The Links API allows threat analysts and security engineers fine-grained, detailed access to Links data, a graph of Recorded Future intelligence data with high confidence interrelationships between entities. Learn more about Links here. Search for links related to one or more entities. The Entity Match API may be used to determine the ID for a certain entity.
This operation supports a variety of filters than can be used to control either the output or the sources used.
In order to filter the output, sections may be used to only return links categorized as for example "Victims & Exploit Targets", or entity_types to only return certain types of entities, like IP addresses. See the metadata endpoint for possible values.
Sources are grouped into two types, technical analysis and Insikt Group research. Technical link sources may be further filtered by specifying only the relevant event types, or a timeframe for event recency (up to a maximum of 90 days from today).
The depth of the search is abstracted into defined scopes. A larger scope may yield more links, at the cost of increased latency. A maximum number of results per entity type may also be defined.
Results are grouped on the input entity ID, and may include an error property if the search for that particular entity failed.
Linked entities are always returned with a basic set of properties as well as a variable set of attributes that depend on the entity type. For example, indicators will have risk data, MITRE ATT&CK identifiers will have a more detailed name and organizations, companies and persons will have a boolean flag for whether or not they are threat actors.