What this endpoint does

This endpoint searches for technically validated relationships between threat intelligence entities in the Recorded Future Intelligence Cloud — connections established through sandbox analysis, infrastructure analysis, network traffic analysis, and Insikt Group research (not mere co-occurrence in articles). You can query links for one or multiple entities in a single call, and filter results by link category (Actors, Tools & TTPs; Indicators & Detection Rules; Victims & Exploit Targets), source type (technical or insikt), entity type, recency timeframe, and specific analysis event types. Use the Links: Metadata Sections, Entities, and Events endpoints to discover valid filter values. For quick single-entity triage, the links enrichment field on entity Lookup endpoints provides the same intelligence in a more compact format combined with other enrichment; use this dedicated Links API when you need filtering, batch queries, per-entity risk scores on linked entities, or graph traversal via the connected_entities filter.

Response data

The response contains an array of results, one per queried entity, each with a flat list of linked entities. Every linked entity includes its type, Recorded Future ID, name, source attribution (technical or insikt), link category section, and entity-specific attributes. For indicator entities (IPs, domains, hashes, URLs), attributes include risk score, criticality level, and risk level. For organizations, a threat_actor boolean flag distinguishes threat actors from victim companies. For MITRE identifiers, a display_name provides the human-readable technique name. The flat per-entity structure with inline risk scores makes this response particularly well-suited for LLM consumption and automated triage.