Trending Actors

To monitor for trending actors, use the actors index page, with the 'sort' parameter set to one of the following:

trending_1d
trending_7d
trending_30d

Threat Actors Index

get

Endpoint to browse for threat actors, with filters on some criteria.

Query parameters

filterstringOptional

A string used to filter threat actors. It can start with specific prefixes to indicate the type of filter:

name:: Filter by Name, case-insensitive.
uuid:: Filter by UUID, case-insensitive.
internal_name:: Filter by internal_name (exact match).
desc:: Filter by description (searches both description and gen_description fields). If no prefix is provided, it defaults to filtering on the display_name or name fields. Examples:
name:APT
name:lazarus_group
internal_name:m-threat-actor-happy-yellow-dog-a123
lazarus_group
Lazarus Group

offsetintegerOptional

The number of items to skip before starting to collect the result set.

Default: 0

sortstringOptional

Field to sort by - either name, created_at, updated_at, enriched_at, trending_1d, trending_7d, or trending_30d

orderstringOptional

Sort order - either asc or desc

Default: descPattern: ^(asc|desc)$

limitinteger · min: 1Optional

The maximum number of items to return.

Default: 100

include_mergedbooleanOptional

Include entities that have been merged into other entities

Default: false

followedbooleanOptional

When true, returns only threat actors that the tenant is following

Default: false

motivationany ofOptional

Filter on the motivation field by exact match

stringOptional

nullOptional

motivation__neqany ofOptional

Filter on the motivation field for items not equal to the given value

stringOptional

nullOptional

motivation__inany ofOptional

Filter on the motivation field for items that match any value in a comma-separated list

stringOptional

nullOptional

motivation__not_inany ofOptional

Filter on the motivation field for items that do not match any value in a comma-separated list

stringOptional

nullOptional

motivation__likeany ofOptional

Filter on the motivation field for items that match a SQL LIKE pattern (use % as wildcard, case-sensitive)

stringOptional

nullOptional

motivation__ilikeany ofOptional

Filter on the motivation field for items that match a SQL LIKE pattern (use % as wildcard, case-insensitive)

stringOptional

nullOptional

sponsorany ofOptional

Filter on the sponsor field by exact match

stringOptional

nullOptional

sponsor__neqany ofOptional

Filter on the sponsor field for items not equal to the given value

stringOptional

nullOptional

sponsor__inany ofOptional

Filter on the sponsor field for items that match any value in a comma-separated list

stringOptional

nullOptional

sponsor__not_inany ofOptional

Filter on the sponsor field for items that do not match any value in a comma-separated list

stringOptional

nullOptional

sponsor__likeany ofOptional

Filter on the sponsor field for items that match a SQL LIKE pattern (use % as wildcard, case-sensitive)

stringOptional

nullOptional

sponsor__ilikeany ofOptional

Filter on the sponsor field for items that match a SQL LIKE pattern (use % as wildcard, case-insensitive)

stringOptional

nullOptional

family_nameany ofOptional

Filter on the family_name field by exact match

stringOptional

nullOptional

family_name__neqany ofOptional

Filter on the family_name field for items not equal to the given value

stringOptional

nullOptional

family_name__inany ofOptional

Filter on the family_name field for items that match any value in a comma-separated list

stringOptional

nullOptional

family_name__not_inany ofOptional

Filter on the family_name field for items that do not match any value in a comma-separated list

stringOptional

nullOptional

family_name__likeany ofOptional

Filter on the family_name field for items that match a SQL LIKE pattern (use % as wildcard, case-sensitive)

stringOptional

nullOptional

family_name__ilikeany ofOptional

Filter on the family_name field for items that match a SQL LIKE pattern (use % as wildcard, case-insensitive)

stringOptional

nullOptional

enriched_at__gteany ofOptional

Filter on the enriched_at field for items greater than or equal to the given value

string · date-timeOptional

nullOptional

enriched_at__ltany ofOptional

Filter on the enriched_at field for items less than the given value

string · date-timeOptional

nullOptional

created_at__gteany ofOptional

Filter on the created_at field for items greater than or equal to the given value

string · date-timeOptional

nullOptional

created_at__ltany ofOptional

Filter on the created_at field for items less than the given value

string · date-timeOptional

nullOptional

updated_at__gteany ofOptional

Filter on the updated_at field for items greater than or equal to the given value

string · date-timeOptional

nullOptional

updated_at__ltany ofOptional

Filter on the updated_at field for items less than the given value

string · date-timeOptional

nullOptional

Responses

200

Successful Response

application/json

404

Not found

422

Validation Error

application/json

get

/v1/actors

GET /v1/actors HTTP/1.1
Accept: */*

{
  "total": 1,
  "offset": 1,
  "limit": 1,
  "message": "text",
  "data": [
    {
      "uuid": "text",
      "created_at": "2026-02-04T04:31:23.599Z",
      "updated_at": "2026-02-04T04:31:23.599Z",
      "enriched_at": "2026-02-04T04:31:23.599Z",
      "internal_name": "text",
      "merged_into_uuid": "text",
      "merged_at": "2026-02-04T04:31:23.599Z",
      "merged_reason": "text",
      "name": "text",
      "description": "text",
      "display_name": "text",
      "misp_uuid": "text",
      "motivation": "text",
      "sponsor": "text",
      "family_name": "text",
      "gen_description": "text",
      "image_s3_key": "text",
      "followed": false
    }
  ]
}

Once you've identified the ideal aperature, and you'd like more detail about /why/ they are trending, you can simply build a list of the actor uuids and request each one individually, the response contains the recent mentions.

Lookup Threat Actor

get

Path parameters

identifierstringRequired

The unique UUID or name of the threat actor to retrieve

Responses

200

Successful Response

application/json

404

Not found

422

Validation Error

application/json

get

/v1/actors/{identifier}

GET /v1/actors/{identifier} HTTP/1.1
Accept: */*

{
  "uuid": "text",
  "created_at": "2026-02-04T04:31:23.599Z",
  "updated_at": "2026-02-04T04:31:23.599Z",
  "enriched_at": "2026-02-04T04:31:23.599Z",
  "internal_name": "text",
  "merged_into_uuid": "text",
  "merged_at": "2026-02-04T04:31:23.599Z",
  "merged_reason": "text",
  "name": "text",
  "description": "text",
  "display_name": "text",
  "misp_uuid": "text",
  "motivation": "text",
  "sponsor": "text",
  "family_name": "text",
  "gen_description": "text",
  "image_s3_key": "text",
  "followed": false,
  "mentions_count": 0,
  "mentions": [
    {
      "uuid": "text",
      "entity_type": "text",
      "entity_uuid": "text",
      "created_at": "2026-02-04T04:31:23.599Z",
      "updated_at": "2026-02-04T04:31:23.599Z",
      "published_at": "2026-02-04T04:31:23.599Z",
      "overview": "text",
      "context": "text",
      "merged_from_uuid": "text",
      "reference_uuid": "text",
      "reference_url": "text",
      "reference_source": "text",
      "reference_user_generated_content": true,
      "reference_topic": "text",
      "threat_actor_uuid": "text",
      "threat_actor_name": "text",
      "threat_actor_display_name": "text"
    }
  ],
  "aliases": [
    {
      "external_name": "text",
      "internal_name": "text",
      "external_namespace": "text",
      "external_display_name": "text",
      "type": "text",
      "provenance": "text",
      "uuid": "text",
      "deprecated_at": "2026-02-04T04:31:23.599Z",
      "created_at": "2026-02-04T04:31:23.599Z",
      "updated_at": "2026-02-04T04:31:23.599Z"
    }
  ],
  "observable_type_counts": {
    "ANY_ADDITIONAL_PROPERTY": 1
  }
}

Last updated 3 months ago

hashtagThreat Actors Index

hashtagLookup Threat Actor

Threat Actors Index

Lookup Threat Actor