Artifact ID? #514

philldtaylor · 2022-01-12T10:56:56Z

philldtaylor
Jan 12, 2022

Hi,

I'm attempting to use the 'GetArtifacts' falcon command (using the uber class) to pull down IOCs from samples i've submitted to the sandbox, however i need to pass an Artifact ID in the request.

The docs say that this ID should be in the response from GetReports or GetSummaryReports but i don't see it - the response to GetReports/GetSummaryReports is a short JSON object and the only IDs in there are the 'X-Cs-Traceid' and 'traceid'.

Does anyone have any experience using GetArtifacts please?

Answered by jshcodes

Jan 12, 2022

Hi @philldtaylor!

Try this sample and let us know if it helps. Currently configured to download both types of the four formats (broad and strict for csv, json, stix and maec).

import json
from falconpy import FalconXSandbox

sandbox = FalconXSandbox(client_id="CLIENT_ID_HERE",
                         client_secret="CLIENT_SECRET_HERE"
                         )

FORMATS = ["csv", "json", "stix", "maec"]
TYPES = ["broad", "strict"]

# Get a list of available reports
reports = sandbox.query_reports()   # Use the filter parameter to prune this initial list

# Just grabbing the first one for our example
report_id = reports["body"]["resources"][0]

# Retrieve report details for this report
re…

View full answer

jshcodes · 2022-01-12T17:34:08Z

jshcodes
Jan 12, 2022
Maintainer

Hi @philldtaylor!

Try this sample and let us know if it helps. Currently configured to download both types of the four formats (broad and strict for csv, json, stix and maec).

import json
from falconpy import FalconXSandbox

sandbox = FalconXSandbox(client_id="CLIENT_ID_HERE",
                         client_secret="CLIENT_SECRET_HERE"
                         )

FORMATS = ["csv", "json", "stix", "maec"]
TYPES = ["broad", "strict"]

# Get a list of available reports
reports = sandbox.query_reports()   # Use the filter parameter to prune this initial list

# Just grabbing the first one for our example
report_id = reports["body"]["resources"][0]

# Retrieve report details for this report
report_details = sandbox.get_reports(ids=report_id)

artifacts_to_retrieve = []

for key, val in report_details["body"]["resources"][0].items():
    for format in FORMATS:
        for type_ in TYPES:
            check = f"{type_}_{format}_artifact_id"
            if check in key:
                artifacts_to_retrieve.append(val)

for artifact in artifacts_to_retrieve:
    content = sandbox.get_artifacts(id=artifact)
    if isinstance(content, dict):
        with open(artifact, "w") as save_file:
            if isinstance(content["body"], list):
                json.dump(content["body"], save_file)
            else:
                if "objects" in content["body"]:
                    json.dump(content["body"]["objects"], save_file)
                if "observable_objects" in content["body"]:
                    json.dump(content["body"]["observable_objects"], save_file)
    else:
        with open(artifact, "wb") as save_file:
            save_file.write(content)
    print(f"Downloaded {artifact}")

print("Downloads complete.")

0 replies

philldtaylor · 2022-01-12T19:17:10Z

philldtaylor
Jan 12, 2022
Author

Hi @jshcodes

That worked great. Thanks very much for the help.

Phill

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Artifact ID? #514

{{title}}

Replies: 2 comments

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

Artifact ID? #514

philldtaylor Jan 12, 2022

Replies: 2 comments

jshcodes Jan 12, 2022 Maintainer

philldtaylor Jan 12, 2022 Author

philldtaylor
Jan 12, 2022

jshcodes
Jan 12, 2022
Maintainer

philldtaylor
Jan 12, 2022
Author