How to pull single indicator by name using API (Python requests)?


#1

Hi, I am having trouble pulling single indicators using the 'indicator' field via the API using Python requests.

The complete function code I am using is at the bottom of the post:

The function declaration looks like:
def get_indicators(staxx_token, iquery=None):

I get successful results for bulk indicator calls when iquery is set to:
'type=ip'
'type=domain'
(numerous others are also successful using the field names listed in Appendix A of the manual)

but attempts at single search queries for IPs or domains like:
iquery = "indicator=95.143.22.138"
iquery = "indicator=52uo5k3t73ypjije.csj0k5.top"

fail with:
Could not retrieve STAXX indicators: Bad Request

Query is not correct

import json
import requests

STAXX_IP = "<staxx-appliance-ip>"  # placeholder: address of the STAXX appliance


def get_indicators(staxx_token, iquery=None):
    headers = {'Content-Type': 'application/json'}
    url = f"https://{STAXX_IP}:8080/api/v1/intelligence"

    # Request body: API token, query string (e.g. "type=ip") and output format
    _data = json.dumps({"token": staxx_token,
                        "query": iquery,
                        "type": "json"}).encode("utf-8")

    # verify=False disables TLS certificate checking for the appliance
    response = requests.post(url,
                             _data,
                             headers=headers,
                             verify=False)

    if response.status_code != 200:
        print("Could not retrieve STAXX indicators: ", response.reason)
        print(response.text)
        return None

    _indicators = response.json()

    return _indicators

Could someone please supply correctly formatted query examples to pull indicators by name?

Any help is appreciated. Thanks


#2

Hello @Richard_Smith,

Thank you for raising this case with us.
In our documentation we have some curl examples that can help you build your query, but it seems the "indicator" field is indeed invalid. This is the case due to the database schema. I suggest you use "value" instead.

From your example:
iquery = "value=95.143.22.138"
iquery = "value=52uo5k3t73ypjije.csj0k5.top"

I will raise this as a case, so this gets validated and tested on the next release of Anomali STAXX.

Thanks,
Dionysis
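The corrected query from the reply, as an added example that is not code from either poster or from Anomali: it maps the rejected "indicator" field to "value", builds the same JSON body as the original function, keeps TLS certificate checking on (a CA bundle path instead of verify=False), and accepts an injectable `post` callable so the request handling can be exercised without a STAXX appliance. Field names other than "type" and "value", and the shape of the returned records, are assumptions not taken from the thread.

```python
import json
from typing import Callable, Optional

# Fields confirmed by this thread: "type" (bulk pulls) and "value" (single
# indicator). "indicator" is not a column in the STAXX schema and the API
# answers 400 "Query is not correct". Any other field names must be taken
# from Appendix A of the STAXX manual; none are assumed here.
FIELD_ALIASES = {"indicator": "value"}  # common mistake -> field that works


def build_query(field: str, value: str) -> str:
    """Return a STAXX 'query' string, correcting the 'indicator' field name."""
    field = FIELD_ALIASES.get(field, field)
    # Assumption: a single-field lookup never needs control characters.
    if not value.strip() or not value.isprintable():
        raise ValueError(f"empty or non-printable query value: {value!r}")
    return f"{field}={value}"


def build_body(token: str, query: str) -> bytes:
    """JSON body expected by POST /api/v1/intelligence (same as the post)."""
    return json.dumps({"token": token, "query": query, "type": "json"}).encode("utf-8")


def get_indicators(staxx_host: str, staxx_token: str, query: str,
                   ca_bundle="/etc/ssl/staxx-ca.pem",  # assumed path to appliance CA
                   post: Optional[Callable] = None):
    """POST the query; return the parsed JSON reply, or None on a non-200 status.

    ca_bundle is passed as requests' verify= argument: a CA file for the
    appliance certificate, or True for the system trust store.
    post is a callable with the requests.post signature (test hook).
    """
    if post is None:
        import requests  # only needed for real network calls
        post = requests.post
    url = f"https://{staxx_host}:8080/api/v1/intelligence"
    response = post(url, data=build_body(staxx_token, query),
                    headers={"Content-Type": "application/json"},
                    verify=ca_bundle)
    if response.status_code != 200:
        # 400 with body "Query is not correct" is what an unknown field produces
        print("Could not retrieve STAXX indicators:", response.status_code,
              response.reason, response.text)
        return None
    return response.json()
```

Example: `get_indicators("staxx.example.net", token, build_query("indicator", "95.143.22.138"))` sends `value=95.143.22.138`, which is the form the reply recommends.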