Threat Intelligence API
The API offers a detailed security evaluation, highlighting potential risks and delivering threat intelligence. It's an essential tool for augmenting your current security setup with our expert insights. With functionality mirroring our Lookup service, it seamlessly integrates into your security platform.
Subscription plans
The API offers four subscription plans: Core, Professional, Ultimate, and Enterprise. The output fields vary between these plans, with more fields being added from Core to Ultimate.
Additionally, the subscription plans differ in the number of requests allowed per day and minute. For a complete feature comparison of the plans, please refer to the pricing page.
The API response object
The following API response model describes all output fields across all subscription plans. To find out which fields are available in specific subscription plans, please refer to the sections below relevant to each subscription.
Attributes
- Name
firstSeen
- Type
- nullable
- timestamp
- Description
UNIX timestamp of the first detected threat activity from the IP address. This field has value only when the
verdict
field's value isThreat
; otherwise, it isnull
.
- Name
lastSeen
- Type
- nullable
- timestamp
- Description
UNIX timestamp of the last detected threat activity from the IP address. This field has value only when the
verdict
field's value isThreat
; otherwise, it isnull
.
- Name
verdict
- Type
- string
- Description
Classification of the IoC's associated threat type.
Possible values:
Threat
– Substantial evidence indicates that this IP should be regarded as a threat. Advised Action: Conduct a thorough investigation of the activities linked to this IP and consider implementing restrictions on its traffic.Benign
– This IP address poses no threat and is linked to a known service performing legitimate scans/crawls. Advised action: None needed. ThebenignInfrastructure
object contains the name, description, and references to the relevant benign service.Suspicious
– Multiple signals have been detected that suggest this IP is suspicious, yet there is no definitive proof to categorize it as a threat. Advised Action: Manually inspect the activities associated with this IP to assess potential risks.Unknown
– We haven't received any signals indicating that this IP poses a threat. Advised Action: Manually analyze the existing intelligence to determine its classification.
- Name
threatScore
- Type
- integer
- Description
Numerical score indicating the threat level of the IoC, ranging from
0
to100
. A score of0
means the IP address poses no threat, while a score of100
indicates high confidence in classifying it as a threat. This field has a positive value only when theverdict
field's value isThreat
orSuspicious
; otherwise, it is0
.
- Name
threatTypes
- Type
- nullable
- string[]
- Description
A list of threat types associated with the IoC. This field contains items only when the
verdict
field's value isThreat
; otherwise, it isnull
.Possible values:
null
– There are no threat types associated with this host.Attack
– Malicious activity detected from the host.C2
– The host is a known botnet's "Command and Control" server.Malware
– The host is related to malicious software distribution.Phishing
– The host is involved in phishing activity.Spam
– The host is engaged in sending spam.Suspicious
– Host activity hasn't been confirmed as malicious, but it remains suspicious. For example, it could involve a host scraping websites or sending a large number of ICMP queries.
- Name
location
- Type
- object
- Description
Geolocation of the IP address. Is omitted if data is unavailable.
- Name
location.country
- Type
- string
- Description
Country name.
- Name
location.region
- Type
- string
- Description
Region name.
- Name
location.city
- Type
- string
- Description
City name.
- Name
publicVPN
- Type
- object
- Description
Determines whether the IP address belongs to a public VPN and retrieves its name if applicable.
- Name
publicVPN.detected
- Type
- boolean
- Description
Indicates whether the IP address belongs to a public VPN.
- Name
publicVPN.name
- Type
- string
- Description
Name of the public VPN. Is omitted if data is unavailable.
- Name
torExitNode
- Type
- boolean
- Description
Indicates whether the IP address is a TOR exit node.
- Name
ptr
- Type
- object
- Description
Retrieves the PTR record for the IP address and the result of the reverse match check. Is omitted if data is unavailable.
- Name
ptr.value
- Type
- nullable
- string
- Description
PTR record value. If the IP address does not have a PTR record,
null
.
- Name
ptr.reverseMatch
- Type
- boolean
- Description
Indicates whether the A/AAAA record of the domain in the PTR record matches the original IP address.
- Name
knownIP
- Type
- object
- Description
Information on IP addresses linked to known internet services that are not anticipated to perform infrastructure scans or crawls. Is omitted if data is unavailable.
Examples: GitHub, GitLab, AWS CloudFront.
- Name
knownIP.name
- Type
- string
- Description
The name of the service associated with the IP address.
- Name
knownIP.description
- Type
- string
- Description
Description of the service, if applicable.
- Name
knownIP.references
- Type
- string[]
- Description
A list of links to resources that support the relationship between the IP address and the service, or provide additional context.
- Name
benignInfrastructure
- Type
- object[]
- Description
Details about IP addresses associated with known internet services expected to conduct legitimate infrastructure scans or crawls. This field is available only when the
verdict
field's value isBenign
. Is omitted if data is unavailable.Examples: Apple Bot, Facebook Bot, Google Bot.
- Name
benignInfrastructure.name
- Type
- string
- Description
The name of the service associated with the IP address.
- Name
benignInfrastructure.description
- Type
- string
- Description
Description of the service, if applicable.
- Name
benignInfrastructure.references
- Type
- string[]
- Description
A list of links to resources that support the relationship between the IP address and the service, or provide additional context.
- Name
as
- Type
- object
- Description
Autonomous System (AS) object. Is omitted if data is unavailable.
- Name
as.asn
- Type
- integer
- Description
Autonomous System's number.
- Name
as.name
- Type
- string
- Description
Autonomous System's name.
- Name
as.domain
- Type
- string
- Description
Autonomous System's website URL.
- Name
netblock
- Type
- object
- Description
WHOIS information for the IP Netblock associated with the IP address.
- Name
netblock.threatScore
- Type
- integer
- Description
A numerical score representing the threat level of the Netblock, ranging from
0
to100
. A score of0
indicates no threat, while a score of100
indicates high confidence that all IPs within the Netblock are classified as threats.
- Name
netblock.source
- Type
- string
- Description
Organization responsible for the management and allocation of the IP address range.
- Name
netblock.netname
- Type
- string
- Description
Name of the IP range.
- Name
netblock.modified
- Type
- string
- Description
Date and time of the last modification to the range, as provided by the registry. Format: '2012-02-24T09:44:34-05:00'.
- Name
netblock.inetnum
- Type
- string
- Description
The range of IP addresses within the netblock. Example: '192.168.1.0 - 192.168.1.255'.
- Name
netblock.organization
- Type
- object
- Description
Organization that registered the range. Is omitted if data is unavailable.
- Name
netblock.organization.id
- Type
- string
- Description
ID of the organization.
- Name
netblock.organization.name
- Type
- string
- Description
Name of the organization.
- Name
netblock.organization.email
- Type
- string
- Description
Contact email of the organization.
- Name
netblock.organization.phone
- Type
- string
- Description
Contact phone of the organization.
- Name
netblock.organization.address
- Type
- string[]
- Description
Address of the organization.
- Name
netblock.adminContact
- Type
- object
- Description
Administrative contact information. Is omitted if data is unavailable.
- Name
netblock.adminContact.id
- Type
- string
- Description
ID of the contact.
- Name
netblock.adminContact.role
- Type
- string
- Description
Role of the contact.
- Name
netblock.adminContact.email
- Type
- string
- Description
Email of the contact.
- Name
netblock.adminContact.phone
- Type
- string
- Description
Phone number of the contact.
- Name
netblock.adminContact.address
- Type
- string[]
- Description
Address of the contact.
- Name
netblock.techContact
- Type
- object
- Description
Technical contact information. This field follows the same structure as the
adminContact
object. Is omitted if data is unavailable.
- Name
netblock.abuseContact
- Type
- object
- Description
Abuse contact information. This field follows the same structure as the
adminContact
object. Is omitted if data is unavailable.
The API response JSON object
{
"firstSeen": 1678320000,
"lastSeen": 1722902400,
"verdict": "Threat",
"threatScore": 75,
"threatTypes": [
"Malware",
"Attack"
],
"location": {
"country": "United States of America",
"region": "California",
"city": "Pleasanton"
},
"publicVPN": {
"detected": true,
"name": "NordVPN"
},
"torExitNode": false,
"ptr": {
"value": "scan-51a.shadserver.org.",
"reverseMatch": true
},
"knownIP": {
"name": "Detectify",
"description": "Detectify is a web security service that scans websites for vulnerabilities and security issues. It helps website owners identify and fix security weaknesses to protect their websites from cyber threats and attacks.",
"references": [
"https://support.detectify.com/support/solutions/articles/48001049001-how-do-i-allow-detectify-to-scan-my-assets-"
]
},
"benignInfrastructure": [
{
"name": "Reserved IP Address",
"description": "Reserved IP addresses are set aside for special purposes and should not be used on the public internet. These addresses are not routable and are intended for use in private networks, documentation, and other specific scenarios",
"references": [
"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
]
}
],
"as": {
"asn": 6939,
"name": "Hurricane Electric",
"domain": "http://he.net"
},
"netblock": {
"threatScore": 31,
"source": "arin",
"netname": "HURRICANE-4",
"modified": "2012-02-24T09:44:34-05:00",
"inetnum": "64.62.128.0 - 64.62.255.255",
"organization": {
"id": "HURC",
"name": "Hurricane Electric LLC",
"email": "",
"phone": "",
"address": [
"760 Mission Court",
"Fremont",
"CA",
"94539",
"United States"
]
},
"adminContact": {
"id": "ZH17-ARIN",
"role": "Hurricane Electric",
"email": "hostmaster@he.net",
"phone": "+1-510-580-4100",
"address": [
"760 Mission Court",
"Fremont",
"CA",
"94539",
"United States"
]
},
"techContact": {
"id": "ZH17-ARIN",
"role": "Hurricane Electric",
"email": "hostmaster@he.net",
"phone": "+1-510-580-4100",
"address": [
"760 Mission Court",
"Fremont",
"CA",
"94539",
"United States"
]
},
"abuseContact": {
"id": "ABUSE1036-ARIN",
"role": "Abuse Department",
"email": "abuse@he.net",
"phone": "+1-510-580-4100",
"address": [
"760 Mission Court",
"Fremont",
"CA",
"94539",
"United States"
]
}
}
}
Authentication
To authenticate with the API, include your personal API key in the request using the required apiKey
query parameter. Once your subscription payment is confirmed, you will receive an email containing your API key.
"Core" API
Input parameters
- Name
apiKey
- Type
- string
- Required
- Required
- Description
Your personal API key.
- Name
ip
- Type
- string
- Required
- Required
- Description
IPv4 or IPv6 address to look up.
Request limits
The request rate limits vary by subscription plan. The "Core" API allows for a maximum of 1
requests per minute and 100
requests per day. If you exceed these limits, the API will return a 429
HTTP error code.
Output fields
The output fields vary between subscription plans. The "Core" API allows the following output fields:
firstSeen
lastSeen
verdict
threatScore
threatTypes
For field descriptions, please refer to the API response object section of the documentation.
Request
curl --location 'https://api.falconsentinel.com/v2/core?apiKey=...&ip=101.132.168.206'
Sample response
{
"firstSeen": 1678320000,
"lastSeen": 1722902400,
"verdict": "Threat",
"threatScore": 75,
"threatTypes": [
"Malware",
"Attack"
]
}
"Professional" API
Input parameters
- Name
apiKey
- Type
- string
- Required
- Required
- Description
Your personal API key.
- Name
ip
- Type
- string
- Required
- Required
- Description
IPv4 or IPv6 address to look up.
- Name
realTimeData
- Type
- integer
- Description
Retrieve real-time data instead of potentially cached data. These requests take longer to process.
Accepted values:
0
or1
Default value:
0
Request limits
The request rate limits vary by subscription plan. The "Professional" API allows for a maximum of 5
requests per minute and 500
requests per day. If you exceed these limits, the API will return a 429
HTTP error code.
Output fields
The output fields vary between subscription plans. The "Professional" API allows the following output fields:
firstSeen
lastSeen
verdict
threatScore
threatTypes
location
publicVPN
torExitNode
ptr
knownIP
benignInfrastructure
For field descriptions, please refer to the API response object section of the documentation.
Request
curl --location 'https://api.falconsentinel.com/v2/pro?apiKey=...&ip=101.132.168.206'
Sample response
{
"firstSeen": 1678320000,
"lastSeen": 1722902400,
"verdict": "Threat",
"threatScore": 75,
"threatTypes": [
"Malware",
"Attack"
],
"location": {
"country": "United States of America",
"region": "California",
"city": "Pleasanton"
},
"publicVPN": {
"detected": true,
"name": "NordVPN"
},
"torExitNode": false,
"ptr": {
"value": "scan-51a.shadserver.org.",
"reverseMatch": true
},
"knownIP": {
"name": "Detectify",
"description": "Detectify is a web security service that scans websites for vulnerabilities and security issues. It helps website owners identify and fix security weaknesses to protect their websites from cyber threats and attacks.",
"references": [
"https://support.detectify.com/support/solutions/articles/48001049001-how-do-i-allow-detectify-to-scan-my-assets-"
]
},
"benignInfrastructure": [
{
"name": "Reserved IP Address",
"description": "Reserved IP addresses are set aside for special purposes and should not be used on the public internet. These addresses are not routable and are intended for use in private networks, documentation, and other specific scenarios",
"references": [
"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
]
}
],
}
"Ultimate" API
Input parameters
- Name
apiKey
- Type
- string
- Required
- Required
- Description
Your personal API key.
- Name
ip
- Type
- string
- Required
- Required
- Description
IPv4 or IPv6 address to look up.
- Name
realTimeData
- Type
- integer
- Description
Retrieve real-time data instead of potentially cached data. These requests take longer to process.
Accepted values:
0
or1
Default value:
0
Request limits
The request rate limits vary by subscription plan. The "Ultimate" API allows for a maximum of 60
requests per minute and 2,500
requests per day. If you exceed these limits, the API will return a 429
HTTP error code.
Output fields
The output fields vary between subscription plans. The "Ultimate" API allows the following output fields:
firstSeen
lastSeen
verdict
threatScore
threatTypes
location
publicVPN
torExitNode
ptr
knownIP
benignInfrastructure
as
netblock
For field descriptions, please refer to the API response object section of the documentation.
Request
curl --location 'https://api.falconsentinel.com/v2/ultimate?apiKey=...&ip=101.132.168.206'
Sample response
{
"firstSeen": 1678320000,
"lastSeen": 1722902400,
"verdict": "Threat",
"threatScore": 75,
"threatTypes": [
"Malware",
"Attack"
],
"location": {
"country": "United States of America",
"region": "California",
"city": "Pleasanton"
},
"publicVPN": {
"detected": true,
"name": "NordVPN"
},
"torExitNode": false,
"ptr": {
"value": "scan-51a.shadserver.org.",
"reverseMatch": true
},
"knownIP": {
"name": "Detectify",
"description": "Detectify is a web security service that scans websites for vulnerabilities and security issues. It helps website owners identify and fix security weaknesses to protect their websites from cyber threats and attacks.",
"references": [
"https://support.detectify.com/support/solutions/articles/48001049001-how-do-i-allow-detectify-to-scan-my-assets-"
]
},
"benignInfrastructure": [
{
"name": "Reserved IP Address",
"description": "Reserved IP addresses are set aside for special purposes and should not be used on the public internet. These addresses are not routable and are intended for use in private networks, documentation, and other specific scenarios",
"references": [
"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
]
}
],
"as": {
"asn": 6939,
"name": "Hurricane Electric",
"domain": "http://he.net"
},
"netblock": {
"threatScore": 31,
"source": "arin",
"netname": "HURRICANE-4",
"modified": "2012-02-24T09:44:34-05:00",
"inetnum": "64.62.128.0 - 64.62.255.255",
"organization": {
"id": "HURC",
"name": "Hurricane Electric LLC",
"email": "",
"phone": "",
"address": [
"760 Mission Court",
"Fremont",
"CA",
"94539",
"United States"
]
},
"adminContact": {
"id": "ZH17-ARIN",
"role": "Hurricane Electric",
"email": "hostmaster@he.net",
"phone": "+1-510-580-4100",
"address": [
"760 Mission Court",
"Fremont",
"CA",
"94539",
"United States"
]
},
"abuseContact": {
"id": "ABUSE1036-ARIN",
"role": "Abuse Department",
"email": "abuse@he.net",
"phone": "+1-510-580-4100",
"address": [
"760 Mission Court",
"Fremont",
"CA",
"94539",
"United States"
]
}
}
}
"Enterprise" API
Input parameters
- Name
apiKey
- Type
- string
- Required
- Required
- Description
Your personal API key.
- Name
ip
- Type
- string
- Required
- Required
- Description
IPv4 or IPv6 address to look up.
- Name
realTimeData
- Type
- integer
- Description
Retrieve real-time data instead of potentially cached data. These requests take longer to process.
Accepted values:
0
or1
Default value:
0
Request limits
Custom request limits are available for the Enterprise API
. Please refer to the pricing page for more information.
Request
curl --location 'https://api.falconsentinel.com/v2/enterprise?apiKey=...&ip=101.132.168.206'
Sample response
{
"firstSeen": 1678320000,
"lastSeen": 1722902400,
"verdict": "Threat",
"threatScore": 75,
"threatTypes": [
"Malware",
"Attack"
],
"location": {
"country": "United States of America",
"region": "California",
"city": "Pleasanton"
},
"publicVPN": {
"detected": true,
"name": "NordVPN"
},
"torExitNode": false,
"ptr": {
"value": "scan-51a.shadserver.org.",
"reverseMatch": true
},
"knownIP": {
"name": "Detectify",
"description": "Detectify is a web security service that scans websites for vulnerabilities and security issues. It helps website owners identify and fix security weaknesses to protect their websites from cyber threats and attacks.",
"references": [
"https://support.detectify.com/support/solutions/articles/48001049001-how-do-i-allow-detectify-to-scan-my-assets-"
]
},
"benignInfrastructure": [
{
"name": "Reserved IP Address",
"description": "Reserved IP addresses are set aside for special purposes and should not be used on the public internet. These addresses are not routable and are intended for use in private networks, documentation, and other specific scenarios",
"references": [
"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
]
}
],
"as": {
"asn": 6939,
"name": "Hurricane Electric",
"domain": "http://he.net"
},
"netblock": {
"threatScore": 31,
"source": "arin",
"netname": "HURRICANE-4",
"modified": "2012-02-24T09:44:34-05:00",
"inetnum": "64.62.128.0 - 64.62.255.255",
"organization": {
"id": "HURC",
"name": "Hurricane Electric LLC",
"email": "",
"phone": "",
"address": [
"760 Mission Court",
"Fremont",
"CA",
"94539",
"United States"
]
},
"adminContact": {
"id": "ZH17-ARIN",
"role": "Hurricane Electric",
"email": "hostmaster@he.net",
"phone": "+1-510-580-4100",
"address": [
"760 Mission Court",
"Fremont",
"CA",
"94539",
"United States"
]
},
"abuseContact": {
"id": "ABUSE1036-ARIN",
"role": "Abuse Department",
"email": "abuse@he.net",
"phone": "+1-510-580-4100",
"address": [
"760 Mission Court",
"Fremont",
"CA",
"94539",
"United States"
]
}
}
}
Errors
You can determine if your request was successful by checking the status code in the API response. Since 99% of reported errors are user errors, please review your code thoroughly before reaching out to support. Now, let's explore the status codes and error types you might encounter.
Status codes
- Name
2xx
- Description
Successful response.
- Name
400
- Description
Invalid input parameters.
- Name
401
- Description
Unauthorized. Verify your API key or check your subscription limits.
- Name
429
- Description
Too many requests. Try your call again later.
- Name
5xx
- Description
Server error. Please try your call again later or contact support."