SOAR: Triage Batch

Evaluate up to 1,000 indicators against a specific risk context (malware, phishing, or c2) and return a boolean verdict based on context-specific sub-scores.

Path Params

string, required
The context in which to evaluate the given entities. Available contexts can be fetched using the separate endpoint.

Query Params

string, enum
Allows for an output format suitable for Splunk SOAR (previously "Phantom"). If no value is given, the default format (used in the Enrichment endpoint) is used.
Allowed:

boolean, defaults to false
Include metadata in the response. Annotates the response with additional metadata explaining the response data elements.

integer
Determines which risk score threshold is used to deem an entity risky. Each context has its own default value.

string, enum, defaults to max
Determines whether the set of entities is deemed risky if a single entity is above the threshold (max) or if all entities have to be above the threshold (min). The default is specified by the context but is max for all contexts currently defined.
Allowed:
Body Params

ip (array of strings): IPs to enrich
domain (array of strings): Domains to enrich
url (array of strings): URLs to enrich
hash (array of strings): Hashes to enrich
vulnerability (array of strings): Vulnerabilities to enrich
companybydomain (array of strings): Companies to enrich, identified by their domain name.
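Added example, not code from the API vendor: a small client-side helper that assembles the request body from the indicator types listed above (enforcing the 1,000-indicator batch limit) and reproduces the max/min threshold rule used for the verdict on constructed sample sub-scores. The endpoint URL, query-parameter names and the exact comparison at the threshold boundary are not given on this page, so the comparison below is an assumption.

```python
from typing import Dict, Iterable, List

# Body keys and batch limit as documented on this page.
BODY_KEYS = ("ip", "domain", "url", "hash", "vulnerability", "companybydomain")
MAX_INDICATORS = 1000


def build_triage_body(indicators: Dict[str, Iterable[str]]) -> Dict[str, List[str]]:
    """Assemble the JSON body; rejects unknown keys and over-sized batches."""
    body: Dict[str, List[str]] = {}
    for key, values in indicators.items():
        if key not in BODY_KEYS:
            raise ValueError(f"unsupported indicator type: {key}")
        cleaned = [v.strip() for v in values if v and v.strip()]
        if cleaned:
            body[key] = cleaned
    total = sum(len(v) for v in body.values())
    if total > MAX_INDICATORS:
        raise ValueError(f"batch has {total} indicators; split it into chunks of {MAX_INDICATORS}")
    return body


def verdict(scores: Iterable[int], threshold: int, mode: str = "max") -> bool:
    """Threshold rule from the page: 'max' = a single entity above the
    threshold makes the set risky; 'min' = every entity must be above it.
    Strict comparison ('above') is an assumption. An empty batch is never risky."""
    scores = list(scores)
    if not scores:
        return False
    if mode == "max":
        return max(scores) > threshold
    if mode == "min":
        return min(scores) > threshold
    raise ValueError("mode must be 'max' or 'min'")


if __name__ == "__main__":
    # Constructed sample input (RFC 5737 documentation address, example domain).
    body = build_triage_body({"ip": ["192.0.2.1 "], "domain": ["example.com"], "url": []})
    print(body)
    # Constructed per-entity sub-scores against a hypothetical threshold of 65.
    sample_scores = [12, 71, 40]
    print("max:", verdict(sample_scores, 65, "max"), "min:", verdict(sample_scores, 65, "min"))
```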