The default query will return the entire IP data set along with all meta data and aggregate columns.
Filter the results to a given IP range:
Querying by ASN can be useful for organizations looking to identify IPs attacking within a given IP block or blocks.
Querying using a single ASN:
Querying for multiple ASNs:
Exact string matching for city, country.
GET /api/intelligence/v2/ips?city=Seattle GET /api/intelligence/v2/ips?country=US
Fuzzy matching for organization, ISP.
GET /api/intelligence/v2/ips?org=Amazon GET /api/intelligence/v2/ips?org=Amazon* GET /api/intelligence/v2/ips?isp=Amazon GET /api/intelligence/v2/ips?isp=Amazon*
Can be useful for identifying IPs attacking within a given network or cloud service that is not necessarily contained within a given ASN or ASNs.
Returns IPs with attack counts greater than (or equal to) and less than (or equal to) the supplied integer. Attack counts are organized into fields by category and time range. They can be queried using parameters in following format:
List of attack total categories:
unique_sites– Unique sites attacked by this IP address.
brute_force– Brute force/credential stuffing/automated login attempts.
waf_attack– Web-based attacks/exploit attempts blocked by our web application firewall.
xss– Cross-site scripting attacks.
sqli– SQL injection attacks.
lfi– Local file inclusion attacks.
rce– Remote code execution attacks (includes malicious file uploads).
directory_traversal– Directory traversal attacks (includes local file read attacks).
xxe– External entity expansion attacks.
obji– PHP object injection attacks.
options_update– WordPress option update attacks (used for site takeover).
priv_esc– WordPress privilege escalation attacks.
auth_bypass– Authentication bypass attacks.
List of time ranges:
4hour– Attack counts within the last 4 hours.
1day– Attack counts within the last day.
7day– Attack counts within the last 7 days.
30day– Attack counts within the last 30 days.
List of operators:
gt– Attack counts greater than the supplied amount.
gte– Attack counts greater than or equal to the supplied amount.
lt– Attack counts less than supplied amount.
lte– Attack counts less than or equal to the supplied amount.
IPs that have attacked 30 or more sites within the past 30 days:
IPs that have attacked a single site with 100 or more automated login attempts within the past 30 days:
Use a comma-separated list of fields to be returned in your result set. Can be useful restrict the size of the result set to just the fields you need.
Returns only the IP address for your query:
Sort the result set by organization in descending order:
Result set is capped at 5000 IPs:
plain parameter will cause the
Content-Type header in the response to be set to
text/plain as opposed to the default of
text/csv. This is useful when wanting to view the feed directly in a browser as plain text.
Top 10 IPs with the most brute force attacks (automated login attempts) within the last day:
List of IP addresses with any exploit attempts in the last 4 hours:
Top 100 attacking IPs from the Russian Federation within the last week:
List of all IP addresses attacking WordPress websites in the country of Finland:
List of all AWS EC2 instances attacking WordPress websites: