

Create a new element

Create a new element from the JSON object passed in the POST data.

Request JSON Object:
 
  • params (object) – JSON object containing fields to set
POST /api/exporttemplate/(id)

Modify an element

Edit an existing element according to the JSON object passed in the POST data.

Query Parameters:
 
  • id (ObjectID) – Element ID
Request JSON Object:
 
  • params (object) – JSON object containing fields to set
DELETE /api/feed/(id)

Deletes the corresponding entry from the database

Query Parameters:
 
  • id (ObjectID) – Element ID
Response JSON Object:
 
  • deleted (string) – The deleted element’s ObjectID
GET /api/feed/(id)

Get details on a specific element

Query Parameters:
 
  • id (ObjectID) – Element ID
GET /api/feed/

List all corresponding entries in the database. Do not use on large datasets!

POST /api/feed/

Create a new element

Create a new element from the JSON object passed in the POST data.

Request JSON Object:
 
  • params (object) – JSON object containing fields to set
POST /api/feed/(id)

Modify an element

Edit an existing element according to the JSON object passed in the POST data.

Query Parameters:
 
  • id (ObjectID) – Element ID
Request JSON Object:
 
  • params (object) – JSON object containing fields to set
POST /api/feed/(id)/refresh

Runs a Feed

Query Parameters:
 
  • id (ObjectID) – Feed ID
Response JSON Object:
 
  • id (ObjectID) – Feed ID
POST /api/feed/(id)/toggle

Toggles a Feed

Feeds can be individually disabled using this endpoint.

Query Parameters:
 
  • id (ObjectID) – Analytics ID
Response JSON Object:
 
  • id (ObjectID) – The Analytics’s ObjectID
  • status (boolean) – The result of the toggle operation (true means the export has been enabled, false means it has been disabled)

Analysis

POST /api/analysis/match

Match observables against Yeti’s intelligence repository.

Takes an array of observables, expands them and tries to match them against specific indicators or known observables.

To “expand” an observable means to enrich the query. For instance, if the array of observables contains the URL http://google.com, the “expanded” observable array will also include the hostname google.com.

Request JSON Object:
 
  • observables ([string]) – An array of observables to be analyzed
Response JSON Object:
 
  • entities ([Entity]) – Related Entity objects
  • known ([Observable]) – Observable objects that are already present in database
  • matches ([Indicator]) – Indicators that matched observables
  • matches[].observable (Observable) – The Observable object that matched the Indicator
  • unknown (string) – Array of observable strings that didn’t match any Indicators and are unknown to Yeti
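
The following is an added example, not part of the Yeti documentation and not Yeti's own implementation: a local sketch of the "expansion" described above, where each URL also contributes its hostname, plus a count of results under the documented response keys. The sample observables and the response are constructed.

```python
from urllib.parse import urlsplit


def expand(observables):
    """Return the input plus the hostname of every http(s) URL, without duplicates."""
    expanded, seen = [], set()
    for obs in observables:
        obs = obs.strip()
        if not obs:
            continue
        candidates = [obs]
        try:
            parts = urlsplit(obs)
            if parts.scheme in ("http", "https") and parts.hostname:
                # .hostname drops userinfo and port and lower-cases the name.
                candidates.append(parts.hostname)
        except ValueError:
            pass  # malformed URL: keep the raw string only
        for item in candidates:
            if item not in seen:
                seen.add(item)
                expanded.append(item)
    return expanded


def summarise(response):
    """Count results under each documented top-level key of the match response."""
    keys = ("entities", "known", "matches", "unknown")
    return {key: len(response.get(key, [])) for key in keys}


if __name__ == "__main__":
    submitted = ["http://google.com", "http://user@Google.COM:8080/a", "198.51.100.7"]
    print({"observables": submitted})  # request body for POST /api/analysis/match
    print(expand(submitted))
    # Constructed response; the objects are left empty because their fields
    # are not described on this page.
    print(summarise({"entities": [], "known": [{}], "matches": [],
                     "unknown": ["198.51.100.7"]}))
```
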
GET /api/analysis/

List all corresponding entries in the database. Do not use on large datasets!

GET /api/analysis/(id)

Get details on a specific element

Query Parameters:
 
  • id (ObjectID) – Element ID
DELETE /api/analysis/(id)

Deletes the corresponding entry from the database

Query Parameters:
 
  • id (ObjectID) – Element ID
Response JSON Object:
 
  • deleted (string) – The deleted element’s ObjectID
POST /api/analysis/

Create a new element

Create a new element from the JSON object passed in the POST data.

Request JSON Object:
 
  • params (object) – JSON object containing fields to set
POST /api/analysis/(id)

Modify an element

Edit an existing element according to the JSON object passed in the POST data.

Query Parameters:
 
  • id (ObjectID) – Element ID
Request JSON Object:
 
  • params (object) – JSON object containing fields to set
DELETE /api/analytics/oneshot/(id)

Deletes the corresponding entry from the database

Query Parameters:
 
  • id (ObjectID) – Element ID
Response JSON Object:
 
  • deleted (string) – The deleted element’s ObjectID
GET /api/analytics/oneshot/(id)

Get details on a specific element

Query Parameters:
 
  • id (ObjectID) – Element ID
POST /api/analytics/oneshot/

Create a new element

Create a new element from the JSON object passed in the POST data.

Request JSON Object:
 
  • params (object) – JSON object containing fields to set
POST /api/analytics/oneshot/(id)

Modify an element

Edit an existing element according to the JSON object passed in the POST data.

Query Parameters:
 
  • id (ObjectID) – Element ID
Request JSON Object:
 
  • params (object) – JSON object containing fields to set
POST /api/analytics/oneshot/(id)/run

Runs a One-Shot Analytics

Asynchronously runs a One-Shot Analytics against a given observable. Returns an AnalyticsResults instance, which can then be used to fetch the analytics results.

Query Parameters:
 
  • id (ObjectID) – Analytics ID
Form Parameters:
 
  • ObjectID id – Observable ID
Response JSON Object:
 
  • object – JSON object representing the AnalyticsResults instance
POST /api/analytics/oneshot/(id)/toggle

Toggles a One-shot Analytics

One-Shot Analytics can be individually disabled using this endpoint.

Query Parameters:
 
  • id (ObjectID) – Analytics ID
Response JSON Object:
 
  • id (ObjectID) – The Analytics’s ObjectID
  • status (boolean) – The result of the toggle operation (true means the export has been enabled, false means it has been disabled)
DELETE /api/analytics/scheduled/(id)

Deletes the corresponding entry from the database

Query Parameters:
 
  • id (ObjectID) – Element ID
Response JSON Object:
 
  • deleted (string) – The deleted element’s ObjectID
GET /api/analytics/scheduled/(id)

Get details on a specific element

Query Parameters:
 
  • id (ObjectID) – Element ID
GET /api/analytics/scheduled/

List all corresponding entries in the database. Do not use on large datasets!

POST /api/analytics/scheduled/

Create a new element

Create a new element from the JSON object passed in the POST data.

Request JSON Object:
 
  • params (object) – JSON object containing fields to set
POST /api/analytics/scheduled/(id)

Modify an element

Edit an existing element according to the JSON object passed in the POST data.

Query Parameters:
 
  • id (ObjectID) – Element ID
Request JSON Object:
 
  • params (object) – JSON object containing fields to set
POST /api/analytics/scheduled/(id)/refresh

Runs a Scheduled Analytics

Query Parameters:
 
  • id (ObjectID) – Scheduled Analytics ObjectID
Response JSON Object:
 
  • id (ObjectID) – ID of refreshed Scheduled Analytics
POST /api/analytics/scheduled/(id)/toggle

Toggles a Scheduled Analytics

Scheduled Analytics can be individually disabled using this endpoint.

Query Parameters:
 
  • id (ObjectID) – Analytics ID
Response JSON Object:
 
  • id (ObjectID) – The Analytics’s ObjectID
  • status (boolean) – The result of the toggle operation (true means the export has been enabled, false means it has been disabled)

Investigation

DELETE /api/investigation/(id)

Deletes the corresponding entry from the database

Query Parameters:
 
  • id (ObjectID) – Element ID
Response JSON Object:
 
  • deleted (string) – The deleted element’s ObjectID
GET /api/investigation/(id)

Get details on a specific element

Query Parameters:
 
  • id (ObjectID) – Element ID
GET /api/investigation/

List all corresponding entries in the database. Do not use on large datasets!

POST /api/investigation/

Create a new element

Create a new element from the JSON object passed in the POST data.

Request JSON Object:
 
  • params (object) – JSON object containing fields to set
POST /api/investigation/(id)

Modify an element

Edit an existing element according to the JSON object passed in the POST data.

Query Parameters:
 
  • id (ObjectID) – Element ID
Request JSON Object:
 
  • params (object) – JSON object containing fields to set
DELETE /api/neighbors/(id)

Deletes the corresponding entry from the database

Query Parameters:
 
  • id (ObjectID) – Element ID
Response JSON Object:
 
  • deleted (string) – The deleted element’s ObjectID
GET /api/neighbors/

List all corresponding entries in the database. Do not use on large datasets!

POST /api/neighbors/

Create a new element

Create a new element from the JSON object passed in the POST data.

Request JSON Object:
 
  • params (object) – JSON object containing fields to set
POST /api/neighbors/(id)

Modify an element

Edit an existing element according to the JSON object passed in the POST data.

Query Parameters:
 
  • id (ObjectID) – Element ID
Request JSON Object:
 
  • params (object) – JSON object containing fields to set