Query for records through the REST API
The ExtraHop REST API enables you to query for records stored on a recordstore. By querying records with a REST API script, you can import records into a third-party application, such as Microsoft Excel. Also, if your query matches more than the maximum number of records returned by the REST API, you can configure the script to query repeatedly for the remaining records. In this topic, we show methods for querying records through both the ExtraHop REST API Explorer and a Python script.
Before you begin
- You must log in to the sensor or console with an account that has full write privileges to generate an API key.
- You must have a valid API key to make changes through the REST API and complete the procedures below. (See Generate an API key.)
- Familiarize yourself with the ExtraHop REST API Guide to learn how to navigate the ExtraHop REST API Explorer.
Python script examples
The following Python scripts query for records that involve an IP address, domain name, or URI that has been identified as suspicious according to threat intelligence. The scripts then write specified record fields to a CSV file that can be viewed in a spreadsheet program.
Note: For more information about threat intelligence with ExtraHop, see Threat intelligence and Upload STIX files through the REST API.
Retrieve and run the example Python script for an ExtraHop recordstore
The ExtraHop GitHub repository contains an example Python script that retrieves records from an ExtraHop recordstore.
Important: If the query matches more than the maximum number of records that can be retrieved at once, the script retrieves the remaining records by sending a cursor to the sensor or console with the POST /records/cursor operation. This operation is only valid with an ExtraHop recordstore. If you have configured a third-party or a cloud recordstore, see Retrieve and run the example Python script for a third-party or cloud recordstore.
Retrieve and run the example Python script for a third-party or cloud recordstore
The ExtraHop GitHub repository contains an example Python script that retrieves records from third-party and cloud recordstores.
Note: If the query matches more than the maximum number of records that can be retrieved at once, the script retrieves the remaining records by sending additional requests with the offset parameter. The offset parameter skips a specified number of records in a query.
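The paging logic described in the two notes above, as an added example that is not one of the ExtraHop GitHub scripts: a cursor-following path for an ExtraHop recordstore and an offset path for a third-party or cloud recordstore, run against a constructed in-memory stand-in for the endpoints so it works offline. The request and response field names (limit, offset, cursor, records, total, _source) and the sample records are assumptions, not taken from the page.

```python
"""Page through a record query until every match is collected, then write the chosen
fields to CSV. Request/response shapes (limit, offset, cursor, records, total, _source)
are assumptions drawn from the page, not a copy of the ExtraHop scripts."""
import csv
import io

def fetch_all_records(search, body, page_size, cursor_next=None):
    """Collect every matching record. With cursor_next (ExtraHop recordstore) follow the
    cursor via POST /records/cursor; without it (third-party or cloud store) re-issue the
    search with a growing offset. Stops when total is reached or a page comes back empty."""
    resp = search(dict(body, limit=page_size, offset=0))
    records, total = list(resp["records"]), resp["total"]
    while len(records) < total and resp["records"]:
        if cursor_next is not None:
            resp = cursor_next({"cursor": resp["cursor"]})
        else:
            resp = search(dict(body, limit=page_size, offset=len(records)))
        records.extend(resp["records"])
    return records

def records_to_csv(records, fields):
    """Flatten each record's _source to a CSV row; fields missing from a record are blank."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, extrasaction="ignore")
    writer.writeheader()
    for rec in records:
        writer.writerow({f: rec["_source"].get(f, "") for f in fields})
    return buf.getvalue()

class FakeRecordstore:
    """Constructed in-memory stand-in for the two endpoints so the example runs offline.
    It caps each response at max_page records regardless of the requested limit."""
    def __init__(self, records, max_page):
        self.records, self.max_page, self._cursors = records, max_page, {}

    def search(self, body):  # stands in for POST /records/search
        start = body.get("offset", 0)
        page = self.records[start:start + min(body["limit"], self.max_page)]
        token = f"cursor-{start + len(page)}"  # opaque to the client
        self._cursors[token] = start + len(page)
        return {"total": len(self.records), "records": page, "cursor": token}

    def cursor(self, body):  # stands in for POST /records/cursor
        return self.search({"offset": self._cursors[body["cursor"]], "limit": self.max_page})

# Constructed sample records flagged by threat intelligence (illustrative field names).
SAMPLE = [{"_source": {"timestamp": 1700000000 + i, "client": f"10.0.0.{i}",
                       "server": "203.0.113.9", "uri": "http://bad.example/p"}} for i in range(7)]
FIELDS = ["timestamp", "client", "server", "uri"]
```

With a real sensor or console, search and cursor_next would wrap authenticated POST calls to the two endpoints; the collection and CSV logic stays the same.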