Overview
API Concepts Manage API Key
Internet Data
DNSIQ® WHOISIQ™ SSL Certificates Blacklist Lookup Host Attributes
Attack Analytics
Newly Observed Domains Newly Observed Hosts Malware Phishing Scam Content
Digital Footprint
Global Inventory API Global Inventory Schema Risk Metric Schema Workspace Management API
Coming Soon
Enrich
PassiveTotal
Getting Started Actions Artifact Articles Attack Surface Intelligence Intel Profiles Data Card Enrichment Services Monitor Project SSL Certificates Tag Artifact Trackers Host Attributes Cookies Components Passive DNS Whois Bulk Enrichment Reputation Vulnerability Intelligence
RiskIQ.com

Welcome

Welcome to the RiskIQ Security Intelligence Services interactive website. From here you can explore our APIs, no sign-up or account required.

Each of our security intelligence services has its own webpage (see the left-hand menu for navigation) with documentation on how the dataset can be used, what the data actually looks like, and how you can programmatically interact with our APIs. Using our online API explorer, you can make real API calls and see real results.

API Keys and Authentication

Usage of these APIs beyond the free-tier access provided on this webpage requires an API Key from RiskIQ. Once you have one, you can configure this website to use it by setting the API Key and API Secret in the API Key section of the webpage menu.

To make production API calls, you will need to include an Authorization header with the value "Basic $ENCODED_KEY$" where the value of $ENCODED_KEY$ is the base-64 encoded concatenation of your api key, a colon, and your api secret. The following shell script shows how one might do this: 

API_KEY="key1234"
API_SECRET="secret5678"
ENCODED_API_KEY=$(echo -n "$API_KEY:$API_SECRET" | base64)
curl -H "Authorization: Basic $ENCODED_API_KEY" 'https://api.riskiq.net/v0/whois/riskiq.net'

Rate Limits

API Calls made through this webpage are significantly rate-limited. Once you've registered, we will provide you with an API key that you can use for expanded access to the data sets available here.

URL Parameters

Please ensure all parameters are properly URL encoded.

Date Format and Time Zones

Except where otherwise noted, all dates are in ISO 8601 format, and all time zones are Pacific. Parts of api.riskiq.net (host attributes, SSL Certs, inventory) render dates as unix timestamps in milliseconds.

You may now control the format of dates via two headers. When these headers are specified, we try to adhere to the preferences specified in the header. The headers are as follows:

If X-RiskIQ-ISO is false, then dates are rendered as unix timestamps in milliseconds since 1970, in UTC timezone. The X-RiskIQ-TimeZone header is ignored.

If X-RiskIQ-ISO is true, then dates are rendered as ISO 8601 datetimes, with a default timezone of US/Pacific. If you specify the X-RiskIQ-TimeZone header we will use that timezone.

If X-RiskIQ-ISO is not set, then the various apis will use their default formatting- unix timestamps in some cases, and ISO 8601 datetimes in others.

API response date-time fields honoring the X-RiskIQ-ISO header are listed below

The following APIs on api.riskiq.net are known to support this header preference:

The following APIs on api.riskiq.net do not yet support this header preference:

None of the APIs on api.passivetotal.org support this at this time.

For example, to specify dates in ISO 8601 datetime format with UTC timezone, you would do the following: 

curl -Ss -X GET -H 'X-RiskIQ-ISO: true' -H 'X-RiskIQ-Timezone: UTC' 'https://api.riskiq.net/v0/pdns/name?name=api.riskiq.net&max=1' | jq .
{
  "recordCount": 1,
  "records": [
    {
      "count": 1,
      "firstSeen": "2020-01-16T01:32:04.000+0000",
      "lastSeen": "2020-01-16T01:32:04.000+0000",
      "name": "api.riskiq.net.",
      "data": [
        "52.27.109.4"
      ],
      "rrtype": "A"
    }
  ]
}

To see the same API response in unix timestamps: 

curl -Ss -X GET -H 'X-RiskIQ-ISO: false' 'https://api.riskiq.net/v0/pdns/name?name=api.riskiq.net&max=1' | jq .
{
  "recordCount": 1,
  "records": [
    {
      "count": 1,
      "firstSeen": 1579138324000,
      "lastSeen": 1579138324000,
      "name": "api.riskiq.net.",
      "data": [
        "52.27.109.4"
      ],
      "rrtype": "A"
    }
  ]
}

What is the difference between RiskIQ Security Intelligence Services and PassiveTotal?

We believe that these solutions are complementary. Security Intelligence Services provides direct, high volume access to RiskIQ data, allowing mature customers the ability to use this data to defend against threats to their environment. PassiveTotal provides RiskIQ customers the ability to investigate threat to their environment through a rich user interface; broad access to aggregated, curated, and interconnected data from both RiskIQ and partner sources; the ability to seamlessly pivot through these data sets; and robust integrations with third party security providers, bringing the PassiveTotal experience to security tools already deployed within your environment.