Technical Tip: [FortiSOAR / Cybersponse Tricks'n'Tips] Some handy queries for searching for records via API in Playbook
Use the 'CyOPs Utilities' Connector 'Make CyOPs API call' function to find records with some advanced queries, such as:
To find all indicators linked to an incident:
/api/3/incidents/<uuid>/indicators/
To find all malicious indicators linked to an incident:
/api/3/incidents/<uuid>/indicators/?reputation__itemValue$eq=Malicious&$relationships=true
To find all attachments of an incident that are linked to indicators whose reputation is Malicious (here filtered by the reputation picklist item's API path):
/api/3/incidents/<uuid>/attachments?$relationships=true&indicators__reputation$eq=/api/3/picklists/7074e547-7785-4979-be32-c6d0c863e4bd
To find all alerts with name matching test1, test2 or test3:
/api/3/alerts?name$in=test1|test2|test3
If the filter criteria are too large for a GET query string, you can use a POST request instead of the GET example above.
Example:
collection: /api/query/alerts
method: POST
body: {"logic": "OR", "filters": [ {"field": "name", "operator": "eq", "value": "test1"}, {"field": "name", "operator": "eq", "value": "test2"}]}
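The following is an added helper, not part of FortiSOAR or this tip, that builds the parameters for the 'Make CyOPs API call' step from a list of alert names: it produces the GET "$in" form for short lists and switches to the POST /api/query body from the example above when the list is long or when a value contains the "|" separator. The threshold MAX_GET_VALUES is an assumed constant, and the percent-encoding of values is a defensive choice of this example (the tip shows the values unencoded).

```python
import json
from urllib.parse import quote

# Assumed threshold for switching from GET to POST; tune it to your deployment.
MAX_GET_VALUES = 50


def alerts_by_name_get(names):
    """GET form from the tip: /api/3/alerts?name$in=v1|v2|v3 (values joined by '|').

    Each value is percent-encoded so that characters such as '&' or '=' inside an
    alert name cannot add or alter query parameters.
    """
    joined = "|".join(quote(n, safe="") for n in names)
    return "/api/3/alerts?name$in=" + joined


def alerts_by_name_post(names, logic="OR"):
    """POST form from the tip: one 'eq' filter per name under the given logic."""
    filters = [{"field": "name", "operator": "eq", "value": n} for n in names]
    return {"logic": logic, "filters": filters}


def alerts_by_name(names, max_get_values=MAX_GET_VALUES):
    """Return collection/method/body for the 'Make CyOPs API call' step.

    Falls back to POST when the list is long (query string size) or when a value
    contains '|', which the GET '$in' form cannot express unambiguously.
    """
    names = [n for n in names if n]
    if not names:
        raise ValueError("at least one alert name is required")
    if len(names) <= max_get_values and not any("|" in n for n in names):
        return {"collection": alerts_by_name_get(names), "method": "GET", "body": None}
    return {
        "collection": "/api/query/alerts",
        "method": "POST",
        "body": alerts_by_name_post(names),
    }


if __name__ == "__main__":
    # Constructed sample input, mirroring the tip's test1/test2/test3 example.
    print(alerts_by_name(["test1", "test2", "test3"])["collection"])
    print(json.dumps(alerts_by_name(["test1", "test2"], max_get_values=1)["body"]))
```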
