POST /search

Authorizations

Authorization
string
headerrequired

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Query Parameters

fields
string[]

Fields to include in the results, in dotted form. For example, "data.actor_name" will include items similar to:

    "items": [{ "data": { "actor_name": "Seller123" } }]

By default, all fields are included in the response.
    
time
string

The time parameter is used to limit results to those found in the provided time span.

Expected format: from@to

Example value: 2019-09-03T04:00:00.000Z@2019-09-14T04:00:00.000Z

size
integer
default: 10

The size parameter is used to limit the number of results returned for the search query.

search_after
string

The search_after parameter is used to paginate through results.

To get the first page of results, omit this parameter. Afterward, include the search_after parameter in your next request with the latest response's search_after value to get the next page of results.

from
string

The from parameter is used to paginate through results.

To get the first page of results, omit this parameter. Afterward, include the from parameter in your next request with the latest response's next value to get the next page of results.

tags
string[]

User-defined tags used to filter search results.

tags_query_operator
string

User-defined operator applied to the tags filter.

types
string[]

Type of activities to search through.

Expected values: attachment, listing, ransomleak, forum_post, forum_topic, forum_profile, blog_post, seller, paste, leak, chat_message, chat_message/telegram, domain, bot, stealer_log, infected_devices, driller, driller_forum_topic, driller_forum_post, driller_profile, cc, ccbin, financial_data, leaked_data, leaked_file, document, account, actor, forum_content, blog_content, profile, illicit_networks, open_web, domains, leaks, social_media_account, social_media_profile, social_media_post, social_media, source_code, source_code_secrets, source_code_files, stack_exchange, google, service, driller_host, buckets, bucket, bucket_object, whois, ad, ads, experimental

Some search types contain others:

  • illicit_networks: seller, listing, bot, ransomleak, forum_profile, forum_post, forum_topic, financial_data, blog_post, chat_message, stealer_log
  • open_web: paste, bucket, google, bucket_object, source_code_files, social_media, stack_exchange, source_code_secrets, service
  • leaks: leak
  • domains: domain

experimental_types
string[]

Type of experimental activities to search through.

event_action
enum<string>
Available options: default, ignored, remediated, risk_score_edited, exclude_ignored, ignored_or_remediated
event_actions
string[]
risks
integer[]
order
enum<string>
default: desc
Available options: asc, desc
sort_by
enum<string>
default: created
Available options: created, indexed, updated, alertable-materialized, materialized, searchable
use_global_policies
boolean
default: true
time_zone
string

The time zone used to compute the statistics.

query
string

Query used to filter results. Search query uses the Lucene query syntax.

has_modified_risk_score
boolean
default: false
has_notes
boolean
default: false

Response

200 - application/json
items
object[]
links
object
nb_hits
integer
search_after
string