
Intel

Intel ASN

Get ASN Overview.
GET /accounts/{account_id}/intel/asn/{asn}

Intel ASN Subnets

Get ASN Subnets
GET /accounts/{account_id}/intel/asn/{asn}/subnets
Models
SubnetGetResponse { asn, count, ip_count_total, 3 more }
asn: optional ASN
count: optional number

Total results returned based on your search parameters.

ip_count_total: optional number
page: optional number

Current page within paginated list of results.

per_page: optional number

Number of results per page of results.

subnets: optional array of string

Intel DNS

Get Passive DNS by IP
GET /accounts/{account_id}/intel/dns
Models
DNS { count, page, per_page, reverse_records }
count: optional number

Total results returned based on your search parameters.

page: optional number

Current page within paginated list of results.

per_page: optional number

Number of results per page of results.

reverse_records: optional array of { first_seen, hostname, last_seen }

Reverse DNS look-ups observed during the time period.

first_seen: optional string

First seen date of the DNS record during the time period.

format: date
hostname: optional string

Hostname that the IP was observed resolving to.

last_seen: optional string

Last seen date of the DNS record during the time period.

format: date

Intel Domains

Get Domain Details
GET /accounts/{account_id}/intel/domain
Models
Domain { additional_information, application, content_categories, 8 more }
additional_information: optional { suspected_malware_family }

Additional information related to the host name.

suspected_malware_family: optional string

Suspected DGA malware family.

application: optional { id, name }

Application that the hostname belongs to.

id: optional number
name: optional string
content_categories: optional array of { id, name, super_category_id }
id: optional number
name: optional string
super_category_id: optional number
domain: optional string
inherited_content_categories: optional array of { id, name, super_category_id }
id: optional number
name: optional string
super_category_id: optional number
inherited_from: optional string

Domain from which inherited_content_categories and inherited_risk_types are inherited, if applicable.

inherited_risk_types: optional array of { id, name, super_category_id }
id: optional number
name: optional string
super_category_id: optional number
popularity_rank: optional number

Global Cloudflare 100k ranking for the last 30 days, if available for the hostname. The top ranked domain is 1, the lowest ranked domain is 100,000.

resolves_to_refs: optional array of { id, value }

Specifies a list of references to one or more IP addresses or domain names that the domain name currently resolves to.

value: optional string

IP address or domain name.

risk_score: optional number

Hostname risk score, which is a value between 0 (lowest risk) and 1 (highest risk).

risk_types: optional array of { id, name, super_category_id }
id: optional number
name: optional string
super_category_id: optional number

Intel Domains Bulks

Get Multiple Domain Details
GET /accounts/{account_id}/intel/domain/bulk
Models
BulkGetResponse = array of { additional_information, application, content_categories, 7 more }
additional_information: optional { suspected_malware_family }

Additional information related to the host name.

suspected_malware_family: optional string

Suspected DGA malware family.

application: optional { id, name }

Application that the hostname belongs to.

id: optional number
name: optional string
content_categories: optional array of { id, name, super_category_id }
id: optional number
name: optional string
super_category_id: optional number
domain: optional string
inherited_content_categories: optional array of { id, name, super_category_id }
id: optional number
name: optional string
super_category_id: optional number
inherited_from: optional string

Domain from which inherited_content_categories and inherited_risk_types are inherited, if applicable.

inherited_risk_types: optional array of { id, name, super_category_id }
id: optional number
name: optional string
super_category_id: optional number
popularity_rank: optional number

Global Cloudflare 100k ranking for the last 30 days, if available for the hostname. The top ranked domain is 1, the lowest ranked domain is 100,000.

risk_score: optional number

Hostname risk score, which is a value between 0 (lowest risk) and 1 (highest risk).

risk_types: optional array of { id, name, super_category_id }
id: optional number
name: optional string
super_category_id: optional number

Intel Domain History

Get Domain History
GET /accounts/{account_id}/intel/domain-history
Models
DomainHistory { categorizations, domain }
categorizations: optional array of { categories, end, start }
categories: optional array of { id, name }
id: optional number
name: optional string
end: optional string
format: date
start: optional string
format: date
domain: optional string
DomainHistoryGetResponse = array of DomainHistory { categorizations, domain }
categorizations: optional array of { categories, end, start }
categories: optional array of { id, name }
id: optional number
name: optional string
end: optional string
format: date
start: optional string
format: date
domain: optional string

Intel IPs

Get IP Overview
GET /accounts/{account_id}/intel/ip
Models
IP { belongs_to_ref, ip, risk_types }
belongs_to_ref: optional { id, country, description, 2 more }

Specifies a reference to the autonomous systems (AS) that the IP address belongs to.

id: optional string
country: optional string
description: optional string
type: optional "hosting_provider" or "isp" or "organization"

Infrastructure type of this ASN.

One of the following:
"hosting_provider"
"isp"
"organization"
value: optional string
ip: optional string
format: ipv4
risk_types: optional array of { id, name, super_category_id }
id: optional number
name: optional string
super_category_id: optional number
IPGetResponse = array of IP { belongs_to_ref, ip, risk_types }
belongs_to_ref: optional { id, country, description, 2 more }

Specifies a reference to the autonomous systems (AS) that the IP address belongs to.

id: optional string
country: optional string
description: optional string
type: optional "hosting_provider" or "isp" or "organization"

Infrastructure type of this ASN.

One of the following:
"hosting_provider"
"isp"
"organization"
value: optional string
ip: optional string
format: ipv4
risk_types: optional array of { id, name, super_category_id }
id: optional number
name: optional string
super_category_id: optional number

Intel IP Lists

Models
IPList { id, description, name }
id: optional number
description: optional string
name: optional string

Intel Miscategorizations

Create Miscategorization
POST /accounts/{account_id}/intel/miscategorization
Models
MiscategorizationCreateResponse { errors, messages, success }
errors: array of { code, message, documentation_url, source }
code: number
minimum: 1000
message: string
documentation_url: optional string
source: optional { pointer }
pointer: optional string
messages: array of { code, message, documentation_url, source }
code: number
minimum: 1000
message: string
documentation_url: optional string
source: optional { pointer }
pointer: optional string
success: true

Whether the API call was successful.

Intel Whois

Get WHOIS Record
GET /accounts/{account_id}/intel/whois
Models
Whois { created_date, domain, nameservers, 6 more }
created_date: optional string
format: date
domain: optional string
nameservers: optional array of string
registrant: optional string
registrant_country: optional string
registrant_email: optional string
registrant_org: optional string
registrar: optional string
updated_date: optional string
format: date
WhoisGetResponse { dnssec, domain, extension, 84 more }
dnssec: boolean
domain: string
extension: string
found: boolean
nameservers: array of string
punycode: string
registrant: string
registrar: string
id: optional string
administrative_city: optional string
administrative_country: optional string
administrative_email: optional string
administrative_fax: optional string
administrative_fax_ext: optional string
administrative_id: optional string
administrative_name: optional string
administrative_org: optional string
administrative_phone: optional string
administrative_phone_ext: optional string
administrative_postal_code: optional string
administrative_province: optional string
administrative_referral_url: optional string
administrative_street: optional string
billing_city: optional string
billing_country: optional string
billing_email: optional string
billing_fax: optional string
billing_fax_ext: optional string
billing_id: optional string
billing_name: optional string
billing_org: optional string
billing_phone: optional string
billing_phone_ext: optional string
billing_postal_code: optional string
billing_province: optional string
billing_referral_url: optional string
billing_street: optional string
created_date: optional string
format: date-time
created_date_raw: optional string
expiration_date: optional string
format: date-time
expiration_date_raw: optional string
registrant_city: optional string
registrant_country: optional string
registrant_email: optional string
registrant_fax: optional string
registrant_fax_ext: optional string
registrant_id: optional string
registrant_name: optional string
registrant_org: optional string
registrant_phone: optional string
registrant_phone_ext: optional string
registrant_postal_code: optional string
registrant_province: optional string
registrant_referral_url: optional string
registrant_street: optional string
registrar_city: optional string
registrar_country: optional string
registrar_email: optional string
registrar_fax: optional string
registrar_fax_ext: optional string
registrar_id: optional string
registrar_name: optional string
registrar_org: optional string
registrar_phone: optional string
registrar_phone_ext: optional string
registrar_postal_code: optional string
registrar_province: optional string
registrar_referral_url: optional string
registrar_street: optional string
status: optional array of string
technical_city: optional string
technical_country: optional string
technical_email: optional string
technical_fax: optional string
technical_fax_ext: optional string
technical_id: optional string
technical_name: optional string
technical_org: optional string
technical_phone: optional string
technical_phone_ext: optional string
technical_postal_code: optional string
technical_province: optional string
technical_referral_url: optional string
technical_street: optional string
updated_date: optional string
format: date-time
updated_date_raw: optional string
whois_server: optional string

Intel Indicator Feeds

Get indicator feeds owned by this account
GET /accounts/{account_id}/intel/indicator-feeds
Get indicator feed metadata
GET /accounts/{account_id}/intel/indicator-feeds/{feed_id}
Create new indicator feed
POST /accounts/{account_id}/intel/indicator-feeds
Update indicator feed metadata
PUT /accounts/{account_id}/intel/indicator-feeds/{feed_id}
Get indicator feed data
GET /accounts/{account_id}/intel/indicator-feeds/{feed_id}/data
Models
IndicatorFeedListResponse { id, created_on, description, 5 more }
id: optional number

The unique identifier for the indicator feed

created_on: optional string

The date and time when the data entry was created

format: date-time
description: optional string

The description of the example test

is_attributable: optional boolean

Whether the indicator feed can be attributed to a provider

is_downloadable: optional boolean

Whether the indicator feed can be downloaded

is_public: optional boolean

Whether the indicator feed is exposed to customers

modified_on: optional string

The date and time when the data entry was last modified

format: date-time
name: optional string

The name of the indicator feed

IndicatorFeedGetResponse { id, created_on, description, 8 more }
id: optional number

The unique identifier for the indicator feed

created_on: optional string

The date and time when the data entry was created

format: date-time
description: optional string

The description of the example test

is_attributable: optional boolean

Whether the indicator feed can be attributed to a provider

is_downloadable: optional boolean

Whether the indicator feed can be downloaded

is_public: optional boolean

Whether the indicator feed is exposed to customers

latest_upload_status: optional "Mirroring" or "Unifying" or "Loading" or 3 more

Status of the latest snapshot uploaded

One of the following:
"Mirroring"
"Unifying"
"Loading"
"Provisioning"
"Complete"
"Error"
modified_on: optional string

The date and time when the data entry was last modified

format: date-time
name: optional string

The name of the indicator feed

provider_id: optional string

The unique identifier for the provider

provider_name: optional string

The provider of the indicator feed

IndicatorFeedCreateResponse { id, created_on, description, 5 more }
id: optional number

The unique identifier for the indicator feed

created_on: optional string

The date and time when the data entry was created

format: date-time
description: optional string

The description of the example test

is_attributable: optional boolean

Whether the indicator feed can be attributed to a provider

is_downloadable: optional boolean

Whether the indicator feed can be downloaded

is_public: optional boolean

Whether the indicator feed is exposed to customers

modified_on: optional string

The date and time when the data entry was last modified

format: date-time
name: optional string

The name of the indicator feed

IndicatorFeedUpdateResponse { id, created_on, description, 5 more }
id: optional number

The unique identifier for the indicator feed

created_on: optional string

The date and time when the data entry was created

format: date-time
description: optional string

The description of the example test

is_attributable: optional boolean

Whether the indicator feed can be attributed to a provider

is_downloadable: optional boolean

Whether the indicator feed can be downloaded

is_public: optional boolean

Whether the indicator feed is exposed to customers

modified_on: optional string

The date and time when the data entry was last modified

format: date-time
name: optional string

The name of the indicator feed

IndicatorFeedDataResponse = string

Intel Indicator Feeds Snapshots

Update indicator feed data
PUT /accounts/{account_id}/intel/indicator-feeds/{feed_id}/snapshot
Models
SnapshotUpdateResponse { file_id, filename, status }
file_id: optional number

Feed id

filename: optional string

Name of the file unified in our system

status: optional string

Current status of upload, should be unified

Intel Indicator Feeds Permissions

List indicator feed permissions
GET /accounts/{account_id}/intel/indicator-feeds/permissions/view
Grant permission to indicator feed
PUT /accounts/{account_id}/intel/indicator-feeds/permissions/add
Revoke permission to indicator feed
PUT /accounts/{account_id}/intel/indicator-feeds/permissions/remove
Models
PermissionListResponse = array of { id, description, is_attributable, 3 more }
id: optional number

The unique identifier for the indicator feed

description: optional string

The description of the example test

is_attributable: optional boolean

Whether the indicator feed can be attributed to a provider

is_downloadable: optional boolean

Whether the indicator feed can be downloaded

is_public: optional boolean

Whether the indicator feed is exposed to customers

name: optional string

The name of the indicator feed

PermissionCreateResponse { success }
success: optional boolean

Whether the update succeeded or not

PermissionDeleteResponse { success }
success: optional boolean

Whether the update succeeded or not

Intel Indicator Feeds Downloads

Intel Sinkholes

List sinkholes owned by this account
GET /accounts/{account_id}/intel/sinkholes
Models
Sinkhole { id, account_tag, created_on, 4 more }
id: optional number

The unique identifier for the sinkhole

account_tag: optional string

The account tag that owns this sinkhole

created_on: optional string

The date and time when the sinkhole was created

format: date-time
modified_on: optional string

The date and time when the sinkhole was last modified

format: date-time
name: optional string

The name of the sinkhole

r2_bucket: optional string

The name of the R2 bucket to store results

r2_id: optional string

The id of the R2 instance

Intel Attack Surface Report

Intel Attack Surface Report Issue Types

Retrieves Security Center Issues Types
GET /accounts/{account_id}/intel/attack-surface-report/issue-types
Models
IssueTypeGetResponse = string

Intel Attack Surface Report Issues

Retrieves Security Center Issues
Deprecated
GET /accounts/{account_id}/intel/attack-surface-report/issues
Retrieves Security Center Issue Counts by Class
Deprecated
GET /accounts/{account_id}/intel/attack-surface-report/issues/class
Retrieves Security Center Issue Counts by Severity
Deprecated
GET /accounts/{account_id}/intel/attack-surface-report/issues/severity
Retrieves Security Center Issue Counts by Type
Deprecated
GET /accounts/{account_id}/intel/attack-surface-report/issues/type
Archives Security Center Insight
Deprecated
PUT /accounts/{account_id}/intel/attack-surface-report/{issue_id}/dismiss
Models
IssueType = "compliance_violation" or "email_security" or "exposed_infrastructure" or 3 more
One of the following:
"compliance_violation"
"email_security"
"exposed_infrastructure"
"insecure_configuration"
"weak_authentication"
"configuration_suggestion"
SeverityQueryParam = "low" or "moderate" or "critical"
One of the following:
"low"
"moderate"
"critical"
IssueListResponse { count, issues, page, per_page }
count: optional number

Indicates the total number of results.

issues: optional array of { id, dismissed, issue_class, 8 more }
id: optional string
dismissed: optional boolean
issue_class: optional string
issue_type: optional IssueType
payload: optional { detection_method, zone_tag }
detection_method: optional string

Describes the method used to detect insight.

zone_tag: optional string
resolve_text: optional string
severity: optional "Low" or "Moderate" or "Critical"
One of the following:
"Low"
"Moderate"
"Critical"
since: optional string
format: date-time
subject: optional string
timestamp: optional string
format: date-time
page: optional number

Specifies the current page within paginated list of results.

per_page: optional number

Sets the number of results per page of results.

maximum: 1000
minimum: 1
IssueClassResponse = array of { count, value }
count: optional number
value: optional string
IssueSeverityResponse = array of { count, value }
count: optional number
value: optional string
IssueTypeResponse = array of { count, value }
count: optional number
value: optional string
IssueDismissResponse { errors, messages, success }
errors: array of { code, message, documentation_url, source }
code: number
minimum: 1000
message: string
documentation_url: optional string
source: optional { pointer }
pointer: optional string
messages: array of { code, message, documentation_url, source }
code: number
minimum: 1000
message: string
documentation_url: optional string
source: optional { pointer }
pointer: optional string
success: true

Whether the API call was successful.