List Leads
Gets a list of all existing leads.
Basic Parameters
| Parameter | Description |
|---|---|
| Assignee | Return only leads with specific assignee(s). The expected value is the assignee's email address or a comma separated list of addresses. |
| Data Source | Return only leads involving the specified, comma separated list of data sources. Note: Each lead is enriched using multiple data sources. Specifying a data source in this parameter will result in leads where the data source is the main source used to create the lead, but also leads in which the data source was used for enrichment only. |
| Detector | Return only leads originating from the specified, comma separated list of detectors. |
| Investigation State | Return only leads in the specified auto-investigation state(s):Initial - The lead is enriched with initial investigation results, including entities and targets involved in an attack, such as specific individuals, servers, or executables and a base score.In Progress - Advanced auto-investigation is in progress, the lead might be rescored or ignored based on the results.Ignored - The lead was ignored by a custom ignore rule, therefore no additional investigation has been conducted.Completed - The investigation is completed. Score and lead attributes are available. Note: When using Updated Since and Updated Until parameters, this parameter is mandatory. |
| Risk | Return only leads with the specified risk level(s). |
| Sort | Determine how leads will be sorted. When specifying a list of values, leads will be sorted first by the first value specified, and inside it, by the second value, etc. Use desc and asc to determine whether the sorting will be in descending or ascending order.For example: "detection_time,desc", "created_at,desc".Available values: scoreevent_timedetection_timeuuidassigneedetector |
| Source | Return only leads from the specified source. |
| Status | Return only leads in the specified status(es). |
| UUIDs | In order to return only specific leads, provide a comma separated list of lead IDs. |
Advanced Parameters
| Parameter | Description |
|---|---|
| Context UUID | A unique identifier for the context, which is used to retrieve leads related to that specific context. |
| Include Attributes | Include lead attributes in the response. |
| Limit | Define the maximum number of items to be returned in the paged response. |
| Offset | The starting point for the paged response. |
| Organization ID | Return only results relevant to the specified organization ID. An organization ID is defined by Hunters during tenant provisioning. Note: This field is relevant to multi-tenant applications only. |
| Organization Name | Return only leads relevant to the specified organization. Note: This field is relevant to multi-tenant applications only. |
| Return Only Alerts | Set to true to return only leads that matured into Alerts, and to false to return all leads. |
| Show Null Status | If set to true, all leads without a set status will be returned with status = null instead of "open". |
| Since | Return only leads that were created after the specified date. To create a timeframe, use this with the Until parameter. When no value is selected, the default will be 7 days ago. |
| Threat UUID | A unique identifier for a specific threat, which is used to retrieve leads associated with that threat. |
| Until | Return only leads that were created before the specified date. To create a timeframe, use this with the Since parameter. When no value is selected, the default will be until today. |
| Updated Since | This parameter is used together with Investigation State and Updated Until to return only leads that transitioned to a specific investigation status inside a specific timeframe. For instance: leads whose investigation status became ignored between January 1st to January 10. Note: When this is used, Investigation State is mandatory! |
| Updated Until | This parameter is used together with Investigation State and Updated Since to return only leads that transitioned to a specific investigation status within a specific timeframe. When no value is provided, the default is the current date and time.For instance: leads whose investigation status became ignored between January 1st to January 10. Note: When this is used, Investigation State and Updated Since are mandatory! |
Example Output
{
"code": 200,
"type": "OK",
"results": [
[
{
"uuid": "17586dfb-1c8e-4331-a07f-09531ae47c5e",
"event_time": "2023-06-07T07:01:27.000000+00:00",
"score": 70,
"source": "crowdstrike",
"description": "CrowdStrike detection occurred on Alice-PC-By-Gol, with techniques Bypass User Account Control,Software Deployment Tools",
"status": "open",
"detection_time": "2023-06-07T07:22:48.385000+00:00",
"risk": "high",
"comments": [
{
"id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
"text": "A false alarm.",
"writer": "Researcher",
"created_at": "2019-08-24T18:05:17.129Z"
}
],
"detector": "crowdstrike_detections_fdr",
"data_sources": "crowdstrike-detects",
"investigation_state": "completed",
"threat_uuid": "833d36c9-f886-421d-94ec-5c618e6cb590",
"is_alert": false,
"threat_description": "Remote code execution vulnerability discovered in Apache Commons Text (CVE-2022-42889) alert was generated by Orca",
"classification": "malicious",
"data_flow_tags": [
"EC1 data"
],
"detector_title": "Execution of Highly Anomalous Binary",
"detector_id": "ee3584f4-3588-4838-b358-3d84c2c8693d",
"threat_attributes": null,
"context_uuid": "03291158-ef89-402a-bcbc-2267f85c6165",
"context_attributes": null,
"lead_link": "https://app.hunters.ai/lead/17586dfb-1c8e-4331-a07f-09531ae47c5e?organization=DEMO",
"threat_link": "https://app.hunters.ai/threat/833d36c9-f886-421d-94ec-5c618e6cb590?collaborationOpen=false&organization=DEMO"
}
]
]
}
Workflow Library Example
List Leads with Hunters and Send Results Via Email
Preview this Workflow on desktop