MITRE Incident Mapper API Docs

API Reference

Base URL: https://mitreincident-product.up.railway.app

No authentication required. That also means anyone who learns an incident_id can fetch that incident through /api/incident/:id or /api/download/:id/:format for as long as the server keeps it in memory, so treat IDs as sensitive and do not upload logs you would not share with the operator of this host.

Endpoints

GET /api/health

Check if the API is up.

curl https://mitreincident-product.up.railway.app/api/health
Response
{
  "status": "healthy",
  "timestamp": "2025-01-15T10:30:00.000000",
  "incidents_loaded": 3
}
POST /api/analyze

Upload a log file and get MITRE ATT&CK technique mappings back.

Accepts multipart/form-data. Supported formats: .csv .json .txt .log. Max file size: 15 MB.

curl -X POST https://mitreincident-product.up.railway.app/api/analyze \
  -F "file=@incident.csv"
Response
{
  "incident_id": "INC-20250115103000-a1b2c3d4",
  "events_parsed": 42,
  "mitre_techniques": [
    {
      "id": "T1078",
      "tactic": "Initial Access",
      "name": "Valid Accounts",
      "count": 5
    }
  ],
  "events": [
    {
      "id": 1,
      "timestamp": "2025-01-15T09:00:00",
      "source": "auth.log",
      "description": "Failed login attempt for root",
      "mitre_tactic": "Credential Access",
      "mitre_technique_id": "T1110",
      "mitre_technique_name": "Brute Force",
      "confidence": 87.5
    }
  ]
}

CSV format

timestamp,source,description
2025-01-15T09:00:00,auth.log,Failed login attempt for root
2025-01-15T09:01:23,syslog,New cron job added by user admin
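The conversion below is an added example, not part of these docs or of the Mapper project. It turns raw BSD-syslog lines (which carry no year) into the three-column CSV this endpoint expects, lets the csv module quote commas inside messages, refuses to build anything over the 15 MB cap, and hand-builds the multipart body that curl's -F "file=@..." sends. The sample log lines are constructed, the year is an assumption the caller passes in, and only the standard library is used:

```python
import csv
import io
import json
import re
import urllib.request
import uuid
from datetime import datetime

MAX_UPLOAD_BYTES = 15 * 1024 * 1024  # the 15 MB cap documented for /api/analyze

# Classic BSD syslog prefix: "Jan 15 09:00:01 host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<prog>[^\s\[:]+)(?:\[\d+\])?:\s*(?P<msg>.*)$"
)

# Constructed sample input (not a real capture). The last line is there to show that
# unparseable input is dropped rather than guessed at.
SAMPLE_AUTH_LOG = """\
Jan 15 09:00:01 server sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 15 09:01:23 server sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; COMMAND=/bin/bash
Jan 15 09:02:00 server useradd[77]: new user: name=backup, UID=1001, GID=1001, home=/tmp, shell=/bin/bash
not a syslog line, skipped
"""


def syslog_to_row(line, year, source):
    """Return (timestamp, source, description) for one syslog line, or None if it does not parse."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    # BSD syslog has no year; the caller supplies it (assumption: all lines are from that year).
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts.isoformat(), source, f"{m['prog']}: {m['msg']}"


def build_csv(lines, year, source):
    """Build the timestamp,source,description CSV the API documents.

    Returns (csv_bytes, rows_written). csv.writer quotes any description that contains a
    comma or a double quote, so messages never shift columns.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["timestamp", "source", "description"])
    rows = 0
    for line in lines:
        row = syslog_to_row(line, year, source)
        if row is not None:
            writer.writerow(row)
            rows += 1
    data = buf.getvalue().encode("utf-8")
    if len(data) > MAX_UPLOAD_BYTES:
        raise ValueError(f"CSV is {len(data)} bytes, over the 15 MB limit; split the input first")
    return data, rows


def encode_multipart(field, filename, data, content_type="text/csv"):
    """Hand-build the multipart/form-data body that curl -F "file=@..." produces.

    Returns (content_type_header_value, body_bytes).
    """
    boundary = "mitre-mapper-" + uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode("utf-8")
    tail = f"\r\n--{boundary}--\r\n".encode("utf-8")
    return f"multipart/form-data; boundary={boundary}", head + data + tail


def analyze(base_url, filename, data):
    """POST the CSV to /api/analyze and return the parsed JSON response (network call)."""
    ctype, body = encode_multipart("file", filename, data)
    req = urllib.request.Request(base_url + "/api/analyze", data=body, method="POST")
    req.add_header("Content-Type", ctype)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


if __name__ == "__main__":
    csv_bytes, n = build_csv(SAMPLE_AUTH_LOG.splitlines(), year=2025, source="auth.log")
    print(f"{n} rows, {len(csv_bytes)} bytes")
    print(csv_bytes.decode("utf-8"))
    # result = analyze("https://mitreincident-product.up.railway.app", "incident.csv", csv_bytes)
```

Lines that do not match the syslog prefix are dropped and counted out of rows_written, so compare that number with events_parsed in the response to catch input the service silently ignored.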
GET /api/incident/:id

Retrieve a previously analyzed incident by its ID.

curl https://mitreincident-product.up.railway.app/api/incident/INC-20250115103000-a1b2c3d4

Returns the same shape as /api/analyze, plus filename and created_at. Incidents are held in memory and disappear on server restart, and none of the endpoints above lists stored incidents, so record the incident_id when /api/analyze returns it.

GET /api/download/:id/:format

Download the incident report. Format is pdf, json, or csv.

# PDF (use -o, not -O: with -O curl names the file after the last URL segment, i.e. "pdf")
curl -o INC-20250115103000-a1b2c3d4.pdf https://mitreincident-product.up.railway.app/api/download/INC-20250115103000-a1b2c3d4/pdf

# JSON
curl -o INC-20250115103000-a1b2c3d4.json https://mitreincident-product.up.railway.app/api/download/INC-20250115103000-a1b2c3d4/json

# CSV
curl -o INC-20250115103000-a1b2c3d4.csv https://mitreincident-product.up.railway.app/api/download/INC-20250115103000-a1b2c3d4/csv

Integrations

All integration endpoints accept application/json and return the same response shape as /api/analyze. Credentials are never stored; they are used only for the duration of the request. They are still sent to this host and used from it, so supply a token or account scoped to read-only search over the indexes you want analyzed rather than an admin credential.

POST /api/integrations/splunk

Query a Splunk search head via its REST API.

curl -X POST https://mitreincident-product.up.railway.app/api/integrations/splunk \
  -H "Content-Type: application/json" \
  -d '{
    "url":   "https://splunk.company.com:8089",
    "token": "your-bearer-token",
    "query": "index=* sourcetype=syslog earliest=-1h",
    "limit": 500
  }'
POST /api/integrations/elastic

Search an Elasticsearch or OpenSearch index.

curl -X POST https://mitreincident-product.up.railway.app/api/integrations/elastic \
  -H "Content-Type: application/json" \
  -d '{
    "url":     "https://my-cluster.es.io:9200",
    "api_key": "base64-api-key",
    "index":   "logs-*",
    "query":   "event.category:process",
    "limit":   500
  }'

Use username + password instead of api_key for basic auth.

POST /api/integrations/cloudtrail

Analyze AWS CloudTrail Records[] JSON directly.

curl -X POST https://mitreincident-product.up.railway.app/api/integrations/cloudtrail \
  -H "Content-Type: application/json" \
  -d '{ "logs": { "Records": [ ... ] } }'

# or upload a CloudTrail .json file
curl -X POST https://mitreincident-product.up.railway.app/api/integrations/cloudtrail \
  -F "file=@cloudtrail-2025-01-15.json"
POST /api/integrations/raw

Paste raw syslog, CEF, LEEF, or plain text logs directly.

curl -X POST https://mitreincident-product.up.railway.app/api/integrations/raw \
  -H "Content-Type: application/json" \
  -d '{
    "format": "syslog",
    "logs": "Jan 15 09:00:01 server sshd[1234]: Failed password for root\nJan 15 09:01:23 server sudo: COMMAND=/bin/bash"
  }'

format accepts auto, syslog, cef, or text; there is no separate leef value. CEF lines starting with CEF: are auto-detected. Remember that the logs field is one JSON string, so line breaks must be JSON-escaped (\n) as in the example above.
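The payload builders below are an added example, not code from the project. They cover the two integrations whose input is assembled locally: raw logs, where the format value is chosen client-side by the same rule the docs state for CEF (the line starts with CEF:) plus a BSD-syslog prefix check, and CloudTrail, where objects delivered to S3 arrive gzip-compressed (.json.gz) and are inflated before the documented Records[] array is checked. Letting json.dumps serialize the body also gets the \n escaping inside logs right, which hand-written -d strings often miss. The sample lines and the CloudTrail record are constructed; post_json is a stdlib helper written here, not part of the API:

```python
import gzip
import json
import re
import urllib.request

# The documented format values for /api/integrations/raw; LEEF has no value of its own.
RAW_FORMATS = ("auto", "syslog", "cef", "text")
# "Jan 15 09:00:01 " style prefix that BSD syslog lines start with.
SYSLOG_PREFIX = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} ")

# Constructed samples (not real captures).
SAMPLE_SYSLOG = [
    "Jan 15 09:00:01 server sshd[1234]: Failed password for root",
    "Jan 15 09:01:23 server sudo: COMMAND=/bin/bash",
]
SAMPLE_CEF = [
    "CEF:0|Vendor|Product|1.0|100|Failed login|5|src=203.0.113.5 suser=root",
]
SAMPLE_CLOUDTRAIL = {
    "Records": [{
        "eventVersion": "1.08",
        "eventTime": "2025-01-15T09:00:00Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": "203.0.113.5",
        "userIdentity": {"type": "IAMUser", "userName": "admin"},
        "responseElements": {"ConsoleLogin": "Failure"},
    }]
}
SAMPLE_CLOUDTRAIL_JSON = json.dumps(SAMPLE_CLOUDTRAIL).encode("utf-8")
SAMPLE_CLOUDTRAIL_GZ = gzip.compress(SAMPLE_CLOUDTRAIL_JSON)  # what an S3 trail object looks like


def detect_format(lines):
    """cef if every non-empty line starts with CEF:, syslog if every line has a BSD prefix, else text."""
    lines = [l for l in lines if l.strip()]
    if not lines:
        return "text"
    if all(l.startswith("CEF:") for l in lines):
        return "cef"
    if all(SYSLOG_PREFIX.match(l) for l in lines):
        return "syslog"
    return "text"


def raw_payload(lines, fmt=None):
    """JSON body for /api/integrations/raw; fmt=None means pick it with detect_format."""
    fmt = fmt or detect_format(lines)
    if fmt not in RAW_FORMATS:
        raise ValueError(f"format must be one of {RAW_FORMATS}, got {fmt!r}")
    logs = "\n".join(l.rstrip("\r\n") for l in lines)
    return json.dumps({"format": fmt, "logs": logs})


def cloudtrail_payload(blob):
    """JSON body for /api/integrations/cloudtrail from the bytes of a trail file.

    Gzip magic (1f 8b) is inflated locally because the endpoint documents .json input.
    Anything without a top-level Records[] array is rejected before it is sent.
    """
    if blob[:2] == b"\x1f\x8b":
        blob = gzip.decompress(blob)
    doc = json.loads(blob)
    records = doc.get("Records") if isinstance(doc, dict) else None
    if not isinstance(records, list):
        raise ValueError("expected a CloudTrail document with a top-level Records[] array")
    return json.dumps({"logs": {"Records": records}})


def post_json(base_url, path, body):
    """POST a prepared JSON body and return the parsed response (network call)."""
    req = urllib.request.Request(
        base_url + path, data=body.encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(raw_payload(SAMPLE_SYSLOG))
    print(raw_payload(SAMPLE_CEF))
    print(cloudtrail_payload(SAMPLE_CLOUDTRAIL_GZ))
    # post_json("https://mitreincident-product.up.railway.app", "/api/integrations/raw",
    #           raw_payload(SAMPLE_SYSLOG))
```

Pass fmt="auto" to raw_payload to leave detection to the server; the client-side check is only there so a mixed or unexpected input ends up as text rather than being mislabelled.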

Response fields

Field             Type     Notes
incident_id       string   Unique ID for this analysis run. Use it to download reports.
events_parsed     number   Total log entries processed.
mitre_techniques  array    Deduplicated list of techniques found, with event counts.
events            array    Every event with its mapping result and confidence score (0–100).
confidence        number   Per-event field: how closely the log line matched the technique pattern. Above 70 is a solid match.

Errors

Status  Meaning
400     Bad request: missing file, wrong format, or unparseable content.
404     Incident ID not found (or the server restarted and lost it).
413     File too large. Maximum upload size is 15 MB.
500     Something broke on our end. Try again.

Error responses carry a JSON body with a single error field:
{ "error": "Could not parse file" }
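A small client-side layer, added here as an example rather than taken from the project, that turns the Response fields and Errors tables above into code: the documented status codes become an exception that tells the caller whether a retry makes sense, events are split on the 70-point confidence threshold and counted per tactic, and mitre_techniques[].count is cross-checked against the events array. The response is a constructed sample in the documented shape (the technique IDs and names follow ATT&CK, the events themselves are invented), and get_incident is a stdlib helper that is not part of the API:

```python
import json
import urllib.error
import urllib.request
from collections import Counter

CONFIDENCE_FLOOR = 70.0  # the docs call anything above 70 a solid match

# What each documented status means for the caller (from the Errors table).
STATUS_HINTS = {
    400: "bad request: missing file, wrong format, or unparseable content",
    404: "incident not found; the server may have restarted and dropped it, re-run the analysis",
    413: "file too large: the limit is 15 MB, split the log and upload the parts",
    500: "server error: retry",
}

# Constructed sample response in the documented shape (not a real analysis run).
SAMPLE_RESPONSE = json.dumps({
    "incident_id": "INC-20250115103000-a1b2c3d4",
    "events_parsed": 3,
    "mitre_techniques": [
        {"id": "T1110", "tactic": "Credential Access", "name": "Brute Force", "count": 2},
        {"id": "T1053", "tactic": "Persistence", "name": "Scheduled Task/Job", "count": 1},
    ],
    "events": [
        {"id": 1, "timestamp": "2025-01-15T09:00:00", "source": "auth.log",
         "description": "Failed login attempt for root", "mitre_tactic": "Credential Access",
         "mitre_technique_id": "T1110", "mitre_technique_name": "Brute Force", "confidence": 87.5},
        {"id": 2, "timestamp": "2025-01-15T09:00:30", "source": "auth.log",
         "description": "Failed login attempt for admin", "mitre_tactic": "Credential Access",
         "mitre_technique_id": "T1110", "mitre_technique_name": "Brute Force", "confidence": 82.0},
        {"id": 3, "timestamp": "2025-01-15T09:01:23", "source": "syslog",
         "description": "New cron job added by user admin", "mitre_tactic": "Persistence",
         "mitre_technique_id": "T1053", "mitre_technique_name": "Scheduled Task/Job", "confidence": 55.0},
    ],
})


class MapperApiError(Exception):
    """Raised for the documented non-200 responses; retryable is set only for 5xx."""

    def __init__(self, status, message):
        super().__init__(f"HTTP {status}: {message}")
        self.status = status
        self.retryable = status >= 500


def check_response(status, body_text):
    """Return the parsed JSON for a 200; otherwise raise with the body's error field and a hint."""
    if status == 200:
        return json.loads(body_text)
    try:
        message = json.loads(body_text).get("error", body_text)
    except (ValueError, AttributeError):  # non-JSON body, or JSON that is not an object
        message = body_text
    hint = STATUS_HINTS.get(status, "undocumented status")
    raise MapperApiError(status, f"{message} ({hint})")


def triage(result, floor=CONFIDENCE_FLOOR):
    """Count solid matches per tactic; return low-confidence events as (id, technique, description) for review."""
    by_tactic = Counter()
    review = []
    for ev in result.get("events", []):
        if float(ev.get("confidence", 0)) > floor:
            by_tactic[ev["mitre_tactic"]] += 1
        else:
            review.append((ev["id"], ev["mitre_technique_id"], ev["description"]))
    return {"by_tactic": dict(by_tactic), "review": review}


def counts_consistent(result):
    """True when every mitre_techniques[].count equals the number of events tagged with that id."""
    from_events = Counter(ev["mitre_technique_id"] for ev in result.get("events", []))
    return all(from_events[t["id"]] == t["count"] for t in result.get("mitre_techniques", []))


def get_incident(base_url, incident_id):
    """GET /api/incident/:id, routing both success and HTTPError through check_response (network call)."""
    try:
        with urllib.request.urlopen(f"{base_url}/api/incident/{incident_id}", timeout=30) as resp:
            return check_response(resp.status, resp.read().decode("utf-8"))
    except urllib.error.HTTPError as e:
        return check_response(e.code, e.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    result = check_response(200, SAMPLE_RESPONSE)
    print(triage(result))
    print("counts consistent:", counts_consistent(result))
```

A 404 is worth handling separately from the other 4xx codes: because incidents live only in memory, it usually means the server restarted and the fix is to re-run the analysis, not to retry the same GET.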

Quick start

# 1. Check the API is up
curl https://mitreincident-product.up.railway.app/api/health

# 2. Analyze a log file; the JSON response carries the incident_id you need next
curl -X POST https://mitreincident-product.up.railway.app/api/analyze -F "file=@your_logs.csv"

# 3. Download the PDF report using the incident_id from step 2
#    (use -o: with -O curl would name the file after the last URL segment, i.e. "pdf")
curl -o <incident_id>.pdf https://mitreincident-product.up.railway.app/api/download/<incident_id>/pdf