TheHive API _search examples

Hello *,

I'm fighting with the API to search for alerts... There is a lack of documentation regarding the 'range' & 'query' parameters. Any example of what can be used to filter alters?

/x

Jun 04 '18 12:06 xme

Hello @xme this is very true :( We need to document the query syntax that TheHive (and Cortex also) support.

You can find the possible operators here https://github.com/TheHive-Project/TheHive4py/blob/master/thehive4py/query.py

Stay tuned

Jun 04 '18 12:06 nadouani

That said, if you have a specific question regarding the query content, please shoot ;)

Jun 04 '18 12:06 nadouani

Tx! I've a PS script that is trying to search for alerts. The JSON passed in the POST is:

$query = @{
   "range" = "all"
   "query" = @{"status" = "New"}
}
$json = $query | ConvertTo-Json

But it does not work... At least, I receive max 10 alerts... or the script fails with this error: An existing connection was forcibly closed by the remote host."

Jun 04 '18 13:06 xme

The range and sort are query params, so typically a curl query could be:

curl -XPOST -H 'Content-Type: application/json' -H 'Autheorization: Bearer XXXX' 'http://server:port/api/alert/_search?range=0-100&sort=-createdAt' -d '{
   "query": {"status": "New"}
}'

Jun 04 '18 13:06 nadouani

s/Autheorization/Authorization/ and range=all should work:

curl -XPOST -H 'Content-Type: application/json' -H 'Authorization: Bearer XXXX' 'http://server:port/api/alert/_search?range=all&sort=-createdAt' -d '{
   "query": {"status": "New"}
}'

I've just tested it and it works.

Jun 04 '18 13:06 saadkadhi

Other value(s) that 'range' can accept? Or, by example, searching alerts before xx-xx-xxxx ?

Jun 04 '18 13:06 xme

range can be either all or from-to (0-100, 101-200)

to filter alerts before xx-xx-xxxx you can use:

{
  "query": {
    "_lte": {
      "createdAt": TIMESTAMP
    }
  }
}

Jun 04 '18 14:06 nadouani

Sorry to piggyback, but is this the only way to search alert indicators? It would be very handy to summarize alerts by indicator IP.

Jun 22 '18 13:06 indigocarmen

Hello, I am trying to make a query on alerts like this:

from thehive4py.api import TheHiveApi, Eq from thehive4py.query import And, Between

api = TheHiveApi(url, HIVE_APIKEY) sts = Eq('status', 'Ignored') between = Between("startDate", '1570485600000', '1570572000000') query = And(sts, between) alerts = api.find_alerts(query=query) response = json.loads(alerts.text)

I get alerts.status 200, but i get empty response list. If i remove 'between' from query it works but i need the alerts between two dates. PS:In this way is working perfectly to find the cases between two dates

Oct 09 '19 06:10 Marsidi

Is it posisble to query for the customFields in a case e.g. if have a case like this:

{
    "severity": 1,
    "caseId": 1,
    ...
    "customFields": {
        "foo": {
            "bar": "baz"
        }
    }
}

would it be possible to write a query to find all cases where the customFields.foo.bar is equal to baz? Would this work:

{ "query": { "customFields.foo.bar": "baz" } }

Jun 20 '24 06:06 gKits

Is it posisble to query for the customFields in a case e.g. if have a case like this:

{ "severity": 1, "caseId": 1, ... "customFields": { "foo": { "bar": "baz" } } } would it be possible to write a query to find all cases where the customFields.foo.bar is equal to baz? Would this work:

{ "query": { "customFields.foo.bar": "baz" } }

Hey @gKits, I managed to query a customfield on our environment, I used the below syntax.. hope it helps

params = {
        "query": {
            "_between": [
                {"_field": "customFields.rule", "_value": True},
            ]
        },
        "range": "0-100"
    }

Feb 16 '25 14:02 iiArrow