From 39791df47e879b74f34f65ada307d2e651f373e4 Mon Sep 17 00:00:00 2001 From: tim Date: Mon, 10 Feb 2025 13:13:25 +0100 Subject: [PATCH] add docs for advanced feeds API --- docs/GreedyBear/Api-docs.md | 3 +++ docs/GreedyBear/Usage.md | 30 +++++++++++++++++++++++++++++- 2 files changed, 32 insertions(+), 1 deletion(-) diff --git a/docs/GreedyBear/Api-docs.md b/docs/GreedyBear/Api-docs.md index f245007..d96f361 100644 --- a/docs/GreedyBear/Api-docs.md +++ b/docs/GreedyBear/Api-docs.md @@ -6,6 +6,9 @@ ### `feeds` :::docs.Submodules.GreedyBear.api.views.feeds +### `feeds_advanced` +:::docs.Submodules.GreedyBear.api.views.feeds_advanced + ### `feeds_pagination` :::docs.Submodules.GreedyBear.api.views.feeds_pagination diff --git a/docs/GreedyBear/Usage.md b/docs/GreedyBear/Usage.md index 0c57d7e..a8c0a53 100644 --- a/docs/GreedyBear/Usage.md +++ b/docs/GreedyBear/Usage.md @@ -32,7 +32,7 @@ GreedyBear is created with the aim to collect the information from the TPOTs and The feeds are reachable through the following URL: ``` -https:///api/feeds///. +https:///api/feeds///.? ``` The available feed_type are: 
@@ -75,8 +75,36 @@ The available formats are: - `csv`: CSV-like file (just one line for each IOC) - `json`: JSON file with additional information regarding the IOCs +The available flags are: +- `exclude_mass_scanners`: if set, IOCs that are known mass scanners will be excluded from the result + +Check the [API specification](https://intelowlproject.github.io/docs/GreedyBear/Api-docs/) or the to get all the details about how to use the available APIs. + +## Advanced Feeds + +For authenticated users, GreedyBear offers an additional API endpoint that provides similar functionality to the Feeds API but with enhanced customization options. +``` +https:///api/feeds/advanced/? +``` + +The available query parameters are: + +- `feed_type`: see [Feeds API](#feeds) +- `attack_type`: see [Feeds API](#feeds) +- `max_age`: Maximum number of days since last occurrence. (default: 3) +- `min_days_seen`: Minimum number of days on which an IOC must have been seen. (default: 1) +- `include_reputation`: `;`-separated list of reputation values to include, e.g. `known attacker` or `known attacker;` to include IOCs without reputation. (default: include all) +- `exclude_reputation`: `;`-separated list of reputation values to exclude, e.g. `mass scanner` or `mass scanner;bot, crawler`. (default: exclude none) +- `feed_size`: Number of IOC items to return. (default: 5000) +- `ordering`: Field to order results by, with optional `-` prefix for descending. (default: `-last_seen`) +- `verbose`: `true` to include IOC properties that contain a lot of data, e.g. the list of days it was seen. (default: `false`) +- `paginate`: `true` to paginate results. This forces the json format. (default: `false`) +- `format`: see [Feeds API](#feeds) (default: `json`) + Check the [API specification](https://intelowlproject.github.io/docs/GreedyBear/Api-docs/) or the to get all the details about how to use the available APIs. +This "Advanced Feeds" API is protected through authentication. 
Please reach out [Matteo Lodi](https://twitter.com/matte_lodi) or another member of [The Honeynet Project](https://twitter.com/ProjectHoneynet) if you are interested in gain access to this API. + ## Enrichment GreedyBear provides an easy-to-query API to get the information available in GB regarding the queried observable (domain or IP address).
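Review bot: In the `docs/GreedyBear/Api-docs.md` hunk, the new `:::docs.Submodules.GreedyBear.api.views.feeds_advanced` reference only resolves if the GreedyBear submodule checked out under `docs/Submodules` already contains the `feeds_advanced` view, and the diffstat shows this patch touching only the two Markdown files. Please confirm the submodule pin is recent enough, or bump it in the same change, so the docs build does not fail on an unresolved reference.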
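Review bot: In the first `docs/GreedyBear/Usage.md` hunk (`@@ -32,7 +32,7 @@`), the URL template on the `+https:///api/feeds/...` line now ends in a `?` query part, but nothing next to it says the query string is optional or what may go in it; the "available flags" list only appears some 40 lines further down. Consider a short sentence directly under the code block stating that the query part can be omitted and pointing to the flags list, plus one complete example URL that uses `exclude_mass_scanners`.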
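Review bot: In the second `docs/GreedyBear/Usage.md` hunk (`@@ -75,8 +75,36 @@`), the "Advanced Feeds" section says the endpoint is "protected through authentication" but never says how a client presents its credentials; add a sentence naming the mechanism so that feed consumers do not have to guess. A few smaller points in the same hunk: `exclude_mass_scanners` is described as "if set" without saying which value counts as set; the reputation examples (`mass scanner;bot, crawler`) contain spaces and a comma, so a note that values must be URL-encoded would prevent silently mismatched filters; the trailing-`;` form `known attacker;` meaning "also include IOCs without reputation" is easy to miss and deserves its own sentence; `max_age`, `min_days_seen` and `feed_size` give defaults but no permitted range. The sentence "Check the [API specification] ... or the to get all the details" is now present twice and, as shown here, reads as if a word or link is missing after "or the". Wording: "Please reach out [Matteo Lodi]" should be "reach out to", and "interested in gain access" should be "interested in gaining access".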