CTI Butler API?

I recently read your post;

Which contains a lot of CTI Butler queries.

I am just getting my head around the query language, but I was wondering if there is any way to run these queries outside of the UI. Perhaps via an API?

Hey @0101001001001 ,

Yes, there’s an API you can use to run the queries.

I’ll use the locations data in CTI Butler as an example to demonstrate…

The locations data is held in a database called cti, in two collections:

  1. locations_edge_collection: STIX relationship objects
  2. locations_vertex_collection: all other STIX objects

So a query might look like this:

FOR doc IN locations_vertex_collection
  FILTER doc.type == "location"
  AND CONTAINS(doc.name, "United")
  RETURN doc.name

[
  "Tanzania, United Republic of",
  "United States of America",
  "United Arab Emirates",
  "United States Minor Outlying Islands",
  "United Kingdom of Great Britain and Northern Ireland"
]

To run this query via the API you need your CTI Butler credentials encoded as base64:

curl -X POST \
  -H "Authorization: Basic USER:PASS_BASE64_ENCODED" \
  --data '{"query":"FOR doc IN locations_vertex_collection FILTER doc.type == \"location\" AND CONTAINS(doc.name, \"United\") RETURN doc.name"}' \
  https://data.ctibutler.com/_db/cti_database/_api/cursor

Which returns:

{"result":["Tanzania, United Republic of","United States of America","United Arab Emirates","United States Minor Outlying Islands","United Kingdom of Great Britain and Northern Ireland"],"hasMore":false,"cached":false,"extra":{"warnings":[],"stats":{"writesExecuted":0,"writesIgnored":0,"scannedFull":293,"scannedIndex":0,"cursorsCreated":0,"cursorsRearmed":0,"cacheHits":0,"cacheMisses":0,"filtered":288,"httpRequests":0,"executionTime":7.258330006152391e-4,"peakMemoryUsage":32768}},"error":false,"code":201}

The data you want is inside the result object.
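The same request as the curl command above, written in Python so the pieces are explicit: the Authorization header is just base64 of `user:password` (reversible, so it is only safe because the endpoint is HTTPS), the body is the query as JSON, and the rows come back in `result`. This is an added example, not code from the thread or from CTI Butler; the endpoint and the query are copied from the answer, the credentials are placeholders, and the sample response is the thread's output trimmed to the fields the code reads. It also checks the `error` and `hasMore` fields of the response, which the curl output shows but the answer does not discuss.

```python
import base64
import json
import urllib.request

# Cursor endpoint exactly as given in the answer above.
CURSOR_URL = "https://data.ctibutler.com/_db/cti_database/_api/cursor"

# The thread's query, joined onto one line so it serialises cleanly into JSON.
QUERY = (
    'FOR doc IN locations_vertex_collection '
    'FILTER doc.type == "location" AND CONTAINS(doc.name, "United") '
    'RETURN doc.name'
)


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header value the curl command expects.

    HTTP Basic auth is base64("user:password"). Base64 is an encoding, not
    encryption, so the header only stays private because the request is
    sent over TLS.
    """
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_request(query: str, user: str, password: str,
                  url: str = CURSOR_URL) -> urllib.request.Request:
    """Assemble the POST that the curl command in the answer sends."""
    body = json.dumps({"query": query}).encode("utf-8")
    return urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={
            "Authorization": basic_auth_header(user, password),
            "Content-Type": "application/json",
        },
    )


def extract_results(response_text: str) -> list:
    """Pull the rows out of a cursor response, refusing partial or failed answers."""
    payload = json.loads(response_text)
    if payload.get("error"):
        raise RuntimeError(f"query failed with HTTP code {payload.get('code')}: {payload}")
    if payload.get("hasMore"):
        # The server returned only the first batch; silently using it would
        # truncate the result set, so surface that instead.
        raise RuntimeError("response is a partial batch (hasMore is true)")
    return payload["result"]


def run_query(query: str, user: str, password: str, url: str = CURSOR_URL) -> list:
    """Send the query to the API and return the rows (live call, needs real credentials)."""
    req = build_request(query, user, password, url)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return extract_results(resp.read().decode("utf-8"))


# Constructed sample: the response body shown in the thread, reduced to the
# fields this code reads, so the parsing can be exercised offline.
SAMPLE_RESPONSE = json.dumps({
    "result": [
        "Tanzania, United Republic of",
        "United States of America",
        "United Arab Emirates",
        "United States Minor Outlying Islands",
        "United Kingdom of Great Britain and Northern Ireland",
    ],
    "hasMore": False,
    "cached": False,
    "error": False,
    "code": 201,
})

if __name__ == "__main__":
    # Offline demonstration; swap in run_query(QUERY, "USER", "PASS") for a live call.
    for name in extract_results(SAMPLE_RESPONSE):
        print(name)
```

Passing the plaintext credentials to `basic_auth_header` avoids the easy mistake of pasting a pre-encoded string with a trailing newline (as `echo` without `-n` produces) into the header.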