Request
POST /v1/search/file · Required scope: search:file (pro and ultra tiers)
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| file_name | string | Yes | — | Filename or partial filename to search for (substring match), max 200 chars, e.g. "seed.txt" |
| start_date | string (date-time) \| null | No | — | Inclusive start filter, clamped by query_window_days |
| end_date | string (date-time) \| null | No | — | Inclusive end filter |
| sort_by | infection_date \| date_uploaded | No | infection_date | Field to sort on |
| sort_direction | asc \| desc | No | desc | Must stay constant across pages |
| cursor | string \| null | No | — | Pagination token |
| limit | integer | No | 25 | 1–500, clamped to your tier’s max_rows |
Example request
Response
200 OK — array of FileSearchResult, cursor-paginated.
| Field | Description |
|---|---|
| stealer_id | log_victim_id of the infected machine |
| victim_id | SHA-256 victim ID — use with Victim Profiles |
| original_path | Full path on the victim’s disk |
| filename | Filename, e.g. wallet.txt |
| ip | Source IP of the infected machine |
| country | ISO 3166-1 alpha-2 |
| stealer_family | |
| infection_date | When the log was captured |
Pagination
Cursor-paginated — see Pagination.
Errors
| Status | code | Cause |
|---|---|---|
| 400 | VALIDATION_ERROR | file_name is missing or exceeds 200 characters |
| 400 | INVALID_CURSOR | Tampered or stale cursor |
| 403 | FORBIDDEN_SCOPE | Key lacks search:file |
Tier notes
This endpoint requires search:file, which is not included on the free
tier — a free-tier key receives 403 FORBIDDEN_SCOPE. Pro and ultra keys
both receive original_path, filename, and ip unmasked (the
Data Masking free-tier rules for these fields never apply
here, since free tier cannot call this endpoint at all).
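
Client-side handling of the parameter constraints, the constant-sort pagination rule and the error codes documented above, as an added example that is not part of this API's documentation or any official SDK. The `send` transport, its `(rows, next_cursor)` return shape, the `ApiError` class and the sample rows are assumptions, since the page does not show the HTTP client, the authentication header or where the next cursor is returned.

```python
from typing import Callable, Iterator, Optional

SORT_FIELDS = {"infection_date", "date_uploaded"}
SORT_DIRECTIONS = {"asc", "desc"}

class ApiError(Exception):
    """Error response: HTTP status plus the `code` from the Errors table."""
    def __init__(self, status: int, code: str):
        super().__init__(f"{status} {code}")
        self.status, self.code = status, code

def build_body(file_name: str, *, sort_by: str = "infection_date",
               sort_direction: str = "desc", limit: int = 25,
               cursor: Optional[str] = None) -> dict:
    """Apply the parameter table's constraints before anything is sent."""
    if not file_name or len(file_name) > 200:
        raise ValueError("file_name is required, at most 200 characters")
    if sort_by not in SORT_FIELDS or sort_direction not in SORT_DIRECTIONS:
        raise ValueError("unsupported sort_by or sort_direction")
    body = {"file_name": file_name, "sort_by": sort_by,
            "sort_direction": sort_direction,
            "limit": max(1, min(500, limit))}  # documented range is 1-500
    if cursor is not None:
        body["cursor"] = cursor
    return body

def iter_results(send: Callable, file_name: str, **options) -> Iterator[dict]:
    """Yield every row; each page reuses the same sort options.

    `send` is a hypothetical transport: it POSTs the body to /v1/search/file
    and returns (rows, next_cursor), with next_cursor None on the last page.
    """
    cursor = None
    while True:
        try:
            rows, cursor = send(build_body(file_name, cursor=cursor, **options))
        except ApiError as err:
            if err.code == "FORBIDDEN_SCOPE":  # free-tier key or missing scope
                raise PermissionError("key lacks search:file") from err
            raise  # INVALID_CURSOR and VALIDATION_ERROR go to the caller
        yield from rows
        if cursor is None:
            return

def fake_send(body: dict):
    """Constructed two-page stand-in for the HTTP call."""
    pages = {None: ([{"filename": "seed.txt"}], "page-2"),
             "page-2": ([{"filename": "old_seed.txt"}], None)}
    return pages[body.get("cursor")]
```

Because the sort options are fixed once in `iter_results` and passed unchanged to every page, a caller cannot accidentally change `sort_direction` mid-pagination.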