Flashpoint
The Flashpoint connector enables users to integrate real-time threat intelligence from various sources directly into their security automation workflows. Flashpoint delivers comprehensive threat intelligence that empowers organizations to understand and mitigate potential risks. The Flashpoint connector for Swimlane Turbine enables users to automate the retrieval of indicators, forum posts, and detailed reports, enhancing situational awareness and incident response capabilities. By integrating with Flashpoint, Swimlane Turbine users can streamline their security operations, reduce manual workload, and make informed decisions based on the latest intelligence, directly within their automated workflows.

## Prerequisites

To effectively utilize the Flashpoint connector within Swimlane Turbine, ensure you have the following prerequisites:

- HTTP Bearer Authentication with the following parameters:
  - URL: endpoint for the Flashpoint API
  - Token: bearer token used for authenticating API requests

## Capabilities

This connector provides the following capabilities:

- Get Forum Posts
- Get Indicators of Compromise
- Get Reports

## Setup

### Generate API Token

1. Log in to the FP Tools with your individualized credentials.
2. Click the Settings icon in the upper right-hand corner of the screen.
3. Click Enter Credentials and enter your FP Tools credentials. If you do not see this section in your Settings, confirm that you have API access.
4. Your API token is now valid for API calls until you revoke it.

## Notes

Tasks that use the `since` and `until` input parameters accept the following formats:

- Most standard datetime formats will work.
- You can also use a relative time period. For example, `5h` indicates the previous five hours and `+2d` indicates the two following days. Valid units are: years (y), months (m), weeks (w), days (d), hours (h), minutes (m), seconds (s).

## Configurations

### Flashpoint HTTP Bearer Authentication

Authenticates using a bearer token such as an API key, token, JWT, etc.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | Required |
| Token | The API key, token, etc. | string | Required |
| Verify SSL | Verify SSL certificate | boolean | Optional |
| HTTP Proxy | A proxy to route requests through | string | Optional |

## Actions

### Get an Indicator by ID

Retrieve a specific indicator from Flashpoint using its unique identifier.

Endpoint URL: `technical-intelligence/v2/indicators/{{id}}`

Method: `GET`

Input

| Argument | Name | Type | Required | Description |
| --- | --- | --- | --- | --- |
| path_parameters | id | string | required | The unique identifier of the indicator |
| parameters | sighting_count | integer | optional | Maximum number of most recent sightings to return |

Input example:

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}, "parameters": {"sighting_count": 100}}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| id | string | The unique identifier for this indicator within Flashpoint's dataset |
| type | string | Defines what type of indicator this is (e.g. file, ipv4, url, etc.) |
| value | string | The value of the indicator (e.g. a hash value, an IP address, a URL, etc.) |
| href | string | The URL to the indicator's full context data |
| entity_type | string | The entity type of the object (e.g. indicator) |
| score | object | The score of the indicator |
| score.value | string | The score tier of the indicator |
| score.last_scored_at | ['string', 'null'] | The date and time the indicator was last scored |
| score.raw_score | ['number', 'null'] | The raw score of the indicator |
| modified_at | string | The date and time the indicator was last modified within Flashpoint's dataset |
| created_at | string | The date and time the indicator was created within Flashpoint's dataset |
| last_seen_at | string | The date and time the indicator was last seen by related sources |
| sort_date | string | The date and time defaulted for sorting indicators; this is the same value as last_seen_at |
| platform_urls | object | Links to the indicator in various Flashpoint platforms |
| platform_urls.ignite | string | URL endpoint for the request |
| apt_description | ['string', 'null'] | A description of the related threat actor, where available |
| external_references | ['array', 'null'] | A list of external references relating to the indicator |
| hashes | ['object', 'null'] | Hashes associated with the indicator, in the event that the indicator is a file. If the indicator is not a file, this field will be null |
| malware_description | ['string', 'null'] | A description of the related malware family, where available |
| mitre_attack_ids | ['array', 'null'] | A list of MITRE ATT&CK techniques associated with the indicator |
| relationships | ['object', 'null'] | Relationships to other entities |
| sightings | ['array', 'null'] | A list of relevant sightings for the indicator |
| latest_sighting | ['object', 'null'] | The most recent sighting of the indicator |
| total_sightings | ['integer', 'null'] | The total number of sightings for the indicator |
| historical_tags | array | A list of all tags associated with the indicator, across all sightings |

Output example:

```json
{"id": "string", "type": "string", "value": "string", "href": "string", "entity_type": "string", "score": {"value": "string"}, "modified_at": "string", "created_at": "string", "last_seen_at": "string", "sort_date": "string", "platform_urls": {"ignite": "string"}, "hashes": {}, "relationships": {"iocs": [{}]}, "latest_sighting": {"id": "12345678-1234-1234-1234-123456789abc", "href": "string", "source": "string", "sighted_at": "string", "tags": ["string"]}, "historical_tags": []}
```

### Get Forum Posts

Retrieve forum posts matching specific search parameters from Flashpoint.

Endpoint URL: `/api/v4/forums/posts`

Method: `GET`

Input

| Argument | Name | Type | Required | Description |
| --- | --- | --- | --- | --- |
| parameters | limit | integer | optional | The number of results to return per page |
| parameters | query | string | optional | A search term, i.e. threat |
| parameters | since | string | optional | A timestamp, i.e. 2019-10-01T16:58:00+00:00 |
| parameters | until | string | optional | A timestamp, i.e. 2019-10-01T16:58:00+00:00 |

Input example:

```json
{"parameters": {"limit": 20, "query": "string", "since": "string", "until": "string"}}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| response | object | Output field response |
| response.body | string | Request body data |
| response.thread | string | Output field response.thread |
| response.forum | string | Output field response.forum |
| response.author | string | Output field response.author |
| response.url | string | URL endpoint for the request |
| response.native_id | string | Unique identifier |
| response.published_at | string | Output field response.published_at |
| response.legacy_id | string | Unique identifier |
| response.reply_number | string | Output field response.reply_number |
| response.platform_url | string | URL endpoint for the request |
| response.id | string | Unique identifier |
| response.room | string | Output field response.room |

Output example:

```json
{"status_code": 200, "reason": "OK", "headers": null, "response": {"body": "body", "thread": "thread", "forum": "forum", "author": "author", "url": "url", "native_id": "native_id", "published_at": "published_at", "legacy_id": "legacy_id", "reply_number": "reply_number", "platform_url": "platform_url", "id": "id", "room": "room"}}
```

### Get IOCs

Retrieve indicators of compromise from Flashpoint based on specified search parameters.

Endpoint URL: `/api/v4/indicators/attribute`

Method: `GET`

Input

| Argument | Name | Type | Required | Description |
| --- | --- | --- | --- | --- |
| parameters | limit | integer | optional | The number of results to return per page |
| parameters | query | string | optional | A search term, i.e. threat |
| parameters | since | string | optional | A timestamp, i.e. 2019-10-01T16:58:00+00:00 |
| parameters | until | string | optional | A timestamp, i.e. 2019-10-01T16:58:00+00:00 |

Input example:

```json
{"parameters": {"limit": 20, "query": "string", "since": "string", "until": "string"}}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| response | object | Output field response |
| response.category | string | Output field response.category |
| response.uuid | string | Unique identifier |
| response.event_id | string | Unique identifier |
| response.timestamp | string | Output field response.timestamp |
| response.header_source | string | Output field response.header_source |
| response.basetypes | array | Type of the resource |
| response.fpid | string | Unique identifier |
| response.value | string | Value for the parameter |
| response.header_ingested_at | string | Output field response.header_ingested_at |
| response.header_observed_at | string | Output field response.header_observed_at |
| response.type | string | Type of the resource |
| response.header_indexed_at | string | Output field response.header_indexed_at |
| response.header_is_visible | boolean | Output field response.header_is_visible |

Output example:

```json
{"status_code": 200, "reason": "OK", "headers": null, "response": {"category": "category", "uuid": "uuid", "event_id": "event_id", "timestamp": "timestamp", "header_source": "header_source", "basetypes": ["basetypes"], "fpid": "fpid", "value": "value", "header_ingested_at": "header_ingested_at", "header_observed_at": "header_observed_at", "type": "type", "header_indexed_at": "header_indexed_at", "header_is_visible": false}}
```

### Get Reports

Retrieves Flashpoint reports using specified search parameters to deliver relevant threat intelligence data.

Endpoint URL: `/api/v4/reports`

Method: `GET`

Input

| Argument | Name | Type | Required | Description |
| --- | --- | --- | --- | --- |
| parameters | limit | integer | optional | The number of results to return per page |
| parameters | query | string | optional | A search term, i.e. threat |
| parameters | since | string | optional | A timestamp, i.e. 2019-10-01T16:58:00+00:00 |
| parameters | until | string | optional | A timestamp, i.e. 2019-10-01T16:58:00+00:00 |

Input example:

```json
{"parameters": {"limit": 20, "query": "string", "since": "string", "until": "string"}}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| response | object | Output field response |
| response.asset_ids | string | Unique identifier |
| response.notified_at | string | Output field response.notified_at |
| response.updated_at | string | Output field response.updated_at |
| response.published_status | string | Status value |
| response.id | string | Unique identifier |
| response.sources_original | array | Output field response.sources_original |
| response.tags | array | Output field response.tags |
| response.title | string | Output field response.title |
| response.posted_at | string | Output field response.posted_at |
| response.version_posted_at | string | Output field response.version_posted_at |
| response.ingested_at | string | Output field response.ingested_at |
| response.body | string | Request body data |
| response.platform_url | string | URL endpoint for the request |
| response.is_featured | boolean | Output field response.is_featured |
| response.title_asset_id | string | Unique identifier |
| response.summary | string | Output field response.summary |

Output example:

```json
{"status_code": 200, "reason": "OK", "headers": null, "response": {"asset_ids": "asset_ids", "notified_at": "notified_at", "updated_at": "updated_at", "published_status": "published_status", "id": "id", "sources_original": ["sources_original"], "tags": ["tags"], "title": "title", "posted_at": "posted_at", "version_posted_at": "version_posted_at", "ingested_at": "ingested_at", "body": "body", "platform_url": "platform_url", "is_featured": false, "title_asset_id": "title_asset_id"}}
```

### List Indicators

Retrieve a list of indicators from Flashpoint, providing insights into potential threats and malicious activities.

Endpoint URL: `technical-intelligence/v2/indicators`

Method: `GET`

Input

| Argument | Name | Type | Required | Description |
| --- | --- | --- | --- | --- |
| parameters | size | number | optional | Maximum number of records to return |
| parameters | from | number | optional | The initial index from which to return the results |
| parameters | ioc_value | string | optional | Plain text string to match against indicator values; supports partial matching |
| parameters | cidr_range | string | optional | CIDR range to match against IPv4 or IPv6 indicator values |
| parameters | has_intel_report | boolean | optional | Flag to filter indicators that have an associated intelligence report |
| parameters | has_extracted_config | boolean | optional | Flag to filter indicators that have an associated extracted configuration |
| parameters | sort | string | optional | Defines which date/time field and direction to sort response records |
| parameters | include_total_count | boolean | optional | Flag to request the exact count of records that match the query. Important: this will increase the response time for large result sets |
| parameters | max_score | string | optional | Filter indicators by their maximum score tier |
| parameters | min_score | string | optional | Filter indicators by their minimum score tier |
| parameters | ioc_types | array | optional | A comma-delimited list of values to match against indicator types |
| parameters | tags | array | optional | A comma-delimited list of values to match against indicator tags; must be exact tag matches |
| parameters | mitre_attack_ids | array | optional | A comma-delimited list of values to match against MITRE ATT&CK IDs |
| parameters | embed | array | optional | A comma-delimited list of fields to embed in the response. Note: a maximum of 500 records can be requested when including embed options. Options: all, mitre_attack_ids, external_references, apt_description, malware_description, related_iocs |
| parameters | actors | array | optional | A comma-delimited list of values to match against actor tags; must be exact tag matches. Inclusion of the actor prefix is optional |
| parameters | malware | array | optional | A comma-delimited list of values to match against malware tags; must be exact tag matches. Inclusion of the malware prefix is optional |
| parameters | sources | array | optional | A comma-delimited list of values to match against source tags; must be exact tag matches. Inclusion of the source prefix is optional |
| parameters | last_seen_after | string | optional | Include indicators last seen on or after this date. Supports absolute datetime strings in ISO 8601/RFC 3339 format and relative datetime strings |
| parameters | last_seen_before | string | optional | Include indicators last seen before this date. Supports absolute datetime strings in ISO 8601/RFC 3339 format and relative datetime strings |
| parameters | modified_after | string | optional | Include indicators modified on or after this date. Supports absolute datetime strings in ISO 8601/RFC 3339 format and relative datetime strings |
| parameters | modified_before | string | optional | Include indicators modified before this date. Supports absolute datetime strings in ISO 8601/RFC 3339 format and relative datetime strings |
| parameters | created_after | string | optional | Include indicators created on or after this date. Supports absolute datetime strings in ISO 8601/RFC 3339 format and relative datetime strings |
| parameters | created_before | string | optional | Include indicators created before this date. Supports absolute datetime strings in ISO 8601/RFC 3339 format and relative datetime strings |
| parameters | last_scored_after | string | optional | Include indicators last scored on or after this date. Supports absolute datetime strings in ISO 8601/RFC 3339 format and relative datetime strings |
| parameters | last_scored_before | string | optional | Include indicators last scored before this date. Supports absolute datetime strings in ISO 8601/RFC 3339 format and relative datetime strings |

Input example:

```json
{"parameters": {"size": 10, "from": 0, "ioc_value": "192.168.1.0", "cidr_range": "192.168.1.0/24", "has_intel_report": false, "has_extracted_config": false, "sort": "last_seen_at:desc", "include_total_count": false, "max_score": "max", "min_score": "min", "ioc_types": ["type1", "type2", "type3"], "tags": ["tag1", "tag2", "tag3"], "mitre_attack_ids": ["id1", "id2", "id3"], "embed": ["all", "mitre_attack_ids", "external_references", "apt_description", "malware_description", "related_iocs"], "actors": ["actor1", "actor2", "actor3"], "malware": ["malware one", "malware two", "malware three"], "sources": ["source one", "source two", "source three"], "last_seen_after": "2025-12-10T07:34:00Z", "last_seen_before": "2025-12-10T07:34:00Z", "modified_after": "2025-12-10T07:34:00Z", "modified_before": "2025-12-10T07:34:00Z", "created_after": "2025-12-10T07:34:00Z", "created_before": "2025-12-10T07:34:00Z", "last_scored_after": "2025-12-10T07:34:00Z", "last_scored_before": "2025-12-10T07:34:00Z"}}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| items | array | A list of indicator objects |
| items.id | string | The unique identifier for this indicator within Flashpoint's dataset |
| items.type | string | Defines what type of indicator this is (e.g. file, ipv4, url, etc.) |
| items.value | string | The value of the indicator (e.g. a hash value, an IP address, a URL, etc.) |
| items.href | string | The URL to the indicator's full context data |
| items.entity_type | string | The entity type of the object (e.g. indicator) |
| items.score | object | The score of the indicator |
| items.score.value | string | The score tier of the indicator |
| items.score.last_scored_at | ['string', 'null'] | The date and time the indicator was last scored |
| items.score.raw_score | ['number', 'null'] | The raw score of the indicator |
| items.modified_at | string | The date and time the indicator was last modified within Flashpoint's dataset |
| items.created_at | string | The date and time the indicator was created within Flashpoint's dataset |
| items.last_seen_at | string | The date and time the indicator was last seen by related sources |
| items.sort_date | string | The date and time defaulted for sorting indicators; this is the same value as last_seen_at |
| items.platform_urls | object | Links to the indicator in various Flashpoint platforms |
| items.platform_urls.ignite | string | URL endpoint for the request |
| items.apt_description | ['string', 'null'] | A description of the related threat actor, where available |
| items.external_references | ['array', 'null'] | A list of external references relating to the indicator |
| items.hashes | ['object', 'null'] | Hashes associated with the indicator, in the event that the indicator is a file. If the indicator is not a file, this field will be null |
| items.malware_description | ['string', 'null'] | A description of the related malware family, where available |
| items.mitre_attack_ids | array | A list of MITRE ATT&CK techniques associated with the indicator |
| items.mitre_attack_ids.id | string | Unique identifier |
| items.mitre_attack_ids.name | string | Unique identifier |
| items.mitre_attack_ids.tactics | array | A list of tactics associated with the MITRE ATT&CK technique |
| items.mitre_attack_ids.tactic | ['string', 'null'] | The tactic of the MITRE ATT&CK technique (deprecated in favor of tactics) |

Output example:

```json
{"items": [], "total": {}, "pagination": {}}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
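The relative `since`/`until` forms from the Notes section, resolved into the absolute timestamps the Get Forum Posts, Get IOCs and Get Reports tasks accept. This is an added example, not connector code; because the page lists both months and minutes as "m", it assumes upper-case `M` for months and lower-case `m` for minutes, and it treats a window whose start is not before its end as a caller error rather than silently querying nothing.

```python
import calendar
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Units from the connector notes. ASSUMPTION: "M" is months, "m" is minutes,
# since the page's lowercase listing makes the two collide.
_UNITS = {"y": "years", "M": "months", "w": "weeks", "d": "days",
          "h": "hours", "m": "minutes", "s": "seconds"}
_RELATIVE = re.compile(r"^([+-]?)(\d+)([yMwdhms])$")


def _shift_months(dt: datetime, months: int) -> datetime:
    """Move dt by a whole number of months, clamping the day to the target month."""
    total = dt.year * 12 + (dt.month - 1) + months
    year, month0 = divmod(total, 12)
    day = min(dt.day, calendar.monthrange(year, month0 + 1)[1])
    return dt.replace(year=year, month=month0 + 1, day=day)


def resolve_time(spec: str, now: datetime) -> datetime:
    """Resolve a since/until value to an aware UTC datetime.

    "5h" means five hours before `now` and "+2d" two days after it, as in the
    connector notes; anything else is parsed as an absolute ISO 8601 timestamp.
    """
    spec = spec.strip()
    match = _RELATIVE.match(spec)
    if match is None:
        absolute = datetime.fromisoformat(spec.replace("Z", "+00:00"))
        if absolute.tzinfo is None:          # naive input is taken as UTC
            absolute = absolute.replace(tzinfo=timezone.utc)
        return absolute.astimezone(timezone.utc)
    sign, amount, unit = match.groups()
    n = int(amount) if sign == "+" else -int(amount)   # no sign means "ago"
    if unit in ("y", "M"):
        return _shift_months(now, n * (12 if unit == "y" else 1))
    return now + timedelta(**{_UNITS[unit]: n})


def build_window(since: str, until: str, now: Optional[datetime] = None) -> dict:
    """Build the since/until query parameters, rejecting an empty or inverted window."""
    now = now or datetime.now(timezone.utc)
    start, end = resolve_time(since, now), resolve_time(until, now)
    if start >= end:
        raise ValueError(f"since ({start.isoformat()}) must precede until ({end.isoformat()})")
    return {"since": start.isoformat(), "until": end.isoformat()}


if __name__ == "__main__":
    # Constructed reference time, matching the page's sample timestamp.
    ref = datetime(2019, 10, 1, 16, 58, 0, tzinfo=timezone.utc)
    print(build_window("5h", "+2d", now=ref))
```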