En esta entrada vamos a publicar un pequeño script para la eliminación de todos los casos y alertas que se encuentran en TheHive utilizando la API REST.
En caso de que no quieras eliminarlo todo, sino únicamente un caso o una alerta en concreto, deberías apuntar al ID específico.
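#!/usr/bin/env bash
# Delete every case and every alert stored in a TheHive instance through its
# REST API. This is destructive and irreversible: run it only against an
# instance you intend to wipe. To remove a single case or alert, call the
# corresponding DELETE endpoint with that object's ID instead.
#
# Usage:
#   THEHIVE_API_KEY='...' [THEHIVE_URL='http://localhost:9000'] [DRY_RUN=1] ./script.sh
#
# Environment:
#   THEHIVE_API_KEY  API key (Bearer token). Required; never hard-code it here.
#   THEHIVE_URL      Base URL of the instance (default http://localhost:9000).
#                    Over plain http the key travels in cleartext; prefer https.
#   DRY_RUN          When set to 1, only print the IDs that would be deleted.
set -euo pipefail

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

: "${THEHIVE_API_KEY:?set THEHIVE_API_KEY to a TheHive API key}"
readonly base_url="${THEHIVE_URL:-http://localhost:9000}"
readonly dry_run="${DRY_RUN:-0}"

# Private working directory (mktemp -d, mode 0700) instead of fixed names in
# /tmp, so no other local user can read the dumps or pre-create/symlink them.
umask 077
workdir=$(mktemp -d) || die "mktemp failed"
cleanup() { rm -rf -- "${workdir:?}"; }
trap cleanup EXIT

# Pass the Authorization header from a file so the token does not appear in
# argv (visible to `ps` and `set -x`). Created 0600 thanks to the umask above.
readonly header_file="$workdir/auth.hdr"
printf 'Authorization: Bearer %s\n' "$THEHIVE_API_KEY" > "$header_file"

#######################################
# Fetch a full listing endpoint into a file.
# Globals:   base_url, header_file (read)
# Arguments: $1 - object kind ("case" or "alert"), $2 - output file
# Returns:   curl's status; -f turns non-2xx HTTP responses into failures
#######################################
fetch_all() {
  local kind=$1 out=$2
  curl -sS -f -H "@$header_file" -- "$base_url/api/$kind?range=all" > "$out"
}

#######################################
# Print one object ID per line from a listing dump.
# Uses jq when installed; otherwise falls back to the original text-munging
# pipeline, which assumes every object carries an "_id" field and is fragile
# against changes in the JSON layout.
# Arguments: $1 - file holding the JSON listing
# Outputs:   IDs on stdout
#######################################
extract_ids() {
  local dump=$1
  if command -v jq >/dev/null 2>&1; then
    jq -r '.[]._id' "$dump"
  else
    # grep exits 1 when nothing matches, which under pipefail would abort the
    # script on an already-empty instance; an empty result is fine here.
    tr ',"' '\n' < "$dump" | grep -C 2 _id | grep -v : \
      | sed -e 's/--//g' | sed '/^$/d' | grep -v _id || true
  fi
}

#######################################
# Force-delete every ID listed in a file for one object kind.
# Globals:   base_url, header_file, dry_run (read)
# Arguments: $1 - "case" or "alert", $2 - file with one ID per line
# Outputs:   dry-run lines on stdout, per-ID failures on stderr
#######################################
delete_ids() {
  local kind=$1 idfile=$2 id url
  while IFS= read -r id || [[ -n "$id" ]]; do
    [[ -n "$id" ]] || continue
    # Only accept ID-looking tokens: the fallback parser can emit stray
    # fragments, and anything else would be spliced into the request path.
    if [[ ! "$id" =~ ^[A-Za-z0-9~_.-]+$ ]]; then
      printf 'warn: skipping unexpected token %q\n' "$id" >&2
      continue
    fi
    # The force-delete forms differ per object type (kept from the original).
    case "$kind" in
      case)  url="$base_url/api/case/$id/force" ;;
      alert) url="$base_url/api/alert/$id?force=1" ;;
      *) die "unknown object kind: $kind" ;;
    esac
    if [[ "$dry_run" == 1 ]]; then
      printf 'would delete %s %s\n' "$kind" "$id"
    else
      # Report and continue on a single failure rather than leaving the rest
      # of the listing untouched.
      curl -sS -f -X DELETE -H "@$header_file" -- "$url" \
        || printf 'warn: failed to delete %s %s\n' "$kind" "$id" >&2
    fi
  done < "$idfile"
}

#######################################
# Entry point: list both object kinds first, then delete them (same order as
# the original: cases, then alerts).
#######################################
main() {
  local kind count
  for kind in case alert; do
    fetch_all "$kind" "$workdir/$kind.json" \
      || die "failed to list ${kind}s from $base_url"
    extract_ids "$workdir/$kind.json" > "$workdir/$kind.ids"
    count=$(wc -l < "$workdir/$kind.ids" | tr -d ' ')
    printf '%s: %s object(s) to delete\n' "$kind" "$count" >&2
  done
  for kind in case alert; do
    delete_ids "$kind" "$workdir/$kind.ids"
  done
}
main "$@"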
:wq!