The indicator endpoint lets you retrieve data on indicator objects, including scan data, risk scoring, and contextual information.

What Indicators Represent

Indicators are the core intelligence objects used throughout Pulsedive. They form the foundation of enrichment, risk scoring, and threat intelligence analysis. Each indicator represents an observable artifact that has been processed and enriched through Pulsedive’s threat intelligence pipeline. When you submit an IOC (Indicator of Compromise) such as a suspicious domain or IP address, Pulsedive transforms it into an enriched indicator object with contextual intelligence.

Indicators are enriched with:
  • Classification and risk information
  • Activity and status details
  • Associations with threats and feeds
  • Timestamps and historical context
  • Additional metadata specific to its type
Indicators enable consistent and repeatable intelligence across different data sources.

Retrieving an Indicator

Retrieve indicators by their ID or by their value. Retrieving an indicator by ID provides its latest properties, and historical data may be included when needed for long-term tracking or change analysis.

Certain indicator types support a schema view, which returns the attribute categories relevant to that indicator type alongside the indicator data.

Indicators often connect to other objects, such as threats, feeds, or related indicators. Retrieving links lets you explore these relationships and understand how the indicator fits into the broader intelligence graph. Links are useful when:
  • Pivoting across indicator relationships
  • Mapping related entities and campaigns
  • Identifying associations with known threats
Use links to start with one suspicious indicator and quickly map out active campaigns or threat infrastructure.

Getting Properties

Raw scan data observed first-hand is normalized and indexed as properties, which are structured data points that capture what Pulsedive has learned about an indicator. These properties accumulate over time as name-value pairs grouped by scan type, such as DNS records, WHOIS data, HTTP headers, SSL certificate details, and more. Each property is timestamped and flagged to indicate whether it represents the latest known value. You can request only the latest properties when you need focused insight, or include historical data to track how an indicator has changed over time.
Use historical properties to build timelines and understand how an indicator’s context or risk has evolved.
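
The following is an added example, not part of the Pulsedive documentation, showing one way to turn historical properties into a change timeline and to check the latest flag against the timestamps. The record layout and field names (`scan`, `name`, `value`, `stamp`, `latest`) are assumptions for illustration, not the API's response schema, the sample records are constructed, and the logic assumes one value per property name at a time.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records. The field names (scan, name, value, stamp,
# latest) are assumptions for illustration, not Pulsedive's response schema.
SAMPLE_PROPERTIES = [
    {"scan": "dns", "name": "a", "value": "192.0.2.10", "stamp": "2024-01-05 10:00:00", "latest": False},
    {"scan": "dns", "name": "a", "value": "198.51.100.7", "stamp": "2024-03-12 08:30:00", "latest": True},
    {"scan": "http", "name": "server", "value": "nginx", "stamp": "2024-01-05 10:00:05", "latest": False},
    {"scan": "http", "name": "server", "value": "nginx", "stamp": "2024-03-12 08:30:04", "latest": True},
    {"scan": "whois", "name": "registrar", "value": "Example Registrar", "stamp": "2024-01-05 10:00:09", "latest": True},
]

FMT = "%Y-%m-%d %H:%M:%S"

def build_timeline(properties):
    """Return chronological events: one per first sighting or value change."""
    series = defaultdict(list)
    for p in properties:
        series[(p["scan"], p["name"])].append(p)
    events = []
    for (scan, name), obs in series.items():
        obs.sort(key=lambda p: datetime.strptime(p["stamp"], FMT))
        previous = None
        for p in obs:
            if p["value"] != previous:  # skip re-observations of the same value
                events.append({"when": p["stamp"], "scan": scan, "name": name,
                               "old": previous, "new": p["value"]})
                previous = p["value"]
    return sorted(events, key=lambda e: datetime.strptime(e["when"], FMT))

def latest_flag_mismatches(properties):
    """Return (scan, name) keys whose latest-flagged record is not the newest one."""
    newest, flagged = {}, {}
    for p in properties:
        key = (p["scan"], p["name"])
        ts = datetime.strptime(p["stamp"], FMT)
        if key not in newest or ts > newest[key]:
            newest[key] = ts
        if p["latest"]:
            flagged[key] = ts
    return sorted(k for k in newest if flagged.get(k) != newest[k])

if __name__ == "__main__":
    for e in build_timeline(SAMPLE_PROPERTIES):
        print(e["when"], e["scan"], e["name"], e["old"], "->", e["new"])
    print("latest-flag mismatches:", latest_flag_mismatches(SAMPLE_PROPERTIES))
```

A non-empty mismatch list means the data being analyzed is stale or was merged out of order, so the timeline should be rebuilt from a fresh retrieval before drawing conclusions.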