GET /api/intelligence/v2/ips
The default query will return the entire IP data set along with all metadata and aggregate columns.
Filter the results to a given IP range:
GET /api/intelligence/v2/ips?ip=192.168.*
GET /api/intelligence/v2/ips?ip=192.168.1.1
Querying by ASN can be useful for organizations looking to identify IPs attacking within a given IP block or blocks.
Querying using a single ASN:
GET /api/intelligence/v2/ips?asn=1234
Querying for multiple ASNs:
GET /api/intelligence/v2/ips?asn[]=1234&asn[]=5678
Exact string matching for city, country.
GET /api/intelligence/v2/ips?city=Seattle
GET /api/intelligence/v2/ips?country=US
Fuzzy matching for organization, ISP.
GET /api/intelligence/v2/ips?org=Amazon
GET /api/intelligence/v2/ips?org=Amazon*
GET /api/intelligence/v2/ips?isp=Amazon
GET /api/intelligence/v2/ips?isp=Amazon*
Querying by PTR record can be useful for identifying IPs attacking within a given network or cloud service that is not necessarily contained within a given ASN or ASNs.
GET /api/intelligence/v2/ips?ptr=*.compute.amazonaws.com
Returns IPs with attack counts greater than (or equal to) and less than (or equal to) the supplied integer. Attack counts are organized into fields by category and time range. They can be queried using parameters in the following format:
?{category}_{time-range}_{operator}
List of attack total categories:
unique_sites – Unique sites attacked by this IP address.
brute_force – Brute force/credential stuffing/automated login attempts.
waf_attack – Web-based attacks/exploit attempts blocked by our web application firewall.
xss – Cross-site scripting attacks.
sqli – SQL injection attacks.
lfi – Local file inclusion attacks.
rce – Remote code execution attacks (includes malicious file uploads).
directory_traversal – Directory traversal attacks (includes local file read attacks).
xxe – External entity expansion attacks.
obji – PHP object injection attacks.
options_update – WordPress option update attacks (used for site takeover).
priv_esc – WordPress privilege escalation attacks.
auth_bypass – Authentication bypass attacks.
List of time ranges:
4hour – Attack counts within the last 4 hours.
1day – Attack counts within the last day.
7day – Attack counts within the last 7 days.
30day – Attack counts within the last 30 days.
List of operators:
gt – Attack counts greater than the supplied amount.
gte – Attack counts greater than or equal to the supplied amount.
lt – Attack counts less than the supplied amount.
lte – Attack counts less than or equal to the supplied amount.
IPs that have attacked 30 or more sites within the past 30 days:
GET /api/intelligence/v2/ips?unique_sites_30day_gte=30
IPs that have attacked a single site with 100 or more automated login attempts within the past 30 days:
GET /api/intelligence/v2/ips?unique_sites_30day_lte=1&brute_force_30day_gte=100
Use a comma-separated list of fields to be returned in your result set. This can be useful to restrict the size of the result set to just the fields you need.
GET /api/intelligence/v2/ips?fields=field1,field2,field3
Returns only the IP address for your query:
GET /api/intelligence/v2/ips?fields=ip
Sort the result set by organization in ascending order:
GET /api/intelligence/v2/ips?sort=org&direction=asc
Result set is capped at 5000 IPs:
GET /api/intelligence/v2/ips?limit=5000
Content-Type
Including the plain parameter will cause the Content-Type header in the response to be set to text/plain as opposed to the default of text/csv. This is useful when wanting to view the feed directly in a browser as plain text.
GET /api/intelligence/v2/ips?plain
Top 10 IPs with the most brute force attacks (automated login attempts) within the last day:
GET /api/intelligence/v2/ips?limit=10&sort=brute_force_1day
List of IP addresses with any exploit attempts in the last 4 hours:
GET /api/intelligence/v2/ips?waf_attack_4hour_gte=1
Top 100 attacking IPs from the Russian Federation within the last week:
GET /api/intelligence/v2/ips?limit=100&country=RU&sort=waf_attack_7day
List of all IP addresses attacking WordPress websites in the country of Finland:
GET /api/intelligence/v2/ips?country=FI&fields=ip
List of all AWS EC2 instances attacking WordPress websites:
GET /api/intelligence/v2/ips?ptr=*.compute.amazonaws.com&fields=ip
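As an added example (not part of the original documentation and not a vendor client), the Python helper below builds request paths from the parameters documented above, rejects attack-count filters that do not follow the {category}_{time-range}_{operator} format, and percent-encodes values so a filter string cannot smuggle in extra parameters. The names build_query and count_filter are hypothetical; the host, authentication and response columns are not described on this page and are left out.

```python
from urllib.parse import urlencode

ENDPOINT = "/api/intelligence/v2/ips"          # path as documented on this page
CATEGORIES = {"unique_sites", "brute_force", "waf_attack", "xss", "sqli", "lfi",
              "rce", "directory_traversal", "xxe", "obji", "options_update",
              "priv_esc", "auth_bypass"}
TIME_RANGES = {"4hour", "1day", "7day", "30day"}
OPERATORS = {"gt", "gte", "lt", "lte"}
TEXT_PARAMS = ("ip", "city", "country", "org", "isp", "ptr", "sort", "direction")


def count_filter(category, time_range, operator, value):
    """Validate one attack-count filter and return its (name, value) pair."""
    for part, allowed in ((category, CATEGORIES), (time_range, TIME_RANGES),
                          (operator, OPERATORS)):
        if part not in allowed:
            raise ValueError(f"{part!r} is not one of {sorted(allowed)}")
    if isinstance(value, bool) or not isinstance(value, int) or value < 0:
        raise ValueError("attack counts are compared against a non-negative integer")
    return f"{category}_{time_range}_{operator}", value


def build_query(counts=(), asn=(), fields=(), limit=None, plain=False, **text):
    """Assemble the request path (hypothetical helper, not the vendor's code)."""
    unknown = set(text) - set(TEXT_PARAMS)
    if unknown:
        raise ValueError(f"undocumented parameter(s): {sorted(unknown)}")
    pairs = [(k, text[k]) for k in TEXT_PARAMS if k in text]
    asns = [asn] if isinstance(asn, int) else list(asn)
    # One ASN uses asn=, several use the repeated asn[]= form shown on the page.
    pairs += [("asn" if len(asns) == 1 else "asn[]", a) for a in asns]
    pairs += [count_filter(*c) for c in counts]
    if fields:
        pairs.append(("fields", ",".join(fields)))
    if limit is not None:
        if isinstance(limit, bool) or not isinstance(limit, int) or limit < 1:
            raise ValueError("limit must be a positive integer")
        pairs.append(("limit", limit))
    # Keep *, [] and , literal so the output matches the documented examples;
    # every other reserved character in a value is percent-encoded.
    query = urlencode(pairs, safe="*[],")
    if plain:
        query = f"{query}&plain" if query else "plain"
    return f"{ENDPOINT}?{query}" if query else ENDPOINT
```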