Get a list of IOCs. You can return all IOCs or filter results. You can also return extended results with all details included.
- Filters are combined using an AND condition (OR is not supported).
- The maximum result set size is >100.
- Offset is the zero-based index of the first indicator returned, counted from the start of the result set.
UI navigation: CORTEX > Threat Management > Detection Rules > IOC.
You must have Rules Edit permissions to run this endpoint.
Authorization
String
required
{api_key}
{api_key}
authorization_example
x-xdr-auth-id
String
required
{api_key_id}
{api_key_id}
xXdrAuthId_example
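# One curl invocation: the generated listing put each argument on its own line
# without continuation backslashes, so it would not run as written.
# The header values are placeholders for the API key and key ID; read them from
# a secret store or environment variable rather than typing them on a shared
# command line (shell history keeps them).
# -d '' sends an empty body; the endpoint expects a JSON document under
# "request_data" (see the other samples on this page).
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: authorization_example' \
  -H 'x-xdr-auth-id: xXdrAuthId_example' \
  'https://api-yourfqdn/public_api/v1/indicators/get' \
  -d ''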
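import http.client
import json

# Request body: one EQ filter on the `indicator` field with a null value,
# first page, extended view. Built with json.dumps instead of a hand-escaped
# string so it stays valid JSON when values are edited.
payload = json.dumps({
    "request_data": {
        "extended_view": True,
        "filters": [
            {"field": "indicator", "operator": "EQ", "value": [None]}
        ],
        "search_from": 0,
        "search_to": 0,
    }
})
# API key and key ID are placeholders; load real values from configuration
# or a secret store, and never log them.
headers = {
    'Authorization': "SOME_STRING_VALUE",
    'x-xdr-auth-id': "SOME_STRING_VALUE",
    'content-type': "application/json"
}
# The generated sample never closed the connection and had no timeout, so a
# stalled server would block forever; bound the wait and always close.
conn = http.client.HTTPSConnection("api-yourfqdn", timeout=30)
try:
    conn.request("POST", "/public_api/v1/indicators/get", payload, headers)
    res = conn.getresponse()
    data = res.read()
finally:
    conn.close()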
print(data.decode("utf-8"))require 'uri'
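require 'net/http'
require 'openssl'

url = URI("https://api-yourfqdn/public_api/v1/indicators/get")
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Verify the server certificate. The generated sample set VERIFY_NONE, which
# disables certificate checking and lets any host that intercepts the
# connection impersonate the API and read the API key sent in the headers.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
request = Net::HTTP::Post.new(url)
# API key and key ID placeholders; load real values from configuration.
request["Authorization"] = 'SOME_STRING_VALUE'
request["x-xdr-auth-id"] = 'SOME_STRING_VALUE'
request["content-type"] = 'application/json'
# One EQ filter on `indicator` with a null value, first page, extended view.
request.body = "{\"request_data\":{\"extended_view\":true,\"filters\":[{\"field\":\"indicator\",\"operator\":\"EQ\",\"value\":[null]}],\"search_from\":0,\"search_to\":0}}"
response = http.request(request)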
puts response.read_bodyconst data = JSON.stringify({
"request_data": {
"extended_view": true,
"filters": [
{
"field": "indicator",
"operator": "EQ",
"value": [
null
]
}
],
"search_from": 0,
"search_to": 0
}
});
// POST the filter document with XMLHttpRequest. The response body is logged
// once the request reaches readyState DONE, whatever the HTTP status was.
// withCredentials also attaches cookies to a cross-origin request; the API is
// authenticated by the headers below, so confirm it is actually needed.
const xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.onreadystatechange = function () {
  if (this.readyState === this.DONE) {
    console.log(this.responseText);
  }
};
xhr.open("POST", "https://api-yourfqdn/public_api/v1/indicators/get");
// API key and key ID placeholders; never embed real keys in client-side code.
const requestHeaders = {
  "Authorization": "SOME_STRING_VALUE",
  "x-xdr-auth-id": "SOME_STRING_VALUE",
  "content-type": "application/json",
};
for (const [name, value] of Object.entries(requestHeaders)) {
  xhr.setRequestHeader(name, value);
}
xhr.send(data);HttpResponse<String> response = Unirest.post("https://api-yourfqdn/public_api/v1/indicators/get")
.header("Authorization", "SOME_STRING_VALUE")
.header("x-xdr-auth-id", "SOME_STRING_VALUE")
.header("content-type", "application/json")
.body("{\"request_data\":{\"extended_view\":true,\"filters\":[{\"field\":\"indicator\",\"operator\":\"EQ\",\"value\":[null]}],\"search_from\":0,\"search_to\":0}}")
.asString();import Foundation
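// Request headers. The values are placeholders: supply the API key and key ID
// from a secret store at run time and keep them out of source control and logs.
let headers = [
    "Authorization": "SOME_STRING_VALUE",
    "x-xdr-auth-id": "SOME_STRING_VALUE",
    "content-type": "application/json"
]
// Request body: one EQ filter on the `indicator` field with an empty value list
// (the other samples on this page send `[null]`), first page, extended view.
let parameters = ["request_data": [
    "extended_view": true,
    "filters": [
        [
            "field": "indicator",
            "operator": "EQ",
            "value": []
        ]
    ],
    "search_from": 0,
    "search_to": 0
]] as [String: Any]
// JSONSerialization.data(withJSONObject:) throws, so `try` is required; the
// generated sample omitted it and does not compile. A failure here means the
// literal above is malformed, which is a programming error.
let postData = try JSONSerialization.data(withJSONObject: parameters, options: [])
// Parse the endpoint URL without force-unwrapping.
guard let endpointURL = URL(string: "https://api-yourfqdn/public_api/v1/indicators/get") else {
    fatalError("endpoint URL literal is malformed")
}
var request = URLRequest(url: endpointURL,
                         cachePolicy: .useProtocolCachePolicy,
                         timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData
let session = URLSession.shared
let dataTask = session.dataTask(with: request) { data, response, error in
    if let error = error {
        // Print a description rather than the Optional wrapper.
        print("request failed: \(error.localizedDescription)")
        return
    }
    guard let httpResponse = response as? HTTPURLResponse else {
        print("no HTTP response received")
        return
    }
    // Status code only; the response body, if any, is in `data`.
    print("HTTP \(httpResponse.statusCode), \(data?.count ?? 0) bytes")
}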
dataTask.resume()<?php
// Request body shared by the other samples on this page: one EQ filter on
// `indicator` with a null value, first page, extended view.
$body = "{\"request_data\":{\"extended_view\":true,\"filters\":[{\"field\":\"indicator\",\"operator\":\"EQ\",\"value\":[null]}],\"search_from\":0,\"search_to\":0}}";
// API key and key ID placeholders; load real values from configuration.
$requestHeaders = [
    "Authorization: SOME_STRING_VALUE",
    "content-type: application/json",
    "x-xdr-auth-id: SOME_STRING_VALUE"
];

$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/indicators/get");
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_ENCODING, "");
curl_setopt($curl, CURLOPT_MAXREDIRS, 10);
curl_setopt($curl, CURLOPT_TIMEOUT, 30);
curl_setopt($curl, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
curl_setopt($curl, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt($curl, CURLOPT_POSTFIELDS, $body);
curl_setopt($curl, CURLOPT_HTTPHEADER, $requestHeaders);

// Execute, capture any transport error, and release the handle.
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
echo "cURL Error #:" . $err;
} else {
echo $response;
}CURL *hnd = curl_easy_init();
/* Method, endpoint and JSON body (same filter document as the other samples:
 * one EQ filter on "indicator" with a null value, first page, extended view). */
curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/indicators/get");
curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request_data\":{\"extended_view\":true,\"filters\":[{\"field\":\"indicator\",\"operator\":\"EQ\",\"value\":[null]}],\"search_from\":0,\"search_to\":0}}");
/* Headers: API key and key ID (placeholders) plus content type. The slist
 * must stay alive until curl_easy_perform() returns and must then be released
 * with curl_slist_free_all(); nothing in this sample frees it. */
static const char *const header_lines[] = {
    "Authorization: SOME_STRING_VALUE",
    "x-xdr-auth-id: SOME_STRING_VALUE",
    "content-type: application/json"
};
struct curl_slist *headers = NULL;
size_t i;
for (i = 0; i < sizeof header_lines / sizeof header_lines[0]; i++) {
    headers = curl_slist_append(headers, header_lines[i]);
}
curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);
CURLcode ret = curl_easy_perform(hnd);var client = new RestClient("https://api-yourfqdn/public_api/v1/indicators/get");
// Build the POST request: API key headers (placeholders; load real values from
// configuration) followed by the JSON body shared with the other samples.
var request = new RestRequest(Method.POST);
var requestHeaders = new List<KeyValuePair<string, string>>
{
    new KeyValuePair<string, string>("Authorization", "SOME_STRING_VALUE"),
    new KeyValuePair<string, string>("x-xdr-auth-id", "SOME_STRING_VALUE"),
    new KeyValuePair<string, string>("content-type", "application/json")
};
foreach (var header in requestHeaders)
{
    request.AddHeader(header.Key, header.Value);
}
// One EQ filter on "indicator" with a null value, first page, extended view.
const string body = "{\"request_data\":{\"extended_view\":true,\"filters\":[{\"field\":\"indicator\",\"operator\":\"EQ\",\"value\":[null]}],\"search_from\":0,\"search_to\":0}}";
request.AddParameter("application/json", body, ParameterType.RequestBody);
IRestResponse response = client.Execute(request);request_dataobjectrequired
extended_view — boolean
filters — array. An array of filter fields.
An array of filter fields.
field — string (Enum). Identifies the IOC field the filter is matching. Filters are based on the following keywords:
indicator: Indicator.
type: Indicator type.
severity: Indicator severity.
expiration_date: Expiration date in epoch milliseconds.
default_expiration_enabled: Whether the default expiration is enabled.
comment: Comment.
reputation: Reputation level.
reliability: Reliability level.
Identifies the IOC field the filter is matching. Filters are based on the following keywords:
indicator: Indicator.
type: Indicator type.
severity: Indicator severity.
expiration_date: Expiration date in epoch milliseconds.
default_expiration_enabled: Whether the default expiration is enabled.
comment: Comment.
reputation: Reputation level.
reliability: Reliability level.
operator — string (Enum). Identifies the comparison operator you want to use for this filter. Valid keywords are:
gte / lte
expiration_date: Integer in timestamp epoch milliseconds
EQ / NEQ
indicator: String
type: String
severity: String
default_expiration_enabled: Boolean
comment: String
reputation: String
reliability: String
Identifies the comparison operator you want to use for this filter. Valid keywords are:
gte / lte
expiration_date: Integer in timestamp epoch milliseconds
EQ / NEQ
indicator: String
type: String
severity: String
default_expiration_enabled: Boolean
comment: String
reputation: String
reliability: String
value — object. Value that this filter must match. The contents of this field will differ depending on the IOC field that you specified for this filter:
indicator, comment: String.
type: String, can be one of the following: hash, ip, path, domain_name, filename, mixed.
severity: String, can be one of the following: SEV_010_INFO, SEV_020_LOW, SEV_030_MEDIUM, SEV_040_HIGH
expiration_date: Integer representing the number of milliseconds after the Unix epoch, UTC timezone.
default_expiration_enabled: Boolean value: true or false.
comment: String.
reputation: String, can be one of the following: good, bad, suspicious, unknown, no_reputation.
reliability: String, can be one of the following: A, B, C, D, E, F, G.
Value that this filter must match. The contents of this field will differ depending on the IOC field that you specified for this filter:
indicator, comment: String.
type: String, can be one of the following: hash, ip, path, domain_name, filename, mixed.
severity: String, can be one of the following: SEV_010_INFO, SEV_020_LOW, SEV_030_MEDIUM, SEV_040_HIGH.
expiration_date: Integer representing the number of milliseconds after the Unix epoch, UTC timezone.
default_expiration_enabled: Boolean value: true or false.
comment: String.
reputation: String, can be one of the following: good, bad, suspicious, unknown, no_reputation.
reliability: String, can be one of the following: A, B, C, D, E, F, G.
(integer) Value that this filter must match. The contents of this field will differ depending on the IOC field that you specified for this filter:
indicator, comment: String.
type: String, can be one of the following: hash, ip, path, domain_name, filename, mixed.
severity: String, can be one of the following: SEV_010_INFO, SEV_020_LOW, SEV_030_MEDIUM, SEV_040_HIGH
expiration_date: Integer representing the number of milliseconds after the Unix epoch, UTC timezone.
default_expiration_enabled: Boolean value: true or false.
comment: String.
reputation: String, can be one of the following: good, bad, suspicious, unknown, no_reputation.
reliability: String, can be one of the following: A, B, C, D, E, F, G.
Value that this filter must match. The contents of this field will differ depending on the IOC field that you specified for this filter:
indicator, comment: String.
type: String, can be one of the following: hash, ip, path, domain_name, filename, mixed.
severity: String, can be one of the following: SEV_010_INFO, SEV_020_LOW, SEV_030_MEDIUM, SEV_040_HIGH.
expiration_date: Integer representing the number of milliseconds after the Unix epoch, UTC timezone.
default_expiration_enabled: Boolean value: true or false.
comment: String.
reputation: String, can be one of the following: good, bad, suspicious, unknown, no_reputation.
reliability: String, can be one of the following: A, B, C, D, E, F, G.
(string) Value that this filter must match. The contents of this field will differ depending on the IOC field that you specified for this filter:
indicator, comment: String.
type: String, can be one of the following: hash, ip, path, domain_name, filename, mixed.
severity: String, can be one of the following: SEV_010_INFO, SEV_020_LOW, SEV_030_MEDIUM, SEV_040_HIGH
expiration_date: Integer representing the number of milliseconds after the Unix epoch, UTC timezone.
default_expiration_enabled: Boolean value: true or false.
comment: String.
reputation: String, can be one of the following: good, bad, suspicious, unknown, no_reputation.
reliability: String, can be one of the following: A, B, C, D, E, F, G.
Value that this filter must match. The contents of this field will differ depending on the IOC field that you specified for this filter:
indicator, comment: String.
type: String, can be one of the following: hash, ip, path, domain_name, filename, mixed.
severity: String, can be one of the following: SEV_010_INFO, SEV_020_LOW, SEV_030_MEDIUM, SEV_040_HIGH.
expiration_date: Integer representing the number of milliseconds after the Unix epoch, UTC timezone.
default_expiration_enabled: Boolean value: true or false.
comment: String.
reputation: String, can be one of the following: good, bad, suspicious, unknown, no_reputation.
reliability: String, can be one of the following: A, B, C, D, E, F, G.
(boolean) Value that this filter must match. The contents of this field will differ depending on the IOC field that you specified for this filter:
indicator, comment: String.
type: String, can be one of the following: hash, ip, path, domain_name, filename, mixed.
severity: String, can be one of the following: SEV_010_INFO, SEV_020_LOW, SEV_030_MEDIUM, SEV_040_HIGH
expiration_date: Integer representing the number of milliseconds after the Unix epoch, UTC timezone.
default_expiration_enabled: Boolean value: true or false.
comment: String.
reputation: String, can be one of the following: good, bad, suspicious, unknown, no_reputation.
reliability: String, can be one of the following: A, B, C, D, E, F, G.
Value that this filter must match. The contents of this field will differ depending on the IOC field that you specified for this filter:
indicator, comment: String.
type: String, can be one of the following: hash, ip, path, domain_name, filename, mixed.
severity: String, can be one of the following: SEV_010_INFO, SEV_020_LOW, SEV_030_MEDIUM, SEV_040_HIGH.
expiration_date: Integer representing the number of milliseconds after the Unix epoch, UTC timezone.
default_expiration_enabled: Boolean value: true or false.
comment: String.
reputation: String, can be one of the following: good, bad, suspicious, unknown, no_reputation.
reliability: String, can be one of the following: A, B, C, D, E, F, G.
search_from — integer. Integer representing the starting offset within the query result set from which you want indicators returned.
Indicators are returned as a zero-based list. Any indicator indexed less than this value is not returned in the final result set and defaults to zero.
Integer representing the starting offset within the query result set from which you want indicators returned. Indicators are returned as a zero-based list. Any indicator indexed less than this value is not returned in the final result set and defaults to zero.
search_to — integer. Integer representing the end offset within the result set after which you do not want indicators returned.
Indicators in the indicator list that are indexed higher than this value are not returned in the final results set. Defaults to >100, which returns all indicators to the end of the list.
Integer representing the end offset within the result set after which you do not want indicators returned. Indicators in the indicator list that are indexed higher than this value are not returned in the final results set. Defaults to >100, which returns all indicators to the end of the list.
{
"request_data": {
"extended_view": false,
"filters": [
{
"field": "indicator",
"operator": "IN",
"value": [
57
]
}
]
}
}