Search indicators

Cortex XSOAR 6 API

post /indicators/search

Search indicators by filter

CURL
curl -X POST \
  -H "Authorization: [[apiKey]]" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://hostname:443/indicators/search" \
  -d '{
  "query" : "query",
  "size" : 5,
  "page" : 6,
  "sort" : [ { "asc" : true, "field" : "field", "fieldType" : "fieldType" },
             { "asc" : true, "field" : "field", "fieldType" : "fieldType" } ],
  "fields" : [ "fields", "fields" ],
  "filterobjectquery" : "filterobjectquery",
  "fromDate" : "2000-01-23T04:56:07.000+00:00",
  "toDate" : "2000-01-23T04:56:07.000+00:00",
  "fromDateLicense" : "2000-01-23T04:56:07.000+00:00",
  "timeFrame" : 5,
  "period" : { "fromValue" : "fromValue", "toValue" : "toValue", "byFrom" : "byFrom", "field" : "field", "by" : "by", "byTo" : "byTo" },
  "firstSeen" : {
    "fromDate" : "2000-01-23T04:56:07.000+00:00",
    "toDate" : "2000-01-23T04:56:07.000+00:00",
    "fromDateLicense" : "2000-01-23T04:56:07.000+00:00",
    "timeFrame" : 0,
    "period" : { "fromValue" : "fromValue", "toValue" : "toValue", "byFrom" : "byFrom", "field" : "field", "by" : "by", "byTo" : "byTo" }
  },
  "lastSeen" : {
    "fromDate" : "2000-01-23T04:56:07.000+00:00",
    "toDate" : "2000-01-23T04:56:07.000+00:00",
    "fromDateLicense" : "2000-01-23T04:56:07.000+00:00",
    "timeFrame" : 0,
    "period" : { "fromValue" : "fromValue", "toValue" : "toValue", "byFrom" : "byFrom", "field" : "field", "by" : "by", "byTo" : "byTo" }
  },
  "earlyTimeInPage" : "2000-01-23T04:56:07.000+00:00",
  "laterTimeInPage" : "2000-01-23T04:56:07.000+00:00",
  "prevPage" : true,
  "searchAfter" : [ "searchAfter", "searchAfter" ],
  "searchBefore" : [ "searchBefore", "searchBefore" ],
  "searchAfterElastic" : [ "searchAfterElastic", "searchAfterElastic" ],
  "searchBeforeElastic" : [ "searchBeforeElastic", "searchBeforeElastic" ],
  "searchAfterMap" : { "key" : [ "searchAfterMap", "searchAfterMap" ] },
  "searchAfterMapOrder" : { "key" : 1 },
  "accounts" : { "key" : "{}" },
  "Cache" : { "key" : [ "Cache", "Cache" ] },
  "ignoreWorkers" : true,
  "trim_events" : 2
}'
Authentication: API key (scheme api_key), sent in the "Authorization" request header
Request
Body
optional
Cache
optional
Map
Cache of join functions
accounts
optional
Map of objects
earlyTimeInPage
optional
Object
format: date-time
fields
optional
Array of strings
filterobjectquery
optional
String
firstSeen
optional
DateRangeFilter provides common fields for date filtering
fromDate
optional
Object
format: date-time
fromDateLicense
optional
Object
format: date-time
period
optional
by
optional
String
By is kept for legacy compatibility; if present, it overrides ByTo and ByFrom
byFrom
optional
String
byTo
optional
String
field
optional
String
fromValue
optional
String
format: duration
toValue
optional
String
format: duration
timeFrame
optional
Number (Long)
A Duration represents the elapsed time between two instants as an int64 nanosecond count. The representation limits the largest representable duration to approximately 290 years. format: int64
toDate
optional
Object
format: date-time
fromDate
optional
Object
format: date-time
fromDateLicense
optional
Object
format: date-time
ignoreWorkers
optional
Boolean
Do not use the workers mechanism when searching the Bleve index
lastSeen
optional
DateRangeFilter provides common fields for date filtering
fromDate
optional
Object
format: date-time
fromDateLicense
optional
Object
format: date-time
period
optional
by
optional
String
By is kept for legacy compatibility; if present, it overrides ByTo and ByFrom
byFrom
optional
String
byTo
optional
String
field
optional
String
fromValue
optional
String
format: duration
toValue
optional
String
format: duration
timeFrame
optional
Number (Long)
A Duration represents the elapsed time between two instants as an int64 nanosecond count. The representation limits the largest representable duration to approximately 290 years. format: int64
toDate
optional
Object
format: date-time
laterTimeInPage
optional
Object
format: date-time
page
optional
Number (Long)
0-based page format: int64
period
optional
by
optional
String
By is kept for legacy compatibility; if present, it overrides ByTo and ByFrom
byFrom
optional
String
byTo
optional
String
field
optional
String
fromValue
optional
String
format: duration
toValue
optional
String
format: duration
prevPage
optional
Boolean
Multi-tenant (MT) support: this field, together with earlyTimeInPage and laterTimeInPage, is used for indicator search by calculatedTime
query
optional
String
searchAfter
optional
Array of strings
Efficient next page, pass max sort value from previous page
searchAfterElastic
optional
Array of strings
Efficient next page, pass max ES sort value from previous page
searchAfterMap
optional
Map
Per-account searchAfter values: stores the next-page sort values for each account. There is no need to store a searchBeforeMap, because the current page's searchBefore equals the previous page's searchAfter. Moreover, a correct searchBefore cannot be generated from the current page, since some tenants may not appear in it at all. The map is relevant in proxy mode and is used by tenants; each tenant extracts its own searchAfter keys from the map.
searchAfterMapOrder
optional
Map of numbers (Long)
format: int64
searchBefore
optional
Array of strings
Efficient prev page, pass min sort value from next page
searchBeforeElastic
optional
Array of strings
Efficient prev page, pass min ES sort value from next page
size
optional
Number (Long)
Size is limited to 1000. If not passed it defaults to 0, and no results are returned. format: int64
sort
optional
Array
The sort order
Order struct holds a sort field and the direction of sorting
asc
optional
Boolean
field
optional
String
fieldType
optional
String
timeFrame
optional
Number (Long)
A Duration represents the elapsed time between two instants as an int64 nanosecond count. The representation limits the largest representable duration to approximately 290 years. format: int64
toDate
optional
Object
format: date-time
trim_events
optional
Number (Long)
format: int64
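The request-body fields above leave the two practical traps implicit: a missing size is 0 (so the call "succeeds" with no results), and page-number paging is the slow path, with searchAfter fed from the previous page's sortValues being the efficient one. The following Python client is an added example, not code from the page or from Palo Alto Networks; it assumes an XSOAR 6 host reachable over HTTPS, a Lucene-style query string such as "type:IP and score:3" (assumed syntax), and that each returned IocObject carries sortValues for the cursor. The sample response pages and the offline fake poster are constructed for the demonstration.

```python
"""Client for Cortex XSOAR 6 POST /indicators/search with searchAfter paging (added example)."""
import json
import ssl
import urllib.request
from datetime import datetime
from typing import Any, Callable, Dict, Iterator, List, Optional

PAGE_SIZE_LIMIT = 1000  # documented hard limit on "size"
# A poster takes (path, json_body) and returns the decoded JSON response.
Poster = Callable[[str, Dict[str, Any]], Dict[str, Any]]


def build_search_body(query: str, size: int, sort_field: str = "modified", asc: bool = False,
                      search_after: Optional[List[str]] = None,
                      last_seen_from: Optional[datetime] = None) -> Dict[str, Any]:
    """Build the request body. 'size' is mandatory in practice: it defaults to 0, which returns nothing."""
    if not 1 <= size <= PAGE_SIZE_LIMIT:
        raise ValueError(f"size must be between 1 and {PAGE_SIZE_LIMIT}, got {size}")
    body: Dict[str, Any] = {"query": query, "size": size,
                            "sort": [{"field": sort_field, "asc": asc}]}
    if search_after:
        body["searchAfter"] = search_after  # sortValues of the last object on the previous page
    if last_seen_from is not None:
        # lastSeen is a DateRangeFilter; fromDate is an RFC 3339 date-time
        body["lastSeen"] = {"fromDate": last_seen_from.isoformat()}
    return body


def make_http_poster(base_url: str, api_key: str, verify_tls: bool = True) -> Poster:
    """Real transport: the API key goes in the Authorization header, body is JSON."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab instances with self-signed certs only; never in production
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def post(path: str, body: Dict[str, Any]) -> Dict[str, Any]:
        req = urllib.request.Request(
            base_url.rstrip("/") + path, data=json.dumps(body).encode(), method="POST",
            headers={"Authorization": api_key, "Accept": "application/json",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)
    return post


def iter_indicators(post: Poster, query: str, page_size: int = 200,
                    sort_field: str = "modified", **kwargs: Any) -> Iterator[Dict[str, Any]]:
    """Yield every IocObject for query, paging with searchAfter instead of page numbers."""
    search_after: Optional[List[str]] = None
    while True:
        body = build_search_body(query, page_size, sort_field, search_after=search_after, **kwargs)
        result = post("/indicators/search", body)
        for err in result.get("accountErrors") or []:
            raise RuntimeError(f"XSOAR account error: {err}")  # a tenant failed; do not drop it silently
        objects = result.get("iocObjects") or []
        yield from objects
        if len(objects) < page_size:
            return  # short page: nothing further
        search_after = objects[-1].get("sortValues")
        if not search_after:
            return  # no cursor in the response: stop rather than re-read page one forever


def summarize(ioc: Dict[str, Any]) -> Dict[str, Any]:
    """Pick the fields an analyst usually wants from an IocObject."""
    return {"value": ioc.get("value"), "type": ioc.get("indicator_type"),
            "score": ioc.get("score"), "expiration": ioc.get("expirationStatus")}


# Constructed sample response pages (not real XSOAR data); documentation-range addresses.
SAMPLE_PAGES: List[List[Dict[str, Any]]] = [
    [{"id": "1", "value": "198.51.100.7", "indicator_type": "IP", "score": 3,
      "expirationStatus": "active", "sortValues": ["1700000000000", "1"]},
     {"id": "2", "value": "203.0.113.9", "indicator_type": "IP", "score": 3,
      "expirationStatus": "active", "sortValues": ["1699990000000", "2"]}],
    [{"id": "3", "value": "192.0.2.44", "indicator_type": "IP", "score": 2,
      "expirationStatus": "expired", "sortValues": ["1699980000000", "3"]}],
]


def fake_xsoar_poster(pages: List[List[Dict[str, Any]]]) -> Poster:
    """Offline stand-in for the API: serves one constructed page per call and records each body."""
    calls: List[Dict[str, Any]] = []

    def post(path: str, body: Dict[str, Any]) -> Dict[str, Any]:
        calls.append(body)
        idx = len(calls) - 1
        return {"iocObjects": pages[idx] if idx < len(pages) else [],
                "total": sum(len(p) for p in pages)}
    post.calls = calls  # type: ignore[attr-defined]
    return post


def demo(page_size: int = 2):
    """Run the pager against the constructed pages; returns (summaries, request bodies sent)."""
    post = fake_xsoar_poster(SAMPLE_PAGES)
    rows = [summarize(i) for i in iter_indicators(post, "type:IP and score:3", page_size=page_size)]
    return rows, post.calls  # type: ignore[attr-defined]
```

To run against a real instance, swap the fake poster for make_http_poster("https://hostname:443", api_key) and keep verify_tls=True; the pager stops on a short page or on a response without sortValues, so a server that drops the cursor cannot make it loop. Pass last_seen_from=datetime.now(timezone.utc) - timedelta(hours=24) to restrict the search with the lastSeen DateRangeFilter instead of post-filtering client-side.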
Responses

indicatorResult

Body
accountErrors
optional
Array of strings
iocObjects
optional
Array
IocObject - represents an Ioc (or simply an indicator) object
CustomFields
optional
Map of objects
The keys should be the field's display name, all lowercase and without spaces; for example, Scan IP -> scanip. To get the actual key name you can also open the Cortex XSOAR CLI, run /incident_add and look for the key that you would like to update.
account
optional
String
aggregatedReliability
optional
String
cacheVersn
optional
Number (Long)
format: int64
calculatedTime
optional
Object
Do not set the fields below this line. format: date-time
comment
optional
String
comments
optional
Array
cacheVersn
optional
Number (Long)
format: int64
category
optional
String
content
optional
String
created
optional
Object
format: date-time
entryId
optional
String
highlight
optional
Map
id
optional
String
indexName
optional
String
modified
optional
Object
format: date-time
numericId
optional
Number (Long)
format: int64
primaryTerm
optional
Number (Long)
format: int64
sequenceNumber
optional
Number (Long)
format: int64
sizeInBytes
optional
Number (Long)
format: int64
sortValues
optional
Array of strings
source
optional
String
syncHash
optional
String
type
optional
String
user
optional
String
version
optional
Number (Long)
format: int64
created
optional
Object
format: date-time
deletedFeedFetchTime
optional
Object
format: date-time
expiration
optional
Object
format: date-time
expirationSource
optional
brand
optional
String
expirationInterval
optional
Number (Long)
format: int64
expirationPolicy
optional
String
instance
optional
String
moduleId
optional
String
setTime
optional
Object
format: date-time
source
optional
String
user
optional
String
expirationStatus
optional
String
firstSeen
optional
Object
format: date-time
firstSeenEntryID
optional
String
highlight
optional
Map
id
optional
String
indexName
optional
String
indicator_type
optional
String
insightCache
optional
InsightCache - maps an insight name to all its metadata; the name is case-insensitive
cacheVersn
optional
Number (Long)
format: int64
created
optional
Object
format: date-time
highlight
optional
Map
id
optional
String
indexName
optional
String
modified
optional
Object
format: date-time
numericId
optional
Number (Long)
format: int64
primaryTerm
optional
Number (Long)
format: int64
scores
optional
Map
DBotScore - Contain the score of a specific brand for a specific insight
content
optional
String
contentFormat
optional
String
context
optional
Map of objects
isTypedIndicator
optional
Boolean
reliability
optional
String
score
optional
Number (Long)
format: int64
scoreChangeTimestamp
optional
Object
Tracks when the score last changed, so that it is known whether the overall score must be re-calculated. format: date-time
timestamp
optional
Object
format: date-time
type
optional
String
sequenceNumber
optional
Number (Long)
format: int64
sizeInBytes
optional
Number (Long)
format: int64
sortValues
optional
Array of strings
syncHash
optional
String
version
optional
Number (Long)
format: int64
investigationIDs
optional
Array of strings
isDetectable
optional
Boolean
isPreventable
optional
Boolean
isShared
optional
Boolean
lastReputationRun
optional
Object
format: date-time
lastSeen
optional
Object
format: date-time
lastSeenEntryID
optional
String
manualExpirationTime
optional
Object
format: date-time
manualScore
optional
Boolean
manualSetTime
optional
Object
format: date-time
manuallyEditedFields
optional
Array of strings
modified
optional
Object
format: date-time
modifiedTime
optional
Object
format: date-time
moduleToFeedMap
optional
Map
ExpirationSource
optional
brand
optional
String
expirationInterval
optional
Number (Long)
format: int64
expirationPolicy
optional
String
instance
optional
String
moduleId
optional
String
setTime
optional
Object
format: date-time
source
optional
String
user
optional
String
bypassExclusionList
optional
Boolean
classifierId
optional
String
classifierVersion
optional
Number (Long)
format: int64
comments
optional
Array
content
optional
String
created
optional
Object
format: date-time
id
optional
String
user
optional
String
expirationInterval
optional
Number (Long)
format: int64
expirationPolicy
optional
String
fetchTime
optional
Object
format: date-time
fields
optional
Map of objects
The keys should be the field's display name, all lowercase and without spaces; for example, Scan IP -> scanip. To get the actual key name you can also open the Cortex XSOAR CLI, run /incident_add and look for the key that you would like to update.
isEnrichment
optional
Boolean
mapperId
optional
String
mapperVersion
optional
Number (Long)
format: int64
modifiedTime
optional
Object
format: date-time
moduleId
optional
String
rawJSON
optional
Map of objects
relationships
optional
Array
brand
optional
String
entityA
optional
String
entityAFamily
optional
String
entityAType
optional
String
entityB
optional
String
entityBFamily
optional
String
entityBType
optional
String
fields
optional
Map of objects
The keys should be the field's display name, all lowercase and without spaces; for example, Scan IP -> scanip. To get the actual key name you can also open the Cortex XSOAR CLI, run /incident_add and look for the key that you would like to update.
id
optional
String
instance
optional
String
name
optional
String
reliability
optional
String
reverseName
optional
String
startTime
optional
Object
format: date-time
type
optional
String
reliability
optional
String
score
optional
Number (Long)
format: int64
sourceBrand
optional
String
sourceInstance
optional
String
timestamp
optional
Object
format: date-time
type
optional
String
value
optional
String
numericId
optional
Number (Long)
format: int64
primaryTerm
optional
Number (Long)
format: int64
relatedIncCount
optional
Number (Long)
format: int64
score
optional
Number (Long)
format: int64
sequenceNumber
optional
Number (Long)
format: int64
setBy
optional
String
sizeInBytes
optional
Number (Long)
format: int64
sortValues
optional
Array of strings
source
optional
String
sourceBrands
optional
Array of strings
sourceInstances
optional
Array of strings
syncHash
optional
String
timestamp
optional
Object
format: date-time
value
optional
String
version
optional
Number (Long)
format: int64
total
optional
Number (Long)
format: int64
totalAccounts
optional
Number (Long)
format: int64