**Describe the bug**

**More context**

Attached is code:

netanel
Replies: 1 comment
Hi @NSH531 -

If you format the indicators you have to match the expected format (example: `hash_md5_da36586c60acce187c1a4b3f5f61e603`), you would be able to feed these straight to the GetIntelIndicatorEntities operation. What's nice about this solution is you'll get a separate JSON branch for just errors (i.e. indicators that are not found).

Example

```python
from falconpy import APIHarness

# Uber Class client; replace the placeholders with your API credentials
falcon = APIHarness(client_id="ID HERE", client_secret="SECRET HERE")

# Indicator IDs in the expected <type>_<value> format
INDICATORS_TO_FIND = [
    'hash_md5_67f27c919fcf3a9db09bbcfef0cb1f1b',
    'hash_md5_da36586c60acce187c1wontexist',
    'hash_md5_thisonewontexisteither'
]

results = falcon.command("GetIntelIndicatorEntities", body={"ids": INDICATORS_TO_FIND})
```

Which should give you a result somewhere along the lines of:

```json
{
    "meta": {
        "query_time": 0.003758646,
        "pagination": {
            "offset": 0,
            "limit": 1,
            "total": 1
        },
        "powered_by": "msa-api",
        "trace_id": "8c90726e-ae72-492f-a084-b11934f32876"
    },
    "resources": [
        {
            "id": "hash_md5_67f27c919fcf3a9db09bbcfef0cb1f1b",
            "indicator": "67f27c919fcf3a9db09bbcfef0cb1f1b",
            "type": "hash_md5",
            "deleted": false,
            "published_date": 1649214283,
            "last_updated": 1649328871,
            "reports": [],
            "actors": [],
            "malware_families": [
                "XORDDoS"
            ],
            "kill_chains": [],
            "ip_address_types": [],
            "domain_types": [],
            "malicious_confidence": "high",
            "_marker": "1649328871d9d3cbe639cee4d2299ecd1510ba7103",
            "labels": [
                {
                    "name": "MaliciousConfidence/High",
                    "created_on": 1649214283,
                    "last_valid_on": 1649328871
                },
                {
                    "name": "Malware/XORDDoS",
                    "created_on": 1649214286,
                    "last_valid_on": 1649214286
                }
            ],
            "relations": [
                {
                    "id": "hash_sha256_e68f5b862c78b2248d112b9b291cd582ef0bd7afe71be3130e8eb6f025e8be16",
                    "indicator": "e68f5b862c78b2248d112b9b291cd582ef0bd7afe71be3130e8eb6f025e8be16",
                    "type": "hash_sha256",
                    "created_date": 1649214283,
                    "last_valid_date": 1649214283
                },
                {
                    "id": "hash_sha1_1baeefc03b77ea0279b51d5a3e5d333cc6b3139a",
                    "indicator": "1baeefc03b77ea0279b51d5a3e5d333cc6b3139a",
                    "type": "hash_sha1",
                    "created_date": 1649214283,
                    "last_valid_date": 1649214283
                }
            ],
            "targets": [],
            "threat_types": [],
            "vulnerabilities": []
        }
    ],
    "errors": [
        {
            "code": 404,
            "message": "Not Found",
            "id": "hash_md5_da36586c60acce187c1wontexist"
        },
        {
            "code": 404,
            "message": "Not Found",
            "id": "hash_md5_thisonewontexisteither"
        }
    ]
}
```
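As an added example (not part of the original reply and not FalconPy code): one way to turn raw hash values into the `<type>_<value>` IDs the reply describes, and to separate found indicators from the 404 entries in the `errors` branch. The helper names, the length-to-type mapping and the trimmed `SAMPLE_BODY` are assumptions made for illustration; `split_response` expects the JSON document in the shape shown in the reply.

```python
import re

# Hex digest length -> type prefix, following the IDs shown in this thread
TYPE_BY_LENGTH = {32: "hash_md5", 40: "hash_sha1", 64: "hash_sha256"}
HEX_RE = re.compile(r"[0-9a-f]+")


def to_indicator_id(raw_hash):
    """Return '<type>_<hash>' (lowercase hex assumed) for a digest, else None."""
    value = raw_hash.strip().lower()
    prefix = TYPE_BY_LENGTH.get(len(value))
    if prefix is None or not HEX_RE.fullmatch(value):
        return None
    return f"{prefix}_{value}"


def build_ids(raw_hashes):
    """Return (unique indicator IDs, inputs rejected as malformed)."""
    ids, rejected = [], []
    for raw in raw_hashes:
        indicator_id = to_indicator_id(raw)
        if indicator_id is None:
            rejected.append(raw)
        elif indicator_id not in ids:
            ids.append(indicator_id)
    return ids, rejected


def split_response(body):
    """Split a response document into found indicators and 404 IDs."""
    found = {r["id"]: r for r in body.get("resources") or []}
    not_found = [e["id"] for e in body.get("errors") or []
                 if e.get("code") == 404 and "id" in e]
    return found, not_found


# Constructed sample: trimmed copy of the response shape shown in the reply
SAMPLE_BODY = {
    "resources": [{"id": "hash_md5_67f27c919fcf3a9db09bbcfef0cb1f1b",
                   "malicious_confidence": "high",
                   "malware_families": ["XORDDoS"]}],
    "errors": [{"code": 404, "message": "Not Found",
                "id": "hash_md5_da36586c60acce187c1wontexist"}],
}

if __name__ == "__main__":
    ids, rejected = build_ids(["67F27C919FCF3A9DB09BBCFEF0CB1F1B", "not-a-hash"])
    found, not_found = split_response(SAMPLE_BODY)
    print(ids, rejected, list(found), not_found)
```

Rejecting malformed values before the call keeps typos and truncated hashes from showing up as ordinary "Not Found" entries in the `errors` branch.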