API Reference

Threat Actors Index

get

Endpoint to browse for threat actors, with filters on some criteria.

Query parameters
filter · string · Optional

A string used to filter threat actors. It can start with specific prefixes to indicate the type of filter:

  • name:: Filter by Name, case-insensitive.
  • uuid:: Filter by UUID, case-insensitive.
  • internal_name:: Filter by internal_name (exact match).
  • desc:: Filter by description (searches both description and gen_description fields).

If no prefix is provided, it defaults to filtering on the display_name or name fields.

Examples:

  • name:APT
  • name:lazarus_group
  • internal_name:m-threat-actor-happy-yellow-dog-a123
  • lazarus_group
  • Lazarus Group

offset · integer · Optional

The number of items to skip before starting to collect the result set.

Default: 0

sort · string · Optional

Field to sort by - either name, created_at, updated_at, enriched_at, trending_1d, trending_7d, or trending_30d

Default: created_at
Pattern: ^(name|created_at|updated_at|enriched_at|trending_1d|trending_7d|trending_30d)$

order · string · Optional

Sort order - either asc or desc

Default: desc
Pattern: ^(asc|desc)$

limit · integer · min: 1 · Optional

The maximum number of items to return.

Default: 100

include_merged · boolean · Optional

Include entities that have been merged into other entities

Default: false

followed · boolean · Optional

When true, returns only threat actors that the tenant is following

Default: false

motivation · any of: string or null · Optional

Filter on the motivation field by exact match

motivation__neq · any of: string or null · Optional

Filter on the motivation field for items not equal to the given value

motivation__in · any of: string or null · Optional

Filter on the motivation field for items that match any value in a comma-separated list

motivation__not_in · any of: string or null · Optional

Filter on the motivation field for items that do not match any value in a comma-separated list

motivation__like · any of: string or null · Optional

Filter on the motivation field for items that match a SQL LIKE pattern (use % as wildcard, case-sensitive)

motivation__ilike · any of: string or null · Optional

Filter on the motivation field for items that match a SQL LIKE pattern (use % as wildcard, case-insensitive)

sponsor · any of: string or null · Optional

Filter on the sponsor field by exact match

sponsor__neq · any of: string or null · Optional

Filter on the sponsor field for items not equal to the given value

sponsor__in · any of: string or null · Optional

Filter on the sponsor field for items that match any value in a comma-separated list

sponsor__not_in · any of: string or null · Optional

Filter on the sponsor field for items that do not match any value in a comma-separated list

sponsor__like · any of: string or null · Optional

Filter on the sponsor field for items that match a SQL LIKE pattern (use % as wildcard, case-sensitive)

sponsor__ilike · any of: string or null · Optional

Filter on the sponsor field for items that match a SQL LIKE pattern (use % as wildcard, case-insensitive)

family_name · any of: string or null · Optional

Filter on the family_name field by exact match

family_name__neq · any of: string or null · Optional

Filter on the family_name field for items not equal to the given value

family_name__in · any of: string or null · Optional

Filter on the family_name field for items that match any value in a comma-separated list

family_name__not_in · any of: string or null · Optional

Filter on the family_name field for items that do not match any value in a comma-separated list

family_name__like · any of: string or null · Optional

Filter on the family_name field for items that match a SQL LIKE pattern (use % as wildcard, case-sensitive)

family_name__ilike · any of: string or null · Optional

Filter on the family_name field for items that match a SQL LIKE pattern (use % as wildcard, case-insensitive)

created_at__gte · any of: string (date-time) or null · Optional

Filter on the created_at field for items greater than or equal to the given value

created_at__lt · any of: string (date-time) or null · Optional

Filter on the created_at field for items less than the given value

updated_at__gte · any of: string (date-time) or null · Optional

Filter on the updated_at field for items greater than or equal to the given value

updated_at__lt · any of: string (date-time) or null · Optional

Filter on the updated_at field for items less than the given value

Responses
200

Successful Response

application/json
get
/v1/actors

Lookup Vulnerable Technology Product Configuration Set

get

Get a specific vulnerable technology product configuration set by ID or UUID.

Path parameters
identifier · string · Required

The unique identifier (uuid or id) of the configuration set to retrieve

Responses
200

Successful Response

application/json
get
/v1/vulnerable_technology_product_configuration_sets/{identifier}

Get By Vulnerability

get

Get all configuration sets for a specific vulnerability.

Path parameters
vulnerability_uuid · string · uuid · Required

The vulnerability UUID to retrieve configuration sets for

Responses
200

Successful Response

application/json
get
/v1/vulnerable_technology_product_configuration_sets/by-vulnerability/{vulnerability_uuid}

Single Vulnerability Technology Product Advisories

get
Path parameters
identifier · string · Required

The unique CVE ID or UUID of the vulnerability to retrieve

Responses
200

Successful Response

application/json
Response · any
get
/v1/vulnerabilities/{identifier}/technology_product_advisories

Single Vulnerability Products

get
Path parameters
identifier · string · Required

The unique CVE ID or UUID of the vulnerability to retrieve

Responses
200

Successful Response

application/json
get
/v1/vulnerabilities/{identifier}/products

Single Vulnerability Observables

get

Get observables (IoCs) linked to a specific vulnerability.

Returns indicators of compromise such as IP addresses, domains, hashes, and URLs that have been associated with this vulnerability.

Path parameters
identifier · string · Required

The unique CVE ID or UUID of the vulnerability to retrieve

Query parameters
offset · integer · Optional

Number of items to skip

Default: 0

limit · integer · min: 1 · max: 500 · Optional

Maximum number of items to return

Default: 100

sort · string · Optional

Field to sort by

Default: published_at
Pattern: ^(type|name|created_at|published_at)$

order · string · Optional

Sort order

Default: desc
Pattern: ^(asc|desc)$

filter · string · Optional

Filter parameter (e.g., 'type:ip.v4', 'type:domain', 'type:hash.sha256')

Responses
200

Successful Response

application/json
get
/v1/vulnerabilities/{identifier}/observables

Single Vulnerability Mentions

get
Path parameters
identifier · string · Required

The unique CVE ID or UUID of the vulnerability to retrieve

Query parameters
offset · integer · Optional

Number of items to skip

Default: 0

limit · integer · min: 1 · max: 1000 · Optional

Maximum number of items to return

Default: 100

sort · string · Optional

Field to sort by

Default: published_at
Pattern: ^(created_at|updated_at|published_at|source)$

order · string · Optional

Sort order

Default: desc
Pattern: ^(asc|desc)$

filter · string · Optional

Filter parameter (e.g., 'user_generated_content:true' or 'user_generated_content:false')

Responses
200

Successful Response

application/json
get
/v1/vulnerabilities/{identifier}/mentions

Export Vulnerability

get

Export complete vulnerability intelligence with all related entities.

Returns the vulnerability data along with arrays of:

  • exploits: Known exploits targeting this vulnerability

  • exploitations: Recorded exploitation incidents

  • mentions: References in threat intelligence sources

  • detection_signatures: Detection rules for this vulnerability

  • vulnerable_configurations: Affected product configurations

  • advisories: Vendor security advisories

Use the optional timestamp parameters to filter related entities by their creation date. This is useful for incremental exports.

Path parameters
identifier · string · Required

The unique CVE ID or UUID of the vulnerability to export

Query parameters
relationships_created_after · any of: string (date-time) or null · Optional

Filter related objects to only include those created after this ISO8601/RFC3339 timestamp

relationships_created_before · any of: string (date-time) or null · Optional

Filter related objects to only include those created before this ISO8601/RFC3339 timestamp

Responses
200

Successful Response

application/json
Response · any
get
/v1/vulnerabilities/{identifier}/export

Single Vulnerability Configurations

get
Path parameters
identifier · string · Required

The unique CVE ID or UUID of the vulnerability to retrieve

Query parameters
offset · integer · Optional

Number of items to skip

Default: 0

limit · integer · min: 1 · max: 1000 · Optional

Maximum number of items to return

Default: 100

sort · string · Optional

Field to sort by - created_at, updated_at, vendor, product_name, or product_type

Default: created_at
Pattern: ^(created_at|updated_at|vendor|product_name|product_type)$

order · string · Optional

Sort order

Default: desc
Pattern: ^(asc|desc)$

filter · string · Optional

Filter parameter (e.g., 'vulnerable:true' or 'vulnerable:false')

type · string · Optional

Output model type

Default: detailed
Pattern: ^(basic|detailed)$

Responses
200

Successful Response

application/json
get
/v1/vulnerabilities/{identifier}/configurations

Single Vulnerability Detection Signatures

get
Path parameters
identifier · string · Required

The unique CVE ID or UUID of the vulnerability to retrieve

Query parameters
offset · integer · Optional

Number of items to skip

Default: 0

limit · integer · min: 1 · max: 1000 · Optional

Maximum number of items to return

Default: 100

sort · string · Optional

Field to sort by

Default: created_at
Pattern: ^(created_at|updated_at|source|method|upstream_id)$

order · string · Optional

Sort order

Default: desc
Pattern: ^(asc|desc)$

filter · string · Optional

Filter parameter (e.g., 'method:snort')

type · string · Optional

Output model type

Default: basic
Pattern: ^(basic|detailed)$

Responses
200

Successful Response

application/json
get
/v1/vulnerabilities/{identifier}/detection_signatures

Single Vulnerability

get
Path parameters
identifier · string · Required

The unique CVE ID or UUID of the vulnerability to retrieve

Responses
200

Successful Response

application/json
get
/v1/vulnerabilities/{identifier}
get

Compare trending vulnerabilities between two adjacent time periods.

"Trending" is defined as the top N entities by mention count, where N is controlled by the trending_limit parameter (default: 10).

Uses a sliding window approach where the current period ends at now, and the baseline period ends where the current period starts.

Returns items categorized as:

  • newly_trending: In top N current but not in top N baseline

  • no_longer_trending: In top N baseline but not in top N current

  • still_trending: In top N for both periods

Example with window=1d, trending_limit=20:

  • current_period: (now - 1 day) to now, top 20 by mentions

  • baseline_period: (now - 2 days) to (now - 1 day), top 20 by mentions

Query parameters
window · string · Optional

Time window for comparison. Format: '<number><unit>' where unit is 'd' (days) or 'h' (hours). Examples: '1d', '12h', '7d'. Maximum: 30d or 720h. Default: '1d'.

Default: 1d
Pattern: ^\d+[dh]$

trending_limit · integer · min: 1 · max: 100 · Optional

Maximum number of entities to consider as 'trending' per period. Only the top N entities by mention count are compared. Default: 10.

Default: 10

Responses
200

Successful Response

application/json
get
/v1/vulnerabilities/trending/diff

Vulnerabilities Index

get

Endpoint to browse vulnerabilities, with filters on some criteria.

Query parameters
filter · string · Optional

A string used to filter vulnerabilities. It can start with specific prefixes to indicate the type of filter:

  • cve:: Filter by CVE ID.
  • uuid:: Filter by UUID.
  • internal_name:: Filter by internal_name (exact match).
  • desc:: Filter by description (searches both description and gen_description fields).
  • gen_display_name:: Filter by gen_display_name.
  • cisa_kev:: Filter by cisa_kev.
  • state:: Filter by state.
  • If the filter string matches the pattern CVE- or a UUID pattern, it will be treated as a specific filter.
  • If no prefix is provided, it defaults to a description filter (searches both description fields).

sort · string · Optional

Field to sort by - either cve_id, gen_cwe_id, state, created_at, updated_at, enriched_at, published_at, cvss_base_score, cvss_version, epss_score, epss_percentile, trending_1d, trending_7d, or trending_30d

Default: created_at
Pattern: ^(cve_id|gen_cwe_id|state|created_at|updated_at|enriched_at|published_at|cvss_base_score|cvss_version|epss_score|epss_percentile|trending_1d|trending_7d|trending_30d)$

order · string · Optional

Sort order - either asc or desc

Default: desc
Pattern: ^(asc|desc)$

offset · integer · Optional

The number of items to skip before starting to collect the result set.

Default: 0

limit · integer · min: 1 · Optional

The maximum number of items to return.

Default: 100

include_merged · boolean · Optional

Include entities that have been merged into other entities

Default: false

followed · boolean · Optional

When true, returns only vulnerabilities that the tenant is following

Default: false

cvss_base_score · any of: number or null · Optional

Filter on the cvss_base_score field by exact match

cvss_base_score__neq · any of: number or null · Optional

Filter on the cvss_base_score field for items not equal to the given value

cvss_base_score__gt · any of: number or null · Optional

Filter on the cvss_base_score field for items greater than the given value

cvss_base_score__gte · any of: number or null · Optional

Filter on the cvss_base_score field for items greater than or equal to the given value

cvss_base_score__lt · any of: number or null · Optional

Filter on the cvss_base_score field for items less than the given value

cvss_base_score__lte · any of: number or null · Optional

Filter on the cvss_base_score field for items less than or equal to the given value

cvss_base_score__isnull · any of: boolean or null · Optional

Filter on the cvss_base_score field for items that are NULL (true) or NOT NULL (false)

cvss_base_score__exists · any of: boolean or null · Optional

Filter on the cvss_base_score field for items that exist (true/false)

epss_score · any of: number or null · Optional

Filter on the epss_score field by exact match

epss_score__neq · any of: number or null · Optional

Filter on the epss_score field for items not equal to the given value

epss_score__gt · any of: number or null · Optional

Filter on the epss_score field for items greater than the given value

epss_score__gte · any of: number or null · Optional

Filter on the epss_score field for items greater than or equal to the given value

epss_score__lt · any of: number or null · Optional

Filter on the epss_score field for items less than the given value

epss_score__lte · any of: number or null · Optional

Filter on the epss_score field for items less than or equal to the given value

epss_score__isnull · any of: boolean or null · Optional

Filter on the epss_score field for items that are NULL (true) or NOT NULL (false)

epss_score__exists · any of: boolean or null · Optional

Filter on the epss_score field for items that exist (true/false)

epss_percentile · any of: number or null · Optional

Filter on the epss_percentile field by exact match

epss_percentile__neq · any of: number or null · Optional

Filter on the epss_percentile field for items not equal to the given value

epss_percentile__gt · any of: number or null · Optional

Filter on the epss_percentile field for items greater than the given value

epss_percentile__gte · any of: number or null · Optional

Filter on the epss_percentile field for items greater than or equal to the given value

epss_percentile__lt · any of: number or null · Optional

Filter on the epss_percentile field for items less than the given value

epss_percentile__lte · any of: number or null · Optional

Filter on the epss_percentile field for items less than or equal to the given value

epss_percentile__isnull · any of: boolean or null · Optional

Filter on the epss_percentile field for items that are NULL (true) or NOT NULL (false)

epss_percentile__exists · any of: boolean or null · Optional

Filter on the epss_percentile field for items that exist (true/false)

gen_cwe_id · any of: string or null · Optional

Filter on the gen_cwe_id field by exact match

gen_cwe_id__neq · any of: string or null · Optional

Filter on the gen_cwe_id field for items not equal to the given value

gen_cwe_id__in · any of: string or null · Optional

Filter on the gen_cwe_id field for items that match any value in a comma-separated list

gen_cwe_id__not_in · any of: string or null · Optional

Filter on the gen_cwe_id field for items that do not match any value in a comma-separated list

gen_cwe_id__like · any of: string or null · Optional

Filter on the gen_cwe_id field for items that match a SQL LIKE pattern (use % as wildcard, case-sensitive)

gen_cwe_id__ilike · any of: string or null · Optional

Filter on the gen_cwe_id field for items that match a SQL LIKE pattern (use % as wildcard, case-insensitive)

gen_cwe_id__isnull · any of: boolean or null · Optional

Filter on the gen_cwe_id field for items that are NULL (true) or NOT NULL (false)

gen_cwe_id__exists · any of: boolean or null · Optional

Filter on the gen_cwe_id field for items that exist (true/false)

published_at · any of: string (date-time) or null · Optional

Filter on the published_at field by exact match

published_at__neq · any of: string (date-time) or null · Optional

Filter on the published_at field for items not equal to the given value

published_at__lt · any of: string (date-time) or null · Optional

Filter on the published_at field for items less than the given value

published_at__lte · any of: string (date-time) or null · Optional

Filter on the published_at field for items less than or equal to the given value

published_at__gt · any of: string (date-time) or null · Optional

Filter on the published_at field for items greater than the given value

published_at__gte · any of: string (date-time) or null · Optional

Filter on the published_at field for items greater than or equal to the given value

published_at__isnull · any of: boolean or null · Optional

Filter on the published_at field for items that are NULL (true) or NOT NULL (false)

published_at__exists · any of: boolean or null · Optional

Filter on the published_at field for items that exist (true/false)

exploits_count · any of: integer or null · Optional

Filter by exploits count

exploits_count__neq · any of: integer or null · Optional

Filter by exploits count (for items not equal to the given value)

exploits_count__gt · any of: integer or null · Optional

Filter by exploits count (for items greater than the given value)

exploits_count__gte · any of: integer or null · Optional

Filter by exploits count (for items greater than or equal to the given value)

exploits_count__lt · any of: integer or null · Optional

Filter by exploits count (for items less than the given value)

exploits_count__lte · any of: integer or null · Optional

Filter by exploits count (for items less than or equal to the given value)

exploitations_count · any of: integer or null · Optional

Filter by exploitations count

exploitations_count__neq · any of: integer or null · Optional

Filter by exploitations count (for items not equal to the given value)

exploitations_count__gt · any of: integer or null · Optional

Filter by exploitations count (for items greater than the given value)

exploitations_count__gte · any of: integer or null · Optional

Filter by exploitations count (for items greater than or equal to the given value)

exploitations_count__lt · any of: integer or null · Optional

Filter by exploitations count (for items less than the given value)

exploitations_count__lte · any of: integer or null · Optional

Filter by exploitations count (for items less than or equal to the given value)

detection_signatures_count · any of: integer or null · Optional

Filter by detection_signatures count

detection_signatures_count__neq · any of: integer or null · Optional

Filter by detection_signatures count (for items not equal to the given value)

detection_signatures_count__gt · any of: integer or null · Optional

Filter by detection_signatures count (for items greater than the given value)

detection_signatures_count__gte · any of: integer or null · Optional

Filter by detection_signatures count (for items greater than or equal to the given value)

detection_signatures_count__lt · any of: integer or null · Optional

Filter by detection_signatures count (for items less than the given value)

detection_signatures_count__lte · any of: integer or null · Optional

Filter by detection_signatures count (for items less than or equal to the given value)

mentions_count · any of: integer or null · Optional

Filter by mentions count

mentions_count__neq · any of: integer or null · Optional

Filter by mentions count (for items not equal to the given value)

mentions_count__gt · any of: integer or null · Optional

Filter by mentions count (for items greater than the given value)

mentions_count__gte · any of: integer or null · Optional

Filter by mentions count (for items greater than or equal to the given value)

mentions_count__lt · any of: integer or null · Optional

Filter by mentions count (for items less than the given value)

mentions_count__lte · any of: integer or null · Optional

Filter by mentions count (for items less than or equal to the given value)

weaknesses_count · any of: integer or null · Optional

Filter by weaknesses count

weaknesses_count__neq · any of: integer or null · Optional

Filter by weaknesses count (for items not equal to the given value)

weaknesses_count__gt · any of: integer or null · Optional

Filter by weaknesses count (for items greater than the given value)

weaknesses_count__gte · any of: integer or null · Optional

Filter by weaknesses count (for items greater than or equal to the given value)

weaknesses_count__lt · any of: integer or null · Optional

Filter by weaknesses count (for items less than the given value)

weaknesses_count__lte · any of: integer or null · Optional

Filter by weaknesses count (for items less than or equal to the given value)

advisories_count · any of: integer or null · Optional

Filter by advisories count

advisories_count__neq · any of: integer or null · Optional

Filter by advisories count (for items not equal to the given value)

advisories_count__gt · any of: integer or null · Optional

Filter by advisories count (for items greater than the given value)

advisories_count__gte · any of: integer or null · Optional

Filter by advisories count (for items greater than or equal to the given value)

advisories_count__lt · any of: integer or null · Optional

Filter by advisories count (for items less than the given value)

advisories_count__lte · any of: integer or null · Optional

Filter by advisories count (for items less than or equal to the given value)

malware_count · any of: integer or null · Optional

Filter by malware count

malware_count__neq · any of: integer or null · Optional

Filter by malware count (for items not equal to the given value)

malware_count__gt · any of: integer or null · Optional

Filter by malware count (for items greater than the given value)

malware_count__gte · any of: integer or null · Optional

Filter by malware count (for items greater than or equal to the given value)

malware_count__lt · any of: integer or null · Optional

Filter by malware count (for items less than the given value)

malware_count__lte · any of: integer or null · Optional

Filter by malware count (for items less than or equal to the given value)

created_at__gte · any of: string (date-time) or null · Optional

Filter on the created_at field for items greater than or equal to the given value

created_at__lt · any of: string (date-time) or null · Optional

Filter on the created_at field for items less than the given value

updated_at__gte · any of: string (date-time) or null · Optional

Filter on the updated_at field for items greater than or equal to the given value

updated_at__lt · any of: string (date-time) or null · Optional

Filter on the updated_at field for items less than the given value

Responses
200

Successful Response

application/json
get
/v1/vulnerabilities

Get User

get

Get the current authenticated user's information

Responses
200

Successful Response

application/json
get
/v1/user

Single Technology Product Advisory Vulnerabilities

get
Path parameters
identifier · string · Required

The unique UUID of the technology product advisory to retrieve

Query parameters
offset · integer · Optional

Number of items to skip

Default: 0

limit · integer · min: 1 · max: 1000 · Optional

Maximum number of items to return

Default: 100

sort · string · Optional

Field to sort by - cve_id, cvss_base_score, epss_score, or published_at

Default: epss_score
Pattern: ^(cve_id|cvss_base_score|epss_score|published_at)$

order · string · Optional

Sort order

Default: desc
Pattern: ^(asc|desc)$

type · string · Optional

Output model type. Use 'basic' (default) for standard fields or 'detailed' for additional fields including relationships and extended metadata.

Default: basic
Pattern: ^(basic|detailed)$

Responses
200

Paginated list of vulnerabilities. Response schema depends on the type query parameter: 'basic' (default) or 'detailed'. Use type=detailed to get additional fields in the response.

application/json
Response · any of
get
/v1/technology_product_advisories/{identifier}/vulnerabilities

Single Technology Product Advisory Products

get
Path parameters
identifier · string · Required

The unique UUID of the technology product advisory to retrieve

Query parameters
offset · integer · Optional

Number of items to skip

Default: 0

limit · integer · min: 1 · max: 1000 · Optional

Maximum number of items to return

Default: 100

sort · string · Optional

Field to sort by - name, vendor_name, or created_at

Default: name
Pattern: ^(name|vendor_name|created_at)$

order · string · Optional

Sort order

Default: asc
Pattern: ^(asc|desc)$

type · string · Optional

Output model type. Use 'basic' (default) for standard fields or 'detailed' for additional fields including relationships and extended metadata.

Default: basic
Pattern: ^(basic|detailed)$

Responses
200

Paginated list of products. Response schema depends on the type query parameter: 'basic' (default) or 'detailed'. Use type=detailed to get additional fields in the response.

application/json
Response · any of
get
/v1/technology_product_advisories/{identifier}/products

Export Technology Product Advisory

get

Export complete advisory with all related data.

Returns the advisory entity along with all associated vulnerabilities and product configurations.

Use the optional timestamp parameters to filter related entities by their creation date. This is useful for incremental exports.

Path parameters
identifier · string · Required

The unique UUID of the technology product advisory to export

Query parameters
relationships_created_after · any of: string (date-time) or null · Optional

Filter related objects to only include those created after this ISO8601/RFC3339 timestamp

relationships_created_before · any of: string (date-time) or null · Optional

Filter related objects to only include those created before this ISO8601/RFC3339 timestamp

Responses
200

Successful Response

application/json
Response · any
get
/v1/technology_product_advisories/{identifier}/export

Single Technology Product Advisory

get
Path parameters
identifier · string · Required

The unique UUID of the technology product advisory to retrieve

Responses
200

Successful Response

application/json
get
/v1/technology_product_advisories/{identifier}
get

Compare trending threat actors between two adjacent time periods.

"Trending" is defined as the top N entities by mention count, where N is controlled by the trending_limit parameter (default: 10).

Uses a sliding window approach where the current period ends at now, and the baseline period ends where the current period starts.

Returns items categorized as:

  • newly_trending: In top N current but not in top N baseline

  • no_longer_trending: In top N baseline but not in top N current

  • still_trending: In top N for both periods

Example with window=1d, trending_limit=20:

  • current_period: (now - 1 day) to now, top 20 by mentions

  • baseline_period: (now - 2 days) to (now - 1 day), top 20 by mentions

Query parameters
window · string · Optional

Time window for comparison. Format: '<number><unit>' where unit is 'd' (days) or 'h' (hours). Examples: '1d', '12h', '7d'. Maximum: 30d or 720h. Default: '1d'.

Default: 1d
Pattern: ^\d+[dh]$

trending_limit · integer · min: 1 · max: 100 · Optional

Maximum number of entities to consider as 'trending' per period. Only the top N entities by mention count are compared. Default: 10.

Default: 10

Responses
200

Successful Response

application/json
get
/v1/actors/trending/diff
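
The categorization described for /v1/vulnerabilities/trending/diff and /v1/actors/trending/diff, reproduced client-side as an added example (not the service's own code). The window pattern, the 30d/720h maximum and the trending_limit bounds come from the parameter descriptions; the interval boundaries, tie-breaking by name, rejection of a zero-length window, and the sample mentions are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

WINDOW_RE = re.compile(r"\d+[dh]", re.ASCII)  # documented pattern: ^\d+[dh]$
MAX_WINDOW = timedelta(days=30)               # documented maximum: 30d or 720h


def parse_window(window="1d"):
    """Validate a window string such as '1d' or '12h' and return a timedelta."""
    if not WINDOW_RE.fullmatch(window):
        raise ValueError(f"window must match ^\\d+[dh]$: {window!r}")
    amount, unit = int(window[:-1]), window[-1]
    try:
        delta = timedelta(days=amount) if unit == "d" else timedelta(hours=amount)
    except OverflowError:
        raise ValueError(f"window too large: {window!r}") from None
    # Assumption: a zero-length window is rejected (the page gives no minimum).
    if delta <= timedelta(0) or delta > MAX_WINDOW:
        raise ValueError(f"window must be above 0 and at most 30d/720h: {window!r}")
    return delta


def periods(now, window="1d"):
    """Return (baseline, current) as (start, end) pairs; baseline ends where current starts."""
    delta = parse_window(window)
    return (now - 2 * delta, now - delta), (now - delta, now)


def top_n(mentions, start, end, limit):
    """Top `limit` entities by mention count within (start, end].

    Assumptions: the interval is half-open so a mention on the shared boundary
    is counted in one period only, and ties are broken by entity name.
    """
    counts = Counter(entity for entity, ts in mentions if start < ts <= end)
    ranked = sorted(counts.items(), key=lambda item: (-item[1], item[0]))
    return [entity for entity, _ in ranked[:limit]]


def trending_diff(mentions, now, window="1d", trending_limit=10):
    """Classify entities by comparing the top N of the current and baseline periods."""
    if not 1 <= trending_limit <= 100:  # documented bounds: min 1, max 100
        raise ValueError("trending_limit must be between 1 and 100")
    baseline_period, current_period = periods(now, window)
    current = top_n(mentions, *current_period, trending_limit)
    baseline = top_n(mentions, *baseline_period, trending_limit)
    current_set, baseline_set = set(current), set(baseline)
    return {
        "newly_trending": [e for e in current if e not in baseline_set],
        "no_longer_trending": [e for e in baseline if e not in current_set],
        "still_trending": [e for e in current if e in baseline_set],
    }


# Constructed sample data: (entity, mention timestamp) pairs with placeholder names.
SAMPLE_NOW = datetime(2024, 1, 3, tzinfo=timezone.utc)


def sample_hits(entity, count, hours_ago):
    """Build `count` constructed mentions of `entity` around `hours_ago` before SAMPLE_NOW."""
    return [(entity, SAMPLE_NOW - timedelta(hours=hours_ago, minutes=i)) for i in range(count)]


SAMPLE_MENTIONS = (
    # Baseline day: a=3, b=2, c=1 mentions.
    sample_hits("entity-a", 3, 36) + sample_hits("entity-b", 2, 36) + sample_hits("entity-c", 1, 36)
    # Current day: a=4, b=3, c=5 mentions. entity-b gains mentions but loses rank.
    + sample_hits("entity-a", 4, 12) + sample_hits("entity-b", 3, 12) + sample_hits("entity-c", 5, 12)
)

if __name__ == "__main__":
    for limit in (2, 3):
        print(limit, trending_diff(SAMPLE_MENTIONS, SAMPLE_NOW, "1d", limit))
```

With trending_limit=2 the sample shows entity-b reported as no_longer_trending even though its mention count rose, because the comparison is on rank within the top N rather than on absolute volume.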

Lookup Threat Actor

get
Path parameters
identifier · string · Required

The unique UUID or name of the threat actor to retrieve

Responses
200

Successful Response

application/json
get
/v1/actors/{identifier}

Single Threat Actor Attack Patterns

get

Get attack patterns (TTPs) used by a specific threat actor.

Returns MITRE ATT&CK techniques that have been associated with this threat actor through threat intelligence analysis.

Path parameters
identifier · string · Required

The unique UUID or name of the threat actor to retrieve

Query parameters
offset · integer · Optional

Number of items to skip

Default: 0

limit · integer · min: 1 · max: 500 · Optional

Maximum number of items to return

Default: 100

sort · string · Optional

Field to sort by

Default: created_at
Pattern: ^(name|mitre_attack_id|created_at|updated_at)$

order · string · Optional

Sort order

Default: desc
Pattern: ^(asc|desc)$

Responses
200

Successful Response

application/json
get
/v1/actors/{identifier}/attack_patterns

Export Threat Actor

get

Export complete threat actor profile with all related data.

Returns the threat actor data along with arrays of:

  • aliases: Known aliases for this threat actor

  • mentions: References in threat intelligence sources

  • observables: Associated IoCs (IP addresses, domains, hashes, URLs)

Use the optional timestamp parameters to filter related entities by their creation date. This is useful for incremental exports.

Path parameters
identifierstringRequired

The unique UUID or name of the threat actor to export

Query parameters
relationships_created_afterany ofOptional

Filter related objects to only include those created after this ISO8601/RFC3339 timestamp

string · date-timeOptional
or
nullOptional
relationships_created_beforeany ofOptional

Filter related objects to only include those created before this ISO8601/RFC3339 timestamp

string · date-timeOptional
or
nullOptional
Responses
200

Successful Response

application/json
Responseany
get
/v1/actors/{identifier}/export

No content

Single Threat Actor Mentions

get
Path parameters
identifierstringRequired

The unique UUID or name of the threat actor to retrieve

Query parameters
offsetintegerOptional

Number of items to skip

Default: 0
limitinteger · min: 1 · max: 1000Optional

Maximum number of items to return

Default: 100
sortstringOptional

Field to sort by

Default: published_at
Pattern: ^(created_at|updated_at|published_at|source)$
orderstringOptional

Sort order

Default: desc
Pattern: ^(asc|desc)$
filterstringOptional

Filter parameter (e.g., 'user_generated_content:true' or 'user_generated_content:false')

Responses
200

Successful Response

application/json
get
/v1/actors/{identifier}/mentions

References Index

get
Query parameters
filterstringOptional

A string used to filter references. Allowed filter terms:

  • source:: filter by source. (exact match - lowercase)
  • domain:: filter by domain. (case insensitive substring filter)
  • url:: filter by url. (case insensitive substring filter)
  • final_url:: filter by final_url. (case insensitive substring)
  • title:: filter the title for a string. (case insensitive substring filter)
  • topic:: filter the topic for a string. (case insensitive substring filter)
  • label:: filter by content chunk label (exact match)
  • embedding:: filter by content chunk embedding (semantic search)
  • last_http_status:: filter by last_http_status (exact match)
  • type:: filter by type. (exact match - converted to uppercase)
  • If no prefix is provided, the filter will be conducted on the url.

Use published_at__gte and published_at__lt params for date filtering (half-open interval [start, end)).
sortstringOptional

Field to sort by - either created_at, updated_at, published_at, first_collected_at, or last_collected_at

Default: published_at
Pattern: ^(published_at|first_collected_at|last_collected_at|created_at|updated_at)$
orderstringOptional

Sort order - either asc or desc

Default: desc
Pattern: ^(asc|desc)$
offsetintegerOptional

The number of items to skip before starting to collect the result set.

Default: 0
limitinteger · min: 1Optional

The maximum number of items to return.

Default: 100
labelsstring[]Optional

Filter by topic labels (e.g., malware, ransomware, vulnerability). Multiple values use OR matching. Combined with other label category params using AND.

Default: []
format_labelsstring[]Optional

Filter by format labels (e.g., blog_post, news_article, research_paper). Multiple values use OR matching. Combined with other label category params using AND.

Default: []
source_type_labelsstring[]Optional

Filter by source type labels (e.g., government_advisory, threat_intel_vendor). Multiple values use OR matching. Combined with other label category params using AND.

Default: []
depth_labelsstring[]Optional

Filter by depth labels (e.g., technical_deep_dive). Multiple values use OR matching. Combined with other label category params using AND.

Default: []
sourceany ofOptional

Filter on the source field by exact match

stringOptional
or
nullOptional
source__inany ofOptional

Filter on the source field for items that match any value in a comma-separated list

stringOptional
or
nullOptional
user_generated_contentany ofOptional

Filter on the user_generated_content field by exact match

booleanOptional
or
nullOptional
created_at__gteany ofOptional

Filter on the created_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
created_at__ltany ofOptional

Filter on the created_at field for items less than the given value

string · date-timeOptional
or
nullOptional
updated_at__gteany ofOptional

Filter on the updated_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
updated_at__ltany ofOptional

Filter on the updated_at field for items less than the given value

string · date-timeOptional
or
nullOptional
published_at__gteany ofOptional

Filter on the published_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
published_at__ltany ofOptional

Filter on the published_at field for items less than the given value

string · date-timeOptional
or
nullOptional
Responses
200

Successful Response

application/json
get
/v1/references
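
The half-open interval [start, end) behind published_at__gte and published_at__lt lets a collector tile a time range into windows in which every reference is selected exactly once. The sketch below is an added example, not code from the API's vendor: the helper names and sample records are constructed, and the date filter is modelled locally instead of being sent to the service.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

REFERENCES_PATH = "/v1/references"  # path from the page; host and auth are not shown there


def rfc3339(ts):
    """Format a timezone-aware datetime as an RFC 3339 UTC timestamp."""
    if ts.tzinfo is None:
        raise ValueError("naive datetime: attach a timezone before building a query")
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def half_open_windows(start, end, step):
    """Tile [start, end) into consecutive [gte, lt) pairs with no gap and no overlap."""
    if step <= timedelta(0):
        raise ValueError("step must be positive")
    windows, cursor = [], start
    while cursor < end:
        upper = min(cursor + step, end)  # the last window is clipped to `end`
        windows.append((cursor, upper))
        cursor = upper                   # next gte is exactly the previous lt
    return windows


def page_query(gte, lt, offset=0, limit=100):
    """Relative URL for one page of one window, using parameters listed on the page."""
    if offset < 0 or limit < 1:
        raise ValueError("offset must be >= 0 and limit >= 1")
    params = {
        "published_at__gte": rfc3339(gte),
        "published_at__lt": rfc3339(lt),
        "sort": "published_at",
        "order": "asc",
        "offset": offset,
        "limit": limit,
    }
    return REFERENCES_PATH + "?" + urlencode(params)


def selecting_windows(records, windows, inclusive_end=False):
    """Local model of the date filter: which windows select each record.

    inclusive_end=False is the documented half-open behaviour (gte <= t < lt).
    inclusive_end=True models a closed interval, for comparison only.
    """
    hits = {}
    for ref_id, published_at in records:
        hits[ref_id] = [
            i for i, (gte, lt) in enumerate(windows)
            if gte <= published_at
            and (published_at <= lt if inclusive_end else published_at < lt)
        ]
    return hits


# Constructed sample data: ids and published_at values on and around window edges.
START = datetime(2024, 5, 1, 0, 0, tzinfo=timezone.utc)
END = datetime(2024, 5, 2, 6, 0, tzinfo=timezone.utc)
SAMPLE = [
    ("ref-a", START),
    ("ref-b", datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)),
    ("ref-c", datetime(2024, 5, 2, 5, 59, 59, tzinfo=timezone.utc)),
    ("ref-d", END),
]

if __name__ == "__main__":
    wins = half_open_windows(START, END, timedelta(hours=12))
    for gte, lt in wins:
        print(page_query(gte, lt))
    print("half-open:", selecting_windows(SAMPLE, wins))
    print("closed:   ", selecting_windows(SAMPLE, wins, inclusive_end=True))
```

With half-open windows the record published exactly on a boundary (ref-b) is picked up once, and ref-d is left for the next run that starts at END; under a closed interval ref-b would be ingested twice.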

Actor Mentions Index

get
Query parameters
offsetintegerOptional

The number of items to skip before starting to collect the result set.

Default: 0
limitinteger · min: 1Optional

The maximum number of items to return.

Default: 100
sortstringOptional

Field to sort by - either created_at, updated_at, published_at, or collected_at

Default: published_at
Pattern: ^(created_at|updated_at|published_at|collected_at)$
orderstringOptional

Sort order - either asc or desc

Default: desc
Pattern: ^(asc|desc)$
created_at__gteany ofOptional

Filter on the created_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
created_at__ltany ofOptional

Filter on the created_at field for items less than the given value

string · date-timeOptional
or
nullOptional
updated_at__gteany ofOptional

Filter on the updated_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
updated_at__ltany ofOptional

Filter on the updated_at field for items less than the given value

string · date-timeOptional
or
nullOptional
Responses
200

Successful Response

application/json
get
/v1/mentions/actors

Get Threat Actor Mentions

get
Path parameters
identifierstringRequired

The unique hash of the URL or UUID to retrieve the reference for

Responses
200

Successful Response

application/json
get
/v1/references/{identifier}/threat-actor-mentions

Get Opinion By Uuid

get

Get specific opinion by UUID.

Path parameters
uuidstringRequired

Opinion UUID

Responses
200

Successful Response

application/json
get
/v1/opinions/{uuid}

Get Observable By Uuid

get

Get specific observable by UUID.

Path parameters
uuidstringRequired

Observable UUID

Responses
200

Successful Response

application/json
get
/v1/observables/{uuid}

Get Industry By Code

get

Get a specific GICS industry by its 6-digit code.

Returns the industry with all its sub-industries. Returns 404 if the industry code does not exist.

Path parameters
codestringRequired
Responses
200

Successful Response

application/json
get
/v1/industries/{code}

Get Latest Export Url

get

Get a signed URL for the latest export.

Query parameters
export_typestringOptional

Type of export to retrieve. Allowed: vuln_intel

Default: vuln_intel
export_strategystringOptional

Export strategy: full or incremental

Default: incremental
expires_ininteger · min: 300 · max: 86400Optional

Signed URL expiration time in seconds (300-86400)

Default: 86400
Responses
200

Successful Response

application/json
get
/v1/exports/latest

Opinions Index

get

List all opinions with filtering.

Query parameters
filterstringOptional

Filter using prefix syntax:

  • type:: filter by observable type prefix or exact match, case sensitive (e.g., type:ip or type:ip.v4)
  • name:: filter by observable name prefix or exact match, case sensitive
  • source:: filter by source (case insensitive)
  • uuid:: filter by UUID (prefix or exact match)
  • If no prefix is provided, searches across type, name, and source
sortstringOptional

Field to sort by

Default: uuid
Pattern: ^(uuid|created_at|published_at|observable_type|source)$
orderstringOptional

Sort order - either asc or desc

Default: desc
Pattern: ^(asc|desc)$
offsetintegerOptional

Number of items to skip

Default: 0
limitinteger · min: 1Optional

Maximum number of items to return

Default: 100
scopestringOptional

Scope filter to optionally limit the results to global or tenant data. The scope can be one of the following:

  • global: only global data
  • tenant: only tenant-specific data

If no scope is provided, then both global and tenant data are returned.

Pattern: ^(global|tenant)$
created_at__gteany ofOptional

Filter on the created_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
created_at__ltany ofOptional

Filter on the created_at field for items less than the given value

string · date-timeOptional
or
nullOptional
updated_at__gteany ofOptional

Filter on the updated_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
updated_at__ltany ofOptional

Filter on the updated_at field for items less than the given value

string · date-timeOptional
or
nullOptional
published_at__gteany ofOptional

Filter on the published_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
published_at__ltany ofOptional

Filter on the published_at field for items less than the given value

string · date-timeOptional
or
nullOptional
Responses
200

Successful Response

application/json
get
/v1/opinions

Mentions Index

get

Get all mentions, optionally filtered by entity type. Supports pagination, sorting, and filtering.

Query parameters
entity_typeany ofOptional

Filter by entity type (e.g., organization, threat_actor, vulnerability, malware, technology_product)

stringOptional
or
nullOptional
offsetintegerOptional

Number of items to skip before starting to collect results

Default: 0
limitinteger · min: 1Optional

Maximum number of items to return

Default: 100
sortstringOptional

Field to sort by

Default: published_at
Pattern: ^(created_at|updated_at|published_at|collected_at)$
orderstringOptional

Sort order - either asc or desc

Default: desc
Pattern: ^(asc|desc)$
created_at__gteany ofOptional

Filter on the created_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
created_at__ltany ofOptional

Filter on the created_at field for items less than the given value

string · date-timeOptional
or
nullOptional
updated_at__gteany ofOptional

Filter on the updated_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
updated_at__ltany ofOptional

Filter on the updated_at field for items less than the given value

string · date-timeOptional
or
nullOptional
Responses
200

Successful Response

application/json
get
/v1/mentions

Exploits Index

get

Endpoint to browse exploits, with filters on some criteria.

Query parameters
filterstringOptional

A string used to filter exploits. It can start with specific prefixes to indicate the type of filter:

  • uuid:: Filter by UUID.
  • url:: Filter by url.
  • authors:: Filter by authors.
  • maturity:: Filter by maturity.
  • If the filter string matches a UUID pattern, it will be treated as a specific filter.
  • If no prefix is provided, it defaults to a url filter.
offsetintegerOptional

The number of items to skip before starting to collect the result set.

Default: 0
sortstringOptional

Field to sort by - one of: url, authors, maturity, disclosed_at, created_at, or updated_at

Default: created_at
Pattern: ^(url|authors|maturity|disclosed_at|created_at|updated_at|enriched_at)$
orderstringOptional

Sort order - either asc or desc

Default: desc
Pattern: ^(asc|desc)$
limitinteger · min: 1Optional

The maximum number of items to return.

Default: 100
created_at__gteany ofOptional

Filter on the created_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
created_at__ltany ofOptional

Filter on the created_at field for items less than the given value

string · date-timeOptional
or
nullOptional
updated_at__gteany ofOptional

Filter on the updated_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
updated_at__ltany ofOptional

Filter on the updated_at field for items less than the given value

string · date-timeOptional
or
nullOptional
Responses
200

Successful Response

application/json
get
/v1/exploits

Similar Stories

get

Find stories similar to the specified story.

Uses the story's embedding vector to find other stories with similar content using inner product similarity. Results are ordered by similarity (most similar first).

Date filters use created_at__gte/lt and updated_at__gte/lt query parameters.

Returns an empty list if the story doesn't have an embedding vector.

Path parameters
identifierstringRequired

The unique UUID of the story

Query parameters
thresholdnumber · min: -1 · max: 1Optional

Similarity threshold (higher values are more similar, range: -1 to 1)

Default: 0.6
offsetintegerOptional

The number of items to skip before starting to collect the result set.

Default: 0
limitinteger · min: 1 · max: 100Optional

The maximum number of items to return.

Default: 10
created_at__gteany ofOptional

Filter on the created_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
created_at__ltany ofOptional

Filter on the created_at field for items less than the given value

string · date-timeOptional
or
nullOptional
updated_at__gteany ofOptional

Filter on the updated_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
updated_at__ltany ofOptional

Filter on the updated_at field for items less than the given value

string · date-timeOptional
or
nullOptional
Responses
200

Successful Response

application/json
get
/v1/stories/{identifier}/similar
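
A local model of the ranking described for this endpoint, as an added example that is not the service's code. It assumes unit-normalised embeddings (so the inner product stays within the documented -1 to 1 range) and an inclusive threshold comparison; the story ids and vectors are constructed.

```python
import math


def normalize(vec):
    """Scale a vector to unit length so inner products fall in [-1, 1]."""
    norm = math.sqrt(sum(x * x for x in vec))
    if norm == 0:
        raise ValueError("zero vector has no direction")
    return [x / norm for x in vec]


def inner_product(a, b):
    """Plain inner (dot) product of two equal-length vectors."""
    if len(a) != len(b):
        raise ValueError("embedding dimensions differ")
    return sum(x * y for x, y in zip(a, b))


def similar_stories(stories, identifier, threshold=0.6, offset=0, limit=10):
    """Rank other stories by inner product with the given story's embedding.

    `stories` maps a story id to its embedding, or to None when it has none.
    Defaults and bounds mirror the query parameters listed on the page.
    """
    if not -1.0 <= threshold <= 1.0:
        raise ValueError("threshold must be between -1 and 1")
    if offset < 0 or not 1 <= limit <= 100:
        raise ValueError("offset must be >= 0 and limit between 1 and 100")
    source = stories[identifier]          # KeyError for an unknown story
    if source is None:
        return []                         # no embedding: empty result, as documented
    query = normalize(source)
    scored = []
    for story_id, embedding in stories.items():
        if story_id == identifier or embedding is None:
            continue
        score = inner_product(query, normalize(embedding))
        if score >= threshold:            # inclusive comparison is an assumption
            scored.append((story_id, round(score, 4)))
    scored.sort(key=lambda pair: (-pair[1], pair[0]))  # most similar first
    return scored[offset:offset + limit]


# Constructed sample embeddings (three dimensions for readability).
STORIES = {
    "story-a": [1, 0, 0],
    "story-b": [4, 3, 0],    # inner product with story-a: 0.8
    "story-c": [0, 1, 0],    # orthogonal: 0.0
    "story-d": [1, 2, 0],    # about 0.4472
    "story-e": [-1, 0, 0],   # opposite direction: -1.0
    "story-f": None,         # no embedding vector
}

if __name__ == "__main__":
    print(similar_stories(STORIES, "story-a"))
    print(similar_stories(STORIES, "story-a", threshold=-1))
    print(similar_stories(STORIES, "story-f"))
```

Lowering the threshold widens the result set without changing the order, so a consumer that pages with offset and limit should keep the threshold fixed across pages.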

Stories Index

get

Get paginated list of stories.

Stories are collections of related references that have been clustered together based on content similarity and temporal proximity.

Date filtering is handled by the StoryFilter via TimestampFilterMixin, using parameters like created_at__gte, created_at__lt, updated_at__gte, updated_at__lt.

Query parameters
filterstringOptional

A string used to filter stories. Allowed filter terms:

  • title:: filter by title (case insensitive substring)
  • description:: filter by description (case insensitive substring)
  • min_refs:: filter by minimum reference count (e.g., min_refs:5)
  • max_refs:: filter by maximum reference count (e.g., max_refs:10)
  • topic:: filter by topic labels (comma-separated, OR logic, e.g., topic:ransomware,malware)
  • If no prefix is provided, the filter will search in the title.
topicsstring[]Optional

Filter by topic labels. Pass multiple values for OR logic (e.g., topics=ransomware&topics=malware). This is an alternative to using filter=topic:....

Default: []
sortstringOptional

Field to sort by - either created_at, updated_at, title, or reference_count

Default: created_at
Pattern: ^(created_at|updated_at|title|reference_count)$
orderstringOptional

Sort order - either asc or desc

Default: desc
Pattern: ^(asc|desc)$
offsetintegerOptional

The number of items to skip before starting to collect the result set.

Default: 0
limitinteger · min: 1 · max: 1000Optional

The maximum number of items to return.

Default: 100
followed_entitiesbooleanOptional

When true, returns only stories that mention entities the tenant is following

Default: false
followed_topicsbooleanOptional

Default: false
created_at__gteany ofOptional

Filter on the created_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
created_at__ltany ofOptional

Filter on the created_at field for items less than the given value

string · date-timeOptional
or
nullOptional
updated_at__gteany ofOptional

Filter on the updated_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
updated_at__ltany ofOptional

Filter on the updated_at field for items less than the given value

string · date-timeOptional
or
nullOptional
Responses
200

Successful Response

application/json
get
/v1/stories

Sources Index

get

Retrieve a list of all source configurations with reference counts.

Query parameters
filterstringOptional

A string used to filter sources. Allowed filter terms:

  • type:: filter by reference type. Valid values: UNSTRUCTURED, STRUCTURED, SYNTHETIC, STRUCTURED_SOCIAL (case insensitive)
  • slug:: filter by slug. (case insensitive substring filter)
  • If no prefix is provided, the filter will be conducted on the slug.
Responses
200

Successful Response

application/json
get
/v1/sources

Product Index

get

Endpoint to browse for products.

Query parameters
filterstringOptional

A string used to filter products. It can start with specific prefixes to indicate the type of filter:

  • name:: Filter by Name.
  • internal_name:: Filter by internal_name (exact match).
  • desc:: Filter by description (searches both description and gen_description fields).
  • If no prefix is provided, it defaults to a name filter.
Default: ""
offsetintegerOptional

The number of items to skip before starting to collect the result set.

Default: 0
limitinteger · min: 1Optional

The maximum number of items to return.

Default: 100
sortstringOptional

Field to sort by - either name, created_at, updated_at, enriched_at, trending_1d, trending_7d, or trending_30d

Default: created_at
Pattern: ^(name|created_at|updated_at|enriched_at|trending_1d|trending_7d|trending_30d)$
orderstringOptional

Sort order - either asc or desc

Default: desc
Pattern: ^(asc|desc)$
include_mergedbooleanOptional

Include entities that have been merged into other entities

Default: false
followedbooleanOptional

When true, returns only products that the tenant is following

Default: false
created_at__gteany ofOptional

Filter on the created_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
created_at__ltany ofOptional

Filter on the created_at field for items less than the given value

string · date-timeOptional
or
nullOptional
updated_at__gteany ofOptional

Filter on the updated_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
updated_at__ltany ofOptional

Filter on the updated_at field for items less than the given value

string · date-timeOptional
or
nullOptional
Responses
200

Successful Response

application/json
get
/v1/products

Malware Index

get

Endpoint to browse for malware, with filters on some criteria.

Query parameters
filterstringOptional

A string used to filter malware. It can start with specific prefixes to indicate the type of filter:

  • name:: Filter by Name.
  • uuid:: Filter by UUID.
  • internal_name:: Filter by internal_name (exact match).
  • desc:: Filter by description (searches both description and gen_description fields).
  • If no prefix is provided, it defaults to a name filter.
offsetintegerOptional

The number of items to skip before starting to collect the result set.

Default: 0
sortstringOptional

Field to sort by - either name, created_at, updated_at, enriched_at, trending_1d, trending_7d, or trending_30d

Default: created_at
Pattern: ^(name|created_at|updated_at|enriched_at|trending_1d|trending_7d|trending_30d)$
orderstringOptional

Sort order - either asc or desc

Default: desc
Pattern: ^(asc|desc)$
limitinteger · min: 1Optional

The maximum number of items to return.

Default: 100
include_mergedbooleanOptional

Include entities that have been merged into other entities

Default: false
followedbooleanOptional

When true, returns only malware that the tenant is following

Default: false
created_at__gteany ofOptional

Filter on the created_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
created_at__ltany ofOptional

Filter on the created_at field for items less than the given value

string · date-timeOptional
or
nullOptional
updated_at__gteany ofOptional

Filter on the updated_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
updated_at__ltany ofOptional

Filter on the updated_at field for items less than the given value

string · date-timeOptional
or
nullOptional
Responses
200

Successful Response

application/json
get
/v1/malware

Exploit Vulnerabilities

get

Get vulnerabilities associated with a specific exploit with pagination and filtering.

Path parameters
identifierstringRequired

The unique UUID of the exploit

Query parameters
filterstringOptional

A string used to filter vulnerabilities. It can start with specific prefixes to indicate the type of filter:

  • cve:: Filter by CVE ID.
  • desc:: Filter by description.
  • If the filter string matches the pattern CVE-, it will be treated as a CVE filter.
  • If no prefix is provided, it defaults to searching both CVE ID and description.
Default: ""
offsetintegerOptional

The number of items to skip before starting to collect the result set.

Default: 0
limitinteger · min: 1Optional

The maximum number of items to return.

Default: 100
sortstringOptional

Field to sort by: cve_id, created_at, updated_at, cvss_base_score, or epss_score

Default: cve_id
Pattern: ^(cve_id|created_at|updated_at|cvss_base_score|epss_score)$
orderstringOptional

Sort order - either asc or desc

Default: asc
Pattern: ^(asc|desc)$
Responses
200

Successful Response

application/json
get
/v1/exploits/{identifier}/vulnerabilities

Lookup Weakness

get

Endpoint to lookup a weakness by its unique identifier. Can use either CWE-ID (e.g., CWE-79) or UUID.

Path parameters
identifierstringRequired

The unique identifier of the weakness to retrieve (CWE-ID or UUID)

Responses
200

Successful Response

application/json
get
/v1/weaknesses/{identifier}

Export Story

get

Export complete story intelligence with all related entities.

Returns the story data along with:

  • references: All references associated with the story

  • content_chunks: Content chunk metadata for each reference

  • analysis_object: Full analysis with synopsis, facts, entities (if include_analysis=true)

  • topic_labels: Story topic classifications with similarity scores

  • focus_entities: Key entities (vulnerabilities, threat actors, etc.) in the story

This endpoint provides a comprehensive export suitable for integration with external systems, data pipelines, or archival purposes.

Path parameters
identifierstringRequired

The unique UUID of the story to export

Query parameters
include_analysisbooleanOptional

Include analysis objects for content chunks

Default: true
Responses
200

Successful Response

application/json
Responseany
get
/v1/stories/{identifier}/export

No content

Update Story

patch

Update a story's title and/or description (admin only).

  • identifier: The unique UUID of the story to update.

  • title: Optional new title (max 500 characters).

  • description: Optional new description.

Returns the updated story. If no fields are provided, returns the story unchanged.

Path parameters
identifierstringRequired

The unique UUID of the story to update

Body

Request schema for updating a story.

titleany ofOptional

New title for the story

string · max: 500Optional
or
nullOptional
descriptionany ofOptional

New description for the story

stringOptional
or
nullOptional
Responses
200

Successful Response

application/json
patch
/v1/stories/{identifier}

Delete Story

delete

Permanently delete a story (admin only).

This will cascade delete:

  • Story references (associations to references)

  • Story events

  • Focus entities

  • Topic labels

The underlying references are NOT deleted, only the story and its associations.

Use with caution - this operation cannot be undone.

Path parameters
identifierstringRequired

The unique UUID of the story to delete

Responses
delete
/v1/stories/{identifier}

No content

Single Story

get

Retrieve a story by its UUID.

  • identifier: The unique UUID of the story to retrieve.

  • include_merged: Set to true to include merged stories (default: false).

This endpoint returns the story object associated with the given UUID. If no story is found, a 404 error is returned.

Path parameters
identifierstringRequired

The unique UUID of the story to retrieve

Query parameters
include_mergedbooleanOptional

Include stories that have been merged into other stories

Default: false
Responses
200

Successful Response

application/json
get
/v1/stories/{identifier}

Update Schedule

patch

Update an existing schedule.

Path parameters
schedule_uuidstring · uuidRequired
Body
nameany ofOptional
stringOptional
or
nullOptional
schedule_cron_stringany ofOptional
stringOptional
or
nullOptional
promptany ofOptional
stringOptional
or
nullOptional
statusany ofOptional
stringOptional
or
nullOptional
integration_uuidany ofOptional
string · uuidOptional
or
nullOptional
timezoneany ofOptional
stringOptional
or
nullOptional
Responses
200

Successful Response

application/json
patch
/v1/schedules/{schedule_uuid}

Delete Schedule

delete

Delete a schedule.

Path parameters
schedule_uuidstring · uuidRequired
Responses
delete
/v1/schedules/{schedule_uuid}

No content

Create Schedule

post

Create a new schedule.

Body
thread_uuidany ofOptional
string · uuidOptional
or
nullOptional
namestringRequired

Name of the schedule

schedule_cron_stringany ofOptional

Cron expression for scheduling (e.g., '0 9 * * *' for daily at 9am)

stringOptional
or
nullOptional
promptstringRequired

The prompt for the schedule

statusstringOptional

Status of the schedule, one of: active, paused

Default: active
integration_uuidany ofOptional

UUID of the Slack integration to use for notifications

string · uuidOptional
or
nullOptional
timezonestringOptional

IANA timezone identifier (e.g., 'America/New_York', 'Europe/London')

Default: UTC
Responses
post
/v1/schedules

Lookup Reference

get

Retrieve a reference by its identifier.

  • identifier: The unique hash of the URL or UUID to retrieve the reference for.

This endpoint returns the reference object associated with the given URL hash. If no reference is found, a 404 error is returned.

Note: The extracted_content field in content chunks is only returned for admin users. Non-admin users will receive the analysis results without the raw extracted content.

Path parameters
identifierstringRequired

The unique hash of the URL or UUID to retrieve the reference for

Responses
200

Successful Response

application/json
get
/v1/references/{identifier}

Create References

post

Create new references from a list of URLs.

  • urls: An array of URLs to ingest as references.

  • submitter: Optional string identifying the source of the submission. If not provided, defaults to "API".

This endpoint creates new references from the provided URLs. If any reference already exists, returns the existing reference for that URL. Returns an array of created/existing references.

Body

Request model for creating references from URLs.

urlsstring[]Required
submitterany ofOptional
stringOptional
or
nullOptional
Responses
200

Successful Response

application/json
post
/v1/references

Export Product

get

Export complete product with all related data.

Returns the product entity along with its organization, advisories, and mentions.

Use the optional timestamp parameters to filter related entities by their creation date. This is useful for incremental exports.

Path parameters
identifierstringRequired

The unique UUID of the technology product to export

Query parameters
relationships_created_afterany ofOptional

Filter related objects to only include those created after this ISO8601/RFC3339 timestamp

string · date-timeOptional
or
nullOptional
relationships_created_beforeany ofOptional

Filter related objects to only include those created before this ISO8601/RFC3339 timestamp

string · date-timeOptional
or
nullOptional
Responses
200

Successful Response

application/json
Responseany
get
/v1/products/{identifier}/export

No content

Lookup Product

get
Path parameters
identifierstringRequired

The unique UUID of the technology product to retrieve

Responses
200

Successful Response

application/json
get
/v1/products/{identifier}

Search Products

post

Endpoint to search for products based on search criteria.

Query parameters
offsetintegerOptional

The number of items to skip before starting to collect the result set.

Default: 0
limitinteger · min: 1Optional

The maximum number of items to return.

Default: 100
sortstringOptional

Field to sort by - either name, created_at or updated_at

Default: created_at
Pattern: ^(name|created_at|updated_at)$
orderstringOptional

Sort order - either asc or desc

Default: desc
Pattern: ^(asc|desc)$
Body

The search criteria for products

search_typestringOptional

The type of search to perform. Options are: 'standard', 'did_you_mean'. Defaults to 'standard'.

Default: standard
Example: standard
cpeany ofOptional

Common Platform Enumeration (CPE) 2.3 string. Overrides type, vendor, and product if provided.

Default: null
Example: cpe:2.3:a:vendor:product:1.0:*:*:*:*:*:*:*
stringOptional
or
nullOptional
typeany ofOptional

The type of the product (e.g., application, operating system). Defaults to 'application'.

Default: application
Example: application
stringOptional
or
nullOptional
vendorany ofOptional

The vendor of the product.

Default: null
Example: ExampleVendor
stringOptional
or
nullOptional
productany ofOptional

The name of the product.

Default: null
Example: ExampleProduct
stringOptional
or
nullOptional
Responses
200

Successful Response

application/json
post
/v1/products/search

Export Organization

get

Export complete organization with all related data.

Returns the organization entity along with its products, mentions, and aliases.

Use the optional timestamp parameters to filter related entities by their creation date. This is useful for incremental exports.

Path parameters
identifierstringRequired

The unique UUID or name of the organization to export

Query parameters
relationships_created_afterany ofOptional

Filter related objects to only include those created after this ISO8601/RFC3339 timestamp

string · date-timeOptional
or
nullOptional
relationships_created_beforeany ofOptional

Filter related objects to only include those created before this ISO8601/RFC3339 timestamp

string · date-timeOptional
or
nullOptional
Responses
200

Successful Response

application/json
Responseany
get
/v1/organizations/{identifier}/export

No content

Lookup Organization

get
Path parameters
identifierstringRequired

The unique UUID or name of the organization to retrieve

Responses
200

Successful Response

application/json
get
/v1/organizations/{identifier}

Update Opinion

patch

Update an opinion. Observable type and name cannot be changed.

Path parameters
uuidstringRequired

Opinion UUID

Body
verdictany ofOptional
stringOptional
or
nullOptional
confidenceany ofOptional
stringOptional
or
nullOptional
sourceany ofOptional
stringOptional
or
nullOptional
descriptionany ofOptional
stringOptional
or
nullOptional
attributesany ofOptional
or
nullOptional
urlany ofOptional
stringOptional
or
nullOptional
published_atany ofOptional
string · date-timeOptional
or
nullOptional
Responses
200

Successful Response

application/json
patch
/v1/opinions/{uuid}

Delete Opinion

delete

Delete an opinion.

Path parameters
uuidstringRequired

Opinion UUID

Responses
200

Successful Response

application/json
Responseany
delete
/v1/opinions/{uuid}


Create Opinion

post

Create a new opinion. If the referenced observable doesn't exist, it will be created.

Body
observable_typestringRequired
observable_namestringRequired
verdictstringRequired
sourcestringRequired
confidenceany ofOptional
stringOptional
or
nullOptional
descriptionany ofOptional
stringOptional
or
nullOptional
attributesany ofOptional
or
nullOptional
urlany ofOptional
stringOptional
or
nullOptional
published_atstring · date-timeRequired
Responses
post
/v1/opinions

Update Observable

patch

Update an observable. Only description and attributes can be updated.

Path parameters
uuidstringRequired

Observable UUID

Body
descriptionany ofOptional
stringOptional
or
nullOptional
attributesany ofOptional
or
nullOptional
Responses
200

Successful Response

application/json
patch
/v1/observables/{uuid}

Delete Observable

delete

Delete an observable.

Path parameters
uuidstringRequired

Observable UUID

Responses
200

Successful Response

application/json
Responseany
delete
/v1/observables/{uuid}


Create Observable

post

Create a new observable.

Body
typestringRequired
namestringRequired
descriptionany ofOptional
stringOptional
or
nullOptional
attributesany ofOptional
or
nullOptional
Responses
post
/v1/observables

Export Malware

get

Export complete malware with all related data.

Returns the malware entity along with all associated aliases, vulnerabilities, and mentions.

Use the optional timestamp parameters to filter related entities by their creation date. This is useful for incremental exports.

Path parameters
identifierstringRequired

The unique UUID or name of the malware to export

Query parameters
relationships_created_afterany ofOptional

Filter related objects to only include those created after this ISO8601/RFC3339 timestamp

string · date-timeOptional
or
nullOptional
relationships_created_beforeany ofOptional

Filter related objects to only include those created before this ISO8601/RFC3339 timestamp

string · date-timeOptional
or
nullOptional
Responses
200

Successful Response

application/json
Responseany
get
/v1/malware/{identifier}/export


Lookup Malware

get
Path parameters
identifierstringRequired

The unique UUID or name of the malware to retrieve

Responses
200

Successful Response

application/json
get
/v1/malware/{identifier}

Update Integration

patch

Update an existing integration.

If sensitive_data is provided, it will be validated against the type-specific schema and re-encrypted. Sensitive data is never included in responses.

Path parameters
integration_uuidstring · uuidRequired
Body

Schema for updating an existing integration.

nameany ofOptional
string · min: 1 · max: 255Optional
or
nullOptional
sensitive_dataany ofOptional

Sensitive credentials (will be encrypted)

or
nullOptional
configurationany ofOptional

Non-sensitive configuration

or
nullOptional
Responses
200

Successful Response

application/json
patch
/v1/integrations/{integration_uuid}

Delete Integration

delete

Delete an integration.

Only allows deletion of integrations belonging to the current tenant.

By default, if the integration is used by schedules, returns HTTP 409 Conflict with the list of affected schedules without deleting. Set force=true to proceed with deletion.

When force=true, the integration_uuid will be cleared from all associated schedules before deletion.

Returns:

  • 200: Integration deleted successfully
  • 404: Integration not found
  • 409: Integration is in use by schedules (requires force=true)

Path parameters
integration_uuidstring · uuidRequired
Query parameters
forcebooleanOptional

Force deletion even if schedules are using this integration

Default: false
Responses
200

Successful Response

application/json
Responseany
delete
/v1/integrations/{integration_uuid}
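
The conflict-then-force flow described for Delete Integration, as an added Python example (not the vendor's client code). The host `api.example.invalid`, the injected `send` transport, the `approve_force` callback and the shape of the 409 body are assumptions; authentication is left to the transport.

```python
import uuid
from urllib.parse import parse_qs, urlencode, urlsplit

BASE_URL = "https://api.example.invalid"  # placeholder host (assumption)

# Constructed sample identifiers, not real integrations.
IN_USE = "11111111-1111-4111-8111-111111111111"
UNUSED = "22222222-2222-4222-8222-222222222222"


class IntegrationInUse(Exception):
    """HTTP 409 was returned and the caller did not approve a forced delete."""

    def __init__(self, conflict_body):
        super().__init__("integration is still used by schedules")
        self.conflict_body = conflict_body


def build_delete_url(integration_uuid, force=False):
    # Round-trip through uuid.UUID so only a canonical UUID reaches the
    # URL path; anything else (e.g. "../schedules") raises ValueError.
    canonical = str(uuid.UUID(str(integration_uuid)))
    url = f"{BASE_URL}/v1/integrations/{canonical}"
    if force:
        url += "?" + urlencode({"force": "true"})
    return url


def delete_integration(send, integration_uuid, approve_force=None):
    """Delete without force first; retry with force=true only if approved.

    send(method, url) -> (status, body) is the caller's HTTP transport.
    approve_force(conflict_body) -> bool reviews the affected schedules.
    """
    status, body = send("DELETE", build_delete_url(integration_uuid))
    if status == 409:
        # Documented default: nothing has been deleted at this point.
        if approve_force is None or not approve_force(body):
            raise IntegrationInUse(body)
        status, body = send(
            "DELETE", build_delete_url(integration_uuid, force=True)
        )
    if status == 200:
        return "deleted"
    if status == 404:
        return "not_found"
    raise RuntimeError(f"unexpected HTTP status {status}")


class FakeApi:
    """Constructed in-memory stand-in for the documented 200/404/409 rules."""

    def __init__(self, integrations, schedules):
        self.integrations = set(integrations)
        self.schedules = dict(schedules)  # schedule name -> integration uuid

    def send(self, method, url):
        parts = urlsplit(url)
        target = parts.path.rsplit("/", 1)[-1]
        force = parse_qs(parts.query).get("force") == ["true"]
        if method != "DELETE" or target not in self.integrations:
            return 404, None
        users = sorted(s for s, i in self.schedules.items() if i == target)
        if users and not force:
            return 409, {"schedules": users}  # body shape is an assumption
        for name in users:
            self.schedules[name] = None  # force=true clears integration_uuid
        self.integrations.discard(target)
        return 200, None


def demo():
    api = FakeApi({IN_USE, UNUSED}, {"nightly-report": IN_USE})
    results = {"unused": delete_integration(api.send, UNUSED)}
    try:
        delete_integration(api.send, IN_USE)  # no approval given
    except IntegrationInUse as exc:
        results["blocked"] = exc.conflict_body
    results["still_present"] = IN_USE in api.integrations
    results["forced"] = delete_integration(
        api.send, IN_USE, approve_force=lambda body: True
    )
    results["schedule_after"] = api.schedules["nightly-report"]
    results["gone"] = delete_integration(api.send, IN_USE)
    return results


if __name__ == "__main__":
    print(demo())
```

Keeping the forced retry behind an explicit approval step means a schedule only loses its integration after someone has seen the 409 response.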


Create Integration

post

Create a new integration for the current tenant.

Sensitive data is encrypted before storage and never returned in responses. The request body is validated against type-specific schemas based on the 'type' field.

Body
Responses
post
/v1/integrations

Export Exploit

get

Export complete exploit with all related data.

Returns the exploit entity along with all associated vulnerabilities.

Use the optional timestamp parameters to filter related entities by their creation date. This is useful for incremental exports.

Path parameters
identifierstringRequired

The unique UUID of the exploit to export

Query parameters
relationships_created_afterany ofOptional

Filter related objects to only include those created after this ISO8601/RFC3339 timestamp

string · date-timeOptional
or
nullOptional
relationships_created_beforeany ofOptional

Filter related objects to only include those created before this ISO8601/RFC3339 timestamp

string · date-timeOptional
or
nullOptional
Responses
200

Successful Response

application/json
Responseany
get
/v1/exploits/{identifier}/export


Lookup Exploit

get
Path parameters
identifierstringRequired

The unique UUID of the exploit to retrieve

Responses
200

Successful Response

application/json
get
/v1/exploits/{identifier}

Lookup Exploitation

get
Path parameters
identifierstringRequired

The unique UUID of the exploitation to retrieve

Responses
200

Successful Response

application/json
get
/v1/exploitations/{identifier}

Get By Configuration

get

Get all vulnerable configuration sets for a specific technology product configuration.

Path parameters
configuration_uuidstring · uuidRequired

The technology product configuration UUID to retrieve vulnerable sets for

Responses
200

Successful Response

application/json
get
/v1/vulnerable_technology_product_configuration_sets/by-configuration/{configuration_uuid}

Get Schedule Executions

get

Get execution history for a schedule.

Path parameters
schedule_uuidstring · uuidRequired
Query parameters
limitinteger · min: 1 · max: 500Optional

Maximum number of executions to return

Default: 100
offsetintegerOptional

Number of executions to skip

Default: 0
Responses
200

Successful Response

application/json
get
/v1/schedules/{schedule_uuid}/executions

Get Vulnerability Mentions

get
Path parameters
identifierstringRequired

The unique hash of the URL or UUID to retrieve the reference for

Responses
200

Successful Response

application/json
get
/v1/references/{identifier}/vulnerability-mentions

Get Threat Actors

get

Retrieve threat actors associated with a reference.

  • identifier: The unique hash of the URL or UUID to retrieve the reference for.

Path parameters
identifierstringRequired

The unique hash of the URL or UUID to retrieve the reference for

Responses
200

Successful Response

application/json
get
/v1/references/{identifier}/threat-actors

Get Reference Entities

get

Retrieve all entities associated with a reference, grouped by type.

  • identifier: The unique hash of the URL or UUID to retrieve the reference for.

Returns all threat actors, vulnerabilities, malware, organizations, products, and vendors mentioned in this reference.

Path parameters
identifierstringRequired

The unique hash of the URL or UUID to retrieve the reference for

Responses
200

Successful Response

application/json
get
/v1/references/{identifier}/entities

Get Content Labels

get

Get available content labels for filtering references.

Returns all configured content labels with their display names, descriptions, and categories. Use these label keys with the labels query parameter when filtering references.

Responses
200

Successful Response

application/json
get
/v1/references/labels

Get Grouped Opinions

get

Get opinions grouped by observable (observable_type, observable_name). Pagination is applied at the grouped observable level, so limit=10 returns 10 distinct observables, each with all their matching opinions.

Query parameters
typeany ofOptional

Filter by observable type (e.g., ip.v4, domain)

stringOptional
or
nullOptional
verdictany ofOptional

Comma-separated list of verdicts to filter by (e.g., malicious,suspicious)

stringOptional
or
nullOptional
sourceany ofOptional

Comma-separated list of sources to filter by (exact match)

stringOptional
or
nullOptional
observable_nameany ofOptional

Filter by observable name (case-insensitive contains search). Use this to search for specific IPs, domains, hashes, etc.

stringOptional
or
nullOptional
sortstringOptional

Field to sort by

Default: published_at
Pattern: ^(observable_name|observable_type|published_at)$
orderstringOptional

Sort order - either asc or desc

Default: desc
Pattern: ^(asc|desc)$
offsetintegerOptional

Number of grouped observables to skip

Default: 0
limitinteger · min: 1 · max: 200Optional

Maximum number of grouped observables to return

Default: 50
scopeany ofOptional

Scope filter to optionally limit the results to global or tenant data. If no scope is provided, then both global and tenant data are returned.

stringOptional
Pattern: ^(global|tenant)$
or
nullOptional
published_at__gteany ofOptional

Filter on the published_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
published_at__ltany ofOptional

Filter on the published_at field for items less than the given value

string · date-timeOptional
or
nullOptional
Responses
200

Successful Response

application/json
Responseany
get
/v1/opinions/grouped


Get Integration Schemas

get

Get JSON schemas for all registered integration types.

Returns schemas for credentials, configuration, and action payloads for each type, along with the type's supported capabilities.

Responses
200

Successful Response

application/json
Responseany
get
/v1/integrations/meta/schemas

Get Integration Capabilities

get

Get available capabilities for all registered integration types.

Returns a mapping of integration type to list of supported actions.

Responses
200

Successful Response

application/json
Responseany
get
/v1/integrations/meta/capabilities

Get Gics Codes

get

Get the GICS (Global Industry Classification Standard) hierarchy.

Returns the complete GICS hierarchy organized as: Sectors -> Industry Groups -> Industries -> Sub-Industries.

Use this data for industry selection in tenant configuration or filtering by industry classification.

Responses
200

Successful Response

application/json
get
/v1/industries

Get Export History

get

Get export history

Query parameters
export_typestringOptional

Type of export to retrieve. Allowed: vuln_intel

Default: vuln_intel
export_strategyany ofOptional

Filter by export strategy

stringOptional
or
nullOptional
limitinteger · min: 1 · max: 100Optional

Number of exports to return

Default: 10
created_at__gteany ofOptional

Filter on the created_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
created_at__ltany ofOptional

Filter on the created_at field for items less than the given value

string · date-timeOptional
or
nullOptional
updated_at__gteany ofOptional

Filter on the updated_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
updated_at__ltany ofOptional

Filter on the updated_at field for items less than the given value

string · date-timeOptional
or
nullOptional
Responses
200

Successful Response

application/json
get
/v1/exports/history

Get Latest Dashboard

get
Path parameters
report_typeconst: current-eventsRequired
Responses
200

Successful Response

application/json
get
/v1/dashboards/{report_type}/latest

Story References

get

Get references associated with a specific story with pagination and sorting.

Returns a list of references that have been clustered into this story.

Path parameters
identifierstringRequired

The unique UUID of the story

Query parameters
sortstringOptional

Field to sort by - either published_at, created_at, updated_at, title, or source_slug

Default: published_at
Pattern: ^(published_at|created_at|updated_at|title|source_slug)$
orderstringOptional

Sort order - either asc or desc

Default: desc
Pattern: ^(asc|desc)$
offsetintegerOptional

The number of items to skip before starting to collect the result set.

Default: 0
limitinteger · min: 1 · max: 1000Optional

The maximum number of items to return.

Default: 100
Responses
200

Successful Response

application/json
get
/v1/stories/{identifier}/references

Story Events

get

Get timeline events for a specific story with pagination and sorting.

Returns a chronological list of events that have occurred for this story, such as creation and reference assignments. Events are sorted by created_at.

Path parameters
identifierstringRequired

The unique UUID of the story

Query parameters
filterstringOptional

Filter parameter (e.g., 'event_type:story_created', 'event_type:reference_assigned')

orderstringOptional

Sort order - either asc or desc

Default: desc
Pattern: ^(asc|desc)$
offsetintegerOptional

The number of items to skip before starting to collect the result set.

Default: 0
limitinteger · min: 1 · max: 1000Optional

The maximum number of items to return.

Default: 100
Responses
200

Successful Response

application/json
get
/v1/stories/{identifier}/events

Story Entities

get

Get focus entities for a specific story with saliency scores.

Returns entities that are central to the story, grouped by entity type. Each entity includes a saliency score indicating how important it is to the story. The saliency score is calculated as the inner-product similarity between the entity's mention contexts and the story embedding.

Results are grouped by type (vulnerabilities, threat_actors, malware, technology_vendors, technology_products, organizations) and sorted by saliency score (highest first) within each group.

Path parameters
identifierstringRequired

The unique UUID of the story

Query parameters
thresholdnumber · max: 1Optional

Minimum saliency score threshold (range: 0 to 1)

Default: 0.5
entity_typeany ofOptional

Filter by entity type: vulnerability, threat_actor, malware, technology_product, or organization

stringOptional
Pattern: ^(vulnerability|threat_actor|malware|technology_product|organization)$
or
nullOptional
Responses
200

Successful Response

application/json
get
/v1/stories/{identifier}/entities

Story Topics

get

Get all unique topic labels across stories with their story counts.

Returns a list of topic labels with story counts and latest story timestamps. Supports filtering by story count and timestamp, and sorting by either field. This endpoint is useful for building topic filter UIs and onboarding flows.

Query parameters
sortstringOptional

Field to sort by

Default: story_count
Pattern: ^(story_count|latest_story_timestamp)$
orderstringOptional

Sort order

Default: desc
Pattern: ^(asc|desc)$
story_count__gtany ofOptional

Filter topics with story count greater than this value

integerOptional
or
nullOptional
story_count__gteany ofOptional

Filter topics with story count greater than or equal to this value

integerOptional
or
nullOptional
story_count__ltany ofOptional

Filter topics with story count less than this value

integerOptional
or
nullOptional
story_count__lteany ofOptional

Filter topics with story count less than or equal to this value

integerOptional
or
nullOptional
latest_story_timestamp__gtany ofOptional

Filter topics with latest story timestamp greater than this ISO8601 date

stringOptional
or
nullOptional
latest_story_timestamp__gteany ofOptional

Filter topics with latest story timestamp greater than or equal to this ISO8601 date

stringOptional
or
nullOptional
latest_story_timestamp__ltany ofOptional

Filter topics with latest story timestamp less than this ISO8601 date

stringOptional
or
nullOptional
latest_story_timestamp__lteany ofOptional

Filter topics with latest story timestamp less than or equal to this ISO8601 date

stringOptional
or
nullOptional
Responses
200

Successful Response

application/json
get
/v1/stories/topics

List Schedules

get

List schedules with optional filtering.

Query parameters
filterany ofOptional

Case-insensitive search on the prompt field

stringOptional
or
nullOptional
statusany ofOptional

Filter by status, one of: active, paused

stringOptional
or
nullOptional
offsetintegerOptional

The number of items to skip before starting to collect the result set.

Default: 0
limitinteger · min: 1Optional

The maximum number of items to return.

Default: 100
created_at__gteany ofOptional

Filter on the created_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
created_at__ltany ofOptional

Filter on the created_at field for items less than the given value

string · date-timeOptional
or
nullOptional
updated_at__gteany ofOptional

Filter on the updated_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
updated_at__ltany ofOptional

Filter on the updated_at field for items less than the given value

string · date-timeOptional
or
nullOptional
Responses
200

Successful Response

application/json
get
/v1/schedules

List Integrations

get

List all integrations for the current tenant.

Sensitive data is never included in responses.

Query Parameters:

  • filter: Optional filter string. "type:slack" filters by exact type match; "name:foo" filters by name containing "foo" (case-insensitive); "foo" is the same as "name:foo".
  • offset: Number of items to skip (default: 0)
  • limit: Maximum number of items to return (default: 500, max: 500)

Query parameters
filterany ofOptional

Filter by name or type. Use 'type:value' for type filter, 'name:value' or plain text for name filter (case-insensitive)

stringOptional
or
nullOptional
offsetintegerOptional

Number of items to skip

Default: 0
limitinteger · min: 1 · max: 500Optional

Maximum number of items to return

Default: 500
Responses
200

Successful Response

application/json
get
/v1/integrations

List Exports

get

Base exports endpoint. Returns export history and mirrors /history.

Query parameters
export_typestringOptional

Type of export to retrieve. Allowed: vuln_intel

Default: vuln_intel
export_strategyany ofOptional

Filter by export strategy

stringOptional
or
nullOptional
limitinteger · min: 1 · max: 100Optional

Number of exports to return

Default: 10
created_at__gteany ofOptional

Filter on the created_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
created_at__ltany ofOptional

Filter on the created_at field for items less than the given value

string · date-timeOptional
or
nullOptional
updated_at__gteany ofOptional

Filter on the updated_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
updated_at__ltany ofOptional

Filter on the updated_at field for items less than the given value

string · date-timeOptional
or
nullOptional
Responses
200

Successful Response

application/json
get
/v1/exports

Get Schedule

get

Get a specific schedule by UUID.

Path parameters
schedule_uuidstring · uuidRequired
Responses
200

Successful Response

application/json
get
/v1/schedules/{schedule_uuid}

Get Vulnerabilities

get

Retrieve vulnerabilities associated with a reference.

  • identifier: The unique hash of the URL or UUID to retrieve the reference for.

Path parameters
identifierstringRequired

The unique hash of the URL or UUID to retrieve the reference for

Responses
200

Successful Response

application/json
get
/v1/references/{identifier}/vulnerabilities

Get Integration

get

Get a specific integration by UUID.

Only returns integrations belonging to the current tenant. Sensitive data is never included in responses.

Path parameters
integration_uuidstring · uuidRequired
Responses
200

Successful Response

application/json
get
/v1/integrations/{integration_uuid}

Get Report

get
Path parameters
report_uuidstring · uuidRequired
Responses
200

Successful Response

application/json
get
/v1/dashboards/{report_uuid}

Vulnerable Technology Product Configuration Set Index

get

Endpoint to browse vulnerable technology product configuration sets based on various criteria.

Query parameters
filterstringOptional

A string used to filter configuration sets. It can start with specific prefixes to indicate the type of filter:

  • set_id:: Filter by set_id.
  • vulnerability_uuid:: Filter by vulnerability_uuid.
  • configuration_uuid:: Filter by technology_product_configuration_uuid.
offsetintegerOptional

The number of items to skip before starting to collect the result set.

Default: 0
limitinteger · min: 1Optional

The maximum number of items to return.

Default: 100
sortstringOptional

Field to sort by - either set_id, created_at or updated_at

Default: created_at
Pattern: ^(set_id|created_at|updated_at)$
orderstringOptional

Sort order - either asc or desc

Default: desc
Pattern: ^(asc|desc)$
created_at__gteany ofOptional

Filter on the created_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
created_at__ltany ofOptional

Filter on the created_at field for items less than the given value

string · date-timeOptional
or
nullOptional
updated_at__gteany ofOptional

Filter on the updated_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
updated_at__ltany ofOptional

Filter on the updated_at field for items less than the given value

string · date-timeOptional
or
nullOptional
Responses
200

Successful Response

application/json
get
/v1/vulnerable_technology_product_configuration_sets

Technology Product Advisories Index

get
Query parameters
offsetintegerOptional

The number of items to skip before starting to collect the result set.

Default: 0
limitinteger · min: 1Optional

The maximum number of items to return.

Default: 100
sortstringOptional

Field to sort by - either created_at, updated_at, source, or name

Default: created_at
Pattern: ^(created_at|updated_at|source|name)$
orderstringOptional

Sort order - either asc or desc

Default: desc
Pattern: ^(asc|desc)$
created_at__gteany ofOptional

Filter on the created_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
created_at__ltany ofOptional

Filter on the created_at field for items less than the given value

string · date-timeOptional
or
nullOptional
updated_at__gteany ofOptional

Filter on the updated_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
updated_at__ltany ofOptional

Filter on the updated_at field for items less than the given value

string · date-timeOptional
or
nullOptional
Responses
200

Successful Response

application/json
get
/v1/technology_product_advisories

Vulnerability Mentions Index

get
Query parameters
offsetintegerOptional

The number of items to skip before starting to collect the result set.

Default: 0
limitinteger · min: 1Optional

The maximum number of items to return.

Default: 100
sortstringOptional

Field to sort by - either created_at, updated_at, published_at, or collected_at

Default: published_at
Pattern: ^(created_at|updated_at|published_at|collected_at)$
orderstringOptional

Sort order - either asc or desc

Default: desc
Pattern: ^(asc|desc)$
created_at__gteany ofOptional

Filter on the created_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
created_at__ltany ofOptional

Filter on the created_at field for items less than the given value

string · date-timeOptional
or
nullOptional
updated_at__gteany ofOptional

Filter on the updated_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
updated_at__ltany ofOptional

Filter on the updated_at field for items less than the given value

string · date-timeOptional
or
nullOptional
Responses
200

Successful Response

application/json
get
/v1/mentions/vulnerabilities

Single Vulnerability Used By Malware

get

Get malware that exploits a specific vulnerability.

Returns malware that have been associated with this vulnerability through threat intelligence sources.

Path parameters
identifierstringRequired

The unique CVE ID or UUID of the vulnerability to retrieve

Query parameters
offsetintegerOptional

Number of items to skip

Default: 0
limitinteger · min: 1 · max: 500Optional

Maximum number of items to return

Default: 100
sortstringOptional

Field to sort by

Default: created_at
Pattern: ^(name|created_at|updated_at)$
orderstringOptional

Sort order

Default: desc
Pattern: ^(asc|desc)$
Responses
200

Successful Response

application/json
get
/v1/vulnerabilities/{identifier}/used_by_malware

Single Product Technology Product Advisories

get
Path parameters
identifierstringRequired

The unique UUID of the technology product to retrieve

Responses
200

Successful Response

application/json
Responseany
get
/v1/products/{identifier}/technology_product_advisories


Single Attack Pattern Threat Actors

get

Get threat actors that use this attack pattern (TTP).

Returns threat actors that have been associated with this technique through threat intelligence analysis.

Path parameters
identifierstringRequired

The unique UUID, MITRE ATT&CK ID, or name of the attack pattern

Query parameters
offsetintegerOptional

Number of items to skip

Default: 0
limitinteger · min: 1 · max: 500Optional

Maximum number of items to return

Default: 100
sortstringOptional

Field to sort by

Default: created_at
Pattern: ^(name|created_at|updated_at)$
orderstringOptional

Sort order

Default: desc
Pattern: ^(asc|desc)$
Responses
200

Successful Response

application/json
get
/v1/attack_patterns/{identifier}/threat_actors

Vulnerabilities Dashboard

get

Get trending vulnerabilities for 1 day, 7 day, and 30 day periods. Returns live data based on mention counts rather than compiled reports.

Query parameters
limitinteger · min: 1 · max: 100Optional

Maximum number of vulnerabilities per trending group

Default: 24
Responses
200

Successful Response

application/json
get
/v1/dashboards/vulnerabilities

Detection Signature Index

get

Endpoint to browse for detection signatures, with filters on some criteria.

Query parameters
offsetintegerOptional

The number of items to skip before starting to collect the result set.

Default: 0
limitinteger · min: 1Optional

The maximum number of items to return.

Default: 100
sortstringOptional

Field to sort by - either name, created_at or updated_at

Default: created_at
Pattern: ^(name|created_at|updated_at|enriched_at)$
orderstringOptional

Sort order - either asc or desc

Default: desc
Pattern: ^(asc|desc)$
created_at__gteany ofOptional

Filter on the created_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
created_at__ltany ofOptional

Filter on the created_at field for items less than the given value

string · date-timeOptional
or
nullOptional
updated_at__gteany ofOptional

Filter on the updated_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
updated_at__ltany ofOptional

Filter on the updated_at field for items less than the given value

string · date-timeOptional
or
nullOptional
Responses
200

Successful Response

application/json
get
/v1/detection_signatures

Single Malware Attack Patterns

get

Get attack patterns (TTPs) used by a specific malware.

Returns MITRE ATT&CK techniques that have been associated with this malware through threat intelligence analysis.

Path parameters
identifierstringRequired

The unique UUID or name of the malware to retrieve

Query parameters
offsetintegerOptional

Number of items to skip

Default: 0
limitinteger · min: 1 · max: 500Optional

Maximum number of items to return

Default: 100
sortstringOptional

Field to sort by

Default: created_at
Pattern: ^(name|mitre_attack_id|created_at|updated_at)$
orderstringOptional

Sort order

Default: desc
Pattern: ^(asc|desc)$
Responses
200

Successful Response

application/json
get
/v1/malware/{identifier}/attack_patterns

Single Attack Pattern Mentions

get

Get mentions for a specific attack pattern.

Path parameters
identifierstringRequired

The unique UUID, MITRE ATT&CK ID, or name of the attack pattern

Query parameters
offsetintegerOptional

Number of items to skip

Default: 0
limitinteger · min: 1 · max: 1000Optional

Maximum number of items to return

Default: 100
sortstringOptional

Field to sort by

Default: published_at
Pattern: ^(created_at|updated_at|published_at|source)$
orderstringOptional

Sort order

Default: desc
Pattern: ^(asc|desc)$
filterstringOptional

Filter parameter (e.g., 'user_generated_content:true' or 'user_generated_content:false')

Responses
200

Successful Response

application/json
get
/v1/attack_patterns/{identifier}/mentions

Single Attack Pattern Malware

get

Get malware that uses this attack pattern (TTP).

Returns malware that have been associated with this technique through threat intelligence analysis.

Path parameters
identifierstringRequired

The unique UUID, MITRE ATT&CK ID, or name of the attack pattern

Query parameters
offsetintegerOptional

Number of items to skip

Default: 0
limitinteger · min: 1 · max: 500Optional

Maximum number of items to return

Default: 100
sortstringOptional

Field to sort by

Default: created_at
Pattern: ^(name|created_at|updated_at)$
orderstringOptional

Sort order

Default: desc
Pattern: ^(asc|desc)$
Responses
200

Successful Response

application/json
get
/v1/attack_patterns/{identifier}/malware

Single Threat Actor Observables

get

Get observables (IoCs) linked to a specific threat actor.

Returns indicators of compromise such as IP addresses, domains, hashes, and URLs that have been associated with this threat actor.

Path parameters
identifierstringRequired

The unique UUID or name of the threat actor to retrieve

Query parameters
offsetintegerOptional

Number of items to skip

Default: 0
limitinteger · min: 1 · max: 500Optional

Maximum number of items to return

Default: 100
sortstringOptional

Field to sort by

Default: published_at
Pattern: ^(type|name|created_at|published_at)$
orderstringOptional

Sort order

Default: desc
Pattern: ^(asc|desc)$
filterstringOptional

Filter parameter (e.g., 'type:ip.v4', 'type:domain', 'type:hash.sha256')

Responses
200

Successful Response

application/json
get
/v1/actors/{identifier}/observables

Organizations Index

get

Endpoint to browse for organizations, with filters on some criteria.

Query parameters
filterstringOptional

A string used to filter organizations. It can start with specific prefixes to indicate the type of filter:

  • name:: Filter by Name, case-insensitive.
  • uuid:: Filter by UUID, case-insensitive.
  • internal_name:: Filter by internal_name (exact match).
  • desc:: Filter by description (searches both description and gen_description fields).

If no prefix is provided, it defaults to filtering on the display_name or name fields.

Examples:

  • name:Microsoft
  • name:apple
  • internal_name:microsoft_corporation
  • Microsoft Corporation
offsetintegerOptional

The number of items to skip before starting to collect the result set.

Default: 0
sortstringOptional

Field to sort by - either name, created_at, updated_at, enriched_at, trending_1d, trending_7d, or trending_30d

Default: created_at
Pattern: ^(name|created_at|updated_at|enriched_at|trending_1d|trending_7d|trending_30d)$
orderstringOptional

Sort order - either asc or desc

Default: desc
Pattern: ^(asc|desc)$
limitinteger · min: 1Optional

The maximum number of items to return.

Default: 100
include_mergedbooleanOptional

Include entities that have been merged into other entities

Default: false
followedbooleanOptional

When true, returns only organizations that the tenant is following

Default: false
created_at__gteany ofOptional

Filter on the created_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
created_at__ltany ofOptional

Filter on the created_at field for items less than the given value

string · date-timeOptional
or
nullOptional
updated_at__gteany ofOptional

Filter on the updated_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
updated_at__ltany ofOptional

Filter on the updated_at field for items less than the given value

string · date-timeOptional
or
nullOptional
Responses
200

Successful Response

application/json
get
/v1/organizations

Exploitations Index

get

Endpoint to browse for exploitations.

Query parameters
filterstringOptional

Filter the exploitations by vulnerability_uuid, cve_id, source, begins_at, or ends_at. It can start with specific prefixes to indicate the type of filter:

  • vulnerability_uuid:: Filter by vulnerability UUID.
  • cve_id:: Filter by CVE ID.
  • source:: Filter by source.
  • begins_at{operator}: Filter by begins_at. Allowed operators are: <, <=, =, >=, > (e.g. begins_at>2025-11-01)
  • ends_at{operator}: Filter by ends_at. Allowed operators are: <, <=, =, >=, > (e.g. ends_at<2025-11-01)
  • If no prefix is provided, it defaults to filtering on the vulnerability_uuid, cve_id, and source fields.
offsetintegerOptional

The number of items to skip before starting to collect the result set.

Default: 0
limitinteger · min: 1Optional

The maximum number of items to return.

Default: 100
sortstringOptional

Field to sort by - either count, created_at, updated_at, enriched_at, begins_at or ends_at

Default: created_at
Pattern: ^(count|created_at|updated_at|enriched_at|begins_at|ends_at)$
orderstringOptional

Sort order - either asc or desc

Default: desc
Pattern: ^(asc|desc)$
created_at__gteany ofOptional

Filter on the created_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
created_at__ltany ofOptional

Filter on the created_at field for items less than the given value

string · date-timeOptional
or
nullOptional
updated_at__gteany ofOptional

Filter on the updated_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
updated_at__ltany ofOptional

Filter on the updated_at field for items less than the given value

string · date-timeOptional
or
nullOptional
Responses
200

Successful Response

application/json
get
/v1/exploitations
get

Compare trending products between two adjacent time periods.

"Trending" is defined as the top N entities by mention count, where N is controlled by the trending_limit parameter (default: 10).

Uses a sliding window approach where the current period ends at now, and the baseline period ends where the current period starts.

Returns items categorized as:

  • newly_trending: In top N current but not in top N baseline

  • no_longer_trending: In top N baseline but not in top N current

  • still_trending: In top N for both periods

Example with window=1d, trending_limit=20:

  • current_period: (now - 1 day) to now, top 20 by mentions

  • baseline_period: (now - 2 days) to (now - 1 day), top 20 by mentions

Query parameters
windowstringOptional

Time window for comparison. Format: '<number><unit>', where unit is 'd' (days) or 'h' (hours). Examples: '1d', '12h', '7d'. Maximum: 30d or 720h. Default: '1d'.

Default: 1d
Pattern: ^\d+[dh]$
trending_limitinteger · min: 1 · max: 100Optional

Maximum number of entities to consider as 'trending' per period. Only the top N entities by mention count are compared. Default: 10.

Default: 10
Responses
200

Successful Response

application/json
get
/v1/products/trending/diff
get

Compare trending organizations between two adjacent time periods.

"Trending" is defined as the top N entities by mention count, where N is controlled by the trending_limit parameter (default: 10).

Uses a sliding window approach where the current period ends at now, and the baseline period ends where the current period starts.

Returns items categorized as:

  • newly_trending: In top N current but not in top N baseline

  • no_longer_trending: In top N baseline but not in top N current

  • still_trending: In top N for both periods

Example with window=1d, trending_limit=20:

  • current_period: (now - 1 day) to now, top 20 by mentions

  • baseline_period: (now - 2 days) to (now - 1 day), top 20 by mentions

Query parameters
windowstringOptional

Time window for comparison. Format: '<number><unit>', where unit is 'd' (days) or 'h' (hours). Examples: '1d', '12h', '7d'. Maximum: 30d or 720h. Default: '1d'.

Default: 1d
Pattern: ^\d+[dh]$
trending_limitinteger · min: 1 · max: 100Optional

Maximum number of entities to consider as 'trending' per period. Only the top N entities by mention count are compared. Default: 10.

Default: 10
Responses
200

Successful Response

application/json
get
/v1/organizations/trending/diff
get

Compare trending malware between two adjacent time periods.

"Trending" is defined as the top N entities by mention count, where N is controlled by the trending_limit parameter (default: 10).

Uses a sliding window approach where the current period ends at now, and the baseline period ends where the current period starts.

Returns items categorized as:

  • newly_trending: In top N current but not in top N baseline

  • no_longer_trending: In top N baseline but not in top N current

  • still_trending: In top N for both periods

Example with window=1d, trending_limit=20:

  • current_period: (now - 1 day) to now, top 20 by mentions

  • baseline_period: (now - 2 days) to (now - 1 day), top 20 by mentions

Query parameters
windowstringOptional

Time window for comparison. Format: '<number><unit>', where unit is 'd' (days) or 'h' (hours). Examples: '1d', '12h', '7d'. Maximum: 30d or 720h. Default: '1d'.

Default: 1d
Pattern: ^\d+[dh]$
trending_limitinteger · min: 1 · max: 100Optional

Maximum number of entities to consider as 'trending' per period. Only the top N entities by mention count are compared. Default: 10.

Default: 10
Responses
200

Successful Response

application/json
get
/v1/malware/trending/diff

Followed Topics Index

get

List all followed topics for the current tenant.

Query parameters
filterstringOptional

Filter using prefix syntax:

  • topic:: filter by topic prefix (e.g., topic:ransom)
  • uuid:: filter by UUID prefix
sortstringOptional

Field to sort by

Default: created_at
Pattern: ^(uuid|created_at|updated_at|topic)$
orderstringOptional

Sort order - either asc or desc

Default: desc
Pattern: ^(asc|desc)$
offsetintegerOptional

Number of items to skip

Default: 0
limitinteger · min: 1Optional

Maximum number of items to return

Default: 50
created_at__gteany ofOptional

Filter on the created_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
created_at__ltany ofOptional

Filter on the created_at field for items less than the given value

string · date-timeOptional
or
nullOptional
updated_at__gteany ofOptional

Filter on the updated_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
updated_at__ltany ofOptional

Filter on the updated_at field for items less than the given value

string · date-timeOptional
or
nullOptional
Responses
200

Successful Response

application/json
get
/v1/followed_topics

Followed Entities Index

get

List all followed entities for the current tenant.

Query parameters
filterstringOptional

Filter using prefix syntax:

  • entity_type:: filter by entity type (e.g., entity_type:vulnerability)
  • uuid:: filter by UUID prefix
sortstringOptional

Field to sort by

Default: created_at
Pattern: ^(uuid|created_at|updated_at|entity_type)$
orderstringOptional

Sort order - either asc or desc

Default: desc
Pattern: ^(asc|desc)$
offsetintegerOptional

Number of items to skip

Default: 0
limitinteger · min: 1Optional

Maximum number of items to return

Default: 50
created_at__gteany ofOptional

Filter on the created_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
created_at__ltany ofOptional

Filter on the created_at field for items less than the given value

string · date-timeOptional
or
nullOptional
updated_at__gteany ofOptional

Filter on the updated_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
updated_at__ltany ofOptional

Filter on the updated_at field for items less than the given value

string · date-timeOptional
or
nullOptional
Responses
200

Successful Response

application/json
get
/v1/followed_entities
get

Compare trending attack patterns between two adjacent time periods.

"Trending" is defined as the top N entities by mention count, where N is controlled by the trending_limit parameter (default: 10).

Uses a sliding window approach where the current period ends at now, and the baseline period ends where the current period starts.

Returns items categorized as:

  • newly_trending: In top N current but not in top N baseline

  • no_longer_trending: In top N baseline but not in top N current

  • still_trending: In top N for both periods

Example with window=1d, trending_limit=20:

  • current_period: (now - 1 day) to now, top 20 by mentions

  • baseline_period: (now - 2 days) to (now - 1 day), top 20 by mentions

Query parameters
windowstringOptional

Time window for comparison. Format: '<number><unit>', where unit is 'd' (days) or 'h' (hours). Examples: '1d', '12h', '7d'. Maximum: 30d or 720h. Default: '1d'.

Default: 1d
Pattern: ^\d+[dh]$
trending_limitinteger · min: 1 · max: 100Optional

Maximum number of entities to consider as 'trending' per period. Only the top N entities by mention count are compared. Default: 10.

Default: 10
Responses
200

Successful Response

application/json
get
/v1/attack_patterns/trending/diff
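
The comparison described for the four trending/diff endpoints (products, organizations, malware, attack patterns), modelled client-side as an added example; it is not the service's own code. The mention rows, the entity names, the half-open period boundaries and the tie-break by name are assumptions made here.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

WINDOW_RE = re.compile(r"\d+[dh]")  # documented pattern ^\d+[dh]$, applied with fullmatch
MAX_AMOUNT = {"d": 30, "h": 720}    # documented maximum: 30d or 720h


def parse_window(window="1d"):
    """Turn a window string such as '1d' or '12h' into a timedelta."""
    if not WINDOW_RE.fullmatch(window):
        raise ValueError(f"window must match ^\\d+[dh]$: {window!r}")
    amount, unit = int(window[:-1]), window[-1]
    if amount > MAX_AMOUNT[unit]:
        raise ValueError("window exceeds the documented maximum of 30d / 720h")
    return timedelta(days=amount) if unit == "d" else timedelta(hours=amount)


def periods(now, window):
    """Current period ends at now; baseline ends where the current one starts."""
    delta = parse_window(window)
    return (now - delta, now), (now - 2 * delta, now - delta)


def top_n(mentions, period, n):
    """Top-n entity names by mention count inside [start, end)."""
    start, end = period  # assumption: half-open interval, start inclusive
    counts = Counter(name for name, ts in mentions if start <= ts < end)
    # Assumption: equal counts are ordered by name; the page does not say.
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [name for name, _ in ranked[:n]]


def trending_diff(mentions, now, window="1d", trending_limit=10):
    """Categorise entities exactly as the three documented buckets describe."""
    if not 1 <= trending_limit <= 100:
        raise ValueError("trending_limit must be between 1 and 100")
    current, baseline = periods(now, window)
    cur = top_n(mentions, current, trending_limit)
    base = top_n(mentions, baseline, trending_limit)
    return {
        "newly_trending": [e for e in cur if e not in base],
        "no_longer_trending": [e for e in base if e not in cur],
        "still_trending": [e for e in cur if e in base],
    }


def build_sample(now):
    """Constructed mention rows: (entity name, timestamp). Not real data."""
    hour = timedelta(hours=1)
    rows = []
    for name, hours_ago, count in [
        ("malware-a", 30, 5), ("malware-b", 30, 4), ("malware-c", 30, 1),  # baseline day
        ("malware-d", 6, 9), ("malware-a", 6, 5), ("malware-c", 6, 3),     # current day
        ("malware-b", 6, 2),
    ]:
        rows += [(name, now - hours_ago * hour)] * count
    return rows


NOW = datetime(2025, 11, 3, 12, 0, tzinfo=timezone.utc)  # fixed clock for the example
SAMPLE_MENTIONS = build_sample(NOW)

if __name__ == "__main__":
    # With trending_limit=2, malware-b leaves the list although it is still
    # mentioned, and malware-c triples its mentions without entering it:
    # membership depends on rank within the period, not on absolute volume.
    print(trending_diff(SAMPLE_MENTIONS, NOW, "1d", 2))
```

Because the buckets are rank-based, the same data can give different answers for different trending_limit values, so record the limit alongside any alert built on this diff.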

Execute Integration Action

post

Execute an action on an integration.

Available actions depend on the integration type's capabilities:

  • test: Test the integration connection

  • execute: Execute an outbound action (e.g., send message)

Path parameters
integration_uuidstring · uuidRequired
actionstringRequired
Body
or
nullOptional
Responses
200

Successful Response

application/json
Responseany
post
/v1/integrations/{integration_uuid}/actions/{action}

No content

Current Events Dashboard

get
Query parameters
sortstringOptional

Field to sort by - either created_at or updated_at

Default: created_at
Pattern: ^(created_at|updated_at)$
orderstringOptional

Sort order - either asc or desc

Default: desc
Pattern: ^(asc|desc)$
offsetintegerOptional

The number of items to skip before starting to collect the result set.

Default: 0
limitinteger · min: 1Optional

The maximum number of items to return.

Default: 100
Responses
200

Successful Response

application/json
get
/v1/dashboards/current-events
get

Endpoint for an agent to search content chunks by embedding.

Query parameters
filterstringOptional

A string used to filter content chunks. The filter will be conducted within the content chunk embeddings.

limitinteger · min: 1Optional

The maximum number of items to return.

Default: 10
Responses
200

Successful Response

application/json
get
/v1/content_chunks/search

Content Chunks Index

get
Query parameters
filterstringOptional

A string used to filter content chunks. The filter will be conducted within the content chunk embeddings.

sortstringOptional

Field to sort by - either created_at, updated_at or analyzed_at

Default: created_at
Pattern: ^(created_at|updated_at|analyzed_at)$
orderstringOptional

Sort order - either asc or desc

Default: desc
Pattern: ^(asc|desc)$
offsetintegerOptional

The number of items to skip before starting to collect the result set.

Default: 0
limitinteger · min: 1Optional

The maximum number of items to return.

Default: 100
labelsstring[]Optional

Filter by topic labels (e.g., malware, ransomware, vulnerability). Multiple values use OR matching. Combined with other label category params using AND.

Default: []
format_labelsstring[]Optional

Filter by format labels (e.g., blog_post, news_article, research_paper). Multiple values use OR matching. Combined with other label category params using AND.

Default: []
source_type_labelsstring[]Optional

Filter by source type labels (e.g., government_advisory, threat_intel_vendor). Multiple values use OR matching. Combined with other label category params using AND.

Default: []
depth_labelsstring[]Optional

Filter by depth labels (e.g., technical_deep_dive). Multiple values use OR matching. Combined with other label category params using AND.

Default: []
created_at__gteany ofOptional

Filter on the created_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
created_at__ltany ofOptional

Filter on the created_at field for items less than the given value

string · date-timeOptional
or
nullOptional
updated_at__gteany ofOptional

Filter on the updated_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
updated_at__ltany ofOptional

Filter on the updated_at field for items less than the given value

string · date-timeOptional
or
nullOptional
Responses
200

Successful Response

application/json
get
/v1/content_chunks

Observables Index

get

List all observables with pagination and filtering.

Query parameters
filterstringOptional

Filter using prefix syntax:

  • type:: filter by observable type prefix or exact match (e.g., type:ip or type:ip.v4)
  • name:: filter by observable name (case insensitive)
  • uuid:: filter by UUID (partial match)
  • If no prefix is provided, filters by name
sortstringOptional

Field to sort by

Default: uuid
Pattern: ^(uuid|created_at|updated_at|type|name)$
orderstringOptional

Sort order - either asc or desc

Default: desc
Pattern: ^(asc|desc)$
offsetintegerOptional

Number of items to skip

Default: 0
limitinteger · min: 1Optional

Maximum number of items to return

Default: 100
scopestringOptional

Scope filter to optionally limit the results to global or tenant data. If no scope is provided, then both global and tenant data are returned. The scope can be one of the following:

  • global: only global data
  • tenant: only tenant-specific data
Pattern: ^(global|tenant)$
created_at__gteany ofOptional

Filter on the created_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
created_at__ltany ofOptional

Filter on the created_at field for items less than the given value

string · date-timeOptional
or
nullOptional
updated_at__gteany ofOptional

Filter on the updated_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
updated_at__ltany ofOptional

Filter on the updated_at field for items less than the given value

string · date-timeOptional
or
nullOptional
Responses
200

Successful Response

application/json
get
/v1/observables

Get Opinions By Observable Uuid

get

Get opinions for observable (via UUID lookup).

Returns detailed opinion models with reference_uuid populated via batch hydration (single query for all references instead of N+1).

Path parameters
uuidstringRequired

Observable UUID

Query parameters
offsetintegerOptional

Number of items to skip

Default: 0
limitinteger · min: 1Optional

Maximum number of items to return

Default: 100
sortstringOptional

Field to sort by

Default: uuid
Pattern: ^(uuid|created_at|published_at|observable_type|source)$
orderstringOptional

Sort order - either asc or desc

Default: desc
Pattern: ^(asc|desc)$
scopestringOptional

Scope filter to optionally limit the results to global or tenant data. The scope can be one of the following:

  • global: only global data
  • tenant: only tenant-specific data

If no scope is provided, the first matching Observable from global and tenant data is used, with tenant data preferred.
Pattern: ^(global|tenant)$
Responses
200

Successful Response

application/json
get
/v1/observables/{uuid}/opinions

Get Followed Topic By Uuid

get

Get a specific followed topic by UUID.

Path parameters
uuidstringRequired

Followed topic UUID

Responses
200

Successful Response

application/json
get
/v1/followed_topics/{uuid}

Get Followed Entity By Uuid

get

Get a specific followed entity by UUID.

Path parameters
uuidstringRequired

Followed entity UUID

Responses
200

Successful Response

application/json
get
/v1/followed_entities/{uuid}

Bulk Set Followed Topics

put

Replace all followed topics with the provided list.

Body
Responses
200

Successful Response

application/json
put
/v1/followed_topics

Bulk Set Followed Entities

put

Replace all followed entities with the provided list.

Body
Responses
200

Successful Response

application/json
put
/v1/followed_entities

Get Export Url By Uuid

get

Get a signed URL for a specific export by export UUID.

Path parameters
uuidstringRequired
Query parameters
expires_ininteger · min: 300 · max: 86400Optional

Signed URL expiration time in seconds (300-86400)

Default: 86400
Responses
200

Successful Response

application/json
get
/v1/exports/{uuid}

Lookup Detection Signature

get
Path parameters
identifierstringRequired

The unique UUID of the detection signature to retrieve

Responses
200

Successful Response

application/json
get
/v1/detection_signatures/{identifier}

Lookup Content Chunk

get

Retrieve a reference by its identifier.

  • identifier: The unique hash of the URL or UUID to retrieve the reference for.

This endpoint returns the reference object associated with the given URL hash. If no reference is found, a 404 error is returned.

Path parameters
identifierstringRequired

The unique hash of the URL or UUID to retrieve the reference for

Responses
200

Successful Response

application/json
get
/v1/content_chunks/{identifier}

Single Attack Pattern

get

Get a single attack pattern by UUID, MITRE ATT&CK ID, or name.

Path parameters
identifierstringRequired

The unique UUID, MITRE ATT&CK ID (e.g., T1566), or name of the attack pattern to retrieve

Responses
200

Successful Response

application/json
get
/v1/attack_patterns/{identifier}

Attack Patterns Index

get

Endpoint to browse attack patterns (MITRE ATT&CK techniques), with filters on various criteria.

Query parameters
filterstringOptional

A string used to filter attack patterns. It can start with specific prefixes to indicate the type of filter:

  • mitre_id:: Filter by MITRE ATT&CK ID (e.g., 'mitre_id:T1566').
  • tactic:: Filter by tactic (e.g., 'tactic:initial-access').
  • name:: Filter by name (partial match, case-insensitive).
  • subtechnique:: Filter by subtechnique status ('subtechnique:true' or 'subtechnique:false').
  • uuid:: Filter by UUID.

If no prefix is provided, it defaults to a name filter.
offsetintegerOptional

The number of items to skip before starting to collect the result set.

Default: 0
sortstringOptional

Field to sort by - name, mitre_attack_id, created_at, updated_at, trending_1d, trending_7d, or trending_30d

Default: created_at
Pattern: ^(name|mitre_attack_id|created_at|updated_at|trending_1d|trending_7d|trending_30d)$
orderstringOptional

Sort order - either asc or desc

Default: desc
Pattern: ^(asc|desc)$
limitinteger · min: 1Optional

The maximum number of items to return.

Default: 100
created_at__gteany ofOptional

Filter on the created_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
created_at__ltany ofOptional

Filter on the created_at field for items less than the given value

string · date-timeOptional
or
nullOptional
updated_at__gteany ofOptional

Filter on the updated_at field for items greater than or equal to the given value

string · date-timeOptional
or
nullOptional
updated_at__ltany ofOptional

Filter on the updated_at field for items less than the given value

string · date-timeOptional
or
nullOptional
Responses
200

Successful Response

application/json
get
/v1/attack_patterns

Create Followed Entity

post

Create a new followed entity.

Body
entity_typestringRequired

Type of entity being followed

entity_uuidstring · uuidRequired

UUID of the entity being followed

Responses
post
/v1/followed_entities

Delete Followed Entity

delete

Delete a followed entity.

Path parameters
uuidstringRequired

Followed entity UUID

Responses
200

Successful Response

application/json
Responseany
delete
/v1/followed_entities/{uuid}

No content

Update Followed Entity

patch

Update a followed entity.

Path parameters
uuidstringRequired

Followed entity UUID

Body
entity_typeany ofOptional

Type of entity being followed

stringOptional
or
nullOptional
entity_uuidany ofOptional

UUID of the entity being followed

string · uuidOptional
or
nullOptional
Responses
200

Successful Response

application/json
patch
/v1/followed_entities/{uuid}

Create Followed Topic

post

Create a new followed topic.

Body
topicstring · min: 1 · max: 255Required

Topic to follow

Responses
post
/v1/followed_topics

Delete Followed Topic

delete

Delete a followed topic.

Path parameters
uuidstringRequired

Followed topic UUID

Responses
200

Successful Response

application/json
Responseany
delete
/v1/followed_topics/{uuid}

No content

Update Followed Topic

patch

Update a followed topic.

Path parameters
uuidstringRequired

Followed topic UUID

Body
topicany ofOptional

Topic to follow

string · min: 1 · max: 255Optional
or
nullOptional
Responses
200

Successful Response

application/json
patch
/v1/followed_topics/{uuid}

Single Malware Mentions

get
Path parameters
identifierstringRequired

The unique UUID or name of the malware to retrieve

Query parameters
offsetintegerOptional

Number of items to skip

Default: 0
limitinteger · min: 1 · max: 1000Optional

Maximum number of items to return

Default: 100
sortstringOptional

Field to sort by

Default: published_at
Pattern: ^(created_at|updated_at|published_at|source)$
orderstringOptional

Sort order

Default: desc
Pattern: ^(asc|desc)$
filterstringOptional

Filter parameter (e.g., 'user_generated_content:true' or 'user_generated_content:false')

Responses
200

Successful Response

application/json
get
/v1/malware/{identifier}/mentions

Single Malware Observables

get

Get observables (IoCs) linked to a specific malware.

Returns indicators of compromise such as IP addresses, domains, hashes, and URLs that have been associated with this malware.

Path parameters
identifierstringRequired

The unique UUID or name of the malware to retrieve

Query parameters
offsetintegerOptional

Number of items to skip

Default: 0
limitinteger · min: 1 · max: 500Optional

Maximum number of items to return

Default: 100
sortstringOptional

Field to sort by

Default: published_at
Pattern: ^(type|name|created_at|published_at)$
orderstringOptional

Sort order

Default: desc
Pattern: ^(asc|desc)$
filterstringOptional

Filter parameter (e.g., 'type:ip.v4', 'type:domain', 'type:hash.sha256')

Responses
200

Successful Response

application/json
get
/v1/malware/{identifier}/observables
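
A client-side sketch for the two per-entity observables endpoints (/v1/actors/{identifier}/observables and /v1/malware/{identifier}/observables), added here as an example and not taken from the API's own SDK. It validates the documented limit, sort and order constraints before a request is built, encodes the identifier as a single path segment, and walks offset/limit pages. The host, the `fetch_page` callable, the list-of-dicts response shape and the sample rows are assumptions; authentication is left to `fetch_page`.

```python
import re
from urllib.parse import parse_qs, quote, urlencode, urlsplit

BASE_URL = "https://api.example.invalid"  # placeholder: the page names no host

# Constraints documented for both per-entity observables endpoints.
SORT_RE = re.compile(r"(type|name|created_at|published_at)")
ORDER_RE = re.compile(r"(asc|desc)")
MAX_LIMIT = 500
PATHS = {
    "actor": "/v1/actors/{identifier}/observables",
    "malware": "/v1/malware/{identifier}/observables",
}


def observables_url(kind, identifier, *, offset=0, limit=100,
                    sort="published_at", order="desc", filter=None):
    """Build a request URL, rejecting values the documented schema would refuse."""
    if kind not in PATHS:
        raise ValueError(f"kind must be one of {sorted(PATHS)}")
    if not isinstance(identifier, str) or not identifier:
        raise ValueError("identifier (UUID or name) is required")
    if not isinstance(limit, int) or not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be an integer in 1..{MAX_LIMIT}")
    if not isinstance(offset, int) or offset < 0:
        raise ValueError("offset must be a non-negative integer")
    if not SORT_RE.fullmatch(sort):
        raise ValueError(f"unsupported sort field: {sort!r}")
    if not ORDER_RE.fullmatch(order):
        raise ValueError(f"unsupported order: {order!r}")
    # The identifier may be a name containing spaces or slashes. safe="" keeps
    # it inside one path segment so it cannot change which route is called.
    path = PATHS[kind].replace("{identifier}", quote(identifier, safe=""))
    params = {"offset": offset, "limit": limit, "sort": sort, "order": order}
    if filter:
        params["filter"] = filter  # e.g. 'type:ip.v4', 'type:domain'
    return f"{BASE_URL}{path}?{urlencode(params)}"


def iter_observables(fetch_page, kind, identifier, *, page_size=MAX_LIMIT,
                     max_items=10_000, **query):
    """Yield observables page by page.

    fetch_page(url) must return a list of dicts (assumed response shape).
    max_items bounds the walk so a misbehaving server cannot loop it forever.
    """
    offset = 0
    while offset < max_items:
        url = observables_url(kind, identifier, offset=offset,
                              limit=page_size, **query)
        page = fetch_page(url)
        yield from page
        if len(page) < page_size:  # short page: the result set is exhausted
            return
        offset += page_size


# Constructed sample rows using documentation-reserved addresses, not real IoCs.
# The 'type' and 'name' keys are assumed from the documented sort fields.
SAMPLE_ROWS = [{"type": "ip.v4", "name": f"192.0.2.{i}"} for i in range(1, 6)]


def fake_fetch(url):
    """Offline stand-in for an HTTP GET: serves SAMPLE_ROWS by offset/limit."""
    query = parse_qs(urlsplit(url).query)
    offset, limit = int(query["offset"][0]), int(query["limit"][0])
    return SAMPLE_ROWS[offset:offset + limit]


if __name__ == "__main__":
    print(observables_url("actor", "Lazarus Group", limit=2, filter="type:ip.v4"))
    for row in iter_observables(fake_fetch, "malware", "example-family",
                                page_size=2, filter="type:ip.v4"):
        print(row["type"], row["name"])
```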

Single Malware Vulnerabilities

get

Get vulnerabilities exploited by a specific malware.

Returns vulnerabilities that have been associated with this malware through threat intelligence sources.

Path parameters
identifierstringRequired

The unique UUID or name of the malware to retrieve

Query parameters
offsetintegerOptional

Number of items to skip

Default: 0
limitinteger · min: 1 · max: 500Optional

Maximum number of items to return

Default: 100
sortstringOptional

Field to sort by

Default: created_at
Pattern: ^(cve_id|created_at|updated_at|published_at|cvss_base_score)$
orderstringOptional

Sort order

Default: desc
Pattern: ^(asc|desc)$
Responses
200

Successful Response

application/json
get
/v1/malware/{identifier}/vulnerabilities

Single Organization Mentions

get
Path parameters
identifierstringRequired

The unique UUID or name of the organization to retrieve

Query parameters
offsetintegerOptional

Number of items to skip

Default: 0
limitinteger · min: 1 · max: 1000Optional

Maximum number of items to return

Default: 100
sortstringOptional

Field to sort by

Default: published_at
Pattern: ^(created_at|updated_at|published_at|source)$
orderstringOptional

Sort order

Default: desc
Pattern: ^(asc|desc)$
filterstringOptional

Filter parameter (e.g., 'user_generated_content:true' or 'user_generated_content:false')

Responses
200

Successful Response

application/json
get
/v1/organizations/{identifier}/mentions

Single Organization Products

get

Get all products produced by an organization (formerly vendor products).

Path parameters
identifierstringRequired

The unique UUID or name of the organization to retrieve

Query parameters
offsetintegerOptional

Number of items to skip

Default: 0
limitinteger · min: 1 · max: 1000Optional

Maximum number of items to return

Default: 100
sortstringOptional

Field to sort by

Default: created_at
Pattern: ^(name|created_at|updated_at)$
orderstringOptional

Sort order

Default: desc
Pattern: ^(asc|desc)$
Responses
200

Successful Response

application/json
get
/v1/organizations/{identifier}/products

Single Product Mentions

get
Path parameters
identifierstringRequired

The unique UUID of the technology product to retrieve

Query parameters
offsetintegerOptional

Number of items to skip

Default: 0
limitinteger · min: 1 · max: 1000Optional

Maximum number of items to return

Default: 100
sortstringOptional

Field to sort by

Default: published_at
Pattern: ^(created_at|updated_at|published_at|source)$
orderstringOptional

Sort order

Default: desc
Pattern: ^(asc|desc)$
filterstringOptional

Filter parameter (e.g., 'user_generated_content:true' or 'user_generated_content:false')

Responses
200

Successful Response

application/json
get
/v1/products/{identifier}/mentions
