Query for records through the REST API
The ExtraHop REST API enables you to query for records stored on a recordstore. By querying records with a REST API script, you can import records into a third-party application, such as Microsoft Excel. If your query matches more than the maximum number of records the REST API returns in one response, you can also configure the script to query repeatedly for the remaining records. In this topic, we show methods for querying records through both the ExtraHop REST API Explorer and a Python script.
Before you begin
- You must log in to the ExtraHop system with an account that has full write privileges to generate an API key.
- You must have a valid API key to make changes through the REST API and complete the procedures below. (See Generate an API key.)
- Familiarize yourself with the ExtraHop REST API Guide to learn how to navigate the ExtraHop REST API Explorer.
Query records through the REST API Explorer
Important: The REST API Explorer is not available on Reveal(x) 360.
Python script examples
The following Python scripts query for records that involve an IP address, domain name, or URI that has been identified as suspicious according to threat intelligence. The scripts then write specified record fields to a CSV file that can be viewed in a spreadsheet program.
Note: For more information about threat intelligence with ExtraHop, see Threat intelligence and Upload STIX files through the REST API.
Retrieve and run the example Python script for an Explore appliance
The ExtraHop GitHub repository contains an example Python script that retrieves records from an Explore appliance.
Important: If the query matches more than the maximum number of records that can be retrieved at once, the script retrieves the remaining records by sending a cursor to the ExtraHop system with the POST /records/cursor operation. This operation is only valid with Explore appliances. If you have configured a third-party or cloud recordstore, see Retrieve and run the example Python script for a third-party or cloud recordstore.
Important: The example Python script authenticates to the ExtraHop system through an API key, which is not compatible with the Reveal(x) 360 REST API. To run this script with Reveal(x) 360, you must modify the script to authenticate with API tokens. See the py_rx360_auth.py script in the ExtraHop GitHub repository for an example of how to authenticate with API tokens.
Retrieve and run the example Python script for a third-party or cloud recordstore
The ExtraHop GitHub repository contains an example Python script that retrieves records from third-party and cloud recordstores.
Important: The example Python script authenticates to the ExtraHop system through an API key, which is not compatible with the Reveal(x) 360 REST API. To run this script with Reveal(x) 360, you must modify the script to authenticate with API tokens. See the py_rx360_auth.py script in the ExtraHop GitHub repository for an example of how to authenticate with API tokens.
Note: If the query matches more than the maximum number of records that can be retrieved at once, the script retrieves the remaining records by sending additional requests with the offset parameter. The offset parameter skips a specified number of records in a query.