Search Indicators

POST /1.3/indicators/search

Note

This endpoint can also be used to browse through indicators, by not applying a search term.

Warning

A single search can page through at most 10,000 IOCs. A “500” error occurs when requesting the page after the one that contains the 10,000th IOC. If a query might yield more than 10k IOCs, break it into multiple smaller queries.

Warning

Time ranges are limited to 1 year maximum. To search time ranges larger than 1 year, run multiple searches.

Description

Searches for all indicators that contain the given search term. Also allows filtering by date, enclave, type, and tags. Results are ordered by last seen time, descending.

Parameters

Note: Only the searchTerm may be given either as a query string parameter (e.g. POST /indicators/search?searchTerm=test) or in the JSON body of a POST request (e.g. POST /indicators/search {"searchTerm": "abc"}). All other parameters must be passed as query string parameters.

searchTerm
   Required: no   Default: none
   The string to search for; must be at least 3 characters in length. If empty or shorter than 3 characters, no search term is applied and all indicators matching the other filters are returned.

enclaveIds
   Required: no   Default: all enclaves the user has READ access to
   Comma-separated list of enclave IDs; only indicators found in reports from these enclaves are returned (defaults to all of the user’s enclaves).

entityTypes
   Required: no   Default: all entity types
   Comma-separated list of entity/indicator types to filter by. See “Indicator Types” on the Indicator page for the list of available indicator/entity types.

from
   Required: no   Default: see table below
   Start of the time window (Unix timestamp, milliseconds since epoch). Values more than 1 year before “to” are truncated so that the time range is at most 1 year.

to
   Required: no   Default: see table below
   End of the time window (Unix timestamp, milliseconds since epoch).

tags
   Required: no   Default: none
   A list of tag names to filter by; only indicators containing ALL of these tags are returned.

excludedTags
   Required: no   Default: none
   Indicators containing ANY of these tags are excluded from the results.

pageNumber
   Required: no   Default: 0
   Which page of the result set to get. Do not page past result 10,000.

pageSize
   Required: no   Default: 100
   The number of results per page. Maximum allowed size is 1000.

Searching vs. Scrolling

all = all IOCs that match other filter criteria (tags/type/enclaves)

matches = searchTerm string matches that also match other filters (tags/type/enclaves)

searchTerm  from  to   Behavior
-           -     -    all; now - 24hrs < lastSeen < now.
-           y     -    all; “from” < lastSeen < “from” + 24hrs.
-           -     y    all; “to” - 24hrs < lastSeen < “to”.
-           y     y    all; “from” < lastSeen < “to”. If (“from” → “to”) > 1 year, “from” is auto-adjusted to “to” - 1 year.
y           -     -    matches; now - 1 year < lastSeen < now.
y           y     -    matches; “from” < lastSeen < “from” + 24hrs.
y           -     y    matches; “to” - 24hrs < lastSeen < “to”.
y           y     y    matches; “from” < lastSeen < “to”. If (“from” → “to”) > 1 year, “from” is auto-adjusted to “to” - 1 year.

Response (200)

A page of Indicator objects.

Note

priorityLevel is present in the response but is deprecated.

Example Usage: Searching

Request

curl -k -H "Authorization: Bearer {access_token}" \
   -H "Content-Type: application/json" \
   -d '{"searchTerm": "172.68.11"}'  \
   -X POST "https://api.trustar.co/api/1.3/indicators/search"

Response

{
   "pageNumber":0,
   "totalPages":1,
   "pageSize":100,
   "totalElements":4,
   "items":[
      {
         "indicatorType":"CIDR_BLOCK",
         "value":"172.68.11.219/32",
         "priorityLevel":"NOT_FOUND",
         "guid":"CIDR_BLOCK|172.68.11.219/32",
         "firstSeen": 1610726516000,
         "lastSeen": 1623772916000
      },
      {
         "indicatorType":"IP",
         "value":"172.68.11.219",
         "priorityLevel":"NOT_FOUND",
         "guid":"IP|172.68.11.219",
         "firstSeen": 1610726516000,
         "lastSeen": 1623772916000
      },
      {
         "indicatorType":"IP",
         "value":"172.68.11.231",
         "priorityLevel":"NOT_FOUND",
         "guid":"IP|172.68.11.231",
         "firstSeen": 1610726516000,
         "lastSeen": 1623772916000
      },
      {
         "indicatorType":"IP",
         "value":"172.68.11.17",
         "priorityLevel":"NOT_FOUND",
         "guid":"IP|172.68.11.17",
         "firstSeen": 1610726516000,
         "lastSeen": 1623772916000
      }
   ],
   "empty":false,
   "hasNext":false
}

Example Usage: Scrolling

Request

curl -k -H "Authorization: Bearer {access_token}" \
   -H "Content-Type: application/json" \
   -X POST "https://api.trustar.co/api/1.3/indicators/search"

Response

{
   "pageNumber":0,
   "totalPages":69735,
   "pageSize":100,
   "totalElements":6973492,
   "items":[
      {
         "indicatorType":"IP",
         "value":"45.159.255.255",
         "priorityLevel":"NOT_FOUND",
         "guid":"IP|45.159.255.255",
         "firstSeen": 1610726516000,
         "lastSeen": 1623772916000
      },
      {
         "indicatorType":"URL",
         "value":"https://apps.db.ripe.net/search/query.html",
         "priorityLevel":"NOT_FOUND",
         "guid":"URL|https://apps.db.ripe.net/search/query.html",
         "firstSeen": 1610726516000,
         "lastSeen": 1623772916000
      },
      {
         "indicatorType":"URL",
         "value":"http://e9.keff.org/",
         "priorityLevel":"NOT_FOUND",
         "guid":"URL|http://e9.keff.org/",
         "firstSeen": 1610726516000,
         "lastSeen": 1623772916000
      },

      [ ***100 Indicator resources in this list*** ]

   ],
   "empty":false,
   "hasNext":true
}
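The scrolling response above reports 6,973,492 matching indicators, far beyond the 10,000 IOCs a single search can page through and, for long time ranges, beyond the 1 year window limit. The following client, added here as an example and not part of the TruSTAR API or its SDK, shows how a caller honours both limits: it splits the requested range into windows of at most one year, pages each window with the documented pageNumber/pageSize parameters, stops before requesting the page after the 10,000th IOC, and halves any window that hits that ceiling. The `post` callable, `make_fake_post`, the 365-day definition of “1 year” and the 25,000 constructed sample indicators are assumptions of this example; in live use `post` would be a thin wrapper that calls `requests.post` with the same keyword arguments and returns the decoded JSON page.

```python
# Client-side paging for POST /1.3/indicators/search (added example, not TruSTAR code).
from typing import Callable, Dict, List, Optional, Tuple

API_URL = "https://api.trustar.co/api/1.3/indicators/search"  # endpoint from the page
MAX_RESULTS = 10_000   # documented ceiling: the page after the 10,000th IOC is a 500
MAX_PAGE_SIZE = 1000   # documented maximum pageSize
ONE_YEAR_MS = 365 * 24 * 60 * 60 * 1000  # assumption: "1 year" taken as 365 days
Page = Dict[str, object]
PostFn = Callable[..., Page]  # called like requests.post; returns the decoded JSON page


def split_time_range(from_ms: int, to_ms: int, span_ms: int = ONE_YEAR_MS) -> List[Tuple[int, int]]:
    """Cut the range into windows with to - from <= span_ms. Both bounds are exclusive
    ("from" < lastSeen < "to"), so consecutive windows share one boundary millisecond."""
    windows, lo = [], from_ms
    while lo + 1 < to_ms:                    # (lo, lo + 1) can match nothing
        hi = min(lo + span_ms, to_ms)
        windows.append((lo, hi))
        lo = hi - 1
    return windows


def search_window(post: PostFn, token: str, from_ms: int, to_ms: int,
                  search_term: Optional[str] = None, enclave_ids: Optional[List[str]] = None,
                  page_size: int = MAX_PAGE_SIZE) -> Tuple[List[Page], bool]:
    """Page through one window. Returns (items, truncated); truncated=True means the
    window holds more than 10,000 IOCs and must be narrowed instead of paged further."""
    page_size = min(page_size, MAX_PAGE_SIZE)
    last_page = MAX_RESULTS // page_size - 1    # pages 0..last_page hold IOCs 1..10,000
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    body: Dict[str, str] = {}
    if search_term and len(search_term) >= 3:   # shorter terms are ignored server-side
        body["searchTerm"] = search_term         # searchTerm may travel in the JSON body;
    items: List[Page] = []                       # every other filter is a query parameter
    page = 0
    while True:
        params: Dict[str, object] = {"from": from_ms, "to": to_ms,
                                     "pageNumber": page, "pageSize": page_size}
        if enclave_ids:
            params["enclaveIds"] = ",".join(enclave_ids)
        resp = post(API_URL, headers=headers, params=params, json=body)
        items.extend(resp.get("items", []))
        if not resp.get("hasNext"):
            return items, False
        if page >= last_page:                    # never ask for the page that returns a 500
            return items, True
        page += 1


def search_indicators(post: PostFn, token: str, from_ms: int, to_ms: int, **filters) -> List[Page]:
    """Run the search over as many windows as needed and merge the pages."""
    results: List[Page] = []
    pending = split_time_range(from_ms, to_ms)
    while pending:
        lo, hi = pending.pop()
        items, truncated = search_window(post, token, lo, hi, **filters)
        if not truncated:
            results.extend(items)
        elif hi - lo >= 4:                       # halve, overlapping 1 ms (exclusive bounds)
            mid = (lo + hi) // 2
            pending.extend([(lo, mid), (mid - 1, hi)])
        else:
            raise RuntimeError(f"more than {MAX_RESULTS} IOCs share a lastSeen near {lo}")
    return results


# --- constructed stand-in for the endpoint so the example runs offline (not a real server) ---
NOW_MS = 1623772916000                   # the lastSeen value from the page's sample response
START_MS = NOW_MS - 2 * ONE_YEAR_MS      # two years: forces a split into several windows
SPACING_MS = (NOW_MS - START_MS) // 25_000
SAMPLE_INDICATORS: List[Page] = [        # 25,000 constructed IPs, 12,500 per year (> 10,000)
    {"indicatorType": "IP", "value": f"10.0.{n >> 8}.{n & 255}", "guid": f"IP|10.0.{n >> 8}.{n & 255}",
     "firstSeen": START_MS + 1 + n * SPACING_MS, "lastSeen": START_MS + 1 + n * SPACING_MS}
    for n in range(25_000)
]


def make_fake_post(indicators: List[Page], max_results: int = MAX_RESULTS) -> PostFn:
    """Imitates the documented behaviour: substring searchTerm, exclusive window, "from"
    clamped to "to" - 1 year, lastSeen descending, and a 500 past the 10,000th IOC."""
    def post(url, headers=None, params=None, json=None) -> Page:
        term = (json or {}).get("searchTerm")
        lo = max(params["from"], params["to"] - ONE_YEAR_MS)
        hits = [i for i in indicators
                if lo < i["lastSeen"] < params["to"] and (term is None or term in i["value"])]
        hits.sort(key=lambda i: i["lastSeen"], reverse=True)
        page, size = params["pageNumber"], params["pageSize"]
        if page * size >= max_results:
            raise RuntimeError("500: requested the page after the 10,000th IOC")
        chunk = hits[page * size:(page + 1) * size]
        return {"pageNumber": page, "pageSize": size, "totalElements": len(hits),
                "totalPages": -(-len(hits) // size), "items": chunk,
                "empty": not chunk, "hasNext": (page + 1) * size < len(hits)}
    return post


if __name__ == "__main__":
    fake = make_fake_post(SAMPLE_INDICATORS)
    print(len(search_indicators(fake, "dummy-token", START_MS, NOW_MS)), "indicators collected")
```

Run as a script, the two-year range is first cut into one-year windows; each window holds 12,500 sample indicators, so the pager stops at page 9 and reports the window as truncated, and the caller halves it until every piece fits under the ceiling. The fake endpoint raises on the page the real API answers with a 500, so a paging bug would surface here rather than against the live service.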