Retrieve a list of stories.


HTTP Method: GET

curl -X GET \
  https://<tenant-name> \
  -H 'content-type: application/json' \
  -H 'x-user-email: <email-address>' \
  -H 'x-user-token: <api-token>'


A successful request will return a JSON Array describing stories in the Tines tenant.

Field description

Parameter Description
id The story ID.
name The story name.
user_id ID of story owner.
description A user-defined description of the story.
created_at ISO 8601 Timestamp representing date and time the story was created.
updated_at ISO 8601 Timestamp representing date and time the story was last updated.
keep_events_for Defined event retention period in seconds.
disabled Boolean flag indicating whether story is disabled.
priority Boolean flag indicating whether story is hight priority story.
guid Unique identifier of the story.
team_id ID of team to which the story belongs.
folder_id ID of folder to which the story belongs.

Sample response

    "id": 1,
    "name": "Simple story",
    "user_id": 1,
    "created_at": "2018-10-25T20:06:14.825Z",
    "updated_at": "2018-10-25T20:06:14.825Z",
    "description": "In the simple story we will create a fictional situation where a detection system is configured to send alerts to our Tines tenant. The alert will contain the type of alert (infection, ddos, credential stuffing, etc.) and details on any users affected. If the alert is related to an infection, based on the users job title, we will take a specific action.\r\n\r\nThe simple story is described in detail in the <a href=\"\">Tines Docs</a>.\r\n\r\nUse the following URL command (replace $webhook-url with the webhook URL in the ''Summary\" tab of the 'Receive events' action) to send events to this story:\r\n\r\n<pre>curl $webhook-url -X POST -H \"Content-Type: application/json\" -d '{\"event_name\":\"My first event\",\"type\":\"infection\",\"users\":[{\"name\":\"alice\",\"age\":25,\"country\":\"US\",\"job\":\"Engineer\"},{\"name\":\"bob\",\"age\":20,\"country\":\"UK\",\"job\":\"Student\"},{\"name\":\"carol\",\"age\":61,\"country\":\"Ireland\",\"job\":\"CEO\"}]}'</pre>",
    "guid": "b7c81e0cb416ae8f4c00874ca7b1cdf8"
    "id": 2,
    "name": "VPN Threat Detection & Response",
    "user_id": 1,
    "created_at": "2018-10-25T20:06:15.159Z",
    "updated_at": "2018-10-25T20:06:15.159Z",
    "description": "<p>This is a demo story showing how Tines can be used to perform threat detection and response on enterprise VPN connections. The story leverages the following common technologies: Palo Alto global protect, Splunk and Jira. In addition, several open source intelligence (OSINT) technologies are used to gather intel on an IP address: Virustotal, Passivetotal and Alienvault.</p>\r\n\r\n<p>To get started create an alert in Splunk to send VPN authentication events to the Webhook action, \"Receive splunk alert\". Alternatively, you can simulate the data Tines would receive from Splunk using the following URL command (replace $webhook-action-url with the webhook URL in the 'Receive splunk alert' action):\r\n<pre>curl https://$webhook-action-url -H \"Content-Type: application/json\" -X POST -d  '{\"search_name\":\"New VPN Connection\",\"_time\":\"1523873488\",\"message\":\"authentication successful\",\"username\":\"\",\"client\":\"Mac OS 10.12.5\",\"src_ip\":\"\",\"host\":\"\",\"hostname\":\"Computer-0001\",\"source\":\"vpn_logs\",\"_sourcetype\":\"_json\"}'</pre>\r\n</p>\r\n\r\n<p>\r\nStory run down:\r\n<ol>\r\n<li>VPN authentication events are received by the Webhook action.</li>\r\n<li>Three HTTP request actions retrieve OSINT related to the source IP for the VPN connection.</li> \r\n<li>A pair of trigger actions, 'No threat detected' and 'Potential threat detected', check if any of the OSINT indicates maliciousness.</li>\r\n<li>If maliciousness is suspected, three things occur:\r\n<ul>\r\n<li>A case is created in case management: 'Create jira case'</li>\r\n<li>The VPN connection is terminated: 'Terminate VPN session'</li>\r\n<li>An email is sent to the user informing them of the actions taken: 'Inform user'</li>\r\n</ul>\r\n</li>\r\n<li>If OSINT does not indicate maliciousness, a search is run against SIEM to see how many times the source IP has been seen in the last 30 days: 'Check if IP has been used in last 30 days'</li>\r\n<li>A Trigger Action emits an event only if the IP has only been seen once before (for the connect in question): 'New IP'</li>\r\n<li>An email is sent to the source user letting them know that a new VPN connection related to their username has been detected. This email contains a prompt so the user can let us know if they did not initiate the connection: 'Send courtesy email with prompt'\r\n<li>A number of actions are taken should the user indicate that they did not initiate the connection: 'User confirmed unknown connection':\r\n<ul>\r\n<li>A high-priority incident is created in case management: 'Create high-priority jira issue'</li>\r\n<li>The VPN connection is terminated</li>\r\n</ul>\r\n</li>\r\n</ol>\r\n</p>",
    "guid": "f1ac9cc816991930acb1c321c96a1340"