
Actions

 


Add Tags

Adds tags to a given artifact.

Parameters

Field | Field Type | Description
query | String | artifact for which to add tags
tags | String[] | tags to add to artifact

JSON Request

{
    "query": "04zyp.trudemocracy.com",
    "tags": [
        "crimeware",
        "exploit kit",
        "rig"
    ]
}
        

Curl Example

$ curl -u $USERNAME:$KEY 'https://api.riskiq.net/pt/v2/actions/tags' -XPOST -H "Content-Type: application/json" --data '{"query": "04zyp.trudemocracy.com", "tags": ["rig", "crimeware", "exploit kit"]}'

Sample Response

{
    "tags": [
        "crimeware",
        "exploit kit",
        "rig"
    ]
}
			

Delete Tags

Removes tags from an artifact.

Parameters

Field | Field Type | Description
query | String | artifact from which to remove tags
tags | String[] | tags to remove from artifact

JSON Request

{
    "query": "04zyp.trudemocracy.com",
    "tags": [
        "exploit kit",
        "rig"
    ]
}
            

Curl Example

$ curl -u $USERNAME:$KEY 'https://api.riskiq.net/pt/v2/actions/tags' -XDELETE -H "Content-Type: application/json" --data '{"query": "04zyp.trudemocracy.com", "tags": ["rig", "exploit kit"]}'

Sample Response

{
    "tags": [
        "crimeware"
    ]
}
           

Get Bulk Classification Status

Retrieve classification statuses for given domains.

Parameters

Field | Field Type | Description
query | String[] | domains for which to retrieve classification statuses

Curl Example

$ curl -u $USERNAME:$KEY 'https://api.riskiq.net/pt/v2/actions/bulk/classification?query=04zyp.trudemocracy.com,riskiq.net'

Sample Response

{
    "success": true,
    "results": {
        "04zyp.trudemocracy.com": {
            "classification": "malicious"
        },
        "riskiq.net": {
            "classification": ""
        }
    }
}
			

Get Classification Status

Retrieve classification status for a given domain.

Parameters

Field | Field Type | Description
query | String | domain for which to retrieve classification status

Curl Example

$ curl -u $USERNAME:$KEY 'https://api.riskiq.net/pt/v2/actions/classification?query=04zyp.trudemocracy.com'

Sample Response

{
    "classification": "malicious"
}
			

Get Compromised Status

Indicates whether or not a given domain has ever been compromised.

Parameters

Field | Field Type | Description
query | String | domain to check for compromised status

Curl Example

$ curl -u $USERNAME:$KEY 'https://api.riskiq.net/pt/v2/actions/ever-compromised?query=riskiq.net'

Sample Response

{
    "everCompromised": false
}
			

Get Dynamic DNS Status

Indicates whether or not a domain's DNS records are updated via dynamic DNS.

Parameters

Field | Field Type | Description
query | String | domain for which to retrieve dynamic DNS status

Curl Example

$ curl -u $USERNAME:$KEY 'https://api.riskiq.net/pt/v2/actions/dynamic-dns?query=riskiq.net'

Sample Response

{
    "dynamicDns": false
}
			

Get Monitor Status

Indicates whether or not a domain is monitored.

Parameters

Field | Field Type | Description
query | String | domain for which to check for monitoring

Curl Example

$ curl -u $USERNAME:$KEY 'https://api.riskiq.net/pt/v2/actions/monitor?query=riskiq.net'

Sample Response

{
    "monitor": true
}
			

Get Sinkhole Status

Indicates whether or not an IP address is a sinkhole.

Parameters

Field | Field Type | Description
query | String | IP address to check for sinkhole status

Curl Example

$ curl -u $USERNAME:$KEY 'https://api.riskiq.net/pt/v2/actions/sinkhole?query=52.8.228.23'

Sample Response

{
    "sinkhole": false
}
			

Get Tags

Retrieves tags for a given artifact.

Parameters

Field | Field Type | Description
query | String | artifact for which to retrieve tags

Curl Example

$ curl -u $USERNAME:$KEY 'https://api.riskiq.net/pt/v2/actions/tags?query=04zyp.trudemocracy.com'

Sample Response

{
    "tags": [
        "crimeware",
        "exploit kit",
        "rig"
    ]
}
			

Search Tags

Retrieve artifacts for a given tag.

Parameters

Field | Field Type | Description
query | String | tag for which to retrieve artifacts

Curl Example

$ curl -u $USERNAME:$KEY 'https://api.riskiq.net/pt/v2/actions/tags/search?query=rig'

Sample Response

{
    "results": [
        {
            "focus": "hmknfv.top",
            "user_tags": [
                "crimeware",
                "exploit kit",
                "rig"
            ],
            "system_tags": [
                "known_compromise",
                "registered"
            ],
            "tags": [
                "crimeware",
                "exploit kit",
                "known_compromise",
                "registered",
                "rig"
            ],
            "tag_meta": {},
            "username": "lou.manousos@riskiq.net"
        },
        ...
    ]
}
			

Set Bulk Classification Status

Set classification statuses for given domains.

Parameters

Field | Field Type | Description
query | String[] | domains for which to set classification statuses

Curl Example

$ curl -u $USERNAME:$KEY 'https://api.riskiq.net/pt/v2/actions/bulk/classification?queries=04zyp.trudemocracy.com,bad.net&classification=malicious'

Sample Response

{
    "classification": "malicious"
}
			

Set Classification Status

Sets the classification status for a given domain.

Parameters

Field | Field Type | Description
query | String | domain for which to set classification status
classification | String | classification status to set for domain. Allowed values: malicious, suspicious, non-malicious, unknown

JSON Request

{
    "query": "04zyp.trudemocracy.com",
    "classification": "malicious"
}
            

Curl Example

$ curl -u $USERNAME:$KEY 'https://api.riskiq.net/pt/v2/actions/classification' -XPOST -H "Content-Type: application/json" --data '{"query": "04zyp.trudemocracy.com", "classification": "malicious"}'

Sample Response

{
    "classification": "malicious"
}
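
As an added example (not RiskIQ's own client code), the following Python builds the Get Bulk Classification and Set Classification requests described above without sending them: it percent-encodes domains that may come from untrusted sources, rejects classification values outside the allowed list, and parses the bulk response. The function names, the placeholder credentials, and the reading of an empty classification string as "no classification recorded" are assumptions.

```python
import base64
import json
import urllib.parse
import urllib.request

BASE = "https://api.riskiq.net/pt/v2/actions"
ALLOWED = {"malicious", "suspicious", "non-malicious", "unknown"}  # listed on this page


def _auth_header(username, key):
    # curl -u sends HTTP Basic auth; build the same header by hand.
    token = base64.b64encode(f"{username}:{key}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def build_bulk_get(username, key, domains):
    """GET bulk/classification?query=a,b with every domain percent-encoded."""
    # Encoding each item stops a hostile "domain" from smuggling extra parameters.
    query = ",".join(urllib.parse.quote(d, safe="") for d in domains)
    return urllib.request.Request(f"{BASE}/bulk/classification?query={query}",
                                  headers=_auth_header(username, key), method="GET")


def build_set(username, key, domain, classification):
    """POST classification with a JSON body; refuse values the page does not list."""
    if classification not in ALLOWED:
        raise ValueError(f"unsupported classification: {classification!r}")
    body = json.dumps({"query": domain, "classification": classification}).encode()
    headers = {**_auth_header(username, key), "Content-Type": "application/json"}
    return urllib.request.Request(f"{BASE}/classification", data=body,
                                  headers=headers, method="POST")


def parse_bulk(payload):
    """Map domain -> classification; empty string becomes None (assumption)."""
    doc = json.loads(payload)
    if not doc.get("success"):
        raise RuntimeError("bulk classification lookup did not succeed")
    return {d: (r.get("classification") or None) for d, r in doc["results"].items()}


# Constructed sample, modeled on the bulk sample response on this page.
SAMPLE = ('{"success": true, "results": {"04zyp.trudemocracy.com": '
          '{"classification": "malicious"}, "riskiq.net": {"classification": ""}}}')

if __name__ == "__main__":
    print(parse_bulk(SAMPLE))
    req = build_set("user@example.com", "PLACEHOLDER_KEY", "04zyp.trudemocracy.com", "malicious")
    print(req.get_method(), req.full_url, req.data)
```

Pass the returned request to `urllib.request.urlopen` to send it; keeping the key in an environment variable or secret store avoids leaving it in shell history or source control.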
			

Set Compromised Status

Sets status for a domain to indicate if it has ever been compromised.

Parameters

Field | Field Type | Description
query | String | domain for which to set compromised status
status | Boolean | if the domain has ever been compromised

Curl Example

$ curl -u $USERNAME:$KEY 'https://api.riskiq.net/pt/v2/actions/ever-compromised?query=riskiq.net'

Sample Response

{
    "everCompromised": false
}
			

Set Dynamic DNS Status

Sets a domain's status to indicate whether or not its DNS records are updated via dynamic DNS.

Parameters

Field | Field Type | Description
query | String | domain for which to set dynamic DNS status
status | Boolean | if the domain's DNS records are updated via dynamic DNS

JSON Request

{
    "query": "riskiq.net",
    "status": false
}
            

Curl Example

$ curl -u $USERNAME:$KEY 'https://api.riskiq.net/pt/v2/actions/dynamic-dns' -XPOST -H "Content-Type: application/json" --data '{"query": "riskiq.net", "status": false}'

Sample Response

{
    "dynamicDns": false
}
			

Set Sinkhole Status

Sets status for an IP address to indicate whether or not it is a sinkhole.

Parameters

Field | Field Type | Description
query | String | IP address for which to set sinkhole status
status | Boolean | if the IP address is a sinkhole

JSON Request

{
    "query": "52.8.228.23",
    "status": true
}
            

Curl Example

$ curl -u $USERNAME:$KEY 'https://api.riskiq.net/pt/v2/actions/sinkhole' -XPOST -H "Content-Type: application/json" --data '{"query": "52.8.228.23", "status": true}'

Sample Response

{
    "sinkhole": false
}
			

Set Tags

Sets tags for a given artifact.

Parameters

Field | Field Type | Description
query | String | artifact for which to set tags
tags | String[] | tags to set for artifact

JSON Request

{
    "query": "04zyp.trudemocracy.com",
    "tags": [
        "crimeware",
        "exploit kit",
        "rig"
    ]
}
        

Curl Example

$ curl -u $USERNAME:$KEY 'https://api.riskiq.net/pt/v2/actions/tags' -XPUT -H "Content-Type: application/json" --data '{"query": "04zyp.trudemocracy.com", "tags": ["rig", "crimeware", "exploit kit"]}'

Sample Response

{
    "tags": [
        "crimeware",
        "exploit kit",
        "rig"
    ]
}