Receiving Signal Reports via API

20 March 2025

These APIs facilitate the receiving of signal reports from the GSE using standard GET requests.

Signal reports are returned in unprocessed format as received from e.g. the Sending Signals APIs to facilitate near-realtime exchange of data. Reports will be returned only for those sources for which you have been granted access either within the Marketplace (for general feeds) or via Group Sharing. Unless filtered further these APIs will return new reports as well as feedback reports which have been received for signals.

For bulk access, the 24 hour Signals API provides the most flexibility for querying allowing support for simple attribute filtering and advanced queries. This API is recommended for consumers who are querying the GSE frequently for near-realtime access to signals and/or want to do advanced filtering on results e.g. for brand matching or other specific restrictive searches. The 30 Day Signals API allows access to more data but for performance reasons has fixed parameter based filtering.

For historical access to the full signal report archive the All Signals By Source based API allows for sequential paged access to the reports for a single source useful for one time batch jobs to bootstrap analysis. The Account Activated Sources enumerates the list of source keys available to your account for facilitating access to the Source based API.

For single signals the Signal Log API provides access to all signal reports for a signal. This will return a chronological list of all reports including new and feedback reports for the given signal.

GET https://signals.gse.live/feed/24hr

24 Hour Signals

All signals made available to you from reported threat feeds on the GSE imported in the last 24hrs. This provides the most powerful query support of all the APIs and is designed for consumers who are ingesting signals ongoingly in near real time.

Request Attributes

Optional attributes

Name
idFrom
Type
integer
Description
Return signals starting from the supplied id value (max 24 Hrs Ago)
Results will be sorted ascending by id

Response Attributes

Name
id
Type
number
Description
Unique identifier for the record.

Name
signal
Type
string
Description
The suspicious URL or signal
(e.g., a phishing URL)

Name
source
Type
string
Description
Source that reported the signal
(e.g., a threat intel provider)

Name
signal_type
Type
string
Description
Type of signal
Type of signal (url, ip, domain, etc.)
Loading options....

Name
abuse_type
Type
string
Description
Type of malicious activity.
eg. phishing, malware.
Loading options....

Name
report_date
Type
string (datetime)
Description
Date and time the threat was first reported
format: YYYY-MM-DD HH:MM:SS

Name
import_date
Type
string (datetime)
Description
Date and time the signal was imported into the system.
format: YYYY-MM-DD HH:MM:SS.

Name
predictive
Type
boolean
Description
Whether the signal was generated by predictive analysis. "1" = true ,"0" = false

Name
confidence_score
Type
number
Description
Confidence level of the threat detection. This is supplied by the feed provider to further qualify the confidence of signal.
e.g. 95

Name
status
Type
string
Description
Current status of the signal
e.g. new, feedback_mitigation
Loading options....

Name
extra_data
Type
object
Description
An optional extra data field to further qualify the signal according to it's status:

For signals with a status of new if supplied, this will be a vendor specific object containing additional data to further qualify the signal

For feedback status signals this will be a copy of the feedback report received for the signal

Request

GET · /24hr

curl -G https://signals.gse.live/feed/24hr \
-H "API-KEY: YOUR-API-KEY-HERE" \
-H "API-SECRET: YOUR-API-SECRET-HERE" \ \
-d idFrom=[[value]] \

Response

[
  {
    "id": 100,
    "signal": "https://somesignal.com",
    "source": "Phishing Provider",
    "signal_type": "url",
    "abuse_type": "phishing",
    "report_date": "2020-01-23 14:24:06",
    "import_date": "2024-11-26 15:27:02",
    "predictive": 1,
    "confidence_score": 95,
    "status": "new",
    "extra_data": {"category": "internal", "report_type": "form_submission"}
  },
  // ...
]

GET https://signals.gse.live/feed/30day

30 Day Signals

Signals made available to you from reported threat feeds or via group sharing on the GSE within the last 30 days.

Request Attributes

Either attributes (one must be supplied)

Name
idFrom
Type
integer
Description
Return signals starting from the supplied value (max 30 days ago)
Results will be sorted ascending by id

Name
reportDateFrom
Type
datetime
Description
Return signals with a report date starting from the supplied value (max 30 days ago)
Results will be sorted ascending by report date.

Optional attributes

Name
abuseType
Type
string
Description
Filter the results to the supplied abuse types (comma separated) from the following list
e.g. phishing,malware
Loading options....

Name
signalType
Type
string
Description
Filter the results to the supplied signal types (comma separated) from the following list
e.g. url,hostname
Loading options....

Name
source
Type
string
Description
A valid source key referring to one of the sources activated in your account.
e.g. urlhaus,cda

Name
status
Type
string
Description
Filter the results to the supplied statuses (comma seperated) from the following list
e.g. new,feedback_mitigation
Loading options....

Name
predictive
Type
boolean
Description
Filter the results to either predictive / non-predictive results only
Either 1 or 0

Name
limit
Type
integer
Description
Limit the number of results to the supplied number
Defaults to 50. Max 10000

Name
offset
Type
integer
Description
Offset the results by the supplied number
Defaults to 0

Response Attributes

Name
id
Type
number
Description
Unique identifier for the record.

Name
signal
Type
string
Description
The suspicious URL or signal
(e.g., a phishing URL)

Name
source
Type
string
Description
Source that reported the signal
(e.g., a threat intel provider)

Name
signal_type
Type
string
Description
Type of signal
Type of signal (url, ip, domain, etc.)
Loading options....

Name
abuse_type
Type
string
Description
Type of malicious activity.
eg. phishing, malware.
Loading options....

Name
report_date
Type
string (datetime)
Description
Date and time the threat was first reported
format: YYYY-MM-DD HH:MM:SS

Name
import_date
Type
string (datetime)
Description
Date and time the signal was imported into the system.
format: YYYY-MM-DD HH:MM:SS.

Name
predictive
Type
boolean
Description
Whether the signal was generated by predictive analysis. "1" = true ,"0" = false

Name
confidence_score
Type
number
Description
Confidence level of the threat detection. This is supplied by the feed provider to further qualify the confidence of signal.
e.g. 95

Name
status
Type
string
Description
Current status of the signal
e.g. new, feedback_mitigation
Loading options....

Name
extra_data
Type
object
Description
An optional extra data field to further qualify the signal according to it's status:

For signals with a status of new if supplied, this will be a vendor specific object containing additional data to further qualify the signal

For feedback status signals this will be a copy of the feedback report received for the signal

Request

GET · /30day

curl -G https://signals.gse.live/feed/30day \
-H "API-KEY: YOUR-API-KEY-HERE" \
-H "API-SECRET: YOUR-API-SECRET-HERE" \ \
-d idFrom=[[value]] \
-d reportDateFrom=[[value]] \
-d abuseType=[[value]] \
-d signalType=[[value]] \
-d source=[[value]] \
-d status=[[value]] \
-d predictive=[[value]] \
-d limit=[[value]] \
-d offset=[[value]] \

Response

[
  {
    "id": 100,
    "signal": "https://somesignal.com",
    "source": "Phishing Provider",
    "signal_type": "url",
    "abuse_type": "phishing",
    "report_date": "2020-01-23 14:24:06",
    "import_date": "2024-11-26 15:27:02",
    "predictive": 1,
    "confidence_score": 95,
    "status": "new",
    "extra_data": {"category": "internal", "report_type": "form_submission"}
  },
  // ...
]

GET https://signals.gse.live/feed/source

All Signals By Source

All historical signals for a single source - designed for historical or complete ingestion of a single GSE source.

Request Attributes

Required attributes

Name
source
Type
string
Description
e.g. cda, google etc.

Optional attributes

Name
idFrom
Type
number
Description
Signal ID from which to return data from for the supplied source

Response Attributes

Name
id
Type
number
Description
Unique identifier for the record.

Name
signal
Type
string
Description
The suspicious URL or signal
(e.g., a phishing URL)

Name
source
Type
string
Description
Source that reported the signal
(e.g., a threat intel provider)

Name
signal_type
Type
string
Description
Type of signal
Type of signal (url, ip, domain, etc.)
Loading options....

Name
abuse_type
Type
string
Description
Type of malicious activity.
eg. phishing, malware.
Loading options....

Name
report_date
Type
string (datetime)
Description
Date and time the threat was first reported
format: YYYY-MM-DD HH:MM:SS

Name
import_date
Type
string (datetime)
Description
Date and time the signal was imported into the system.
format: YYYY-MM-DD HH:MM:SS.

Name
predictive
Type
boolean
Description
Whether the signal was generated by predictive analysis. "1" = true ,"0" = false

Name
confidence_score
Type
number
Description
Confidence level of the threat detection. This is supplied by the feed provider to further qualify the confidence of signal.
e.g. 95

Name
status
Type
string
Description
Current status of the signal
e.g. new, feedback_mitigation
Loading options....

Name
extra_data
Type
object
Description
An optional extra data field to further qualify the signal according to it's status:

For signals with a status of new if supplied, this will be a vendor specific object containing additional data to further qualify the signal

For feedback status signals this will be a copy of the feedback report received for the signal

Request

GET · /source

curl -G https://signals.gse.live/feed/source \
-H "API-KEY: YOUR-API-KEY-HERE" \
-H "API-SECRET: YOUR-API-SECRET-HERE" \ \
-d source=[[value]] \
-d idFrom=[[value]] \

Response

[
  {
    "id": 100,
    "signal": "https://somesignal.com",
    "source": "Phishing Provider",
    "signal_type": "url",
    "abuse_type": "phishing",
    "report_date": "2020-01-23 14:24:06",
    "import_date": "2024-11-26 15:27:02",
    "predictive": 1,
    "confidence_score": 95,
    "status": "new",
    "extra_data": {"category": "internal", "report_type": "form_submission"}
  },
  // ...
]

GET https://signals.gse.live/feed/sources

Account Activated Sources

A list of all of the sources which have been activated on your account. This includes all sources which have been granted to you centrally by the GSE and any sources which have been shared with you via Group Sharing.

Response Attributes

Name
source_key
Type
string
Description
The key for the source

Name
source_name
Type
string
Description
The name for the source

Name
involved_groups
Type
string
Description
A comma separated list of group names from which this source has been shared (if applicable) - otherwise this field will be null.

Request

GET · /sources

curl -G https://signals.gse.live/feed/sources \
-H "API-KEY: YOUR-API-KEY-HERE" \
-H "API-SECRET: YOUR-API-SECRET-HERE" \

Response

[
  {
    "source_key": ""cda"",
    "source_name": ""Cyber Defence Alliance"",
    "involved_groups": ""First Group, Second Group""
  },
  // ...
]

GEThttps://signals.gse.live/feed/log

Signal Log

All signal entries received for a given signal, ordered by id

Request Attributes

Required attributes

Name
signal
Type
string
Description
The signal for which the log is to be generated.
e.g. mydomain.com, https://helloworld.com

Response Attributes

Name
id
Type
number
Description
Unique identifier for the record.

Name
signal
Type
string
Description
The suspicious URL or signal
(e.g., a phishing URL)

Name
source
Type
string
Description
Source that reported the signal
(e.g., a threat intel provider)

Name
signal_type
Type
string
Description
Type of signal
Type of signal (url, ip, domain, etc.)
Loading options....

Name
abuse_type
Type
string
Description
Type of malicious activity.
eg. phishing, malware.
Loading options....

Name
report_date
Type
string (datetime)
Description
Date and time the threat was first reported
format: YYYY-MM-DD HH:MM:SS

Name
import_date
Type
string (datetime)
Description
Date and time the signal was imported into the system.
format: YYYY-MM-DD HH:MM:SS.

Name
predictive
Type
boolean
Description
Whether the signal was generated by predictive analysis. "1" = true ,"0" = false

Name
confidence_score
Type
number
Description
Confidence level of the threat detection. This is supplied by the feed provider to further qualify the confidence of signal.
e.g. 95

Name
status
Type
string
Description
Current status of the signal
e.g. new, feedback_mitigation
Loading options....

Name
extra_data
Type
object
Description
An optional extra data field to further qualify the signal according to it's status:

For signals with a status of new if supplied, this will be a vendor specific object containing additional data to further qualify the signal

For feedback status signals this will be a copy of the feedback report received for the signal

Request

GET · /log

curl -G https://signals.gse.live/feed/log \
-H "API-KEY: YOUR-API-KEY-HERE" \
-H "API-SECRET: YOUR-API-SECRET-HERE" \ \
-d signal=[[value]] \

Response

[
  {
    "id": 100,
    "signal": "https://somesignal.com",
    "source": "Phishing Provider",
    "signal_type": "url",
    "abuse_type": "phishing",
    "report_date": "2020-01-23 14:24:06",
    "import_date": "2024-11-26 15:27:02",
    "predictive": 1,
    "confidence_score": 95,
    "status": "new",
    "extra_data": {"category": "internal", "report_type": "form_submission"}
  },
  // ...
]

GETDeprecated https://signals.gse.live/feed/all

All Reported Signals

All signals made available to you from reported threat feeds on the GSE

Request Attributes

Either attributes (one must be supplied)

Name
idFrom
Type
integer
Description
Return signals starting from the supplied value (max 30 days ago)
Results will be sorted ascending by id

Name
reportDateFrom
Type
datetime
Description
Return signals with a report date starting from the supplied value (max 30 days ago)
Results will be sorted ascending by report date.

Optional attributes

Name
abuseType
Type
string
Description
Filter the results to the supplied abuse types (comma separated) from the following list
e.g. phishing,malware
Loading options....

Name
signalType
Type
string
Description
Filter the results to the supplied signal types (comma separated) from the following list
e.g. url,hostname
Loading options....

Name
source
Type
string
Description
A valid source key referring to one of the sources activated in your account.
e.g. urlhaus,cda
Loading options....

Name
status
Type
string
Description
Filter the results to the supplied statuses (comma seperated) from the following list
e.g. new,feedback_mitigation
Loading options....

Name
predictive
Type
boolean
Description
Filter the results to either predictive / non-predictive results only
Either 1 or 0

Name
limit
Type
integer
Description
Limit the number of results to the supplied number
Defaults to 50. Max 10000

Name
offset
Type
integer
Description
Offset the results by the supplied number
Defaults to 0

Response Attributes

Name
id
Type
number
Description
Unique identifier for the record.

Name
signal
Type
string
Description
The suspicious URL or signal
(e.g., a phishing URL)

Name
source
Type
string
Description
Source that reported the signal
(e.g., a threat intel provider)

Name
signal_type
Type
string
Description
Type of signal
Type of signal (url, ip, domain, etc.)
Loading options....

Name
abuse_type
Type
string
Description
Type of malicious activity.
eg. phishing, malware.
Loading options....

Name
report_date
Type
string (datetime)
Description
Date and time the threat was first reported
format: YYYY-MM-DD HH:MM:SS

Name
import_date
Type
string (datetime)
Description
Date and time the signal was imported into the system.
format: YYYY-MM-DD HH:MM:SS.

Name
predictive
Type
boolean
Description
Whether the signal was generated by predictive analysis. "1" = true ,"0" = false

Name
confidence_score
Type
number
Description
Confidence level of the threat detection. This is supplied by the feed provider to further qualify the confidence of signal.
e.g. 95

Name
status
Type
string
Description
Current status of the signal
e.g. new, feedback_mitigation
Loading options....

Name
extra_data
Type
object
Description
An optional extra data field to further qualify the signal according to it's status:

For signals with a status of new if supplied, this will be a vendor specific object containing additional data to further qualify the signal

For feedback status signals this will be a copy of the feedback report received for the signal

Request

GET · /all

curl -G https://signals.gse.live/feed/all \
-H "API-KEY: YOUR-API-KEY-HERE" \
-H "API-SECRET: YOUR-API-SECRET-HERE" \ \
-d idFrom=[[value]] \
-d reportDateFrom=[[value]] \
-d abuseType=[[value]] \
-d signalType=[[value]] \
-d source=[[value]] \
-d status=[[value]] \
-d predictive=[[value]] \
-d limit=[[value]] \
-d offset=[[value]] \

Response

[
  {
    "id": 100,
    "signal": "https://somesignal.com",
    "source": "Phishing Provider",
    "signal_type": "url",
    "abuse_type": "phishing",
    "report_date": "2020-01-23 14:24:06",
    "import_date": "2024-11-26 15:27:02",
    "predictive": 1,
    "confidence_score": 95,
    "status": "new",
    "extra_data": {"category": "internal", "report_type": "form_submission"}
  },
  // ...
]

Prev Next