IndicatorFilter

Cortex XSOAR API

IndicatorFilter is a general-purpose filter that fetches entities with a query-string query supplied in the query field.

Fields (all optional), listed as name - type or format - description:

Cache - Cache - Cache of join functions.
accounts
earlyTimeInPage - format: date-time
fields
filterobjectquery
firstSeen - DateRangeFilter
fromDate - format: date-time
fromDateLicense - format: date-time
ignoreWorkers - Do not use the workers mechanism while searching bleve.
lastSeen - DateRangeFilter
laterTimeInPage - format: date-time
page - format: int64 - 0-based page.
period - Period
prevPage - MT support: these fields are for indicator search according to calculatedTime.
query
searchAfter - Efficient next page; pass the max sort value from the previous page.
searchAfterElastic - Efficient next page; pass the max ES sort value from the previous page.
searchAfterMap - Map of per-account searchAfter values: stores the next page's sort values per account. There is no need to store a searchBeforeMap, because the current page's searchBefore equals the previous page's searchAfter. Moreover, a correct searchBefore cannot be generated from the current page, since some tenants may not appear in it at all. The map is relevant in proxy mode and is used by tenants; each tenant extracts its searchAfter keys from the map.
searchAfterMapOrder - format: int64
searchBefore - Efficient previous page; pass the min sort value from the next page.
searchBeforeElastic - Efficient previous page; pass the min ES sort value from the next page.
size - format: int64 - Limited to 1000; if not passed it defaults to 0 and no results are returned.
sort - array[Order] - The sort order.
timeFrame - format: int64 - A Duration represents the elapsed time between two instants as an int64 nanosecond count; the representation limits the largest representable duration to approximately 290 years.
toDate - format: date-time
trim_events - format: int64
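An added example, not part of the Cortex XSOAR documentation, showing how a client would build this filter and page through results with searchAfter while guarding against the size-0 default that returns nothing. It assumes Order carries `field` and `asc`, that the search response returns `iocObjects` plus a top-level `searchAfter`, and it uses a constructed in-memory stand-in for the API rather than a live endpoint.

```python
"""Build an IndicatorFilter body and page through results with searchAfter."""
from typing import Any, Callable, Dict, Iterator, List, Optional

MAX_SIZE = 1000  # size is limited to 1000 per the IndicatorFilter definition


def build_indicator_filter(query: str, size: int, sort_field: str = "calculatedTime",
                           asc: bool = False,
                           search_after: Optional[List[Any]] = None) -> Dict[str, Any]:
    """Return an IndicatorFilter body; rejects sizes that return nothing or exceed the cap."""
    if not 1 <= size <= MAX_SIZE:
        raise ValueError(f"size must be 1..{MAX_SIZE}; 0 (the default) returns no results")
    body: Dict[str, Any] = {
        "query": query,
        "size": size,
        # Order's member names (field/asc) are assumed here; the page only names the type.
        "sort": [{"field": sort_field, "asc": asc}],
    }
    if search_after is not None:
        body["searchAfter"] = search_after  # max sort value from the previous page
    return body


def iter_indicators(fetch: Callable[[Dict[str, Any]], Dict[str, Any]], query: str,
                    size: int = 200) -> Iterator[Dict[str, Any]]:
    """Yield indicators across pages. `fetch` submits one filter body and returns the
    response dict; the response keys iocObjects/searchAfter are assumptions, not stated here."""
    search_after: Optional[List[Any]] = None
    while True:
        page = fetch(build_indicator_filter(query, size, search_after=search_after))
        objs = page.get("iocObjects") or []
        yield from objs
        if len(objs) < size or page.get("searchAfter") is None:
            return  # short page means the result set is exhausted
        search_after = page["searchAfter"]


# Constructed sample data (TEST-NET-2 addresses), not real indicators.
SAMPLE = [{"value": f"198.51.100.{i}", "calculatedTime": 1_700_000_000 + i} for i in range(5)]


def fake_fetch(store: List[Dict[str, Any]]) -> Callable[[Dict[str, Any]], Dict[str, Any]]:
    """Constructed stand-in for the API: serves `store` by calculatedTime descending."""
    def fetch(body: Dict[str, Any]) -> Dict[str, Any]:
        ordered = sorted(store, key=lambda o: o["calculatedTime"], reverse=True)
        after = body.get("searchAfter")
        if after is not None:  # resume strictly after the previous page's max sort value
            ordered = [o for o in ordered if o["calculatedTime"] < after[0]]
        page = ordered[: body["size"]]
        return {"iocObjects": page,
                "searchAfter": [page[-1]["calculatedTime"]] if page else None}
    return fetch
```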