Invoke a relational search query.

Relational search allows users to find entities which have relations to other entities, while both entity sets have specific search criteria.

The node queries, query_1.es_query and query_2.es_query, are native Elasticsearch query objects.

It is possible to search:

  1. Only directly related entities
  2. Both entities related directly or indirectly through any intermediary entity

For example, a relational query looking for "all TTPs with tag 'bar' linked to indicators with tag 'apt-x'" is:

{
    "data": {
        "query_1": {
            "es_query": {
                "query_string": {
                    "query": "data.type:ttp AND meta.tags: bar",
                    "lenient": true
                }
            },
            "node_type": "entity"
        },
        "query_2": {
            "es_query": {
                "query_string": {
                    "query": "data.type:indicator AND meta.tags: apt-x",
                    "lenient": true
                }
            },
            "node_type": "entity"
        },
        "relation_query": {"query_string": {"query": "*", "lenient": true}},
        "output": "query_1"
    }
}
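Because each es_query above is an Elasticsearch query_string, a tag or type value taken from user input can change the meaning of the search unless its reserved characters are escaped. The following is an added example, not part of the original documentation or the product's own code: it builds the request body shown above from untrusted values. The function names escape_term, entity_node and relational_query are hypothetical.

```python
import json
import re

# Reserved characters of the Elasticsearch query_string syntax that can be
# backslash-escaped, plus whitespace. "<" and ">" cannot be escaped at all,
# so they are removed from the value instead.
_RESERVED = re.compile(r'([+\-=&|!(){}\[\]^"~*?:\\/\s])')


def escape_term(value: str) -> str:
    """Turn an untrusted value into a single literal query_string term."""
    cleaned = value.replace("<", "").replace(">", "").strip()
    # A bare boolean operator would be parsed as syntax, not as a term.
    if not cleaned or cleaned.upper() in {"AND", "OR", "NOT"}:
        raise ValueError(f"unusable search term: {value!r}")
    return _RESERVED.sub(r"\\\1", cleaned)


def entity_node(entity_type: str, tag: str) -> dict:
    """One node query (query_1 or query_2) in the shape used on this page."""
    query = f"data.type:{escape_term(entity_type)} AND meta.tags:{escape_term(tag)}"
    return {
        "es_query": {"query_string": {"query": query, "lenient": True}},
        "node_type": "entity",
    }


def relational_query(left: tuple, right: tuple) -> str:
    """Serialize the request body; json.dumps guarantees valid JSON."""
    body = {
        "data": {
            "query_1": entity_node(*left),
            "query_2": entity_node(*right),
            # Match any relation between the two entity sets, as on the page.
            "relation_query": {"query_string": {"query": "*", "lenient": True}},
            "output": "query_1",
        }
    }
    return json.dumps(body, indent=4)


if __name__ == "__main__":
    # Constructed sample input: the page's own example values.
    print(relational_query(("ttp", "bar"), ("indicator", "apt-x")))
```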

Required permissions

  • read entities

Query Params

int32, ≥ 1

Maximum number of items to be returned

int32, ≥ 0

Return results starting from the specified (zero-based) index

string

Comma-separated list of fields to sort on. Prefix a field with a minus sign ("-") to sort it in descending order

string

The page[cursor] parameter is used to retrieve the next page of resources, with a few advantages compared to the offset strategy:

  1. Faster to run as the already returned resources are skipped
  2. The guarantee that a previous resource will not be returned again
  3. The capacity to fetch all the results without a depth limit imposed by the system

Using page[cursor] requires multiple requests with the same query and sort values. The first step is to run an initial request without any cursor value. For each request, the cursor value to use for the next page is returned as part of the response body.

Body Params

data (object)

Responses