Search API
/file/treeview
The Search API endpoint /file/treeview was added in June 2025. It returns a JSON array of items that represent the data visualized in the “Tree View” to intelx.io end-users. Essentially, this returns a list of other items linked to a given item. Intelligence X links related items such as,
- Stealer Logs that contain a collection of files in a single container file (typically a ZIP or RAR file)
- Other container files that represent a single leak
- Large files that are broken up into multiple files
- Archived website copies (different URLs) to a single domain
- Archived website copies (different historical copies of the same URL) to a single URL
This endpoint is only available to users with a valid API, Identity, or Enterprise license.
The required parameters for the request are:
GET /file/treeview?storageid=[storage identifier]&bucket=[bucket]
GET /file/treeview?systemid=[system ID]&bucket=[bucket]
To use this endpoint, it requires as input either:
- The System ID in the
systemid=parameter to specify the item which Tree View data shall be returned. - The Storage ID in the
storageid=parameter of the actual Tree View file. This is the same identifier that is returned in the search results from the/intelligent/search/resultendpoint in the fieldindexfile. This is the preferred way.
The bucket= parameter is required to specify the bucket of the item (which is again available in the search result data).
The result is a JSON encoded array of items that are linked to the original item. Note that only the following fields are populated (the others are empty and not used): systemid, name, date, media, type, size
Full sample requests and response:
https://2.intelx.io/file/treeview?bucket=darknet.tor&systemid=e3abda9e-1131-4e01-b8b8-007a5ba4c506
https://2.intelx.io/file/treeview?bucket=darknet.tor&storageid=3306966f477a4d65321670148a59b83b37779617b1a6427d1ae4c0b6e6d8d96808675d68fa79cc8f20a1a89abf7ab99ac1711a79e43a7596dead85ae78f76005
[
{
"systemid": "d102e792-942d-442c-9d55-9f95e3a03f1c",
"owner": "00000000-0000-0000-0000-000000000000",
"storageid": "",
"instore": true,
"size": 0,
"accesslevel": 0,
"type": 1004,
"media": 14,
"added": "0001-01-01T00:00:00Z",
"date": "2017-11-21T14:28:42Z",
"name": "https://www.nytimes3xbfgragh.onion/2017/11/03/world/europe/spain-catalonia-puigdemont-warrant.html",
"description": "",
"xscore": 0,
"simhash": 0,
"bucket": "",
"keyvalues": [
{
"key": "Title",
"value": ""
},
{
"key": "First Alive",
"value": "2017-11-26 03:59:34"
},
{
"key": "Last Alive",
"value": "2022-01-03 21:09:27"
}
],
"tags": null,
"relations": null
}
]
/intelligent/search/export
Exports search results as either a CSV summary or a ZIP archive. This endpoint requires the Search ID returned by /intelligent/search.
GET /intelligent/search/export?id=[search id]&f=[format]&l=[optional limit]
Parameters
| Parameter | Required | Description |
|---|---|---|
id |
Yes | The Search ID obtained from /intelligent/search. |
f |
Yes | Export format (see table below). |
l |
No | Result limit. Defaults to 1000. A hard cap applies (see Export Limits). |
Formats
| Format | Description |
|---|---|
0 |
CSV summary file. |
1 |
ZIP archive containing the CSV summary (Info.csv) and binary files named [system ID].bin. Export limits apply. |
Response
| Condition | HTTP Status | Notes |
|---|---|---|
| Successful export | 200 OK | Response contains the file. The Content-Disposition header includes a suggested filename such as Search [Date].csv. |
| Search ID not found | 204 No Content | No body returned. |
| Invalid input | 400 Bad Request | Typically due to missing or malformed parameters. |
CSV Summary Fields
The CSV summary contains the following columns:
NameDateBucketMediaContent TypeSizeSystem ID
/phonebook/search 🔒
Starts a phonebook search for domains, email addresses, or URLs. This endpoint is only available to paid users. This endpoint is used by phonebook.cz.
POST /phonebook/search
{
"term": "test.com",
"maxresults": 10000,
"target": 2,
"terminate": [
null
],
"timeout": 20
}
Target
Target is the output selector type to find.
| Value | Type | Description |
|---|---|---|
1 |
Domain | Search for domain names. |
2 |
Search for email addresses | |
3 |
URL | Search for URLs. |
Response
| Condition | HTTP Status | Notes |
|---|---|---|
| Successful search started | 200 OK | Response contains the search ID. |
| Invalid input | 400 Bad Request | Invalid JSON in request body. |
| Not authorized for buckets | 401 Unauthorized | API key lacks access to requested buckets. |
| No credits available | 402 Payment Required | Account has insufficient credits. |
To fetch the results, use /phonebook/search/result; this endpoint returns the found selectors in a JSON array, which contain the field selectortype which may be:
| Value | Type | Description |
|---|---|---|
| 1 | Email address | |
| 2 | Domain | Domain |
| 3 | URL | URL. Supported schemes may include http://, https://, ftp://, magnet: and others. |
| 23 | URL Query | URL including the query part such as ?id=12. |