URL API: Linking a template
The magic happens when the URI API is used to enable users of web applications to jump into prebuilt investigations with just one click.
Consider the following URL for triggering a phone history check:
/pivot/template?investigation=453d190914cf9fa0&pivot[0][events][0][phone]=1.800.555.5555&time=1504401120.000&before=-1d&after=+1d&name=Phone-History-555-5555
This URL instantiates template `453d190914cf9fa0`, names it `Phone-History-555-5555`, overrides the global time range to center at `1504401120` (epoch time), and runs searches from one day before to one day after that point. The first pivot will be populated with one record, and that record will have field `phone` mapped to the string `"1.800.555.5555"`.
| FIELD | OPTIONAL | DEFAULT | FORMAT | NOTES |
|---|---|---|---|---|
| `investigation` | required | | ID | Get the template ID from its URL. Ex: `453d190914cf9fa0` |
| `name` | optional | `"Copy of [template name]"` | String | Recommended: use a short standard pattern so related investigations group together (`"[Phone History] ..."`) |
| `time` | optional | now | Number or string | Epoch time (number), or best-effort parsing if not a number. Ex: `1504401120` |
| `before` | optional | `-7d` | `[+/-][number][ms/s/min/h/d/w/mon/y]` | Ex: `-1d` |
| `after` | optional | `+0d` | `[+/-][number][ms/s/min/h/d/w/mon/y]` | Ex: `+3min` |
| `pivot` | optional | | see below | see below |
URL parameter `pivot` follows one of two formats:
- `[step][field]`, e.g., `pivot[0][index]=index%3Dalerts`, the URI-encoded form of the string `"index=alerts"`
- `[step][field][list_index][record_field]`, e.g., `pivot[0][events][0][phone]=1-800-555-5555` sets the first step's `events` to the JSON list `[ {"phone": "1-800-555-5555"} ]`
You can therefore set or override most investigation step values, not just the first one. Likewise, if you want to trigger an investigation over multiple values, you can provide a list of them.
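The following is an added example, not code from the original page or from the product it documents. It builds a template link from structured inputs using both `pivot` key formats described above, validates the `before`/`after` offset grammar from the parameter table, and decodes such a link back into a nested structure. The helper names, `BASE_PATH`, and the `MAX_*` limits are assumptions for illustration; the parameter names and formats themselves come from the table.

```python
# Added example (not from the original page): build a template link from
# structured inputs and parse one back, covering both `pivot` key formats.
# Helper names and the MAX_* limits are assumptions, not part of the API.
import re
from urllib.parse import parse_qsl, urlencode

BASE_PATH = "/pivot/template"
MAX_STEPS = 32      # assumed cap on pivot step index when parsing untrusted links
MAX_RECORDS = 1000  # assumed cap on per-step record index

# Relative offset grammar from the table: [+/-][number][ms/s/min/h/d/w/mon/y]
_OFFSET = re.compile(r"^[+-]?\d+(?:ms|s|min|h|d|w|mon|y)$")
# Accepts pivot[step][field] and pivot[step][field][list_index][record_field]
_PIVOT_KEY = re.compile(
    r"^pivot\[(\d+)\]\[([A-Za-z0-9_-]+)\](?:\[(\d+)\]\[([A-Za-z0-9_-]+)\])?$"
)


def is_relative_offset(value):
    """True if `value` matches the before/after format, e.g. '-1d' or '+3min'."""
    return bool(_OFFSET.match(value))


def build_template_url(investigation, name=None, time=None, before=None,
                       after=None, pivots=None):
    """Build a template link.

    `pivots` is a list with one dict per step. A plain value becomes
    pivot[step][field]=value; a list of dicts becomes
    pivot[step][field][i][record_field]=value for each record.
    """
    for label, offset in (("before", before), ("after", after)):
        if offset is not None and not is_relative_offset(offset):
            raise ValueError(f"{label} must look like -1d or +3min, got {offset!r}")
    params = [("investigation", investigation)]
    if name is not None:
        params.append(("name", name))
    if time is not None:
        params.append(("time", str(time)))
    if before is not None:
        params.append(("before", before))
    if after is not None:
        params.append(("after", after))
    for step, fields in enumerate(pivots or []):
        for field, value in fields.items():
            if isinstance(value, list):
                for i, record in enumerate(value):
                    for record_field, record_value in record.items():
                        params.append(
                            (f"pivot[{step}][{field}][{i}][{record_field}]",
                             str(record_value)))
            else:
                params.append((f"pivot[{step}][{field}]", str(value)))
    # Brackets stay literal; '=' in values becomes %3D and '+' becomes %2B,
    # so a '+1d' offset is not decoded as ' 1d' by the receiving parser.
    return BASE_PATH + "?" + urlencode(params, safe="[]")


def parse_template_url(url):
    """Decode a template link into {'investigation': ..., 'pivots': [...]}.

    Parameters may arrive in any order; missing steps/records are filled with {}.
    Step and record indices are bounded so a crafted link cannot force huge lists.
    """
    query = url.split("?", 1)[1] if "?" in url else ""
    result = {"pivots": []}
    for key, value in parse_qsl(query, keep_blank_values=True):
        match = _PIVOT_KEY.match(key)
        if match is None:
            result[key] = value
            continue
        step, field, idx, record_field = match.groups()
        step = int(step)
        if step >= MAX_STEPS:
            raise ValueError(f"pivot step index {step} exceeds limit")
        while len(result["pivots"]) <= step:
            result["pivots"].append({})
        if idx is None:
            result["pivots"][step][field] = value
            continue
        idx = int(idx)
        if idx >= MAX_RECORDS:
            raise ValueError(f"record index {idx} exceeds limit")
        records = result["pivots"][step].setdefault(field, [])
        if not isinstance(records, list):
            raise ValueError(f"field {field!r} used as both scalar and list")
        while len(records) <= idx:
            records.append({})
        records[idx][record_field] = value
    return result


if __name__ == "__main__":
    link = build_template_url(
        "453d190914cf9fa0", name="Phone-History-555-5555", time=1504401120,
        before="-1d", after="+1d",
        pivots=[{"events": [{"phone": "1.800.555.5555"}]}],
    )
    print(link)
    print(parse_template_url(link))
```

Two points worth noting when generating these links from a web application: a literal `+` in a query string is decoded as a space by most servers, so the `after=+1d` form should be emitted as `%2B1d` (as `urlencode` does here), and any parser that accepts step or record indices from an untrusted link should bound them, as `parse_template_url` does, rather than growing lists to whatever index the link names.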