Receiving Signals
20 March 2025
GET https://signals.gse.live/feed/24hr
24 Hour Signals
All signals made available to you from reported threat feeds on the GSE imported in the last 24hrs. This provides the most powerful query support of all the APIs and is designed for consumers who are ingesting signals ongoingly in near real time.
Request Attributes
Optional attributes
- Name
idFrom- Type
- integer
- Description
- Return signals starting from the supplied id value (max 24 Hrs Ago)
Results will be sorted ascending by id
Response Attributes
- Name
id- Type
- number
- Description
- Unique identifier for the record.
- Name
signal- Type
- string
- Description
- The suspicious URL or signal
(e.g., a phishing URL)
- Name
source- Type
- string
- Description
- Source that reported the signal
(e.g., a threat intel provider)
- Name
signal_type- Type
- string
- Description
- Type of signal
Type of signal (url, ip, domain, etc.)
- Loading options....
- Name
abuse_type- Type
- string
- Description
- Type of malicious activity.
eg. phishing, malware.
- Loading options....
- Name
report_date- Type
- string (datetime)
- Description
- Date and time the threat was first reported
format: YYYY-MM-DD HH:MM:SS
- Name
import_date- Type
- string (datetime)
- Description
- Date and time the signal was imported into the system.
format: YYYY-MM-DD HH:MM:SS.
- Name
predictive- Type
- number (boolean)
- Description
- Whether the signal was generated by predictive analysis. "1" = true ,"0" = false
- Name
confidence_score- Type
- number
- Description
- Confidence level of the threat detection. This is supplied by the feed provider to further qualify the confidence of signal.
e.g. 95
- Name
status- Type
- string
- Description
- Current status of the signal
e.g. new, feedback_mitigation
- Loading options....
- Name
extra_data- Type
- object
- Description
- An optional extra data field to further qualify the signal according to it's status: For signals with a status of new if supplied, this will be a vendor specific object containing additional data to further qualify the signal For signals with a status of feedback this will be a copy of the feedback report received for the signal For signals with a status of detected_mitigation this will contain information about which mitigation type was detected.
Request
GET · /24hr
curl -G https://signals.gse.live/feed/24hr \
-H "API-KEY: YOUR-API-KEY-HERE" \
-H "API-SECRET: YOUR-API-SECRET-HERE" \ \
-d idFrom=[[value]] \GET https://signals.gse.live/feed/30day
30 Day Signals
Signals made available to you from reported threat feeds or via group sharing on the GSE within the last 30 days.
Request Attributes
Either attributes (one must be supplied)
- Name
idFrom- Type
- integer
- Description
- Return signals starting from the supplied value (max 30 days ago)
Results will be sorted ascending by id
- Name
reportDateFrom- Type
- datetime
- Description
- Return signals with a report date starting from the supplied value (max 30 days ago)
Results will be sorted ascending by report date.
Optional attributes
- Name
abuseType- Type
- string
- Description
- Filter the results to the supplied abuse types (comma separated) from the following list
e.g. phishing,malware
- Loading options....
- Name
signalType- Type
- string
- Description
- Filter the results to the supplied signal types (comma separated) from the following list
e.g. url,hostname
- Loading options....
- Name
source- Type
- string
- Description
- A valid source key referring to one of the sources activated in your account.
e.g. urlhaus,cda
- Name
status- Type
- string
- Description
- Filter the results to the supplied statuses (comma seperated) from the following list
e.g. new,feedback_mitigation
- Loading options....
- Name
predictive- Type
- boolean
- Description
- Filter the results to either predictive / non-predictive results only
Either 1 or 0
- Name
limit- Type
- integer
- Description
- Limit the number of results to the supplied number
Defaults to 50. Max 10000
- Name
offset- Type
- integer
- Description
- Offset the results by the supplied number
Defaults to 0
Response Attributes
- Name
id- Type
- number
- Description
- Unique identifier for the record.
- Name
signal- Type
- string
- Description
- The suspicious URL or signal
(e.g., a phishing URL)
- Name
source- Type
- string
- Description
- Source that reported the signal
(e.g., a threat intel provider)
- Name
signal_type- Type
- string
- Description
- Type of signal
Type of signal (url, ip, domain, etc.)
- Loading options....
- Name
abuse_type- Type
- string
- Description
- Type of malicious activity.
eg. phishing, malware.
- Loading options....
- Name
report_date- Type
- string (datetime)
- Description
- Date and time the threat was first reported
format: YYYY-MM-DD HH:MM:SS
- Name
import_date- Type
- string (datetime)
- Description
- Date and time the signal was imported into the system.
format: YYYY-MM-DD HH:MM:SS.
- Name
predictive- Type
- number (boolean)
- Description
- Whether the signal was generated by predictive analysis. "1" = true ,"0" = false
- Name
confidence_score- Type
- number
- Description
- Confidence level of the threat detection. This is supplied by the feed provider to further qualify the confidence of signal.
e.g. 95
- Name
status- Type
- string
- Description
- Current status of the signal
e.g. new, feedback_mitigation
- Loading options....
- Name
extra_data- Type
- object
- Description
- An optional extra data field to further qualify the signal according to it's status:
For signals with a status of new if supplied, this will be a vendor specific object containing additional data to further qualify the signal
For signals with a status of feedback this will be a copy of the feedback report received for the signal
For signals with a status of detected_mitigation this will contain information about which mitigation type was detected.
Request
GET · /30day
curl -G https://signals.gse.live/feed/30day \
-H "API-KEY: YOUR-API-KEY-HERE" \
-H "API-SECRET: YOUR-API-SECRET-HERE" \ \
-d idFrom=[[value]] \
-d reportDateFrom=[[value]] \
-d abuseType=[[value]] \
-d signalType=[[value]] \
-d source=[[value]] \
-d status=[[value]] \
-d predictive=[[value]] \
-d limit=[[value]] \
-d offset=[[value]] \GET https://signals.gse.live/feed/source
All Signals By Source
All historical signals for a single source - designed for historical or complete ingestion of a single GSE source.
Request Attributes
Required attributes
- Name
source- Type
- string
- Description
- e.g. cda, google etc.
Optional attributes
- Name
idFrom- Type
- number
- Description
- Signal ID from which to return data from for the supplied source
Response Attributes
- Name
id- Type
- number
- Description
- Unique identifier for the record.
- Name
signal- Type
- string
- Description
- The suspicious URL or signal
(e.g., a phishing URL)
- Name
source- Type
- string
- Description
- Source that reported the signal
(e.g., a threat intel provider)
- Name
signal_type- Type
- string
- Description
- Type of signal
Type of signal (url, ip, domain, etc.)
- Loading options....
- Name
abuse_type- Type
- string
- Description
- Type of malicious activity.
eg. phishing, malware.
- Loading options....
- Name
report_date- Type
- string (datetime)
- Description
- Date and time the threat was first reported
format: YYYY-MM-DD HH:MM:SS
- Name
import_date- Type
- string (datetime)
- Description
- Date and time the signal was imported into the system.
format: YYYY-MM-DD HH:MM:SS.
- Name
predictive- Type
- number (boolean)
- Description
- Whether the signal was generated by predictive analysis. "1" = true ,"0" = false
- Name
confidence_score- Type
- number
- Description
- Confidence level of the threat detection. This is supplied by the feed provider to further qualify the confidence of signal.
e.g. 95
- Name
status- Type
- string
- Description
- Current status of the signal
e.g. new, feedback_mitigation
- Loading options....
- Name
extra_data- Type
- object
- Description
- An optional extra data field to further qualify the signal according to it's status:
For signals with a status of new if supplied, this will be a vendor specific object containing additional data to further qualify the signal
For signals with a status of feedback this will be a copy of the feedback report received for the signal
For signals with a status of detected_mitigation this will contain information about which mitigation type was detected.
Request
GET · /source
curl -G https://signals.gse.live/feed/source \
-H "API-KEY: YOUR-API-KEY-HERE" \
-H "API-SECRET: YOUR-API-SECRET-HERE" \ \
-d source=[[value]] \
-d idFrom=[[value]] \GET https://signals.gse.live/feed/sources
Account Activated Sources
A list of all of the sources which have been activated on your account. This includes all sources which have been granted to you centrally by the GSE and any sources which have been shared with you via Group Sharing.
Response Attributes
- Name
source_key- Type
- string
- Description
- The key for the source
- Name
source_name- Type
- string
- Description
- The name for the source
- Name
involved_groups- Type
- string
- Description
- A comma separated list of group names from which this source has been shared (if applicable) - otherwise this field will be null.
Request
GET · /sources
curl -G https://signals.gse.live/feed/sources \
-H "API-KEY: YOUR-API-KEY-HERE" \
-H "API-SECRET: YOUR-API-SECRET-HERE" \GEThttps://signals.gse.live/feed /log
Signal Log
All signal entries received for a given signal, ordered by id
Request Attributes
Required attributes
- Name
signal- Type
- string
- Description
- The signal for which the log is to be generated.
e.g. mydomain.com, https://helloworld.com
Response Attributes
- Name
id- Type
- number
- Description
- Unique identifier for the record.
- Name
signal- Type
- string
- Description
- The suspicious URL or signal
(e.g., a phishing URL)
- Name
source- Type
- string
- Description
- Source that reported the signal
(e.g., a threat intel provider)
- Name
signal_type- Type
- string
- Description
- Type of Signal
Type of signal (url, ip, domain, etc.)
- Loading options....
- Name
abuse_type- Type
- string
- Description
- Type of malicious activity.
eg. phishing, malware.
- Loading options....
- Name
report_date- Type
- string
- Description
- Date and time the threat was first reported
format: YYYY-MM-DD HH:MM:SS
- Name
import_date- Type
- string
- Description
- Date and time the signal was imported into the system.
format: YYYY-MM-DD HH:MM:SS.
- Name
predictive- Type
- string
- Description
- Whether the signal was generated by predictive analysis. "1" = true ,"0" = false
- Name
confidence_score- Type
- string
- Description
- Confidence level of the threat detection. This is supplied by the feed provider to further qualify the confidence of signal.
e.g. 95
- Name
status- Type
- string
- Description
- Current status of the signal
- Loading options....
- Name
extra_data- Type
- object
- Description
- An optional extra data field to further qualify the signal according to it's status: For signals with a status of new if supplied, this will be a vendor specific object containing additional data to further qualify the signal For signals with a status of feedback this will be a copy of the feedback report received for the signal For signals with a status of detected_mitigation this will contain information about which mitigation type was detected.
Request
GET · /log
curl -G https://signals.gse.live/feed/log \
-H "API-KEY: YOUR-API-KEY-HERE" \
-H "API-SECRET: YOUR-API-SECRET-HERE" \ \
-d signal=[[value]] \GETDeprecated https://signals.gse.live/feed/all
All Reported Signals
All signals made available to you from reported threat feeds on the GSE
Request Attributes
Either attributes (one must be supplied)
- Name
idFrom- Type
- integer
- Description
- Return signals starting from the supplied value (max 30 days ago)
Results will be sorted ascending by id
- Name
reportDateFrom- Type
- datetime
- Description
- Return signals with a report date starting from the supplied value (max 30 days ago)
Results will be sorted ascending by report date.
Optional attributes
- Name
abuseType- Type
- string
- Description
- Filter the results to the supplied abuse types (comma separated) from the following list
e.g. phishing,malware
- Loading options....
- Name
signalType- Type
- string
- Description
- Filter the results to the supplied signal types (comma separated) from the following list
e.g. url,hostname
- Loading options....
- Name
source- Type
- string
- Description
- A valid source key referring to one of the sources activated in your account.
e.g. urlhaus,cda
- Loading options....
- Name
status- Type
- string
- Description
- Filter the results to the supplied statuses (comma seperated) from the following list
e.g. new,feedback_mitigation
- Loading options....
- Name
predictive- Type
- boolean
- Description
- Filter the results to either predictive / non-predictive results only
Either 1 or 0
- Name
limit- Type
- integer
- Description
- Limit the number of results to the supplied number
Defaults to 50. Max 10000
- Name
offset- Type
- integer
- Description
- Offset the results by the supplied number
Defaults to 0
Response Attributes
- Name
id- Type
- number
- Description
- Unique identifier for the record.
- Name
signal- Type
- string
- Description
- The suspicious URL or signal
(e.g., a phishing URL)
- Name
source- Type
- string
- Description
- Source that reported the signal
(e.g., a threat intel provider)
- Name
signal_type- Type
- string
- Description
- Type of signal
Type of signal (url, ip, domain, etc.)
- Loading options....
- Name
abuse_type- Type
- string
- Description
- Type of malicious activity.
eg. phishing, malware.
- Loading options....
- Name
report_date- Type
- string (datetime)
- Description
- Date and time the threat was first reported
format: YYYY-MM-DD HH:MM:SS
- Name
import_date- Type
- string (datetime)
- Description
- Date and time the signal was imported into the system.
format: YYYY-MM-DD HH:MM:SS.
- Name
predictive- Type
- number (boolean)
- Description
- Whether the signal was generated by predictive analysis. "1" = true ,"0" = false
- Name
confidence_score- Type
- number
- Description
- Confidence level of the threat detection. This is supplied by the feed provider to further qualify the confidence of signal.
e.g. 95
- Name
status- Type
- string
- Description
- Current status of the signal
e.g. new, feedback_mitigation
- Loading options....
- Name
extra_data- Type
- object
- Description
- An optional extra data field to further qualify the signal according to it's status:
For signals with a status of new if supplied, this will be a vendor specific object containing additional data to further qualify the signal
For signals with a status of feedback this will be a copy of the feedback report received for the signal
For signals with a status of detected_mitigation this will contain information about which mitigation type was detected.
Request
GET · /all
curl -G https://signals.gse.live/feed/all \
-H "API-KEY: YOUR-API-KEY-HERE" \
-H "API-SECRET: YOUR-API-SECRET-HERE" \ \
-d idFrom=[[value]] \
-d reportDateFrom=[[value]] \
-d abuseType=[[value]] \
-d signalType=[[value]] \
-d source=[[value]] \
-d status=[[value]] \
-d predictive=[[value]] \
-d limit=[[value]] \
-d offset=[[value]] \Response
[
{
"id": "100",
"signal": "https://somesignal.com",
"source": "Phishing Provider",
"signal_type": "url",
"abuse_type": "phishing",
"report_date": "2020-01-23 14:24:06",
"import_date": "2024-11-26 15:27:02",
"predictive": "1",
"confidence_score": "95",
"status": "new",
"extra_data": "{"category": "internal", "collection_method": "form_submission"}"
},
// ...
]