What this endpoint does

Performs automated triage on a batch of up to 1000 indicators by evaluating them against a specific risk context — malware, phishing, or c2 (command and control). Unlike the SOAR: Enrich endpoint which only returns risk scores, this endpoint also produces a boolean verdict indicating whether any submitted indicator exceeds a risk score threshold for the chosen context. The threshold defaults to the context's configured value (available via the SOAR: Get Contexts endpoint) but can be overridden per request. Submit indicators grouped by type — IP addresses, domains, URLs, file hashes, CVE identifiers, or companies by domain. The optional phantom format parameter produces output compatible with Splunk SOAR integrations.

Response data

Returns a triage object containing the boolean verdict, the threshold used, the evaluation context, and the minimum and maximum context-specific scores observed across all submitted indicators. Alongside the triage verdict, a results array provides per-entity risk details identical to the SOAR: Enrich response — each entity's overall risk score (0-100), context sub-scores for malware, phishing, public, and c2 categories, and triggered risk rules with evidence. The verdict is determined by comparing the context-specific score (not the overall risk score) against the threshold.