Threat Intelligence API

The API offers a detailed security evaluation, highlighting potential risks and delivering threat intelligence. It's an essential tool for augmenting your current security setup with our expert insights. With functionality mirroring our Lookup service, it seamlessly integrates into your security platform.


Subscription plans

The API offers four subscription plans: Core, Professional, Ultimate, and Enterprise. The output fields vary between these plans, with more fields being added from Core to Ultimate.

Additionally, the subscription plans differ in the number of requests allowed per day and minute. For a complete feature comparison of the plans, please refer to the pricing page.


The API response object

The following API response model describes all output fields across all subscription plans. To find out which fields are available in specific subscription plans, please refer to the sections below relevant to each subscription.

Attributes

  • Name
    firstSeen
    Type
    nullable
    timestamp
    Description

    UNIX timestamp of the first detected threat activity from the IP address. This field has value only when the verdict field's value is Threat; otherwise, it is null.

  • Name
    lastSeen
    Type
    nullable
    timestamp
    Description

    UNIX timestamp of the last detected threat activity from the IP address. This field has value only when the verdict field's value is Threat; otherwise, it is null.

  • Name
    verdict
    Type
    string
    Description

    Classification of the IoC's associated threat type.

    Possible values:

    • Threat – Substantial evidence indicates that this IP should be regarded as a threat. Advised Action: Conduct a thorough investigation of the activities linked to this IP and consider implementing restrictions on its traffic.
    • Benign – This IP address poses no threat and is linked to a known service performing legitimate scans/crawls. Advised action: None needed. The benignInfrastructure object contains the name, description, and references to the relevant benign service.
    • Suspicious – Multiple signals have been detected that suggest this IP is suspicious, yet there is no definitive proof to categorize it as a threat. Advised Action: Manually inspect the activities associated with this IP to assess potential risks.
    • Unknown – We haven't received any signals indicating that this IP poses a threat. Advised Action: Manually analyze the existing intelligence to determine its classification.
  • Name
    threatScore
    Type
    integer
    Description

    Numerical score indicating the threat level of the IoC, ranging from 0 to 100. A score of 0 means the IP address poses no threat, while a score of 100 indicates high confidence in classifying it as a threat. This field has a positive value only when the verdict field's value is Threat or Suspicious; otherwise, it is 0.

  • Name
    threatTypes
    Type
    nullable
    string[]
    Description

    A list of threat types associated with the IoC. This field contains items only when the verdict field's value is Threat; otherwise, it is null.

    Possible values:

    • null – There are no threat types associated with this host.
    • Attack – Malicious activity detected from the host.
    • C2 – The host is a known botnet's "Command and Control" server.
    • Malware – The host is related to malicious software distribution.
    • Phishing – The host is involved in phishing activity.
    • Spam – The host is engaged in sending spam.
    • Suspicious – Host activity hasn't been confirmed as malicious, but it remains suspicious. For example, it could involve a host scraping websites or sending a large number of ICMP queries.
  • Name
    location
    Type
    object
    Description

    Geolocation of the IP address. Is omitted if data is unavailable.

    • Name
      location.country
      Type
      string
      Description

      Country name.

    • Name
      location.region
      Type
      string
      Description

      Region name.

    • Name
      location.city
      Type
      string
      Description

      City name.

  • Name
    publicVPN
    Type
    object
    Description

    Determines whether the IP address belongs to a public VPN and retrieves its name if applicable.

    • Name
      publicVPN.detected
      Type
      boolean
      Description

      Indicates whether the IP address belongs to a public VPN.

    • Name
      publicVPN.name
      Type
      string
      Description

      Name of the public VPN. Is omitted if data is unavailable.

  • Name
    torExitNode
    Type
    boolean
    Description

    Indicates whether the IP address is a TOR exit node.

  • Name
    ptr
    Type
    object
    Description

    Retrieves the PTR record for the IP address and the result of the reverse match check. Is omitted if data is unavailable.

    • Name
      ptr.value
      Type
      nullable
      string
      Description

      PTR record value. If the IP address does not have a PTR record, null.

    • Name
      ptr.reverseMatch
      Type
      boolean
      Description

      Indicates whether the A/AAAA record of the domain in the PTR record matches the original IP address.

  • Name
    knownIP
    Type
    object
    Description

    Information on IP addresses linked to known internet services that are not anticipated to perform infrastructure scans or crawls. Is omitted if data is unavailable.

    Examples: GitHub, GitLab, AWS CloudFront.

    • Name
      knownIP.name
      Type
      string
      Description

      The name of the service associated with the IP address.

    • Name
      knownIP.description
      Type
      string
      Description

      Description of the service, if applicable.

    • Name
      knownIP.references
      Type
      string[]
      Description

      A list of links to resources that support the relationship between the IP address and the service, or provide additional context.

  • Name
    benignInfrastructure
    Type
    object[]
    Description

    Details about IP addresses associated with known internet services expected to conduct legitimate infrastructure scans or crawls. This field is available only when the verdict field's value is Benign. Is omitted if data is unavailable.

    Examples: Apple Bot, Facebook Bot, Google Bot.

    • Name
      benignInfrastructure.name
      Type
      string
      Description

      The name of the service associated with the IP address.

    • Name
      benignInfrastructure.description
      Type
      string
      Description

      Description of the service, if applicable.

    • Name
      benignInfrastructure.references
      Type
      string[]
      Description

      A list of links to resources that support the relationship between the IP address and the service, or provide additional context.

  • Name
    as
    Type
    object
    Description

    Autonomous System (AS) object. Is omitted if data is unavailable.

    • Name
      as.asn
      Type
      integer
      Description

      Autonomous System's number.

    • Name
      as.name
      Type
      string
      Description

      Autonomous System's name.

    • Name
      as.domain
      Type
      string
      Description

      Autonomous System's website URL.

  • Name
    netblock
    Type
    object
    Description

    WHOIS information for the IP Netblock associated with the IP address.

    • Name
      netblock.threatScore
      Type
      integer
      Description

      A numerical score representing the threat level of the Netblock, ranging from 0 to 100. A score of 0 indicates no threat, while a score of 100 indicates high confidence that all IPs within the Netblock are classified as threats.

    • Name
      netblock.source
      Type
      string
      Description

      Organization responsible for the management and allocation of the IP address range.

    • Name
      netblock.netname
      Type
      string
      Description

      Name of the IP range.

    • Name
      netblock.modified
      Type
      string
      Description

      Date and time of the last modification to the range, as provided by the registry. Format: '2012-02-24T09:44:34-05:00'.

    • Name
      netblock.inetnum
      Type
      string
      Description

      The range of IP addresses within the netblock. Example: '192.168.1.0 - 192.168.1.255'.

    • Name
      netblock.organization
      Type
      object
      Description

      Organization that registered the range. Is omitted if data is unavailable.

      • Name
        netblock.organization.id
        Type
        string
        Description

        ID of the organization.

      • Name
        netblock.organization.name
        Type
        string
        Description

        Name of the organization.

      • Name
        netblock.organization.email
        Type
        string
        Description

        Contact email of the organization.

      • Name
        netblock.organization.phone
        Type
        string
        Description

        Contact phone of the organization.

      • Name
        netblock.organization.address
        Type
        string[]
        Description

        Address of the organization.

    • Name
      netblock.adminContact
      Type
      object
      Description

      Administrative contact information. Is omitted if data is unavailable.

      • Name
        netblock.adminContact.id
        Type
        string
        Description

        ID of the contact.

      • Name
        netblock.adminContact.role
        Type
        string
        Description

        Role of the contact.

      • Name
        netblock.adminContact.email
        Type
        string
        Description

        Email of the contact.

      • Name
        netblock.adminContact.phone
        Type
        string
        Description

        Phone number of the contact.

      • Name
        netblock.adminContact.address
        Type
        string[]
        Description

        Address of the contact.

    • Name
      netblock.techContact
      Type
      object
      Description

      Technical contact information. This field follows the same structure as the adminContact object. Is omitted if data is unavailable.

    • Name
      netblock.abuseContact
      Type
      object
      Description

      Abuse contact information. This field follows the same structure as the adminContact object. Is omitted if data is unavailable.

The API response JSON object

{
    "firstSeen": 1678320000,
    "lastSeen": 1722902400,
    "verdict": "Threat",
    "threatScore": 75,
    "threatTypes": [
        "Malware",
        "Attack"
    ],
    "location": {
        "country": "United States of America",
        "region": "California",
        "city": "Pleasanton"
    },
    "publicVPN": {
        "detected": true,
        "name": "NordVPN"
    },
    "torExitNode": false,
    "ptr": {
        "value": "scan-51a.shadserver.org.",
        "reverseMatch": true
    },
    "knownIP": {
        "name": "Detectify",
        "description": "Detectify is a web security service that scans websites for vulnerabilities and security issues. It helps website owners identify and fix security weaknesses to protect their websites from cyber threats and attacks.",
        "references": [
            "https://support.detectify.com/support/solutions/articles/48001049001-how-do-i-allow-detectify-to-scan-my-assets-"
        ]
    },
    "benignInfrastructure": [
        {
            "name": "Reserved IP Address",
            "description": "Reserved IP addresses are set aside for special purposes and should not be used on the public internet. These addresses are not routable and are intended for use in private networks, documentation, and other specific scenarios",
            "references": [
                "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
            ]
        }
    ],
    "as": {
        "asn": 6939,
        "name": "Hurricane Electric",
        "domain": "http://he.net"
    },
    "netblock": {
        "threatScore": 31,
        "source": "arin",
        "netname": "HURRICANE-4",
        "modified": "2012-02-24T09:44:34-05:00",
        "inetnum": "64.62.128.0 - 64.62.255.255",
        "organization": {
            "id": "HURC",
            "name": "Hurricane Electric LLC",
            "email": "",
            "phone": "",
            "address": [
                "760 Mission Court",
                "Fremont",
                "CA",
                "94539",
                "United States"
            ]
        },
        "adminContact": {
            "id": "ZH17-ARIN",
            "role": "Hurricane Electric",
            "email": "hostmaster@he.net",
            "phone": "+1-510-580-4100",
            "address": [
                "760 Mission Court",
                "Fremont",
                "CA",
                "94539",
                "United States"
            ]
        },
        "techContact": {
            "id": "ZH17-ARIN",
            "role": "Hurricane Electric",
            "email": "hostmaster@he.net",
            "phone": "+1-510-580-4100",
            "address": [
                "760 Mission Court",
                "Fremont",
                "CA",
                "94539",
                "United States"
            ]
        },
        "abuseContact": {
            "id": "ABUSE1036-ARIN",
            "role": "Abuse Department",
            "email": "abuse@he.net",
            "phone": "+1-510-580-4100",
            "address": [
                "760 Mission Court",
                "Fremont",
                "CA",
                "94539",
                "United States"
            ]
        }
    }
}

Authentication

To authenticate with the API, include your personal API key in the request using the required apiKey query parameter. Once your subscription payment is confirmed, you will receive an email containing your API key.


"Core" API

Input parameters

  • Name
    apiKey
    Type
    string
    Required
    Required
    Description

    Your personal API key.

  • Name
    ip
    Type
    string
    Required
    Required
    Description

    IPv4 or IPv6 address to look up.

Request limits

The request rate limits vary by subscription plan. The "Core" API allows for a maximum of 1 requests per minute and 100 requests per day. If you exceed these limits, the API will return a 429 HTTP error code.

Output fields

The output fields vary between subscription plans. The "Core" API allows the following output fields:

  • firstSeen
  • lastSeen
  • verdict
  • threatScore
  • threatTypes

For field descriptions, please refer to the API response object section of the documentation.

Request

GET
https://api.falconsentinel.com/v2/core
curl --location 'https://api.falconsentinel.com/v2/core?apiKey=...&ip=101.132.168.206'

Sample response

{
    "firstSeen": 1678320000,
    "lastSeen": 1722902400,
    "verdict": "Threat",
    "threatScore": 75,
    "threatTypes": [
        "Malware",
        "Attack"
    ]
}

"Professional" API

Input parameters

  • Name
    apiKey
    Type
    string
    Required
    Required
    Description

    Your personal API key.

  • Name
    ip
    Type
    string
    Required
    Required
    Description

    IPv4 or IPv6 address to look up.

  • Name
    realTimeData
    Type
    integer
    Description

    Retrieve real-time data instead of potentially cached data. These requests take longer to process.

    Accepted values: 0 or 1

    Default value: 0

Request limits

The request rate limits vary by subscription plan. The "Professional" API allows for a maximum of 5 requests per minute and 500 requests per day. If you exceed these limits, the API will return a 429 HTTP error code.

Output fields

The output fields vary between subscription plans. The "Professional" API allows the following output fields:

  • firstSeen
  • lastSeen
  • verdict
  • threatScore
  • threatTypes
  • location
  • publicVPN
  • torExitNode
  • ptr
  • knownIP
  • benignInfrastructure

For field descriptions, please refer to the API response object section of the documentation.

Request

GET
https://api.falconsentinel.com/v2/pro
curl --location 'https://api.falconsentinel.com/v2/pro?apiKey=...&ip=101.132.168.206'

Sample response

{
    "firstSeen": 1678320000,
    "lastSeen": 1722902400,
    "verdict": "Threat",
    "threatScore": 75,
    "threatTypes": [
        "Malware",
        "Attack"
    ],
    "location": {
        "country": "United States of America",
        "region": "California",
        "city": "Pleasanton"
    },
    "publicVPN": {
        "detected": true,
        "name": "NordVPN"
    },
    "torExitNode": false,
    "ptr": {
        "value": "scan-51a.shadserver.org.",
        "reverseMatch": true
    },
    "knownIP": {
        "name": "Detectify",
        "description": "Detectify is a web security service that scans websites for vulnerabilities and security issues. It helps website owners identify and fix security weaknesses to protect their websites from cyber threats and attacks.",
        "references": [
            "https://support.detectify.com/support/solutions/articles/48001049001-how-do-i-allow-detectify-to-scan-my-assets-"
        ]
    },
    "benignInfrastructure": [
        {
            "name": "Reserved IP Address",
            "description": "Reserved IP addresses are set aside for special purposes and should not be used on the public internet. These addresses are not routable and are intended for use in private networks, documentation, and other specific scenarios",
            "references": [
            "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
            ]
        }
    ],
}

"Ultimate" API

Input parameters

  • Name
    apiKey
    Type
    string
    Required
    Required
    Description

    Your personal API key.

  • Name
    ip
    Type
    string
    Required
    Required
    Description

    IPv4 or IPv6 address to look up.

  • Name
    realTimeData
    Type
    integer
    Description

    Retrieve real-time data instead of potentially cached data. These requests take longer to process.

    Accepted values: 0 or 1

    Default value: 0

Request limits

The request rate limits vary by subscription plan. The "Ultimate" API allows for a maximum of 60 requests per minute and 2,500 requests per day. If you exceed these limits, the API will return a 429 HTTP error code.

Output fields

The output fields vary between subscription plans. The "Ultimate" API allows the following output fields:

  • firstSeen
  • lastSeen
  • verdict
  • threatScore
  • threatTypes
  • location
  • publicVPN
  • torExitNode
  • ptr
  • knownIP
  • benignInfrastructure
  • as
  • netblock

For field descriptions, please refer to the API response object section of the documentation.

Request

GET
https://api.falconsentinel.com/v2/ultimate
curl --location 'https://api.falconsentinel.com/v2/ultimate?apiKey=...&ip=101.132.168.206'

Sample response

{
    "firstSeen": 1678320000,
    "lastSeen": 1722902400,
    "verdict": "Threat",
    "threatScore": 75,
    "threatTypes": [
        "Malware",
        "Attack"
    ],
    "location": {
        "country": "United States of America",
        "region": "California",
        "city": "Pleasanton"
    },
    "publicVPN": {
        "detected": true,
        "name": "NordVPN"
    },
    "torExitNode": false,
    "ptr": {
        "value": "scan-51a.shadserver.org.",
        "reverseMatch": true
    },
    "knownIP": {
        "name": "Detectify",
        "description": "Detectify is a web security service that scans websites for vulnerabilities and security issues. It helps website owners identify and fix security weaknesses to protect their websites from cyber threats and attacks.",
        "references": [
            "https://support.detectify.com/support/solutions/articles/48001049001-how-do-i-allow-detectify-to-scan-my-assets-"
        ]
    },
    "benignInfrastructure": [
        {
            "name": "Reserved IP Address",
            "description": "Reserved IP addresses are set aside for special purposes and should not be used on the public internet. These addresses are not routable and are intended for use in private networks, documentation, and other specific scenarios",
            "references": [
                "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
            ]
        }
    ],
    "as": {
        "asn": 6939,
        "name": "Hurricane Electric",
        "domain": "http://he.net"
    },
    "netblock": {
        "threatScore": 31,
        "source": "arin",
        "netname": "HURRICANE-4",
        "modified": "2012-02-24T09:44:34-05:00",
        "inetnum": "64.62.128.0 - 64.62.255.255",
        "organization": {
            "id": "HURC",
            "name": "Hurricane Electric LLC",
            "email": "",
            "phone": "",
            "address": [
                "760 Mission Court",
                "Fremont",
                "CA",
                "94539",
                "United States"
            ]
        },
        "adminContact": {
            "id": "ZH17-ARIN",
            "role": "Hurricane Electric",
            "email": "hostmaster@he.net",
            "phone": "+1-510-580-4100",
            "address": [
                "760 Mission Court",
                "Fremont",
                "CA",
                "94539",
                "United States"
            ]
        },
        "abuseContact": {
            "id": "ABUSE1036-ARIN",
            "role": "Abuse Department",
            "email": "abuse@he.net",
            "phone": "+1-510-580-4100",
            "address": [
                "760 Mission Court",
                "Fremont",
                "CA",
                "94539",
                "United States"
            ]
        }
    }
}

"Enterprise" API

Input parameters

  • Name
    apiKey
    Type
    string
    Required
    Required
    Description

    Your personal API key.

  • Name
    ip
    Type
    string
    Required
    Required
    Description

    IPv4 or IPv6 address to look up.

  • Name
    realTimeData
    Type
    integer
    Description

    Retrieve real-time data instead of potentially cached data. These requests take longer to process.

    Accepted values: 0 or 1

    Default value: 0

Request limits

Custom request limits are available for the Enterprise API. Please refer to the pricing page for more information.

Request

GET
https://api.falconsentinel.com/v2/enterprise
curl --location 'https://api.falconsentinel.com/v2/enterprise?apiKey=...&ip=101.132.168.206'

Sample response

{
    "firstSeen": 1678320000,
    "lastSeen": 1722902400,
    "verdict": "Threat",
    "threatScore": 75,
    "threatTypes": [
        "Malware",
        "Attack"
    ],
    "location": {
        "country": "United States of America",
        "region": "California",
        "city": "Pleasanton"
    },
    "publicVPN": {
        "detected": true,
        "name": "NordVPN"
    },
    "torExitNode": false,
    "ptr": {
        "value": "scan-51a.shadserver.org.",
        "reverseMatch": true
    },
    "knownIP": {
        "name": "Detectify",
        "description": "Detectify is a web security service that scans websites for vulnerabilities and security issues. It helps website owners identify and fix security weaknesses to protect their websites from cyber threats and attacks.",
        "references": [
            "https://support.detectify.com/support/solutions/articles/48001049001-how-do-i-allow-detectify-to-scan-my-assets-"
        ]
    },
    "benignInfrastructure": [
        {
            "name": "Reserved IP Address",
            "description": "Reserved IP addresses are set aside for special purposes and should not be used on the public internet. These addresses are not routable and are intended for use in private networks, documentation, and other specific scenarios",
            "references": [
                "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
            ]
        }
    ],
    "as": {
        "asn": 6939,
        "name": "Hurricane Electric",
        "domain": "http://he.net"
    },
    "netblock": {
        "threatScore": 31,
        "source": "arin",
        "netname": "HURRICANE-4",
        "modified": "2012-02-24T09:44:34-05:00",
        "inetnum": "64.62.128.0 - 64.62.255.255",
        "organization": {
            "id": "HURC",
            "name": "Hurricane Electric LLC",
            "email": "",
            "phone": "",
            "address": [
                "760 Mission Court",
                "Fremont",
                "CA",
                "94539",
                "United States"
            ]
        },
        "adminContact": {
            "id": "ZH17-ARIN",
            "role": "Hurricane Electric",
            "email": "hostmaster@he.net",
            "phone": "+1-510-580-4100",
            "address": [
                "760 Mission Court",
                "Fremont",
                "CA",
                "94539",
                "United States"
            ]
        },
        "abuseContact": {
            "id": "ABUSE1036-ARIN",
            "role": "Abuse Department",
            "email": "abuse@he.net",
            "phone": "+1-510-580-4100",
            "address": [
                "760 Mission Court",
                "Fremont",
                "CA",
                "94539",
                "United States"
            ]
        }
    }
}

Errors

You can determine if your request was successful by checking the status code in the API response. Since 99% of reported errors are user errors, please review your code thoroughly before reaching out to support. Now, let's explore the status codes and error types you might encounter.

Status codes

  • Name
    2xx
    Description

    Successful response.

  • Name
    400
    Description

    Invalid input parameters.

  • Name
    401
    Description

    Unauthorized. Verify your API key or check your subscription limits.

  • Name
    429
    Description

    Too many requests. Try your call again later.

  • Name
    5xx
    Description

    Server error. Please try your call again later or contact support."