Search Indicators

GET /1.3/indicators/search

or

POST /1.3/indicators/search

Note

This endpoint can also be used to browse through indicators, by not applying a search term.

Warning

Returns a maximum of 10,000 results per request. Time ranges are limited to 1 year maximum. To query a range longer than 1 year, break the query into multiple calls, one per 1-year window.

Description

Searches for all indicators that contain the given search term. Also allows filtering by date, enclave, and tags. Results are ordered by last seen time, descending.

Parameters

The search term can be given either as a query string parameter (e.g. GET /indicators/search?searchTerm="abc") or in the JSON body of a POST request (e.g. POST /indicators/search {"searchTerm": "abc"}).

Parameter    | Required | Default                                  | Description
------------ | -------- | ---------------------------------------- | -----------
searchTerm   | no       | (none)                                   | The term to search for. If empty, no search term is applied and all indicators matching the other filters are returned. Otherwise, must be at least 3 characters in length.
enclaveIds   | no       | All enclaves the user has READ access to | Comma-separated list of enclave ids; only indicators found in reports from these enclaves are returned (defaults to all of the user's enclaves).
entityTypes  | no       | All entity types                         | Comma-separated list of entity/indicator types to filter by. See "Indicator Types" on the Indicator page for the list of available indicator/entity types.
from         | no       | 1 day ago                                | Start of the time window (Unix timestamp, milliseconds since epoch). Values more than 1 year before the 'to' value are truncated so that the time range is at most 1 year.
to           | no       | current time                             | End of the time window (Unix timestamp, milliseconds since epoch).
tags         | no       | (none)                                   | A list of tag names to filter by; only indicators containing ALL of these tags are returned.
excludedTags | no       | (none)                                   | Indicators containing ANY of these tags are excluded from the results.
pageNumber   | no       | 0                                        | Which page of the result set to get.
pageSize     | no       | 100                                      | The number of results per page. Max allowed size is 1000.

Response (200)

A page of Indicator objects.

Example Usage

Request

curl -k -H "Authorization: Bearer {access_token}" \
   "https://api.trustar.co/api/1.3/indicators/search?searchTerm=abc"

Response

{
    "pageNumber": 0,
    "totalPages": 1,
    "pageSize": 25,
    "totalElements": 2,
    "items": [
        {
            "value": "95914f3cb47e2d200408456abc2fc277",
            "type": "MD5",
            "priorityLevel": "LOW"
        },
        {
            "value": "www.abcxyz1235.com",
            "type": "URL",
            "priorityLevel": "NOT_FOUND"
        }
    ]
}