What this endpoint does

This endpoint queries your organization's enriched detection history across all Collective Insights sources: events submitted via the Collective Insights: Submit Detections endpoint, Recorded Future integrations and connectors (including Autonomous Threat Operations results), and Enterprise Sandbox submissions. You can filter results by indicator type, associated malware families, threat actors, MITRE ATT&CK codes (with inclusion and exclusion logic), detection type, submission method, and time range. Use pagination parameters to iterate through large result sets. For an overview of how submitted detections flow through the enrichment pipeline, consult the Collective Insights: Overview page.

Response data

Each event in the response includes the original indicator with its risk score at detection time, enrichment data linking the indicator to known malware families, threat actors, and MITRE ATT&CK techniques (as Recorded Future entity IDs), along with the detection context such as the submitting integration, detection type, and source-specific details (e.g., device name, process information from Defender XDR). Use the Entity: Match endpoint to retrieve additional details for Recorded Future entity IDs in the response. The response includes total match counts and a pagination cursor for retrieving subsequent pages.

200Enriched events matching the search query

400Client error

401Client error

403Client error

429Too many requests