Get a list of entities.

Required permissions

  • read entities

Optional permissions

  • read extracts: Required to access the observables attached to an entity

  • read taxonomies: Required to access the taxonomies associated with an entity

  • read attack: Required to access the MITRE ATT&CK classifications associated with an entity

  • read intel-sets: Required to access the datasets associated with an entity

  • read incoming-feeds: Required to access the incoming feeds associated with an entity

  • read outgoing-feeds: Required to access the outgoing feeds associated with an entity

Query Params
int32
≥ 1

Maximum number of items to be returned

int32
≥ 0

Return results starting from the specified (zero-based) index

string

Comma-separated list of fields to sort on. Prefix a field with a minus sign ("-") to sort on it in descending order.

boolean

Set this parameter to false if you want to only retrieve the number of objects matching the query

string

Comma-separated list of attributes to be returned. Nested attributes are separated by dots - e.g. data.title

string

Filter by entity internal UUID

string

Filter by entity type

string

Filter by STIX ID

string

Filter by title

string

Filter by description

string

Filter by test mechanism type

string

Filter by producer identity

string

Filter by producer roles

string

Filter by entity alias

string

Filter by entity half-life

string

Filter by source(s)

string

Filter by incoming feed ID/URL

string

Filter by outgoing feed IDs/URLs

string

Filter by entity source reliability

string

Filter by tags

string

Filter by taxonomy node IDs/URLs

string

To filter out all unresolved entities, the correct filter is filter[!meta.is_unresolved_idref]=true.

string

Filter by TLP color

string

Filter by MITRE ATT&CK IDs/URLs. The filter also targets the parents, so if an entity is classified with a technique, filtering on the parent tactic includes that entity.

string

Filter by MITRE ATT&CK IDs/URLs. This filter targets only the explicitly classified ATT&CK entries, so if an entity is classified with a technique, filtering on the parent tactic does NOT include that entity.

string

Filter by dataset IDs/URLs. When multiple datasets are provided and all of them are non-relational datasets, a single search query combining all filters is executed on the server. When the datasets include at least one relational dataset, a union query is run on the server instead. A union query handles a combination of entity queries and entity-relational queries. Results are fetched from the contained queries sequentially, in the order the queries are given in the list. E.g. if queries=[q_1, q_2, ..., q_m], the union query first iterates over the result set of q_1, then over the results of q_2, and finally over the results of q_m. Because of this simplistic approach, the union query fetching mechanism has some limitations:

  • results are sorted within each individual contained query, not across the union query;
  • there might be duplicated items in the result, because they occur in multiple contained queries.

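
The two union-query limitations above can be compensated for on the client. The following is an added example, not code from the product or its documentation: it removes duplicates across the contained-query result sets and then applies one global sort using the same comma-separated, minus-prefixed, dot-nested field syntax described for the sort parameter. The `id` and `type` field names, the helper names and the sample entities are assumptions made for illustration.

```python
# Added example: helper names and sample entities are constructed for illustration.

def get_path(obj, dotted):
    """Resolve a dotted attribute path such as 'data.title'; None if absent."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj

def parse_sort(spec):
    """Parse 'a,-b.c' into [('a', False), ('b.c', True)]; True means descending."""
    keys = []
    for field in (f.strip() for f in spec.split(",")):
        if field:
            desc = field.startswith("-")
            keys.append((field[1:] if desc else field, desc))
    return keys

def merge_union_results(result_sets, sort_spec, id_field="id"):
    """Drop duplicates across contained-query results, then sort the union as a whole."""
    seen, merged = set(), []
    for result_set in result_sets:            # q_1, q_2, ..., q_m in server order
        for item in result_set:
            key = item.get(id_field)          # "id" is an assumed field name
            if key is not None:
                if key in seen:               # already returned by an earlier query
                    continue
                seen.add(key)
            merged.append(item)
    # Stable sorts applied from the least to the most significant key.
    # Items missing a field sort last when ascending, first when descending.
    for field, desc in reversed(parse_sort(sort_spec)):
        merged.sort(key=lambda e, f=field: (get_path(e, f) is None, get_path(e, f)),
                    reverse=desc)
    return merged

# Constructed sample: each list is sorted by title on its own; "c3" occurs in both.
Q1 = [{"id": "a1", "type": "report", "data": {"title": "APT17 report"}},
      {"id": "c3", "type": "ttp", "data": {"title": "IoT Malware"}}]
Q2 = [{"id": "b2", "type": "indicator", "data": {"title": "Emotet indicator"}},
      {"id": "c3", "type": "ttp", "data": {"title": "IoT Malware"}}]

if __name__ == "__main__":
    for entity in merge_union_results([Q1, Q2], "-data.title"):
        print(entity["id"], entity["data"]["title"])
```
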
string

Filter by observable IDs/URLs

string

Full-text or faceted search with logic operators such as AND and OR. Example values:

  • "IoT Malware"
  • data.title:malware OR data.description:APT17
  • attached_files: *

The search query language is Lucene, and the capability is the same as the one in the Intelligence Center UI. Read more in its documentation.
