NAV
shell Python (3.x)

Introduction

Summary of Resource URL Patterns

/v1/repcategories

/v1/cve/{cve}
/v1/cve/top-trending

/v1/domains/{domain}/events
/v1/domains/{domain}/geoloc
/v1/domains/{domain}/ips
/v1/domains/{domain}/nameservers
/v1/domains/{domain}/reputation
/v1/domains/{domain}/samples
/v1/domains/{domain}/urls
/v1/domains/{domain}/whois

/v1/ips/{ip}/domains
/v1/ips/{ip}/events
/v1/ips/{ip}/geoloc
/v1/ips/{ip}/reputation
/v1/ips/{ip}/samples
/v1/ips/{ip}/urls

/v1/malare/{malware_family}
/v1/samples/{md5}
/v1/samples/{md5}/connections
/v1/samples/{md5}/dns
/v1/samples/{md5}/events
/v1/samples/{md5}/http

/v1/sids/{sid}
/v1/sids/{sid}/ips
/v1/sids/{sid}/domains
/v1/sids/{sid}/samples

/v1/actors/{threatactor}

The ET Intelligence API is organized around REST with JSON responses. Our API is designed to use HTTP response codes to indicate API success/errors. We support cross-origin resource sharing (CORS) to allow you to interact with our API from a client-side web application. JSON will be returned in all responses from the API.

The ET Intelligence API can be used to get information such as up-to-date reputation of domains and IPs, as well as related information on our entire database of over 300 million malware samples.

We currently have code examples using curl and Python. If you have a particular language you'd like to see API examples for, please let us know. You can view code examples in the dark area to the right, and you can switch the programming language of the examples with the tabs in the top right.

Authentication

To authenticate, use this code:

# With curl, you can just pass the correct header with each request
curl https://api.emergingthreats.net/v1/repcategories -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "api_endpoint_here"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)

Make sure to replace SECRETKEY with your API key.

Emerging Threats uses API keys to allow access to our API. If your company has paid for API access, you can find your API key by visiting https://etadmin.proofpoint.com/api-access.

The Query API expects for the API key to be included in all API requests to the server in a header that looks like the following:

Authorization: SECRETKEY

Rate-limiting

The ET Intelligence API will rate limit requests on a per-API key basis. If you exceed your rate limit you will receive an API response with a 429 HTTP status code and a brief message indicating you have exceeded your rate limit. To increase your rate limit, contact sales.

The JSON response associated with an exceeded rate limit should look something like:

{
  "success": false,
  "message": "Rate limit exceeded",
  "response": {}
}

Reputation Metadata

List reputation categories

curl https://api.emergingthreats.net/v1/repcategories -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "https://api.emergingthreats.net/v1/repcategories"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)
print(response.json())

The JSON response should look something like:

{
  "success": true,
  "response": [
    {
      "name": "Bot",
      "description": "Known Infected Bot"
    },
    {
      "name": "CnC",
      "description": "Malware Command and Control Server"
    },
    {
      "name": "Spam",
      "description": "Known Spam Source"
    }
  ]
}

This endpoint lists all of the possible categories for reputation categorization and a brief description of each item.

HTTP Request

GET https://api.emergingthreats.net/v1/repcategories

Response Parameters

Parameter Optional? Description
name No The name of the reputation category.
description No A brief description of the category.

CVE Information BETA

Get CVE Details

curl "https://api.emergingthreats.net/v1/cve/{CVE}"
  -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "https://api.emergingthreats.net/v1/cve/{CVE}"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)
print(response.json())

The JSON response should look something like:

{
    "success": true,
    "timestamp": "2023-08-28-15:32:16",
    "message_id": "req877619770",
    "response": {
        "cve": "CVE-2022-30525",
        "description": "A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.",
        "config_operator": "OR",
        "source_identifier": "security@zyxel.com.tw",
        "vuln_status": "Analyzed",
        "cisa_exploit_add": "2022-05-16",
        "cisa_vulnerability_name": "Zyxel Multiple Firewalls OS Command Injection Vulnerability",
        "known_exploited_vulnerabilities": true,
        "pfpt_recent_observed": true,
        "pfpt_ever_observed": true,
        "pfpt_first_observed": "2023-03-01",
        "pfpt_last_observed": "2023-08-28",
        "seven_day_trend": "increasing",
        "basemetricv3": {
            "type": "Primary",
            "source": "nvd@nist.gov",
            "cvssData": {
                "scope": "UNCHANGED",
                "version": "3.1",
                "baseScore": 9.8,
                "attackVector": "NETWORK",
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "integrityImpact": "HIGH",
                "userInteraction": "NONE",
                "attackComplexity": "LOW",
                "availabilityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "confidentialityImpact": "HIGH"
            },
            "impactScore": 5.9,
            "exploitabilityScore": 3.9
        },
        "basemetricv2": {
            "type": "Primary",
            "source": "nvd@nist.gov",
            "cvssData": {
                "version": "2.0",
                "baseScore": 10.0,
                "accessVector": "NETWORK",
                "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
                "authentication": "NONE",
                "integrityImpact": "COMPLETE",
                "accessComplexity": "LOW",
                "availabilityImpact": "COMPLETE",
                "confidentialityImpact": "COMPLETE"
            },
            "acInsufInfo": false,
            "impactScore": 10.0,
            "baseSeverity": "HIGH",
            "obtainAllPrivilege": false,
            "exploitabilityScore": 10.0,
            "obtainUserPrivilege": false,
            "obtainOtherPrivilege": false,
            "userInteractionRequired": false
        },
        "weaknesses": [
            {
                "type": "Primary",
                "source": "nvd@nist.gov",
                "description": [
                    {
                        "lang": "en",
                        "value": "CWE-78"
                    }
                ]
            },
            {
                "type": "Secondary",
                "source": "security@zyxel.com.tw",
                "description": [
                    {
                        "lang": "en",
                        "value": "CWE-78"
                    }
                ]
            }
        ],
        "publisheddate": "2022-05-12",
        "lastmodifieddate": "2022-10-19"
    }
}

This endpoint retrieves CVE information from NVD and Emerging Threats data. The endpoint relays whether there are known exploits, whether PFPT has observed exploit attempts, the first and last date of the observed exploit attempts and whether the exploit volume is increasing over the last week. CVEs where we see active exploits should be considered high priority for patching if they are in your environment.

HTTP Request

GET https://api.emergingthreats.net/v1/cve/{cve}/

Response Parameters

Parameter Optional? Description
cve No description
description No The description of CVE.
config_operator No It coveys the logical relationship of the CPE or child objects. It is part of configurations object containing the CVE applicability statements that convey which product, or products, are associated with the vulnerability according to the NVD analysis
source_identifier No It is an identifier for the source of the CVE.
vuln_status No The CVE status in the NVD portal.
cisa_exploit_add No The date when CVE is listed in CISA's Known Exploited Vulnerabilities (KEV) Catalog.
cisa_vulnerability_name No The name of the CVE vulnerability provided by CISA.
known_exploited_vulnerabilities No Boolean value determining if the CVE has known exploitable vulnerability.
pfpt_recent_observed No Boolean value determining if CVE activity is captured by Proofpoint Systems recently.
pfpt_ever_observed No Boolean value determining if a CVE activity is captured by Proofpoint Systems.
pfpt_first_observed No Date when the CVE activity was first observed by Proofpoint Threat Intelligence Systems.
pfpt_last_observed No Date when the CVE activity was last observed by Proofpoint Threat Intelligence System.
seven_day_trend No Determines if the CVE activity trend is increasing,decreasing or nochange.
basemetricv3 Yes Base metrics for CVSS version 3.1.
type Yes Identifies whether the organization is a primary or secondary source.
source Yes Identifies the organization that provided the metrics information.
scope Yes It is the ability for a vulnerability in one software component to impact resources beyond its means, or privileges.
version Yes Numeric representation of the current CVSS version.
baseScore Yes It reflects the severity of a vulnerability according to its intrinsic characteristics which are constant over time and assumes the reasonable worst case impact across different deployed environments.
attackVector Yes This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the Base score) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable component.
baseSeverity Yes It is the severity of a vulnerability.
vectorString Yes It is a text representation of a set of CVSS metrics.
integrityImpact Yes It measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.
userInteraction Yes It defines if the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability.
attackComplexity Yes It describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability.
availabilityImpact Yes It measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.
confidentialityImpact Yes It measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.
impactScore Yes It is the score of effects of a successfully exploited vulnerability on the component that suffers the worst outcome that is most directly and predictably associated with the attack.
exploitabilityScore Yes It is the score which reflects the ease and technical means by which the vulnerability can be exploited
basemetricv2 No Base metrics for CVSS version 2.0
type Yes Identifies whether the organization is a primary or secondary source.
version Yes Numeric representation of the current CVSS version
baseScore Yes It reflects the severity of a vulnerability according to its intrinsic characteristics which are constant over time and assumes the reasonable worst case impact across different deployed environments.
accessVector Yes This metric reflects how the vulnerability is exploited.
vectorString Yes It is a text representation of a set of CVSS metrics.
authentication Yes measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur.
integrityImpact Yes It measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and guaranteed veracity of information.
accessComplexity Yes It measures whether or not extra conditions are required to exploit a vulnerability
availabilityImpact Yes It measures the impact to availability of a successfully exploited vulnerability. Availability refers to the accessibility of information resources.
confidentialityImpact Yes It measures the impact on confidentiality of a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.
weaknesses No Information on specific weaknesses, considered the cause of the vulnerability.
publisheddate No The date and time that the CVE was published to the NVD.
lastmodifieddate No The date and time that the CVE was last modified,.
curl "https://api.emergingthreats.net/v1/cve/top-trending"
  -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "https://api.emergingthreats.net/v1/cve/top-trending?limit=5"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)
print(response.json())

The JSON response should look something like:

{
    "success": true,
    "timestamp": "2023-08-29-20:31:23",
    "message_id": "req-2013631568",
    "response": [
        {
            "cve": "CVE-2022-22965",
            "percent_change": 4891.857142857143,
            "cvss_v3_score": "9.8",
            "description": "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it."
        },
        {
            "cve": "CVE-2021-44228",
            "percent_change": 4751.073250490516,
            "cvss_v3_score": "10.0",
            "description": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."
        },
        {
            "cve": "CVE-2023-21690",
            "percent_change": 2399.0,
            "cvss_v3_score": "9.8",
            "description": "Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability"
        },
        {
            "cve": "CVE-2020-25078",
            "percent_change": 2251.9411764705883,
            "cvss_v3_score": "7.5",
            "description": "An issue was discovered on D-Link DCS-2530L before 1.06.01 Hotfix and DCS-2670L through 2.02 devices. The unauthenticated /config/getuser endpoint allows for remote administrator password disclosure."
        },
        {
            "cve": "CVE-2017-17215",
            "percent_change": 1999.0,
            "cvss_v3_score": "8.8",
            "description": "Huawei HG532 with some customized versions has a remote code execution vulnerability. An authenticated attacker could send malicious packets to port 37215 to launch attacks. Successful exploit could lead to the remote execution of arbitrary code."
        }
    ]
}

This endpoint retrieves the top 5 CVEs with highest exploit velocity over the last week.

HTTP Request

GET https://api.emergingthreats.net/v1/cve/top-trending?limit=5

Response Parameters

Parameter Optional? Description
cve No The vulnerability identification number.
percent_change No The weekly percentage change by event volume.
cvss_v3_score No CVSS version 3.X base score for a vulnerability.
description No The description of vulnerability.

This endpoint the highest volume exploit growth week over week targeting CVEs. You can change the query from 5 to 10 if desired.

Domain Information

Get current domain reputation

curl "https://api.emergingthreats.net/v1/domains/{domain}/reputation"
  -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "https://api.emergingthreats.net/v1/domains/{domain}/reputation"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)
print(response.json())

The JSON response should look something like:

{
  "success": true,
  "response": [
    {
      "category": "DynDNS",
      "score": 120
    },
    {
      "category": "CnC",
      "score": 100
    },
    {
      "category": "SpywareCnC",
      "score": 95
    }
  ]
}

This endpoint retrieves the current reputation scores in categories that are currently associated with the specified domain.

HTTP Request

GET https://api.emergingthreats.net/v1/domains/{domain}/reputation

Response Parameters

Parameter Optional? Description
category No The category of reputation under which this score falls.
score No The numerical reputation score for this category. Scores are non-negative integers ranging from 0 to 127.

Get domain malware-requested URLs

curl "https://api.emergingthreats.net/v1/domains/{domain}/urls"
  -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "https://api.emergingthreats.net/v1/domains/{domain}/urls"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)
print(response.json())

The JSON response should look something like:

{
  "success": true,
  "response": [
    "/index.php?id=XXXXXXXXXXXXXXX&scn=X&inf=X&ver=XX&cnt=XXX",
    "/index.php?id=XXXXXXXXXXXXXX&scn=X&inf=X&ver=XX&cnt=XXX",
    "/index.php?id=XXXXXXXXXXXXXXXXXX&scn=X&inf=X&ver=XX&cnt=XXX"
  ]
}

This endpoint retrieves the most recent http requests made by malware to the specified domain.

HTTP Request

GET https://api.emergingthreats.net/v1/domains/{domain}/urls

Response Parameters

Parameter Optional? Description
url No The url string of the request with query parameter values masked.
curl "https://api.emergingthreats.net/v1/domains/{domain}/samples"
  -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "https://api.emergingthreats.net/v1/domains/{domain}/samples"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)
print(response.json())

The JSON response should look something like:

{
  "success": true,
  "response": [
    {
      "source": "45999bfea907bf37acbab63d5d9ea683",
      "first_seen": "2014-02-13",
      "last_seen": "2014-02-13"
    },
    {
      "source": "f75da3cd3a38aadebdcf86eb53c6eb1c",
      "first_seen": "2014-02-13",
      "last_seen": "2014-02-13"
    }
  ]
}

This endpoint retrieves the most recent malware samples that communicated with the specified domain.

HTTP Request

GET https://api.emergingthreats.net/v1/domains/{domain}/samples

Response Parameters

Parameter Optional? Description
source No The md5sum of the malware sample.
first_seen No The date the malware sample was first seen associated to the domain.
last_seen No The date the malware sample was last seen associated to the domain.
curl "https://api.emergingthreats.net/v1/domains/{domain}/ips"
  -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "https://api.emergingthreats.net/v1/domains/{domain}/ips"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)
print(response.json())

The JSON response should look something like:

{
  "success": true,
  "response": [
    {
      "ip": "213.219.245.212",
      "first_seen": "2011-12-04",
      "last_seen": "2012-02-27"
    },
    {
      "ip": "78.109.30.160",
      "first_seen": "2014-02-22",
      "last_seen": "2014-04-09"
    }
  ]
}

This endpoint retrieves the most recent IPs that have been associated with the specified domain.

HTTP Request

GET https://api.emergingthreats.net/v1/domains/{domain}/ips

Response Parameters

Parameter Optional? Description
ip No
first_seen No The date the IP was first seen associated to the domain.
last_seen No The date the IP was last seen associated to the domain.
curl "https://api.emergingthreats.net/v1/domains/{domain}/events"
  -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "https://api.emergingthreats.net/v1/domains/{domain}/events"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)
print(response.json())

The JSON response should look something like:

{
  "success": true,
  "response": [
    {
      "domain": "citi-bank.ru",
      "date": "2014-03-31",
      "source": false,
      "sid": "2803583",
      "signature": "ETPRO TROJAN Win32.Sality.At Checkin",
      "count": 1
    },
    {
      "domain": "citi-bank.ru",
      "date": "2014-03-23",
      "source": false,
      "sid": "2803583",
      "signature": "ETPRO TROJAN Win32.Sality.At Checkin",
      "count": 2
    }
  ]
}

This endpoint retrieves the most recent IDS events that have been observed against the specified domain.

HTTP Request

GET https://api.emergingthreats.net/v1/domains/{domain}/events

Response Parameters

Parameter Optional? Description
domain No
date No The date the IDS event was observed.
source No Indicates whether the domain was the source of the IDS event.
sid No The SID that generated the IDS event.
signature No The signature name of the SID that generated the IDS event.
count No How many times this particular IDS event was observed in our sensor net for the given date.

Get domain nameserver info

curl "https://api.emergingthreats.net/v1/domains/{domain}/nameservers"
  -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "https://api.emergingthreats.net/v1/domains/{domain}/nameservers"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)
print(response.json())

The JSON response should look something like:

{
  "success": true,
  "response": [
    {
      "server": "ns1.yourhostingaccount.com.",
      "first_seen": "2013-02-15",
      "last_seen": "2013-11-17"
    },
    {
      "server": "ns1.mydomain.com",
      "first_seen": "2013-08-16",
      "last_seen": "2013-11-17"
    }
  ]
}

This endpoint retrieves the nameserver information related to the specified domain.

HTTP Request

GET https://api.emergingthreats.net/v1/domains/{domain}/nameservers

Response Parameters

Parameter Optional? Description
server No The address of a nameserver associated with the domain.
first_seen Yes The date the nameserver was first seen associated to the domain.
last_seen Yes The date the nameserver was last seen associated to the domain.

Get domain whois info

curl "https://api.emergingthreats.net/v1/domains/{domain}/whois"
  -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "https://api.emergingthreats.net/v1/domains/{domain}/whois"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)
print(response.json())

The JSON response should look something like:

{
  "success": true,
  "response": {
    "domain": "bing.com",
    "registrant": {
      "name": "Microsoft Corporation",
      "email": "domains@microsoft.com",
      "created": "1996-01-29",
      "updated": "2012-11-29",
      "expires": "2019-01-30"
    },
    "registrar": {
      "name": "MarkMonitor Inc.",
      "country": "USA",
      "website": "http://www.markmonitor.com"
    }
  }
}

This endpoint retrieves whois info for a single domain.

HTTP Request

GET https://api.emergingthreats.net/v1/domains/{domain}/whois

Response Parameters

Parameter Optional? Description
domain No The domain associated with the whois record.
registrant.name Yes Name of the domain registrant.
registrant.email Yes Email address of the domain registrant.
registrant.created Yes Date the whois record was originally created.
registrant.updated Yes Date the whois record was last updated.
registrant.expires Yes Date the whois record will expire.
registrar.name Yes Name of the domain registrar.
registrar.country Yes Home country of the domain registrar.
registrar.website Yes Homepage for the domain registrar.

Get domain geolocation info

curl "https://api.emergingthreats.net/v1/domains/{domain}/geoloc"
  -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "https://api.emergingthreats.net/v1/domains/{domain}/geoloc"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)
print(response.json())

The JSON response should look something like:

{
  "success": true,
  "response": [
    {
      "ip": "107.20.206.69",
      "country_code": "US",
      "country": "United States",
      "region": "VA",
      "city": "Ashburn",
      "latitude": 39.043701171875,
      "longitude": -77.48750305175781
    },
    {
      "ip": "216.38.198.78",
      "country_code": "US",
      "country": "United States",
      "region": "CO",
      "city": "Henderson",
      "latitude": 39.88650131225586,
      "longitude": -104.88099670410156
    }
  ]
}

This endpoint retrieves geolocation info for a single domain.

HTTP Request

GET https://api.emergingthreats.net/v1/domains/{domain}/geoloc

Response Parameters

Parameter Optional? Description
ip No An IP associated with the specified domain.
country_code No The two character ISO 3166-1 alpha-2 country code in which the IP was last observed.
country Yes The country in which the IP was last observed.
region Yes A two character ISO-3166-2 or FIPS 10-4 code for the state or region associated with the IP.
city Yes The city or town name associated with the IP.
latitude Yes The latitude associated with the IP.
longitude Yes The longitude associated with the IP.

IP Information

Get current IP reputation

curl "https://api.emergingthreats.net/v1/ips/{ip}/reputation"
  -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "https://api.emergingthreats.net/v1/ips/{ip}/reputation"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)
print(response.json())

The JSON response should look something like:

{
  "success": true,
  "response": [
    {
      "category": "DynDNS",
      "score": 120
    },
    {
      "category": "CnC",
      "score": 100
    },
    {
      "category": "SpywareCnC",
      "score": 95
    }
  ]
}

This endpoint retrieves the current reputation scores in categories that are currently associated with the specified IP.

HTTP Request

GET https://api.emergingthreats.net/v1/ips/{ip}/reputation

Response Parameters

Parameter Optional? Description
category No The category of reputation under which this score falls.
score No The numerical reputation score for this category. Scores are non-negative integers ranging from 0 to 127.

Get IP malware-requested URLs

curl "https://api.emergingthreats.net/v1/ips/{ip}/urls"
  -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "https://api.emergingthreats.net/v1/ips/{ip}/urls"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)
print(response.json())

The JSON response should look something like:

{
  "success": true,
  "response": [
    "/index.php?id=XXXXXXXXXXXXXXX&scn=X&inf=X&ver=XX&cnt=XXX",
    "/index.php?id=XXXXXXXXXXXXXX&scn=X&inf=X&ver=XX&cnt=XXX",
    "/index.php?id=XXXXXXXXXXXXXXXXXX&scn=X&inf=X&ver=XX&cnt=XXX"
  ]
}

This endpoint retrieves the most recent http requests made by malware to the specified IP.

HTTP Request

GET https://api.emergingthreats.net/v1/ips/{ip}/urls

Response Parameters

Parameter Optional? Description
url No The url string of the request with query parameter values masked.
curl "https://api.emergingthreats.net/v1/ips/{ip}/samples"
  -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "https://api.emergingthreats.net/v1/ips/{ip}/samples"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)
print(response.json())

The JSON response should look something like:

{
  "success": true,
  "response": [
    {
      "source": "6c885bee0b4ef2f539b26298b252212d",
      "first_seen": "2014-05-13",
      "last_seen": "2014-05-13"
    },
    {
      "source": "8449da068aec412fbec6fd48bc675396",
      "first_seen": "2014-05-03",
      "last_seen": "2014-05-03"
    }
  ]
}

This endpoint retrieves the most recent malware samples that communicated with the specified IP.

HTTP Request

GET https://api.emergingthreats.net/v1/ips/{ip}/samples

Response Parameters

Parameter Optional? Description
source No The md5sum of the malware sample.
first_seen No The date the malware sample was first seen associated to the IP.
last_seen No The date the malware sample was last seen associated to the IP.
curl "https://api.emergingthreats.net/v1/ips/{ip}/domains"
  -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "https://api.emergingthreats.net/v1/ips/{ip}/domains"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)
print(response.json())

The JSON response should look something like:

{
  "success": true,
  "response": [
    {
      "domain": "citi-bank.ru",
      "first_seen": "2014-02-22",
      "last_seen": "2014-04-09"
    },
    {
      "domain": "tat-neftbank.ru",
      "first_seen": "2014-04-04",
      "last_seen": "2014-04-04"
    }
  ]
}

This endpoint retrieves the most recent domains that have been associated with the specified IP.

HTTP Request

GET https://api.emergingthreats.net/v1/ips/{ip}/domains

Response Parameters

Parameter Optional? Description
domain No
first_seen No The date the domain was first seen associated to the IP.
last_seen No The date the domain was last seen associated to the IP.
curl "https://api.emergingthreats.net/v1/ips/{ip}/events"
  -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "https://api.emergingthreats.net/v1/ips/{ip}/events"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)
print(response.json())

The JSON response should look something like:

{
  "success": true,
  "response": [
    {
      "ip": "208.111.161.254",
      "date": "2014-04-08",
      "source": false,
      "sid": "2008365",
      "signature": "ET TROJAN Playtech Downloader Online Gaming Checkin",
      "count": 1
    },
    {
      "ip": "208.111.161.254",
      "date": "2014-04-02",
      "source": false,
      "sid": "2008365",
      "signature": "ET TROJAN Playtech Downloader Online Gaming Checkin",
      "count": 1
    }
  ]
}

This endpoint retrieves the most recent IDS events that have been observed against the specified IP.

HTTP Request

GET https://api.emergingthreats.net/v1/ips/{ip}/events

Response Parameters

Parameter Optional? Description
ip No The string representation of the IP address, or "private" if it was a private IP.
date No The date the IDS event was observed.
source No Indicates whether the IP was the source of the IDS event.
sid No The SID that generated the IDS event.
signature No The signature name of the SID that generated the IDS event.
count No How many times this particular IDS event was observed in our sensor net for the given date.

Get IP geolocation info

curl "https://api.emergingthreats.net/v1/ips/{ip}/geoloc"
  -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "https://api.emergingthreats.net/v1/ips/{ip}/geoloc"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)
print(response.json())

The JSON response should look something like:

{
  "success": true,
  "response": [
    {
      "ip": "216.38.198.78",
      "country_code": "US",
      "country": "United States",
      "region": "CO",
      "city": "Henderson",
      "latitude": 39.88650131225586,
      "longitude": -104.88099670410156
    }
  ]
}

This endpoint retrieves geolocation info for a single IP address.

HTTP Request

GET https://api.emergingthreats.net/v1/ips/{ip}/geoloc

Response Parameters

Parameter Optional? Description
ip No The IP address specified.
country_code No The two character ISO 3166-1 alpha-2 country code in which the IP was last observed.
country Yes The country in which the IP was last observed.
region Yes A two character ISO-3166-2 or FIPS 10-4 code for the state or region associated with the IP.
city Yes The city or town name associated with the IP.
latitude Yes The latitude associated with the IP.
longitude Yes The longitude associated with the IP.

Get IP ASN Info New

curl "https://api.emergingthreats.net/v1/ips/{ip}/asn"
  -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "https://api.emergingthreats.net/v1/ips/{ip}/asn"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)
print(response.json())

The JSON response should look something like:

{
    "success": true,
    "response": {
        "asn": 15169,
        "owner": "GOOGLE",
        "authorizer": "arin",
        "country": "US",
        "registration_date": "2000-03-30",
        "reverse_lookup": "google-public-dns-a.google.com"
    }
}

This endpoint retrieves asn info for a single IP address.

HTTP Request

GET https://api.emergingthreats.net/v1/ips/{ip}/asn

Response Parameters

Parameter Optional? Description
asn No The 16 bit autonomous system number (ASN).
owner No The owner of the ASN.
authorizer Yes The authorizing body of ASN.
country Yes The country of origin.
registration_date Yes The date of ASN registration.
reverse_lookup Yes The reverse lookup address for an ASN.

Malware InformationBETA

Get Malware Family Information

curl "https://api.emergingthreats.net/v1/malware/{malware_family}"
  -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "https://api.emergingthreats.net/v1/malware/{malware_family}"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)
print(response.json())

The JSON response should look something like:

{
    "success": true,
    "response": {
        "name": "SocGholish",
        "description": "**SocGholish** is the name given to a malicious HTML injection written in JavaScript..."
    }
}

This endpoint retrieves the biographical information that PFPT has compiled on the malware families listed in the rule metadata. Please follow the spelling and capitalization format found in the rule to ensure the response is valid. E.G. SocGholish

HTTP Request

GET https://api.emergingthreats.net/v1/malware/{malware_family}

Response Parameters

Parameter Optional? Description
name No The name of Malware family.
description No The description of Malware Family.

This will return information on malware families. The only variable here is the malware family name which can be found on the rule’s metadata (e.g. Socghoulish)

Malware Samples

Get sample details

curl "https://api.emergingthreats.net/v1/samples/{md5}"
  -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "https://api.emergingthreats.net/v1/samples/{md5}"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)
print(response.json())

The JSON response should look something like:

{
  "success": true,
  "response": {
    "md5sum": "fa86e86e9dfb7a4571b3c3091fbf4bff",
    "submit_date": "2012-06-11 04:00:00",
    "file_type": "PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit",
    "file_size": 69459,
    "sha256": "e12012672d33cbcb22cf953ff787af250f8f5e920c565f03d4496a619c13a889"
  }
}

This endpoint retrieves metadata information for a single malware sample.

HTTP Request

GET https://api.emergingthreats.net/v1/samples/{md5}

Response Parameters

Parameter Optional? Description
md5 No The MD5 hash of the binary.
submit_date No The date and time the malware was originally submitted to Emerging Threats; format is yyyy-MM-dd HH:mm:ss
file_type Yes
file_size Yes The size of the binary in bytes.
sha256 Yes The SHA-256 hash of the binary.

Get sample connections

curl "https://api.emergingthreats.net/v1/samples/{md5}/connections"
  -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "https://api.emergingthreats.net/v1/samples/{md5}/connections"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)
print(response.json())

The JSON response should look something like:

{
  "success": true,
  "response": [
    {
      "source": "177f3c8a2623d4efb41b0020d680be83",
      "date": "2014-03-31",
      "source_ip": "10.10.10.104",
      "destination_ip": "178.254.11.36",
      "source_port": 49382,
      "destination_port": 80,
      "bytes_down": 508,
      "bytes_up": 306,
      "bytes_total": 814,
      "packets_down": 4,
      "packets_up": 6,
      "packets_total": 10,
      "protocol": "tcp"
    },
    {
      "source": "177f3c8a2623d4efb41b0020d680be83",
      "date": "2014-03-31",
      "source_ip": "10.10.10.104",
      "destination_ip": "208.117.232.117",
      "source_port": 49381,
      "destination_port": 80,
      "bytes_down": 0,
      "bytes_up": 0,
      "bytes_total": 0,
      "packets_down": 2,
      "packets_up": 4,
      "packets_total": 6,
      "protocol": "tcp"
    }
  ]
}

This endpoint retrieves the most recent connections an individual malware sample was observed to have made.

HTTP Request

GET https://api.emergingthreats.net/v1/samples/{md5}/connections

Response Parameters

Parameter Optional? Description
source No The source of the connection.
date No The date the connection was observed.
source_ip No The source IP of the traffic associated with the connection.
destination_ip No The destination IP of the traffic associated with the connection.
source_port No The source port of the traffic associated with the connection.
destination_port No The destination port of the traffic associated with the connection.
bytes_down Yes The total number of bytes downloaded via this connection.
bytes_up Yes The total number of bytes uploaded via this connection.
bytes_total Yes The total number of bytes transmitted via this connection.
packets_down Yes The total number of packets downloaded via this connection.
packets_up Yes The total number of packets uploaded via this connection.
packets_total Yes The total number of packets transmitted via this connection.
protocol Yes The communication protocol associated with this connection (e.g. tcp, udp).

Get sample dns lookups

curl "https://api.emergingthreats.net/v1/samples/{md5}/dns"
  -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "https://api.emergingthreats.net/v1/samples/{md5}/dns"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)
print(response.json())

The JSON response should look something like:

{
  "success": true,
  "response": [
    {
      "source": "177f3c8a2623d4efb41b0020d680be83",
      "date": "2014-04-02",
      "domain": "partirenimmobilier.fr",
      "address": "10.10.10.1",
      "record_type": "A"
    },
    {
      "source": "177f3c8a2623d4efb41b0020d680be83",
      "date": "2014-04-02",
      "domain": "www.fredianipueyrredon.com.ar",
      "address": "10.10.10.1",
      "record_type": "A"
    }
  ]
}

This endpoint retrieves the most recent dns lookups an individual malware sample was observed to have made.

HTTP Request

GET https://api.emergingthreats.net/v1/samples/{md5}/dns

Response Parameters

Parameter Optional? Description
source No The source of the dns lookup.
date No The date the lookup was observed.
domain No The domain whose DNS record was being queried.
answer Yes If the DNS response was not an A record pointing to an IP, this field will contain the DNS query response (e.g. the CNAME).
address Yes If the DNS response was an A record pointing to an IP, this field will contain the IP in question.
record_type Yes The DNS record type (e.g. A, CNAME, etc.)

Get sample http requests

curl "https://api.emergingthreats.net/v1/samples/{md5}/http"
  -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "https://api.emergingthreats.net/v1/samples/{md5}/http"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)
print(response.json())

The JSON response should look something like:

{
  "success": true,
  "response": [
    {
      "source": "177f3c8a2623d4efb41b0020d680be83",
      "date": "2014-04-02",
      "domain": "vicaire.fr",
      "source_ip": "10.10.10.102",
      "destination_ip": "10.10.10.1",
      "source_port": 49367,
      "destination_port": 80,
      "method": "GET",
      "url": "/images/1/filenames.php",
      "user_agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
    },
    {
      "source": "177f3c8a2623d4efb41b0020d680be83",
      "date": "2014-04-02",
      "domain": "www.danielalmeida.adv.br",
      "source_ip": "10.10.10.102",
      "destination_ip": "10.10.10.1",
      "source_port": 49351,
      "destination_port": 80,
      "method": "GET",
      "url": "/images/1/filenames.php",
      "user_agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
    }
  ]
}

This endpoint retrieves the most recent http requests an individual malware sample was observed to have made.

HTTP Request

GET https://api.emergingthreats.net/v1/samples/{md5}/http

Response Parameters

Parameter Optional? Description
source No The source of the http request.
date No The date the request was observed.
domain No The domain the request was destined for.
source_ip No The source IP of the http request.
destination_ip No The IP the request was destined for.
source_port Yes The source port of the traffic associated with the request.
destination_port Yes The port the request was destined for.
method Yes The HTTP method used in the request.
url Yes The URL requested.
user_agent Yes The user agent string associated with the request.

Get sample IDS events

curl "https://api.emergingthreats.net/v1/samples/{md5}/events"
  -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "https://api.emergingthreats.net/v1/samples/{md5}/events"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)
print(response.json())

The JSON response should look something like:

{
  "success": true,
  "response": [
    {
      "source": "177f3c8a2623d4efb41b0020d680be83",
      "date": "2014-04-02",
      "sid": 2010228,
      "source_ip": "10.10.10.102",
      "destination_ip": "10.10.10.1",
      "source_port": 49191,
      "destination_port": 80,
      "revision": "7",
      "signature_name": "ET POLICY Suspicious Microsoft Windows NT 6.1 User-Agent Detected"
    },
    {
      "source": "177f3c8a2623d4efb41b0020d680be83",
      "date": "2014-03-31",
      "sid": 2001117,
      "source_ip": "10.10.10.1",
      "destination_ip": "10.10.10.104",
      "source_port": 53,
      "destination_port": 51394,
      "revision": "6",
      "signature_name": "ET DNS Standard query response, Name Error"
    }
  ]
}

This endpoint retrieves the most recent IDS events an individual malware sample was observed to have triggered.

HTTP Request

GET https://api.emergingthreats.net/v1/samples/{md5}/events

Response Parameters

Parameter Optional? Description
source No The source of the event.
date No The date the event was observed.
sid No The SID associated with the event.
source_ip No The source IP of the traffic associated with the event.
destination_ip No The destination IP of the traffic associated with the event.
source_port No The source port of the traffic associated with the event.
destination_port No The destination port of the traffic associated with the event.
revision Yes The rule revision of the SID in question.
signature_name Yes The name of the signature associated with this SID.

Signature Information

Get Signature name

curl "https://api.emergingthreats.net/v1/sids/{sid}"
  -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "https://api.emergingthreats.net/v1/sids/{sid}"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)
print(response.json())

The JSON response should look something like:

{
  "success": true,
  "response": {
    "sid": 2007771,
    "sig_name": "ET TROJAN Pushdo Update URL Detected"
  }

}

HTTP Request

GET https://api.emergingthreats.net/v1/sids/{sid}

Response Parameters

Parameter Optional? Description
sid no Signature id that reflects request
sig_name no Name of the signature requested

This endpoint retrieves the signature name for a particular Signature (SID).

curl "https://api.emergingthreats.net/v1/sids/{sid}/ips"
  -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "https://api.emergingthreats.net/v1/sids/{sid}/ips"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)
print(response.json())

Request Parameters

Parameter Optional? Description
sortBy Yes Valid values: "ip" and "last_seen", controls the field results are ordered by. Default is "last_seen" if no value or invalid value provided
sortDirection Yes Valid values of "ASC" and "DESC", descending is the default if no value provided, or invalid value

The JSON response should look something like:

{
  "success": true,
  "response": [
    {
      "long_ip": 16909060,
      "ip": "1.2.3.4",
      "first_seen": "2012-04-01",
      "last_seen": "2014-02-05"
    },
    {
      "long_ip": 16909061,
      "ip": "1.2.3.5",
      "first_seen": "2013-12-22",
      "last_seen": "2014-08-17"
    }
  ]
}

HTTP Request

GET https://api.emergingthreats.net/v1/sids/{sid}/ips

Response Parameters

Parameter Optional? Description
long_ip no Long number representation of an IP address
ip no Dotted notation representation of an IP address
first_seen no Date the IP was first observed for this SID
last_seen no Date the IP was last observed for this SID

This endpoint retrieves the IPs related to a particular Signature (SID).

Get domain SID

curl "https://api.emergingthreats.net/v1/sids/{sid}/domains"
  -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "https://api.emergingthreats.net/v1/sids/{sid}/domains"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)
print(response.json())

The JSON response should look something like:

{
  "success": true,
  "response": [
    {
      "domain": "wr.example.com",
      "first_seen": "2012-04-01",
      "last_seen": "2014-02-05"
    },
    {
      "domain": "cc.example.com",
      "first_seen": "2013-12-22",
      "last_seen": "2014-08-17"
    }
  ]
}

This endpoint retrieves the Domains related to a particular Signature (SID).

HTTP Request

GET https://api.emergingthreats.net/v1/sids/{sid}/domains

Response Parameters

Parameter Optional? Description
domain no Domain name
first_seen no Date the IP was first observed for this SID
last_seen no Date the IP was last observed for this SID
curl "https://api.emergingthreats.net/v1/sids/{sid}/samples"
  -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "https://api.emergingthreats.net/v1/sids/{sid}/samples"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)
print(response.json())

The JSON response should look something like:

{
  "success": true,
  "response": [
    {
      "source": "45999bfea907bf37acbab63d5d9ea683",
      "first_seen": "2014-02-13",
      "last_seen": "2014-02-13"
    },
    {
      "source": "f75da3cd3a38aadebdcf86eb53c6eb1c",
      "first_seen": "2014-02-13",
      "last_seen": "2014-02-13"
    }
  ]
}

This endpoint retrieves the most recent malware samples that communicated with the specified sid.

HTTP Request

GET https://api.emergingthreats.net/v1/sids/{sid}/samples

Response Parameters

Parameter Optional? Description
source No The md5sum of the malware sample.
first_seen No The date the malware sample was first seen associated to the SID.
last_seen No The date the malware sample was last seen associated to the SID.

Get Signature Text

curl "https://api.emergingthreats.net/v1/sids/{sid}/text"
  -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "https://api.emergingthreats.net/v1/sids/{sid}/text"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)
print(response.json())

The JSON response should look something like:

{
  "success":true,
  "response":
    {
      "sid":2000005,
      "suricata_text":"alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:\"ET EXPLOIT Cisco Telnet Buffer Overflow\"; flow: to_server,established; content:\"|3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 61 7e 20 25 25 25 25 25 58 58|\"; threshold: type limit, track by_src, count 1, seconds 120; reference:url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000005; classtype:attempted-dos; sid:2000005; rev:7;)",
      "snort_text":"alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:\"ET EXPLOIT Cisco Telnet Buffer Overflow\"; flow: to_server,established; content:\"|3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 61 7e 20 25 25 25 25 25 58 58|\"; detection_filter: track by_src, count 1, seconds 120; reference:url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000005; classtype:attempted-dos; sid:2000005; rev:8;)"
    }
}

This endpoint retrieves the most recent documentation available for the specified sid. If you do not have access to the rule requested (i.e. the rule is for ETPro and you do not have an ETPro subscription, this will return a 403 Forbidden.

HTTP Request

GET https://api.emergingthreats.net/v1/sids/{sid}/text

Response Parameters

Parameter Optional? Description
sid No Sid that was requested
suricata_text Yes Example of the rule for Suricata
snort_text Yes Example of rule for Snort 2.9

Get Signature documentation

curl "https://api.emergingthreats.net/v1/sids/{sid}/documentation"
  -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "https://api.emergingthreats.net/v1/sids/{sid}/documentation"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)
print(response.json())

The JSON response should look something like:

{
  "success": true,
  "response":
    {
      "sid": 2000005,
      "summary": "This alert is triggered when an attempt is made to exploit a vulnerability in a system or application.",
      "description": "An EXPLOIT Attempt event likely occurs when an attacker has attempted to gain
      unauthorized access to an asset or service by exploiting a direct vulnerability in an application or
      operating system. A successful exploitation of an asset or service may lead to malicious code being left
      behind to facilitate remote control. Further investigation may be needed to ascertain if an attacker successfully exploited this asset or service.",
      "impact": "Compromised Server"
    }
}

This endpoint retrieves the most recent documentation available for the specified sid.

HTTP Request

GET https://api.emergingthreats.net/v1/sids/{sid}/documentation

Response Parameters

Parameter Optional? Description
sid No Sid that was requested
summary No Summary of the information this alert is trying to convey.
description No Detailed description of the exploit being caught.
impact No What kinds of systems does this impact

Get Signature references

curl "https://api.emergingthreats.net/v1/sids/{sid}/references"
  -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "https://api.emergingthreats.net/v1/sids/{sid}/references"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)
print(response.json())

The JSON response should look something like:

{
  "success":true,
  "response":
    [
      {
        "reference_type":"url",
        "reference_description":"HTTP URL",
        "reference_urls":
          [
            "http://doc.emergingthreats.net/bin/view/Main/2000005",
            "http://www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml"
          ]
      }
    ]
}

This endpoint retrieves lookup references for this SID.

HTTP Request

GET https://api.emergingthreats.net/v1/sids/{sid}/references

Response Parameters

Parameter Optional? Description
reference_type No The type of reference this refers to, as a key
reference_description No Plain text description of the reference type
reference_urls No List of urls to references

Threat Actor InformationBETA

Get Threat Actor Bio Information

curl "https://api.emergingthreats.net/v1/actors/{threatactor}"
  -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "https://api.emergingthreats.net/v1/actors/{threatactor}"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)
print(response.json())

The JSON response should look something like:

{
    "success": true,
    "response": {
        "name": "TA453",
        "description": "**Name**\n\nTA453\n\n**Other Names**\n \nCurrent names: CharmingKitten, Phosphorus..."
    }
}

This endpoint retrieves the biographical information that PFPT has compiled on the threat actor listed in the rule metadata. Please follow the spelling and capitalization format found in the rule to ensure the response is valid. E.G. TA453

HTTP Request

GET https://api.emergingthreats.net/v1/actors/{threatactor}

Response Parameters

Parameter Optional? Description
name No The name of Threat actor.
description No The description of Threat Actor.

This will return information on threat actors. The only variable here is the TA name which can be found on the rule’s metadata (e.g. TA453)

Trends InformationBETA

curl "https://api.emergingthreats.net/v1/actors/{tag-name}/{report-name}"
  -H "Authorization: SECRETKEY"
import requests
api_key = "SECRETKEY"
url = "https://api.emergingthreats.net/v1/actors/{tag-name}/{report-name}"
headers = {'Authorization': f'{api_key}'}
response = requests.get(url, headers=headers)
print(response.json())

The JSON response for cve/rolling-count should look something like:

{
    "success": true,
    "timestamp": "2023-12-05-21:19:15",
    "message_id": "req212112229",
    "response": [
        {
            "tag": "CVE-2021-35394",
            "today-rank": 1,
            "seven-day-rank": 1,
            "thirty-day-rank": 2,
            "ninety-day-rank": 2
        },
        {
            "tag": "CVE-2017-9841",
            "today-rank": 2,
            "seven-day-rank": 2,
            "thirty-day-rank": 3,
            "ninety-day-rank": 3
        }
      ]
}

The JSON response for cve/summaries should look something like:

{
    "success": true,
    "timestamp": "2023-12-05-21:19:15",
    "message_id": "req212112229",
    "response": [
          {
            "tag": "CVE-2021-44228",
            "event-rank": 1
        }
      ]
}

The JSON response for cve/activities should look something like:

{
    "success": true,
    "timestamp": "2023-12-05-21:19:15",
    "message_id": "req212112229",
    "response": [
        {
            "tag": "CVE-2023-27350",
            "current-week-activity-rank": 1,
            "previous-week-activity-rank": 2
        }
      ]
}

This endpoint will provide the ET Intel trends in malware activity, threat actor activity, and CVE exploit trends ranked by ET Pro signature fire volume.

HTTP Request

GET https://api.emergingthreats.net/v1/tags/{tag-name}/{report-name}

Request Parameters

tag-name Description
cve The top ranked CVE exploit attempts observed today.
malware The top ranked malware families observed today.
threat-actor The top ranked threat actors observed today.
Report-name Description
rolling-count Provides the ranking from today, last week, 30 days ago, and 90 days ago.
summaries Provides today’s signature fire volume ranking for today.
activities Provides the week over week ranking based on volume.

Response Parameters for cve/rolling-count parameter combination

Parameter Optional? Description
tag No The name/id of CVE exploit.
today-rank No CVE exploit ranking from today.
seven-day-rank No 7 day ranking for CVE exploit.
thirty-day-rank No 30 day ranking for CVE exploit.
ninety-day-rank No 90 day ranking for CVE exploit.

Response Parameters for cve/summaries parameter combination

Parameter Optional? Description
tag No The name/id of CVE exploits.
event-rank No Event ranking for CVE Exploits.

Response Parameters for cve/activities parameter combination

Parameter Optional? Description
tag No The name/id of CVE exploit.
current-week-activity-rank No Current week activity ranking for CVE exploit.
previous-week-activity-rank No Previous week activity ranking for CVE exploit.

Similarily the response parameters are same for other tag-name/report-name combinations

Errors

The ET Intelligence API uses the following error codes:

Error Code Meaning
401 Unauthorized -- You did not provide an API key.
403 Forbidden -- The API key does not have access to the requested action or your subscription has elapsed.
404 Not Found -- The requested action does not exist.
408 Request Timeout -- The request took too long to complete on our side. Please reduce the amount of information you are requesting, or try again later.
429 Rate Limit Exceeded -- You have exceeded your provisioned rate limit. If this becomes a regular occurrence, please contact sales to have your rate limit increased.
500 Internal Server Error -- We had a problem internal to our systems. Please try again later.