post
/indicators/search
Search indicators by filter
CURL
curl -X POST \
  -H "Authorization: [[apiKey]]" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://hostname:443/indicators/search" \
  -d '{
  "ignoreWorkers" : true,
  "filterobjectquery" : "filterobjectquery",
  "fromDateLicense" : "2000-01-23T04:56:07.000+00:00",
  "searchAfterElastic" : [ "searchAfterElastic", "searchAfterElastic" ],
  "searchBefore" : [ "searchBefore", "searchBefore" ],
  "laterTimeInPage" : "2000-01-23T04:56:07.000+00:00",
  "period" : {
    "fromValue" : "fromValue",
    "toValue" : "toValue",
    "byFrom" : "byFrom",
    "field" : "field",
    "by" : "by",
    "byTo" : "byTo"
  },
  "searchAfterMap" : {
    "key" : [ "searchAfterMap", "searchAfterMap" ]
  },
  "searchAfterMapOrder" : {
    "key" : 1
  },
  "firstSeen" : {
    "fromDate" : "2000-01-23T04:56:07.000+00:00",
    "fromDateLicense" : "2000-01-23T04:56:07.000+00:00",
    "period" : {
      "fromValue" : "fromValue",
      "toValue" : "toValue",
      "byFrom" : "byFrom",
      "field" : "field",
      "by" : "by",
      "byTo" : "byTo"
    },
    "toDate" : "2000-01-23T04:56:07.000+00:00",
    "timeFrame" : 0
  },
  "earlyTimeInPage" : "2000-01-23T04:56:07.000+00:00",
  "query" : "query",
  "searchBeforeElastic" : [ "searchBeforeElastic", "searchBeforeElastic" ],
  "toDate" : "2000-01-23T04:56:07.000+00:00",
  "trim_events" : 2,
  "prevPage" : true,
  "sort" : [ {
    "asc" : true,
    "field" : "field",
    "fieldType" : "fieldType"
  }, {
    "asc" : true,
    "field" : "field",
    "fieldType" : "fieldType"
  } ],
  "timeFrame" : 5,
  "fromDate" : "2000-01-23T04:56:07.000+00:00",
  "lastSeen" : {
    "fromDate" : "2000-01-23T04:56:07.000+00:00",
    "fromDateLicense" : "2000-01-23T04:56:07.000+00:00",
    "period" : {
      "fromValue" : "fromValue",
      "toValue" : "toValue",
      "byFrom" : "byFrom",
      "field" : "field",
      "by" : "by",
      "byTo" : "byTo"
    },
    "toDate" : "2000-01-23T04:56:07.000+00:00",
    "timeFrame" : 0
  },
  "size" : 5,
  "searchAfter" : [ "searchAfter", "searchAfter" ],
  "accounts" : {
    "key" : "{}"
  },
  "page" : 6,
  "fields" : [ "fields", "fields" ],
  "Cache" : {
    "key" : [ "Cache", "Cache" ]
  }
}'
Request

Body (optional)

Cache (optional, Map): Cache of join functions
accounts (optional, Map of objects)
earlyTimeInPage (optional, Object, format: date-time)
fields (optional, Array of strings)
filterobjectquery (optional, String)
firstSeen (optional): DateRangeFilter provides common fields for date filtering
  fromDate (optional, Object, format: date-time)
  fromDateLicense (optional, Object, format: date-time)
  period (optional)
    by (optional, String): By is used for legacy, and if it exists it will override ByTo and ByFrom
    byFrom (optional, String)
    byTo (optional, String)
    field (optional, String)
    fromValue (optional, String, format: duration)
    toValue (optional, String, format: duration)
  timeFrame (optional, Number (Long), format: int64): A Duration represents the elapsed time between two instants as an int64 nanosecond count. The representation limits the largest representable duration to approximately 290 years.
  toDate (optional, Object, format: date-time)
fromDate (optional, Object, format: date-time)
fromDateLicense (optional, Object, format: date-time)
ignoreWorkers (optional, Boolean): Do not use the workers mechanism while searching bleve
lastSeen (optional): DateRangeFilter provides common fields for date filtering; same fields as firstSeen
  fromDate (optional, Object, format: date-time)
  fromDateLicense (optional, Object, format: date-time)
  period (optional)
    by (optional, String): By is used for legacy, and if it exists it will override ByTo and ByFrom
    byFrom (optional, String)
    byTo (optional, String)
    field (optional, String)
    fromValue (optional, String, format: duration)
    toValue (optional, String, format: duration)
  timeFrame (optional, Number (Long), format: int64): A Duration represents the elapsed time between two instants as an int64 nanosecond count. The representation limits the largest representable duration to approximately 290 years.
  toDate (optional, Object, format: date-time)
laterTimeInPage (optional, Object, format: date-time)
page (optional, Number (Long), format: int64): 0-based page
period (optional)
  by (optional, String): By is used for legacy, and if it exists it will override ByTo and ByFrom
  byFrom (optional, String)
  byTo (optional, String)
  field (optional, String)
  fromValue (optional, String, format: duration)
  toValue (optional, String, format: duration)
prevPage (optional, Boolean): MT support - these fields are for indicator search according to calculatedTime
query (optional, String)
searchAfter (optional, Array of strings): Efficient next page, pass max sort value from previous page
searchAfterElastic (optional, Array of strings): Efficient next page, pass max ES sort value from previous page
searchAfterMap (optional, Map): Map of account search-after values; stores next page sort values per account. There is no need to store a searchBeforeMap, as [current page searchBefore] equals [prev page searchAfter]. Moreover, there is no way to generate a correct searchBefore from the current page, as some tenants may not appear at all. The map is relevant in proxy mode and used by tenants; each tenant extracts its searchAfter keys from the map.
searchAfterMapOrder (optional, Map of numbers (Long), format: int64)
searchBefore (optional, Array of strings): Efficient prev page, pass min sort value from next page
searchBeforeElastic (optional, Array of strings): Efficient prev page, pass min ES sort value from next page
size (optional, Number (Long), format: int64): Size is limited to 1000; if not passed it defaults to 0, and no results will be returned
sort (optional, Array): The sort order. Order struct holds a sort field and the direction of sorting
  asc (optional, Boolean)
  field (optional, String)
  fieldType (optional, String)
timeFrame (optional, Number (Long), format: int64): A Duration represents the elapsed time between two instants as an int64 nanosecond count. The representation limits the largest representable duration to approximately 290 years.
toDate (optional, Object, format: date-time)
trim_events (optional, Number (Long), format: int64)
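The two details of this endpoint that bite in practice are the size default (0, which returns nothing) and cursor paging with searchAfter (the sort value of the last hit on the previous page) instead of the page number. The following Python client is an added example, not code from the page or from the API's vendor. It builds a request body that refuses sizes the server would reject or answer emptily, and walks all pages through an injected send callable so it runs offline. The response shape (a "results" list plus a "searchAfter" cursor) and the fake_server stand-in with its SAMPLE_INDICATORS are assumptions; the page's Responses section is empty here.

```python
"""Added example: request builder and searchAfter paging for POST /indicators/search.
Assumed (not on the page): response JSON has "results" and "searchAfter";
SAMPLE_INDICATORS and fake_server are constructed stand-ins for the API."""
from __future__ import annotations

from datetime import datetime, timezone
from typing import Any, Callable, Iterator

MAX_PAGE_SIZE = 1000                        # page: "Size is limited to 1000"
DATE_FMT = "%Y-%m-%dT%H:%M:%S.000+00:00"    # format: date-time, as in the page's example


def build_search_body(query: str, size: int, sort_field: str = "lastSeen", asc: bool = True,
                      from_date: datetime | None = None, to_date: datetime | None = None,
                      search_after: list[str] | None = None,
                      fields: list[str] | None = None) -> dict[str, Any]:
    """Return a request body, rejecting sizes the API would refuse or answer with no results."""
    if not 1 <= size <= MAX_PAGE_SIZE:
        # size defaults to 0 and "no results will be returned"; above 1000 is out of range
        raise ValueError(f"size must be between 1 and {MAX_PAGE_SIZE}, got {size}")
    body: dict[str, Any] = {
        "query": query,
        "size": size,
        # one Order struct: sort field plus direction; searchAfter cursors refer to this field
        "sort": [{"field": sort_field, "asc": asc}],
    }
    if fields:
        body["fields"] = list(fields)
    if from_date is not None:
        body["fromDate"] = from_date.astimezone(timezone.utc).strftime(DATE_FMT)
    if to_date is not None:
        body["toDate"] = to_date.astimezone(timezone.utc).strftime(DATE_FMT)
    if search_after:
        body["searchAfter"] = list(search_after)
    return body


def iterate_indicators(send: Callable[[dict[str, Any]], dict[str, Any]],
                       body: dict[str, Any]) -> Iterator[dict[str, Any]]:
    """Yield every indicator, re-sending the body with the previous page's searchAfter cursor."""
    body = dict(body)
    body.pop("searchBefore", None)  # never mix a prev-page cursor into a forward walk
    while True:
        page = send(body)
        results = page.get("results", [])       # assumed response key
        yield from results
        cursor = page.get("searchAfter")        # assumed response key
        if len(results) < body["size"] or not cursor:
            return                              # short page or no cursor: last page reached
        body = {**body, "searchAfter": cursor}


# Constructed sample data standing in for the server's indicator index.
SAMPLE_INDICATORS = [
    {"id": str(i), "value": f"198.51.100.{i}", "lastSeen": f"2024-01-{i:02d}T00:00:00.000+00:00"}
    for i in range(1, 8)
]


def fake_server(body: dict[str, Any]) -> dict[str, Any]:
    """Offline stand-in for the endpoint: honours size, a single sort field and searchAfter."""
    size = body.get("size", 0)
    if size == 0:                               # page: default size 0 returns nothing
        return {"results": [], "searchAfter": None}
    order = body["sort"][0]
    field, asc = order["field"], order["asc"]
    hits = sorted(SAMPLE_INDICATORS, key=lambda h: h[field], reverse=not asc)
    if body.get("searchAfter"):
        after = body["searchAfter"][0]          # sort value of the last hit on the previous page
        hits = [h for h in hits if (h[field] > after if asc else h[field] < after)]
    page = hits[:size]
    return {"results": page, "searchAfter": [page[-1][field]] if page else None}


if __name__ == "__main__":
    req = build_search_body("type:IP", size=3, sort_field="lastSeen", asc=True)
    for ioc in iterate_indicators(fake_server, req):
        print(ioc["id"], ioc["value"], ioc["lastSeen"])
```

Paging by cursor rather than by page number matters for detection tooling that exports indicators on a schedule: if new indicators land while the walk is in progress, page offsets shift and entries are skipped or duplicated, whereas a searchAfter cursor pinned to the sort field stays stable.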
Responses