Overview
API Concepts Manage API Key
Internet Data
DNSIQ® WHOISIQ™ SSL Certificates Blacklist Lookup Host Attributes
Attack Analytics
Newly Observed Domains Newly Observed Hosts Malware Phishing Scam Content
Digital Footprint
Global Inventory API Global Inventory Schema
Coming Soon
Enrich
PassiveTotal
Getting Started Actions Artifact Articles Attack Surface Intelligence Intel Profiles Data Card Enrichment Services Monitor Project SSL Certificates Tag Artifact Trackers Host Attributes Cookies Components Passive DNS Whois Bulk Enrichment Reputation
Additional Resources
Workspace Management API
RiskIQ.com

Intel Profiles

RiskIQs Cyber Threat Intelligence API helps security teams automate threat intelligence profiles into their SIEM and incident response platforms. These intelligence profiles are enriched with RiskIQs indicators and are built for seamless integration with existing workflows providing quick context and monitoring on known and active threat campaigns.
Using CTI API, threat hunters or analysts can return the list of all known intel profiles or even search for any given actor profile name and aliases.

 

What It Looks Like

Get Profile Details

Retrieves the details for the given profile.

Curl Example

# Get profile details
$ curl -u $USERNAME:$KEY 'https://api.riskiq.net/pt/v2/intel-profiles/apt33'

Response

{
    "id": "apt33",
    "title": "APT33",
    "link": "https://community.riskiq.com/intel-profiles/apt33",
    "osintIndicatorsCount": 429,
    "riskIqIndicatorsCount": 122,
    "indicators": "https://api.community.riskiq.com/v2/intel-profiles/apt33/indicators",
    "aliases": [
        "Elfin",
        "Holmium",
        "Cobalt Trinity"
    ],
    "tags": [
        {
            "label": "Espionage",
            "countryCode": null
        },
        {
            "label": "Sabotage",
            "countryCode": null
        },
        {
            "label": "Windows",
            "countryCode": null
        }
    ]
}
			

Get All Intel Profiles

Retrieves all profiles.
Types: actor, tool, backdoor

Curl Example

# Get all profiles
$ curl -u $USERNAME:$KEY 'https://api.riskiq.net/pt/v2/intel-profiles'
# Using query
$ curl -u $USERNAME:$KEY 'https://api.riskiq.net/pt/v2/intel-profiles?query=atp33'
# Using type
$ curl -u $USERNAME:$KEY 'https://api.riskiq.net/pt/v2/intel-profiles?type=actor'

Response

{
    "totalCount": 2,
    "results": [
        {
            "id": "apt33",
            "title": "APT33",
            "link": "https://community.riskiq.com/intel-profiles/apt33",
            "osintIndicatorsCount": 429,
            "riskIqIndicatorsCount": 122,
            "indicators": "https://api.community.riskiq.com/v2/intel-profiles/apt33/indicators",
            "aliases": [
                "Elfin",
                "Magnallium"
            ],
            "tags": [
                {
                    "label": "Espionage",
                    "countryCode": null
                },
                {
                    "label": "Sabotage",
                    "countryCode": null
                },
                {
                    "label": "Windows",
                    "countryCode": null
                }
            ]
        },
        {
            "id": "shadowpad",
            "title": "ShadowPad",
            "link": "https://community.riskiq.com/intel-profiles/shadowpad",
            "osintIndicatorsCount": 100,
            "riskIqIndicatorsCount": 50,
            "indicators": "https://api.community.riskiq.com/v2/intel-profiles/shadowpad/indicators",
            "aliases": [
                "SHADOWPAD"
            ],
            "tags": [
                {
                    "label": "Shadowpad",
                    "countryCode": null
                },
                {
                    "label": "POISONPLUG",
                    "countryCode": null
                },
                {
                    "label": "State Sponsored Usage: Axiom",
                    "countryCode": "cn"
                }
            ]
        }
    ]
}
			

Get All Indicators For Given Profile

Retrieves the indicators for the given profile id.

Curl Example

# Get all indicators for given profile
$ curl -u $USERNAME:$KEY 'https://api.riskiq.net/pt/v2/intel-profiles/apt33/indicators'
# Using all parameters
$ curl -u $USERNAME:$KEY 'https://api.riskiq.net/pt/v2/intel-profiles/apt33/indicators?page=1&size=100&types=domain&sources=osint&categories=host&query=37.48.67.58'

Response

{
    "totalCount": 3,
    "types": [
        "certificate_sha1",
        "domain",
        "email",
        "hash_md5",
        "hash_sha256",
        "ip",
        "pdb_path",
        "soa_email",
        "url",
        "whois_email"
    ],
    "results": [
        {
            "id": "60492b863b180694ecb1b8e9",
            "profileId": "apt33",
            "type": "whois_email",
            "value": "order396@yahoo.com",
            "category": "network",
            "firstSeen": "2014-07-23T14:23:00.201+0000",
            "lastSeen": "2018-05-21T18:24:51.201+0000",
            "osint": false,
            "osintUrl": null,
            "articleGuids": null
        },
        {
            "id": "60492b873b180694ecb1b8fc",
            "profileId": "apt33",
            "type": "ip",
            "value": "212.83.161.63",
            "category": "network",
            "firstSeen": "2018-02-28T21:33:39.201+0000",
            "lastSeen": "2019-04-08T15:03:57.201+0000",
            "osint": false,
            "osintUrl": null,
            "articleGuids": null
        },
        {
            "id": "60492b873b180694ecb1b8f9",
            "profileId": "apt33",
            "type": "url",
            "value": "hxxp://sabic.myftp.org/Sabic.hta",
            "category": "network",
            "firstSeen": "2016-12-30T14:05:12.201+0000",
            "lastSeen": "2017-01-02T09:04:29.201+0000",
            "osint": false,
            "osintUrl": null,
            "articleGuids": null
        }
    ]
}
			

Get All Profiles By Indicator

Retrieves all profiles containing the given indicator.

Curl Example

# Get profiles containing the specified query
$ curl -u $USERNAME:$KEY 'https://api.riskiq.net/pt/v2/intel-profiles/indicator?query=37.48.67.58'
# Using all parameters
$ curl -u $USERNAME:$KEY 'https://api.riskiq.net/pt/v2/intel-profiles/indicator?query=37.48.67.58&types=ip&sources=osint&categories=host'
            

Response

{
    "totalCount": 1,
    "results": [
        {
            "id": "apt33",
            "title": "APT33",
            "link": "https://community.riskiq.com/intel-profiles/apt33",
            "osintIndicatorsCount": 429,
            "riskIqIndicatorsCount": 122,
            "indicators": "https://api.community.riskiq.com/v2/intel-profiles/apt33/indicators",
            "aliases": [
                "Elfin",
                "Holmium",
                "Cobalt Trinity"
            ],
            "tags": [
                {
                    "label": "Espionage",
                    "countryCode": null
                },
                {
                    "label": "Sabotage",
                    "countryCode": null
                },
                {
                    "label": "Windows",
                    "countryCode": null
                }
            ]
        }
    ]
}