Issue
Is it possible to fetch threats by their status? This is in relation to being able to use the GET method against the /openapi/v3/detections operation. Currently, there is only one query parameter, which is since, so I was wondering if we can do it by status just like we can do with the search functionality in the UI.
Environment
Red Canary API v3
Resolution
You cannot fetch threats by their status through a query parameter. Instead, you must pull all threats from /openapi/v3/detections/summary or /openapi/v3/detections, and filter on "last_remediated_status".
Enumerate the threats you pull, and index on last_remediated_status, which captures the following attributes:
- Reason
- Remediation State
- Marked by
If you're writing code that looks for certain attributes, be aware that you won't see the last_remediated_status attribute at all for a returned data object that hasn't been remediated.
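The client-side filtering described above, as an added example that is not part of this article or Red Canary's own tooling. The endpoint paths and the `since` parameter come from the article; the sample detection records are constructed, and the field names inside `last_remediated_status` (`remediation_state`, `reason`, `marked_by`) are assumptions based on the three attributes listed above. Records that lack the attribute entirely, or carry it as null, are bucketed as unremediated rather than crashing the loop.

```python
"""Pull Red Canary detections and filter/index them by remediation status.

Added example: the API returns no status query parameter, so the filtering
happens after the fetch. Field names under last_remediated_status are assumed.
"""
import json
import urllib.parse
import urllib.request
from typing import Any, Dict, Iterable, List, Optional

# Bucket name used for records with no usable last_remediated_status.
UNREMEDIATED = "unremediated"

# Constructed sample payload (not real API output). Record 102 has no
# last_remediated_status key at all, which is what the article warns about;
# record 104 carries it as null to show the same defensive handling.
SAMPLE_DETECTIONS: List[Dict[str, Any]] = [
    {"id": 101, "headline": "Suspicious PowerShell on HOST-A",
     "last_remediated_status": {"remediation_state": "remediated",
                                "reason": "Host reimaged",
                                "marked_by": "analyst@example.com"}},
    {"id": 102, "headline": "Credential dumping on HOST-B"},
    {"id": 103, "headline": "Unusual scheduled task on HOST-C",
     "last_remediated_status": {"remediation_state": "not_remediated",
                                "reason": "Awaiting owner confirmation",
                                "marked_by": "analyst@example.com"}},
    {"id": 104, "headline": "Beaconing from HOST-D",
     "last_remediated_status": None},
]


def fetch_detections(base_url: str, headers: Dict[str, str],
                     since: Optional[str] = None) -> List[Dict[str, Any]]:
    """GET /openapi/v3/detections, optionally with the `since` parameter.

    Authentication headers are supplied by the caller (assumption: this
    example does not know the tenant's auth scheme). Not exercised offline.
    """
    url = base_url.rstrip("/") + "/openapi/v3/detections"
    if since:
        url += "?" + urllib.parse.urlencode({"since": since})
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:  # nosec - caller-supplied URL
        body = json.load(resp)
    # Assumption: the payload is either a bare list or wraps it under "data".
    return body["data"] if isinstance(body, dict) else body


def remediation_state(detection: Dict[str, Any]) -> Optional[str]:
    """Return the remediation_state, or None when the attribute is absent/null."""
    status = detection.get("last_remediated_status")
    if not isinstance(status, dict):
        return None
    return status.get("remediation_state")


def filter_by_status(detections: Iterable[Dict[str, Any]],
                     state: str) -> List[Dict[str, Any]]:
    """Keep only detections whose remediation_state equals `state`."""
    return [d for d in detections if remediation_state(d) == state]


def index_by_status(detections: Iterable[Dict[str, Any]]) -> Dict[str, List[int]]:
    """Group detection ids by remediation_state; missing/null -> UNREMEDIATED."""
    index: Dict[str, List[int]] = {}
    for d in detections:
        key = remediation_state(d) or UNREMEDIATED
        index.setdefault(key, []).append(d["id"])
    return index


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in fetch_detections(...)
    # with a real base URL and auth headers to run against the API.
    for state, ids in sorted(index_by_status(SAMPLE_DETECTIONS).items()):
        print(f"{state:16s} {ids}")
```

Filtering on `remediation_state` rather than on the presence of `last_remediated_status` matters: a threat can carry the attribute and still be marked "not_remediated", so presence alone does not mean the threat has been handled.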
Cause
Other endpoints, such as /openapi/v3/endpoints, have a "q" parameter which allows passing the same searches used in the Red Canary GUI as a string. As we work to update all forms to the new React component in the future, the /openapi/v3/detections endpoint will also have this parameter available.