API Query to Fetch Module Data
- March 24, 2025
I am using the following URLs in Postman to fetch alert records where `recordTags` contains both the "FortiSIEM" and "Fortigate" tags and does not contain the 'SNOW' tag:
1. `https://1.1.1.1/api/3/alerts?recordTags=FortiSIEM&Fortigate`
2. `https://1.1.1.1/api/3/alerts?recordTags$in=FortiSIEM&Fortigate`
3. `https://1.1.1.1/api/3/alerts?recordTags$in=FortiSIEM&recordTags$in=Fortigate&recordTags$neq=SNOW`
However, these URLs are returning all records with "FortiSIEM" in the `recordTags` field, instead of filtering for records that contain both the "FortiSIEM" and "Fortigate" tags. The `&` operator should work as an AND condition, but it is not filtering the data correctly. The same thing is observed in the FortiSOAR UI. I am attaching a screenshot of it.
The expected response should contain the below field with the same detail:
```json
"recordTags": [
  "FortiSIEM",
  "Fortigate"
]
```
Can someone help me to form the correct API URL?
Note: I am sharing the document link that I had followed: https://docs.fortinet.com/document/fortisoar/7.6.1/api-guide/304651/query-api-reference#Apply_Basic_Query
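
As an added example that is not part of the original post or of Fortinet's documentation: the Python code below shows how a generic query-string parser splits the three URLs (in the first two, `Fortigate` becomes a separate parameter with an empty value rather than a second tag value), and filters an already fetched result set client-side for both tags and no `SNOW` tag. How FortiSOAR itself evaluates repeated `recordTags$in` parameters is not shown on this page; the sample records and the `name` field are constructed.

```python
from urllib.parse import urlsplit, parse_qsl

# The three query URLs from the post (1.1.1.1 is the post's placeholder host).
URLS = [
    "https://1.1.1.1/api/3/alerts?recordTags=FortiSIEM&Fortigate",
    "https://1.1.1.1/api/3/alerts?recordTags$in=FortiSIEM&Fortigate",
    "https://1.1.1.1/api/3/alerts?recordTags$in=FortiSIEM"
    "&recordTags$in=Fortigate&recordTags$neq=SNOW",
]


def query_params(url):
    """Split a URL's query string the way a generic HTTP stack does:
    '&' separates parameters, '=' separates a name from its value."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def has_required_tags(record, required, excluded):
    """True when the record carries every required tag and no excluded one."""
    tags = set(record.get("recordTags", []))
    return set(required) <= tags and tags.isdisjoint(excluded)


def filter_alerts(records, required=("FortiSIEM", "Fortigate"),
                  excluded=("SNOW",)):
    """Client-side check that does not depend on server query semantics."""
    return [r for r in records if has_required_tags(r, required, excluded)]


# Constructed sample records (not real FortiSOAR output). Only "recordTags"
# mirrors the field named in the post; "name" is a hypothetical field.
SAMPLE_ALERTS = [
    {"name": "a1", "recordTags": ["FortiSIEM"]},
    {"name": "a2", "recordTags": ["FortiSIEM", "Fortigate"]},
    {"name": "a3", "recordTags": ["FortiSIEM", "Fortigate", "SNOW"]},
    {"name": "a4", "recordTags": ["Fortigate"]},
    {"name": "a5"},  # record with no tags at all
]

if __name__ == "__main__":
    for url in URLS:
        print(query_params(url))
    print([r["name"] for r in filter_alerts(SAMPLE_ALERTS)])
```
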