TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

API _search examples #598

Open xme opened 6 years ago

xme commented 6 years ago

Hello *,

I'm fighting with the API to search for alerts... There is a lack of documentation regarding the 'range' & 'query' parameters. Any example of what can be used to filter alerts?

/x

nadouani commented 6 years ago

Hello @xme this is very true :( We need to document the query syntax that TheHive (and Cortex also) support.

You can find the possible operators here https://github.com/TheHive-Project/TheHive4py/blob/master/thehive4py/query.py

Stay tuned

nadouani commented 6 years ago

That said, if you have a specific question regarding the query content, please shoot ;)

xme commented 6 years ago

Tx! I've a PS script that is trying to search for alerts. The JSON passed in the POST is:

$query = @{
   "range" = "all"
   "query" = @{"status" = "New"}
}
$json = $query | ConvertTo-Json

But it does not work... At least, I receive max 10 alerts... or the script fails with this error: "An existing connection was forcibly closed by the remote host."

nadouani commented 6 years ago

The range and sort are query params, so typically a curl query could be:

curl -XPOST -H 'Content-Type: application/json' -H 'Autheorization: Bearer XXXX' 'http://server:port/api/alert/_search?range=0-100&sort=-createdAt' -d '{
   "query": {"status": "New"}
}'

saadkadhi commented 6 years ago

s/Autheorization/Authorization/ and range=all should work:

curl -XPOST -H 'Content-Type: application/json' -H 'Authorization: Bearer XXXX' 'http://server:port/api/alert/_search?range=all&sort=-createdAt' -d '{
   "query": {"status": "New"}
}'

I've just tested it and it works.

xme commented 6 years ago

Other value(s) that 'range' can accept? Or, for example, searching for alerts before xx-xx-xxxx?

nadouani commented 6 years ago

range can be either all or from-to (0-100, 101-200)

to filter alerts before xx-xx-xxxx you can use:

{
  "query": {
    "_lte": {
      "createdAt": TIMESTAMP
    }
  }
}
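Putting the last few comments together (range and sort in the query string, the filter in the JSON body, and the _lte createdAt filter for "alerts before a date"), here is an added Python example; it is not code from this issue, from TheHive or from thehive4py. It uses only the standard library and never touches the network unless run_search is called. The base URL, the API key, the sample cutoff date and the _and/_field/_value operator shapes (taken from the thehive4py query.py linked earlier in this thread) are assumptions to check against your own version.

```python
"""Build a TheHive 3 /api/alert/_search request offline.

Added example, not code from TheHive or thehive4py. Assumed: the base URL
and API key below, and that the _and / _field / _value operator shapes match
the thehive4py query.py linked earlier in this thread.
"""
import json
from datetime import datetime, timezone
from urllib.parse import urlencode
from urllib.request import Request, urlopen

BASE_URL = "http://thehive.example:9000"  # assumed; replace with your server
API_KEY = "XXXX"                           # placeholder, as in the curl examples
EXAMPLE_CUTOFF = datetime(2018, 1, 1, tzinfo=timezone.utc)  # constructed sample date


def eq(field, value):
    """Equality criterion in the explicit {"_field": f, "_value": v} form."""
    return {"_field": field, "_value": value}


def lte(field, value):
    """'field <= value' criterion, the shape shown for createdAt above."""
    return {"_lte": {field: value}}


def and_(*criteria):
    """Conjunction of several criteria: {"_and": [c1, c2, ...]}."""
    return {"_and": list(criteria)}


def epoch_ms(dt):
    """TheHive dates are epoch milliseconds; convert a timezone-aware datetime.

    A naive datetime is rejected on purpose: "before 2018-01-01" would
    otherwise silently shift by the local UTC offset, and a date filter that
    is off by a few hours returns the wrong alerts without any error.
    """
    if dt.tzinfo is None:
        raise ValueError("use a timezone-aware datetime")
    return int(dt.timestamp() * 1000)


def new_alerts_before(cutoff):
    """Filter: status == New AND createdAt <= cutoff."""
    return and_(eq("status", "New"), lte("createdAt", epoch_ms(cutoff)))


def build_search_request(query, range_="all", sort="-createdAt",
                         entity="alert", base_url=BASE_URL, api_key=API_KEY):
    """Return a urllib Request for POST /api/<entity>/_search.

    range and sort are query-string parameters and the filter is the JSON
    body, as in the curl command above. Putting range into the body, as the
    PowerShell snippet did, does not work (the thread reports 10 results at
    most in that case).
    """
    params = urlencode({"range": range_, "sort": sort})
    url = f"{base_url.rstrip('/')}/api/{entity}/_search?{params}"
    body = json.dumps({"query": query}).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"Bearer {api_key}",
    }
    return Request(url, data=body, headers=headers, method="POST")


def run_search(request, opener=urlopen):
    """Send the request and return the decoded JSON list of results."""
    with opener(request) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    req = build_search_request(new_alerts_before(EXAMPLE_CUTOFF), range_="0-100")
    print(req.get_method(), req.full_url)
    print(req.data.decode("utf-8"))
    # run_search(req) would perform the call against a live server
```

The same builder works for /api/case/_search by passing entity="case"; only the path segment changes, the range/sort/body layout is identical.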

indigocarmen commented 6 years ago

Sorry to piggyback, but is this the only way to search alert indicators? It would be very handy to summarize alerts by indicator IP.

Marsidi commented 4 years ago

Hello, I am trying to make a query on alerts like this:

from thehive4py.api import TheHiveApi, Eq
from thehive4py.query import And, Between
import json

api = TheHiveApi(url, HIVE_APIKEY)   # url and HIVE_APIKEY are set elsewhere
sts = Eq('status', 'Ignored')
between = Between("startDate", '1570485600000', '1570572000000')
query = And(sts, between)
alerts = api.find_alerts(query=query)
response = json.loads(alerts.text)

I get alerts.status 200, but I get an empty response list. If I remove 'between' from the query it works, but I need the alerts between two dates. PS: this way it works perfectly to find the cases between two dates.

gKits commented 1 month ago

Is it possible to query for the customFields in a case, e.g. if I have a case like this:

{
    "severity": 1,
    "caseId": 1,
    ...
    "customFields": {
        "foo": {
            "bar": "baz"
        }
    }
}

would it be possible to write a query to find all cases where the customFields.foo.bar is equal to baz? Would this work:

{ "query": { "customFields.foo.bar": "baz" } }