> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pulsedive.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Get Linked Indicators

> Retrieve indicators linked to a specific threat.

To create risk breakdowns, use the `summary` parameter with the `splitrisk` parameter. This will split out indicator counts by risk level.




## OpenAPI

````yaml /api/threat/threat-get-links.yaml get /api/threat.php
openapi: 3.0.3
info:
  title: Pulsedive API Reference
  version: 1.0.0
  description: >
    The Pulsedive API lets you programmatically manage resources within
    Pulsedive.

    Users can look up known indicators and threats, enrich and investigate
    indicators, query Pulsedive data, and automate workflows.


    Please report any discrepancies in API behavior to <a
    href="mailto:support@pulsedive.com">Pulsedive Support</a>.
  license:
    name: Apache 2.0
    url: https://www.apache.org/licenses/LICENSE-2.0.html
  contact:
    email: support@pulsedive.com
servers:
  - url: https://pulsedive.com
security: []
tags:
  - name: Threats
    description: Look up threats.
externalDocs:
  url: https://docs.pulsedive.com
paths:
  /api/threat.php:
    get:
      tags:
        - Threats
      summary: Get Linked Indicators
      description: >
        Retrieve indicators linked to a specific threat.


        To create risk breakdowns, use the `summary` parameter with the
        `splitrisk` parameter. This will split out indicator counts by risk
        level.
      operationId: getIndicatorSummary
      parameters:
        - $ref: '#/components/parameters/APIKey'
        - $ref: '#/components/parameters/ThreatID'
        - $ref: '#/components/parameters/Get'
        - $ref: '#/components/parameters/Summary'
        - $ref: '#/components/parameters/SplitRisk'
        - $ref: '#/components/parameters/Pretty'
      responses:
        '200':
          description: >-
            Successful request. Returns threat summary information in JSON
            format.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ThreatSummaryResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-codeSamples:
        - lang: curl
          label: Get Links
          source: |
            curl "https://pulsedive.com/api/threat.php?tid=1&get=links"
        - lang: curl
          label: Get Indicator Summary by Risk
          source: >
            curl
            "https://pulsedive.com/api/threat.php?threat=zeus&get=links&summary=1&splitrisk=1"            
components:
  parameters:
    APIKey:
      name: key
      in: query
      required: false
      description: >
        Your Pulsedive API key.


        API key authentication is optional. However, requests without a key have
        stricter rate limits. We recommend including an API key for better
        performance and reliability.
      schema:
        type: string
    ThreatID:
      name: tid
      in: query
      required: true
      description: |
        Unique identifier of the threat to retrieve.
      schema:
        type: string
        example: '1'
    Get:
      name: get
      in: query
      required: true
      description: >
        Indicates which data subset to retrieve. Options include:


        - `links`: Retrieves relationship data showing how the indicator
        connects to other objects.


        Large result sets are automatically paginated. To learn how to handle
        paginated responses, visit [Pagination](/api/pagination).
      schema:
        type: string
        enum:
          - links
    Summary:
      name: summary
      in: query
      description: |
        Summarize the data in the response.

        For summarized data, set to 1.
        For full results, set to 0.
      schema:
        type: integer
        enum:
          - 1
          - 0
        example: 1
    SplitRisk:
      name: splitrisk
      in: query
      description: |
        Split out indicator counts by risk level.

        For risk breakdown, set to 1.
        For non-aggregated results, set to 0.
      schema:
        type: integer
        enum:
          - 1
          - 0
        example: 1
    Pretty:
      name: pretty
      in: query
      required: false
      description: |
        Indicates whether to format returned JSON results.

        For pretty-printed output, set to `1`.
        For compact output, set to `0`.
      schema:
        type: integer
        enum:
          - 0
          - 1
        default: 0
      examples:
        compact:
          summary: Compact output
          value: 0
        pretty:
          summary: Pretty-printed output
          value: 1
  schemas:
    ThreatSummaryResponse:
      type: object
      properties:
        updated_last_domain:
          type: string
          format: sql-date-time
          pattern: ^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$
          description: >
            Timestamp when the threat's last domain was updated. 24-hour format,
            UTC time zone.
          example: '2025-09-03 11:44:52'
          nullable: true
        attributes:
          type: object
          description: Indicator attributes with risk breakdowns.
          properties:
            technology:
              type: object
              description: Technologies identified with risk distributions.
              additionalProperties:
                type: object
                description: >
                  Dynamic keyed object representing a single technology and its
                  risk breakdown.


                  Each {key} represents the name of the technology.
                properties:
                  aid:
                    type: integer
                    description: Attribute identifier.
                    example: 16849789
                  indicators:
                    type: object
                    description: >
                      Count of indicators by risk level for this technology.


                      Consists of key-value pairs, where each key matches an
                      indicator risk level and its value contains the
                      corresponding count.
                    example:
                      unknown: 0
                      none: 4
                      low: 4
                      medium: 2
                      high: 0
                      critical: 0
                      total: 10
            hosttype:
              type: object
              description: Host types identified with risk distributions.
              additionalProperties:
                type: object
                description: >
                  Dynamic keyed object representing a single host type and its
                  risk breakdown.


                  Each {key} represents the name of the host type.
                properties:
                  aid:
                    type: integer
                    description: Attribute identifier.
                  indicators:
                    type: object
                    description: >
                      Count of indicators by risk level for this host type.


                      Consists of key-value pairs, where each key matches an
                      indicator risk level and its value contains the
                      corresponding count.
            protocol:
              type: object
              description: Protocols identified with risk distributions.
              additionalProperties:
                type: object
                description: >
                  Dynamic keyed object representing a single protocol and its
                  risk breakdown.


                  Each {key} represents the name of the protocol.
                properties:
                  aid:
                    type: integer
                    description: Attribute identifier.
                  indicators:
                    type: object
                    description: >
                      Count of indicators by risk level for this protocol.


                      Consists of key-value pairs, where each key matches an
                      indicator risk level and its value contains the
                      corresponding count.
            port:
              type: object
              description: Ports identified with risk distributions.
              additionalProperties:
                type: object
                description: >
                  Dynamic keyed object representing a single port and its risk
                  breakdown.


                  Each {key} represents the number of the port.
                properties:
                  aid:
                    type: integer
                    description: Attribute identifier.
                  indicators:
                    type: object
                    description: >
                      Count of indicators by risk level for this port.


                      Consists of key-value pairs, where each key matches an
                      indicator risk level and its value contains the
                      corresponding count.
        properties:
          type: object
          description: Additional properties.
        feeds:
          type: array
          description: Feeds associated with this threat with risk breakdowns.
          items:
            type: object
            properties:
              fid:
                type: integer
                description: Unique identifier of the feed.
              organization:
                type: string
                description: Organization associated with the feed.
              name:
                type: string
                description: Name of the feed.
              pricing:
                type: string
                description: Pricing tier of the feed.
                example: free
                nullable: true
              category:
                type: string
                description: Category assigned to the feed.
                example: malware
              indicators:
                type: object
                description: >
                  Count of indicators by risk level for this feed.


                  Consists of key-value pairs, where each key matches an
                  indicator risk level and its value contains the corresponding
                  count.
                example:
                  total: 39
                  low: 4
                  none: 3
                  high: 3
                  medium: 16
                  retired: 13
        risk:
          type: object
          description: >
            Count of indicators at each risk level for the threat.


            Consists of key-value pairs, where each key matches an indicator
            risk level and its value contains the corresponding count.
          example:
            unknown: 31
            low: 17
            medium: 20
            high: 5
            critical: 1
            retired: 874
            total: 1037
            none: 89
    ErrorResponse:
      type: object
      properties:
        error:
          type: string
          description: Message describing the error that occurred, if available.
  responses:
    BadRequest:
      description: |
        Bad request. The request was malformed or missing required parameters.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    Unauthorized:
      description: |
        Unauthorized. Your API key is missing or invalid.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    NotFound:
      description: |
        Not found. The requested threat could not be located.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    TooManyRequests:
      description: >
        Rate limit exceeded. Too many requests have been made in a short period
        of time.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    InternalServerError:
      description: |
        Server error. An unexpected problem occurred on our end.
        These errors are automatically reported to our team.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'

````