Skip to main content

List Leads

Gets a list of all existing leads.

Basic Parameters

ParameterDescription
AssigneeReturn only leads with specific assignee(s). The expected value is the assignee's email address or a comma separated list of addresses.
Data SourceReturn only leads involving the specified, comma separated list of data sources.

Note: Each lead is enriched using multiple data sources. Specifying a data source in this parameter will result in leads where the data source is the main source used to create the lead, but also leads in which the data source was used for enrichment only.
DetectorReturn only leads originating from the specified, comma separated list of detectors.
Investigation StateReturn only leads in the specified auto-investigation state(s):

Initial - The lead is enriched with initial investigation results, including entities and targets involved in an attack, such as specific individuals, servers, or executables and a base score.
In Progress - Advanced auto-investigation is in progress, the lead might be rescored or ignored based on the results.
Ignored - The lead was ignored by a custom ignore rule, therefore no additional investigation has been conducted.
Completed - The investigation is completed. Score and lead attributes are available.

Note: When using Updated Since and Updated Until parameters, this parameter is mandatory.
RiskReturn only leads with the specified risk level(s).
SortDetermine how leads will be sorted. When specifying a list of values, leads will be sorted first by the first value specified, and inside it, by the second value, etc. Use desc and asc to determine whether the sorting will be in descending or ascending order.

For example: "detection_time,desc", "created_at,desc".

Available values:
score
event_time
detection_time
uuid
assignee
detector
SourceReturn only leads from the specified source.
StatusReturn only leads in the specified status(es).
UUIDsIn order to return only specific leads, provide a comma separated list of lead IDs.

Advanced Parameters

ParameterDescription
Context UUIDA unique identifier for the context, which is used to retrieve leads related to that specific context.
Include AttributesInclude lead attributes in the response.
LimitDefine the maximum number of items to be returned in the paged response.
OffsetThe starting point for the paged response.
Organization IDReturn only results relevant to the specified organization ID. An organization ID is defined by Hunters during tenant provisioning.

Note: This field is relevant to multi-tenant applications only.
Organization NameReturn only leads relevant to the specified organization.

Note: This field is relevant to multi-tenant applications only.
Return Only AlertsSet to true to return only leads that matured into Alerts, and to false to return all leads.
Show Null StatusIf set to true, all leads without a set status will be returned with status = null instead of "open".
SinceReturn only leads that were created after the specified date. To create a timeframe, use this with the Until parameter. When no value is selected, the default will be 7 days ago.
Threat UUIDA unique identifier for a specific threat, which is used to retrieve leads associated with that threat.
UntilReturn only leads that were created before the specified date. To create a timeframe, use this with the Since parameter. When no value is selected, the default will be until today.
Updated SinceThis parameter is used together with Investigation State and Updated Until to return only leads that transitioned to a specific investigation status inside a specific timeframe.

For instance: leads whose investigation status became ignored between January 1st to January 10.

Note: When this is used, Investigation State is mandatory!
Updated UntilThis parameter is used together with Investigation State and Updated Since to return only leads that transitioned to a specific investigation status within a specific timeframe. When no value is provided, the default is the current date and time.

For instance: leads whose investigation status became ignored between January 1st to January 10.

Note: When this is used, Investigation State and Updated Since are mandatory!

Example Output

{
"code": 200,
"type": "OK",
"results": [
[
{
"uuid": "17586dfb-1c8e-4331-a07f-09531ae47c5e",
"event_time": "2023-06-07T07:01:27.000000+00:00",
"score": 70,
"source": "crowdstrike",
"description": "CrowdStrike detection occurred on Alice-PC-By-Gol, with techniques Bypass User Account Control,Software Deployment Tools",
"status": "open",
"detection_time": "2023-06-07T07:22:48.385000+00:00",
"risk": "high",
"comments": [
{
"id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
"text": "A false alarm.",
"writer": "Researcher",
"created_at": "2019-08-24T18:05:17.129Z"
}
],
"detector": "crowdstrike_detections_fdr",
"data_sources": "crowdstrike-detects",
"investigation_state": "completed",
"threat_uuid": "833d36c9-f886-421d-94ec-5c618e6cb590",
"is_alert": false,
"threat_description": "Remote code execution vulnerability discovered in Apache Commons Text (CVE-2022-42889) alert was generated by Orca",
"classification": "malicious",
"data_flow_tags": [
"EC1 data"
],
"detector_title": "Execution of Highly Anomalous Binary",
"detector_id": "ee3584f4-3588-4838-b358-3d84c2c8693d",
"threat_attributes": null,
"context_uuid": "03291158-ef89-402a-bcbc-2267f85c6165",
"context_attributes": null,
"lead_link": "https://app.hunters.ai/lead/17586dfb-1c8e-4331-a07f-09531ae47c5e?organization=DEMO",
"threat_link": "https://app.hunters.ai/threat/833d36c9-f886-421d-94ec-5c618e6cb590?collaborationOpen=false&organization=DEMO"
}
]
]
}

Workflow Library Example

List Leads with Hunters and Send Results Via Email

Workflow LibraryPreview this Workflow on desktop