Examples: Using the API to Retrieve Case Observables

You can use the Stellar Cyber API to query the DP for a detailed list of the observables associated with a specified case ID. Observables include the hosts, users, processes, files, registry keys, sensors, services, external hosts, and URLs associated with the case.

Refer to Configuring API Authentication for general requirements to use the API.

API Syntax for Retrieving Case Details

The syntax for retrieving case details via the API is as follows:

https://URL/connect/api/v1/cases/<case_id>/observables

Finding the Case ID for the Observables Query

To query for a case's observables, you must first have the case's ID. You can retrieve a case's ID using either of the following techniques:

  • Navigate to the Detail display for the case whose ID you want to retrieve. The case's ID is included in the URL of the Detail page.

  • You can also retrieve the case ID through the cases API. Refer to the examples and instructions in Examples: Using the API to Retrieve Case Details for details on how to fetch cases through the API.

    Once you've retrieved a case whose observables you want to fetch, locate the "_id": "{case_id}" field. This is the ID you must supply when querying for observables.

Examples

The following examples show how to use the API to fetch a specified case's observables. Separate Python and cURL versions are shown, both using the following details:

  • Stellar Cyber DP IP Address – 192.168.11.11

  • Username:API Key – ohtani:N-YrP02Xl6yHO-1HW1gi1nems2g319Q3wLNpOAxWx9_ttbMw3pyB5qPvSVl3qt9CmgvOhHhtDCuEs5KcIn6mWw

  • Case ID – 6434c0ae91fad4e0b52bee0a

These items are shown in bold in the examples below. Replace them with your own values when constructing similar queries.

cURL

curl -k -u admin:EjbWSBPJ2DW9ynJmUZm-SXNvHVbd6iPJoItrKasnY6h-i5vz4a983FANCm55fhhsIwrcA0taKzfIEw1kLbJCjQ -i -H "Accept: application/json" -H "Content-Type: application/json" -X GET 'https://10.11.190.88/connect/api/v1/cases/6434c0ae91fad4e0b52bee0a/observables'

Python

#!/usr/bin/env python
import json
import requests

headers = {'Accept': 'application/json', 'Content-type': 'application/json'}
url = 'https://10.11.190.88/connect/api/v1/cases/6434c0ae91fad4e0b52bee0a/observables'

# HTTP basic auth: the account name is the username and the API key is the password.
# verify=False skips TLS certificate verification, matching the -k option in the cURL example.
response = requests.get(url,
                        auth=('admin', 'EjbWSBPJ2DW9ynJmUZm-SXNvHVbd6iPJoItrKasnY6h-i5vz4a983FANCm55fhhsIwrcA0taKzfIEw1kLbJCjQ'),
                        headers=headers, verify=False)

# The body is the JSON document described under Case Information Returned by the API.
print(response.text)

Case Information Returned by the API

The API returns the following information on the observables for the specified case. The response is JSON: each observable is returned as field:value pairs, with the field separated from its value by a colon and separate field:value pairs separated by commas for easy import. If an observable type has multiple entries, they are enclosed in square brackets as a list. Refer to Sample Output for an example.

Refer to About the Observables Panel for information on working with the observables for a case in the user interface.

API Field Name    Description
host              {ip: name, hostname: label}
user              {username: name}
process           {process_name: name}
file              {file_name: name}
registry          {key: name}
sensor            {id: name}
service           {service_name: name}
external_host     {ip: name, hostname: label}
url               {url: name}

Sample Output

The text below shows sample output of an API call for a case's observables:

{
  "observables": {
    "external_host": [{"hostname": "192.34.20.100", "ip": "192.34.20.100"}],
    "service": [{"service_name": "azure_ad"}],
    "user": [{"username": "qa@aella.onmicrosoft.com"}]
  },
  "total": 3
}
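The following script is an added example, not Stellar Cyber's own code. It sends the same basic-auth GET request as the cURL and Python examples above, then flattens the per-type observable lists described in the table into (type, field, value) rows and checks them against the "total" count; the DP address, credentials and case ID are placeholders, and SAMPLE is a constructed copy of the Sample Output.

```python
"""Added example, not Stellar Cyber's own code: fetch a case's observables
from the DP and flatten the JSON response into (type, field, value) rows."""
import base64
import json
import urllib.request

# Observable types and the fields the API documents for each one.
OBSERVABLE_FIELDS = {
    "host": ("ip", "hostname"), "user": ("username",), "process": ("process_name",),
    "file": ("file_name",), "registry": ("key",), "sensor": ("id",),
    "service": ("service_name",), "external_host": ("ip", "hostname"), "url": ("url",),
}

def flatten_observables(payload):
    """Turn {"observables": {type: [{field: value, ...}, ...]}, "total": N} into
    sorted (type, field, value) rows. In the page's sample "total" counts entries,
    not fields: an external_host with ip and hostname is one entry but two rows."""
    rows, entries = [], 0
    for obs_type, items in (payload.get("observables") or {}).items():
        for item in items:
            entries += 1
            # A type missing from the table falls back to whatever fields it carries.
            for field in OBSERVABLE_FIELDS.get(obs_type, tuple(item)):
                if field in item:
                    rows.append((obs_type, field, str(item[field])))
    if payload.get("total", entries) != entries:
        raise ValueError(f"total={payload['total']} but {entries} entries returned")
    return sorted(rows)

def build_request(dp_host, username, api_key, case_id):
    """The request the page's cURL command sends: HTTP basic auth, API key as password."""
    token = base64.b64encode(f"{username}:{api_key}".encode()).decode()
    url = f"https://{dp_host}/connect/api/v1/cases/{case_id}/observables"
    return urllib.request.Request(url, headers={"Accept": "application/json",
                                                "Authorization": f"Basic {token}"})

def fetch_case_observables(dp_host, username, api_key, case_id, opener=urllib.request.urlopen):
    """opener is injectable so the parsing can be exercised without a live DP.
    The default verifies the DP's TLS certificate; the page's -k / verify=False do not."""
    with opener(build_request(dp_host, username, api_key, case_id)) as resp:
        return flatten_observables(json.loads(resp.read()))

# Constructed sample mirroring the page's Sample Output (not a live response).
SAMPLE = {"observables": {"external_host": [{"hostname": "192.34.20.100", "ip": "192.34.20.100"}],
                          "service": [{"service_name": "azure_ad"}],
                          "user": [{"username": "qa@aella.onmicrosoft.com"}]}, "total": 3}
```

Calling flatten_observables(SAMPLE) yields four rows (external_host contributes both its ip and hostname); fetch_case_observables("192.168.11.11", "ohtani", "<api key>", "6434c0ae91fad4e0b52bee0a") performs the live query.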