#10 update and format

Author: jeromeleonard

docs/thehive/api/alert/list-observables.md

@@ -0,0 +1,88 @@
+# List Observables
+
+List observables of an *Alerts*.
+
+## Query
+
+```plain
+POST /api/v1/query?name=alert-observables
+```
+
+##  Request Body Example
+
+!!! Example "" 
+    
+    List last 15 added observables:
+
+    ```json
+    {
+      "query": [
+        {
+          "_name": "getAlert",
+          "idOrName": "{id}"
+        },
+        {
+          "_name": "observables"
+        },
+        {
+          "_name": "sort",
+          "_fields": [
+            {
+              "startDate": "desc"
+            }
+          ]
+        },
+        {
+          "_name": "page",
+          "from": 0,
+          "to": 15,
+          "extraData": [
+            "seen"
+          ]
+        }
+      ]
+    }
+    ```
+
+    With:
+
+    - `id`: id of the *Alert*
+
+##  Response 
+
+### Status codes
+
+- `200`: if query is run successfully
+- `401`: Authentication error
+
+### Response Body Example
+
+!!! Example ""
+
+    ```json
+    [
+      ...
+      {
+        "_id": "~11111462234",
+        "_type": "Observable",
+        "_createdBy": "[email protected]",
+        "_createdAt": 1629309258431,
+        "dataType": "other",
+        "data": "1.2.3.4",
+        "startDate": 1629309258431,
+        "tlp": 0,
+        "tags": [],
+        "ioc": false,
+        "sighted": false,
+        "reports": {},
+        "message": "",
+        "extraData": {
+          "seen": {
+            "seen": 3,
+            "ioc": false
+          }
+        },
+      }
+      ...
+    ]
+    ```

docs/thehive/api/alert/merge.md

@@ -1,23 +1,86 @@
 # Merge
 
-Merge an Alert into an existing *Case*.
+Merge an *Alert* into an existing *Case*.
 
 ## Query
 
+```plain
+POST /api/alert/{id1}/merge/{id2}
 ```
 
-```
-
+With:
 
-## Request Body Example
+- `id1`: id of the *Alert* to merge
+- `id2`: id of the destination *Case*
 
-```json
+##  Response 
 
-```
+### Status codes
 
+- `200`: if *Alert* is successfully merged
+- `401`: Authentication error
 
-## Response Body Example
+### Response Body Example
 
-```json
+!!! Example ""
 
-```
+    ```json
+{
+  "_id": "~6658533455",
+  "id": "~6658533455",
+  "createdBy": "[email protected]",
+  "updatedBy": "[email protected]",
+  "createdAt": 1620397519028,
+  "updatedAt": 1624373852175,
+  "_type": "case",
+  "caseId": 114,
+  "title": "User connected to known malicious IP over Telnet / Malicious payload detected",
+  "description": "EDR automated alert: the user [email protected] has connected to known malicious IP over Telnet\n\nEDR automated alert: malicious payload detected on computer PC-Robb\n  \n#### Merged with alert #90e044 User posted information on known phishing URL\n\nSIEM automated alert: the user [email protected] has posted information on a known phishing url",
+  "severity": 2,
+  "startDate": 1620396059728,
+  "endDate": null,
+  "impactStatus": null,
+  "resolutionStatus": null,
+  "tags": [
+    "log-source:proxy",
+    "source:edr",
+    "log-source:endpoint-protection",
+    "source:siem",
+    "protocol: telnet",
+    "ex2"
+  ],
+  "flag": false,
+  "tlp": 3,
+  "pap": 2,
+  "status": "Open",
+  "summary": null,
+  "owner": "[email protected]",
+  "customFields": {
+    "businessUnit": {
+      "string": "Finance",
+      "order": 0
+    },
+    "location": {
+      "string": "Sydney",
+      "order": 1
+    }
+  },
+  "stats": {},
+  "permissions": [
+    "manageShare",
+    "manageAnalyse",
+    "manageTask",
+    "manageCaseTemplate",
+    "manageCase",
+    "manageUser",
+    "manageProcedure",
+    "managePage",
+    "manageObservable",
+    "manageTag",
+    "manageConfig",
+    "manageAlert",
+    "accessTheHiveFS",
+    "manageAction"
+  ]
+}
+    ```

docs/thehive/api/alert/promote-as-case.md

@@ -1,23 +1,97 @@
 # Promote
 
-Promote an Alert as a new *Case*. 
+Promote an *Alert* as a new *Case*.
 
 ## Query
 
+```plain
+POST /api/alert/{id}/createCase
 ```
 
-```
+With:
 
+- `id`: id of the *Alert* to promote
 
-## Request Body Example
+## Request Body example
 
-```json
+Specify a *Case template* applied with *Case* creation:
 
-```
+!!! Example "" 
+
+    ```json
+    {
+      "caseTemplate": "SIEM_Alert"
+    }
+    ```
+
+The following fields are optional: 
+
+- `caseTemplate`: (String)
+
+##  Response 
+
+### Status codes
 
+- `201`: if *Case* is successfully created
+- `401`: Authentication error
 
-## Response Body Example
+### Response Body Example
 
-```json
+!!! Example ""
 
-```
+    ```json
+    {
+      "_id": "~907709843",
+      "id": "~907709843",
+      "createdBy": "[email protected]",
+      "updatedBy": null,
+      "createdAt": 1630416621805,
+      "updatedAt": null,
+      "_type": "case",
+      "caseId": 126,
+      "title": "User posted information on known phishing URL",
+      "description": "SIEM automated alert: the user [email protected] has posted information on a known phishing url. ",
+      "severity": 2,
+      "startDate": 1630416621797,
+      "endDate": null,
+      "impactStatus": null,
+      "resolutionStatus": null,
+      "tags": [
+        "source:siem",
+        "log-source:proxy"
+      ],
+      "flag": false,
+      "tlp": 3,
+      "pap": 2,
+      "status": "Open",
+      "summary": null,
+      "owner": "[email protected]",
+      "customFields": {
+        "businessUnit": {
+          "string": "Finance",
+          "order": 0
+        },
+        "location": {
+          "string": "Sydney",
+          "order": 1
+        }
+      },
+      "stats": {},
+      "permissions": [
+        "manageShare",
+        "manageAnalyse",
+        "manageTask",
+        "manageCaseTemplate",
+        "manageCase",
+        "manageUser",
+        "manageProcedure",
+        "managePage",
+        "manageObservable",
+        "manageTag",
+        "manageConfig",
+        "manageAlert",
+        "accessTheHiveFS",
+        "manageAction"
+      ]
+    }
+    ```