Hi Jason,
An alternative is to use search_ex. Here's a query to find an artifact value across different incidents:
POST /rest/search_ex
{
    "query": "abc",
    "org_id": 202,
    "filters": {
        "incident": [
            {
                "conditions": [
                    {"field_name": "id", "method": "in", "value": [2095, 2096]}
                ]
            }
        ],
        "artifact": [
            {
                "conditions": []
            }
        ]
    },
    "types": [
        "artifact"
    ]
}
------------------------------
Mark Scherfling
------------------------------
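The search_ex call above, worked through as an added example that is not code from the thread: it builds the same body for any list of incident ids, sends it through any client object exposing post(uri, payload=...) (resilient's SimpleClient fits), and flattens the hits into (incident id, artifact value) pairs. The response layout (results, type_id, inc_id, result.value) and the FakeClient used to run it offline are assumptions, not documented server output.

```python
# Added example, not code from the thread: builds the search_ex body shown
# above and flattens the hits. Response keys are an assumption (see below).

def build_artifact_search(query, org_id, incident_ids):
    """Body for POST /rest/search_ex limited to artifacts of incident_ids;
    an empty incident_ids emits no incident condition (search the whole org)."""
    ids = sorted({int(i) for i in incident_ids})
    incident_conditions = []
    if ids:
        incident_conditions.append(
            {"field_name": "id", "method": "in", "value": ids})
    return {
        "query": query,
        "org_id": org_id,
        "filters": {
            "incident": [{"conditions": incident_conditions}],
            "artifact": [{"conditions": []}],
        },
        "types": ["artifact"],
    }

def artifact_hits(response):
    """(incident id, artifact value) pairs. Assumed layout: {"results":
    [{"type_id": "artifact", "inc_id": N, "result": {"value": "..."}}]}."""
    hits = []
    for item in response.get("results", []):
        if item.get("type_id") == "artifact":  # search_ex may mix object types
            hits.append((int(item["inc_id"]), str(item["result"]["value"])))
    return hits

def find_artifact(client, query, org_id, incident_ids):
    # client: anything with post(uri, payload=...), e.g. resilient's SimpleClient
    body = build_artifact_search(query, org_id, incident_ids)
    return artifact_hits(client.post("/search_ex", payload=body))

class FakeClient:
    """Constructed stand-in for the real client: records calls, returns canned data."""
    def __init__(self, response):
        self.response, self.calls = response, []

    def post(self, uri, payload=None, **kwargs):
        self.calls.append((uri, payload))
        return self.response

SAMPLE_RESPONSE = {"results": [  # constructed sample, not real server output
    {"type_id": "artifact", "inc_id": 2095, "result": {"value": "abc.example"}},
    {"type_id": "incident", "inc_id": 2096, "result": {"name": "abc"}},
]}
```

Swap FakeClient for the real client and the same find_artifact call pivots one indicator value across the listed incidents; pass an empty list to search every incident in the org.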
Original Message:
Sent: Tue May 24, 2022 10:38 AM
From: Jason Jemmott
Subject: Using query_paged for artifacts
I'm trying to query multiple artifacts across multiple incidents at once, with the goal of retrieving either all artifacts or all artifacts related to a list of incidents. In the documentation I see this URL as an option to make a client.post to "/orgs/{org_id}/artifacts/query_paged", and I can't seem to make it return anything other than: {'recordsTotal': 0, 'recordsFiltered': 0, 'data': []}. This is the case in the interactive REST API as well as with the code below. It certainly does not seem to behave the same way as the incidents/query_paged URL.
I've tried many different payloads with no luck. If anyone could provide some guidance on how to structure the payload, that would be much appreciated. Below is an example of one of the many things I've tried, which resulted in the return above.
def query_paged(client, ids, timeout=None):
    # client: a connected resilient SimpleClient; ids: list of incident ids
    body = {
        "start": 1,
        "length": -1,
        "recordsTotal": 1000,
        "filters": [
            {
                "conditions": [{"field_name": "inc_id", "method": "in", "value": ids}]
            }
        ]
    }
    # returns the paged result dict ({'recordsTotal': ..., 'recordsFiltered': ..., 'data': [...]})
    return client.post("/incidents/query_paged?return_level=full", payload=body, timeout=timeout)
------------------------------
Jason Jemmott
Cyber Security Analyst
------------------------------