RiskIQ PassiveTotal
App Vendor: RiskIQ
Connector Category: Data Enrichment and Threat Intelligence
App Version in Orchestrate: 1.1.0
API Version: 2.3.0
About App
The RiskIQ PassiveTotal app allows security teams to integrate with the RiskIQ PassiveTotal enterprise application. RiskIQ PassiveTotal enables security analysts to investigate web data such as passive DNS, WHOIS, SSL, hosts and host pairs, cookies, exposed services, ports, components, and other artifacts. This helps identify the attacker, the tools and systems used in an attack, and the indicators of compromise.
The RiskIQ PassiveTotal app is configured with the Orchestrate application to perform the following actions:
Action | Description |
---|---|
Create Artifact | This action creates an artifact using the project ID and the query parameters. |
Delete Artifact | This action deletes an artifact using the artifact ID. |
Add Tags to an Artifact | This action adds tags to an artifact. |
Get Tags for an Artifact | This action retrieves all the associated tags for an artifact. |
Get Whois Records | This action retrieves the WHOIS data for the specified domain. WHOIS provides information about who owns a domain and related information. |
Get Cookies | This action retrieves the host attribute cookies related to the query. |
Get Passive DNS Records | This action retrieves the passive DNS records from active account sources. |
Set Bulk Classification Status | This action sets the classification status for the given domains. |
Get Bulk Classification Status | This action gets the classification status for the given domains. |
Set Classification Status | This action sets the classification status for a given domain. |
Set Compromised Status | This action indicates whether or not a given domain has ever been compromised. |
Set Dynamic DNS Status | This action sets whether or not a domain's DNS records are updated through dynamic DNS. |
Get Dynamic DNS Status | This action indicates whether or not a domain's DNS records are updated through dynamic DNS. |
Get Monitor Status | This action indicates whether or not a domain is monitored. |
Get Sinkhole Status | This action indicates whether or not an IP address is a sinkhole. |
Set Sinkhole Status | This action sets the status for an IP address to indicate whether or not it is a sinkhole. |
Get Artifacts For Tag | This action retrieves artifacts for a given tag. |
Get OSINT Bulk | This action retrieves bulk OSINT data for queries. |
Get Malware Data Bulk | This action retrieves bulk malware data for queries. |
Get Enrichment Data Bulk | This action retrieves bulk enrichment data for queries. |
Get Addresses by Component Name | This action retrieves the address hosts information by component name. |
Get Hosts by Component Name | This action retrieves the host information using the component name. |
Get Addresses by Cookie Domain | This action searches the cookies addresses information by cookie domain. |
Get Addresses by Cookie Name | This action searches the addresses information by cookie name. |
Get Hosts by Cookie Domain | This action searches the cookies hosts information by cookie domain. |
Get Hosts by Cookie Name | This action searches the hosts information by cookie name. |
Get Trackers | This action retrieves the host attribute trackers. |
Get Artifact Tags | This action retrieves the tags of an artifact or artifacts. |
Update Artifact Tags | This action updates tags of an artifact. |
Delete Artifact Tags | This action deletes a set of tags from an artifact. |
Get SSL History | This action retrieves the SSL certificate history for a given certificate SHA-1 hash or IP address. |
Search SSL Certificates | This action searches the SSL certificates for a given query. |
Add Project Tags | This action adds tags to a project. |
Delete Project Tags | This action deletes tags from a project. |
Find Project | This action finds a project or projects using the search filter. |
Get Services | This action retrieves the exposed services on recently open ports for an IP address. |
Get Reputation | This action retrieves the reputation for a given domain, host or an IP address. |
Get Details for Intel Profile | This action retrieves the details for a given intel profile. |
Get Article Indicators | This action retrieves the indicators for the article specified. |
Get Article Details by Indicator | This action retrieves the details of the article by indicator. |
Get Article Details | This action retrieves the details of the article specified. It returns the guid, title, summary, tag and other information. |
Get All Articles | This action retrieves all the articles. |
Get Summary Data Card | This action retrieves a summary data card associated with the query. |
Find Artifacts | This action finds existing artifacts based on the filters passed. |
Get Compromised Status | This action indicates whether or not a given domain has ever been compromised. |
Get Classification Status | This action retrieves the classification status of a domain. |
Get OSINT | This action retrieves the OSINT (open source intelligence) data for a query. |
Get Malware | This action retrieves the malware data for a query. |
Get Enrichment Data | This action retrieves the enrichment data for a query. |
Get Alerts | This action retrieves all alerts associated with an artifact or a project. |
Get Sub-Domains | This action retrieves all the subdomains for a query. |
Configuration Parameters
The following configuration parameters are required for the RiskIQ PassiveTotal app to communicate with the RiskIQ PassiveTotal enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Username | Enter the RiskIQ username. Example: user@host.com | Text | Required | Note: You require the Illuminate license level to access the APIs. |
API Key | Enter the RiskIQ API token for authentication. The supported maximum length is 64 characters. Example: 1231156778659867 | Password | Required |
Action: Create Artifact
This action creates an artifact using the project ID and the query parameters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Project ID | Enter the project ID that the artifact will associate with. Example: "cy716-9769-16cb-4660-6gt4b8n6" | Text | Required | |
Query | Enter the artifact query to create an artifact. Example: exampledomain.org | Text | Required | |
IOC Type | Enter the type of IOC. Example: "domain" | Text | Optional | |
Tags List | Enter the list of tags to add to the artifact. Example: ["exampletag1", "exampletag2"] | List | Optional |
Example Request
[ { "project_id": "st56-8976-hg78-i254h-87hsfd6", "query": "exampledomain.org", "ioc_type": "domain", "tag_list": "registered" } ] |
Action: Delete Artifact
This action deletes an artifact using the artifact ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Artifact ID | Enter the artifact ID for which the associated artifact is deleted. Example: "a872564-1111-176g-d422-e878ghhdfd" | Text | Required |
Example Request
[ { "artifact": "646fb067-d2c6-4a3f-8686-cb7e72822bc0" } ] |
Action: Add Tags to an Artifact
This action adds tags to an artifact.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Artifact ID | Enter the artifact ID to associate the tags to. Example: "a872564-1111-176g-d422-e878ghhdfd" | Text | Required | |
Tags List | Enter the tags to add to the artifact. Example: ["malicious", "suspicious"] | List | Required |
Example Request
[ { "tags": ["malicious", "suspicious"], "artifact_id": "646fb067-d2c6-4a3f-8686-cb7e72822bc0" } ] |
Action: Get Tags for an Artifact
This action retrieves all the associated tags for an artifact.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Artifact ID | Enter the artifact ID to retrieve all the associated tags. Example: "a872564-1111-176g-d422-e878ghhdfd" | Text | Required |
Example Request
[ { "artifact_id": "646fb067-d2c6-4a3f-8686-cb7e72822bc0" } ] |
Action: Get Whois Records
This action retrieves the WHOIS data for the specified domain. WHOIS provides information about who owns a domain and related data.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain | Enter the domain to be queried. Example: "exampledomain.org" | Any | Required | |
History | Enter True to return historical results. Otherwise, enter False. | Boolean | Required |
Example Request
[ { "domain": "google.com", "history": true } ] |
Action: Get Cookies
This action retrieves the host attribute cookies based on the query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the domain or IP to retrieve the cookies information. Example: "exampledomain.org" | Text | Required | |
Extra Params | Enter any additional parameters as key-value pairs to fetch the cookies. Example: "start": "2020-12-12" | Key Value | Optional | Allowed values:
|
Example Request
[ { "query": "exampledomain.org", "start": "2020-12-12" } ] |
Action: Get Passive DNS Records
This action retrieves the passive DNS records from active account sources.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the domain or IP being queried. Example: "exampledomain.org" | Text | Required | |
Start Time | Enter the start timestamp. Example: 'yyyy-MM-dd', 'yyyy-MM-dd HH:mm:ss' | Text | Required | |
End Time | Enter the end timestamp. Example: 'yyyy-MM-dd', 'yyyy-MM-dd HH:mm:ss' | Text | Required | |
Timeout | Enter the timeout to use for external resources. Example: "10" | Integer | Optional | Default value: 7 |
Example Request
[ { "domain": "google.com", "end_timestamp": "2021-09-01 21:40:49", "start_timestamp": "2019-09-01 21:40:49", "timeout": "7" } ] |
Action: Set Bulk Classification Status
This action sets the classification status for the given domains.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Queries List | Enter the domains to set the classification status. Example: ["exampledomain.com","sampleURL.com"] | List | Required | |
Classification | Enter the classification status to set for the domains. Example: "suspicious" | Text | Required | Allowed values:
|
Example Request
[ { "queries_list": ["04zyp.trudemocracy.com", "bad.net"], "classification": "suspicious" } ] |
Action: Get Bulk Classification Status
This action is used to get the classification status for the given domains.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Queries List | Enter the list of domains to retrieve the classification status. Example: ["exampledomain.com", "sampleURL.com"] | List | Required |
Example Request
[ { "query_list": ["04zyp.trudemocracy.com", "bad.net"] } ] |
Action: Set Classification Status
This action sets the classification status for a given domain.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the domain for which the classification status is set. Example: "exampledomain.com" | Text | Required | |
Classification | Enter the classification status to set for the specified domain. Example: "suspicious" | Text | Required | Allowed values:
|
Example Request
[ { "query": "bad.net", "classification": "suspicious" } ] |
Action: Set Compromised Status
This action indicates whether or not a given domain has ever been compromised.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain | Enter the domain to set the compromised status for. Example: "exampledomain.com" | Text | Required | |
Status | Enter True if the domain has ever been compromised. Otherwise, enter False. | Boolean | Required | Allowed values:
|
Example Request
[ { "domain": "bad.net", "status": true } ] |
Action: Set Dynamic DNS Status
This action sets the domain status to indicate whether or not a domain's DNS records are updated through dynamic DNS.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the domain to set the dynamic DNS status. Example: "exampledomain.com" | Text | Required | |
Status | Enter True if the domain's DNS records are updated through dynamic DNS. Otherwise, enter False. | Boolean | Required | Allowed values:
|
Example Request
[ { "query": "bad.net", "status": true } ] |
Action: Get Dynamic DNS Status
This action indicates whether or not a domain's DNS records are updated through dynamic DNS.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the domain for which the dynamic DNS status is retrieved. Example: "exampledomain.com" | Text | Required |
Example Request
[ { "query": "bad.net" } ] |
Action: Get Monitor Status
This action indicates whether or not a domain is monitored.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the domain to check if it is monitored or not. Example: "exampledomain.com" | Text | Required |
Example Request
[ { "query": "riskiq.net" } ] |
Action: Get Sinkhole Status
This action indicates whether or not an IP address is a sinkhole.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the IP address to check for sinkhole status. Example: "8.8.8.8" | Text | Required |
Example Request
[ { "query": "8.8.8.8" } ] |
Action: Set Sinkhole Status
This action sets the status for an IP address to indicate whether or not it is a sinkhole.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the IP address to set the sinkhole status. Example: "8.8.8.8" | Text | Required | |
Status | Enter True if you want to set an IP address as a sinkhole. Otherwise, enter False. | Boolean | Required | Allowed values:
|
Example Request
[ { "query": "8.8.8.8", "status": false } ] |
Action: Get Artifacts For Tag
This action retrieves artifacts for a given tag.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the input tag to retrieve all the associated artifacts. Example: "suspicious" | Text | Required |
Example Request
[ { "query": "suspicious" } ] |
Action: Get OSINT Bulk
This action retrieves the bulk OSINT (open source intel) data for the specified query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query List | Enter the domains and IPs being queried for OSINT data. Example: ["example.com", "sample.com"] | List | Required |
Example Request
[ { "query_list": "['\"riskiq.net\"']" } ] |
Action: Get Malware Data Bulk
This action retrieves bulk malware data for the specified query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query List | Enter the domains and IPs being queried for malware data. Example: "exampledomain.net" | List | Required |
Example Request
[ { "query_list": "['\"riskiq.net\"']" } ] |
Action: Get Enrichment Data Bulk
This action retrieves bulk enrichment data based on the query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query List | Enter the domains and IPs being queried for enriched data. Example: "exampledomain.net" | List | Required |
Example Request
[ { "query_list": "['\"riskiq.net\"']" } ] |
Action: Get Addresses by Component Name
This action searches the component's address information such as category, last seen, labels and so on by component name.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Component Name | Enter the component name. Example: "apache" | Text | Required | |
Extra Params | Enter the extra parameters as key value pairs to get the address details. Example: "sort": "lastSeen" | Key Value | Optional | Allowed values:
|
Example Request
[ { "extra_params": { "sort": "lastSeen", "version": "null", "page": "1", "category": "server" }, "component_name": "apache" } ] |
Action: Get Hosts by Component Name
This action retrieves the host information using the component name.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Component Name | Enter the component name. Example: "apache" | Text | Required | |
Extra Params | Enter the additional parameters as key-value pairs to retrieve the host information. | Key Value | Optional | Allowed values:
|
Example Request
[ { "extra_params": { "sort": "lastSeen", "version": "null", "page": "1", "category": "server" }, "component_name": "apache" } ] |
Action: Get Addresses by Cookie Domain
This action searches the cookies addresses information by cookie domain.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain | Enter the domain name. Example: "exampledomain.com" | Text | Required | |
Extra Params | Enter the extra parameters as key-value pairs to get the address information. Example: "order": "desc" | Key Value | Optional | Allowed values:
|
Example Request
[ { "domain": "riskiq.net", "extra_params": { "sort": "firstSeen", "page": "2", "order": "desc" } } ] |
Action: Get Addresses by Cookie Name
This action is used to search the addresses information by cookie name.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Name | Enter the cookie name. Example: "email" | Text | Required | |
Extra Params | Enter the extra parameters as key-value pairs to get the address information. Example: "sort": "firstSeen" | Key Value | Optional | Allowed values:
|
Example Request
[ { "name": "handl_ref", "extra_params": { "page": "2", "sort": "firstSeen", "order": "desc" } } ] |
Action: Get Hosts by Cookie Domain
This action searches the cookies hosts information by cookie domain.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain | Enter the cookie domain name. Example: "exampledomain.org" | Text | Required | |
Extra Params | Enter the extra parameters as key-value pairs to get the address information. Example: "sort": "firstSeen" | Key Value | Optional | Allowed values:
|
Example Request
[ { "domain": "pacific.com", "extra_params": { "page": "2", "sort": "firstSeen", "order": "desc" } } ] |
Action: Get Hosts by Cookie Name
This action searches the hosts information by cookie name.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Name | Enter the cookie name. Example: "email" | Text | Required | |
Extra Params | Enter the extra parameters as key-value pairs to get the hosts information. Example: "sort": "firstSeen" | Key Value | Optional | Allowed values:
|
Example Request
[ { "name": "handl_ref", "extra_params": { "page": "2", "sort": "firstSeen", "order": "desc" } } ] |
Action: Get Trackers
This action retrieves the host attribute trackers.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the domain or IP being queried to get trackers. Example: "exampledomain.com" | Text | Required | |
Extra Params | Enter the extra parameters as key-value pairs to get the trackers information. Example: "lastseen" | Key Value | Optional | Allowed values:
|
Example Request
[ { "query": "riskiq.net", "extra_params": { "lastSeen": "2017-01-19 18:40:12", "page": "2" } } ] |
Action: Get Artifact Tags
This action retrieves the tags of an artifact or artifacts.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Artifact ID | Enter the artifact to be queried to retrieve the associated tags. Example: "646fb067-d2c6-4a3f-8686-cb7e72822bc0" | Text | Required |
Example Request
[ { "artifact": "646fb067-d2c6-4a3f-8686-cb7e72822bc0" } ] |
Action: Update Artifact Tags
This action updates tags of an artifact.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Artifact | Enter the artifact ID. | Text | Required | |
Tags List | Enter the list of tags to be updated. | List | Required |
Example Request
[ { "artifact": "646fb067-d2c6-4a3f-8686-cb7e72822bc0", "tags_list": ["\"a\""] } ] |
Action: Delete Artifact Tags
This action deletes a set of tags from an artifact.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Artifact | Enter the artifact ID. | Text | Required | |
Tags List | Enter the list of tags to be deleted. | List | Required |
Example Request
[ { "artifact": "646fb067-d2c6-4a3f-8686-cb7e72822bc0", "tags_list": ["'maliciousIPs'"] } ] |
Action: Get SSL History
This action retrieves the SSL certificate history for a given certificate SHA-1 hash or IP address.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Hash or IP Address | Enter the SHA-1 hash or associated IP address to retrieve the certificate history. | Text | Required |
Example Request
[ { "hash_or_ip_address": "google.com" } ] |
Action: Search SSL Certificates
This action searches the SSL certificates for a given query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the SHA-1 hash of the certificate to retrieve. | Text | Required |
Example Request
[ { "query": "54861d96e46def086e71d59a422761032e827892" } ] |
Action: Add Project Tags
This action adds tags to a project.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Project ID | Enter the unique project ID. | Text | Required | |
Tags List | Enter the tags to be associated with the project. | List | Required |
Example Request
[ { "tags_list": ["\"phishing\""], "project_id": "55dc15d7-63d2-423e-9a03-e90a57e9834d" } ] |
Action: Delete Project Tags
This action deletes tags from a project.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Project ID | Enter the unique project ID. | Text | Required | |
Tags List | Enter the tags to be deleted from the project. | Any | Required |
Example Request
[ { "tags_list": ["phishing"], "project_id": "55dc15d7-63d2-423e-9a03-e90a57e9834d" } ] |
Action: Find Project
This action finds a project or projects using the search filter.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Project ID | Enter the unique project ID. | Text | Optional | |
Visibility | Enter the visibility of the project. | Text | Optional | Allowed values:
|
Extra Params | Enter the extra parameters as key value pairs to find a project. Example:
| Key Value | Optional |
Example Request
[ { "project_id": "55dc15d7-63d2-423e-9a03-e90a57e9834d", "visibility": "public", "extra_params": { "owner": "riskiq", "creator": "sampleuser@testdomain.com", "organization": "testdomain" } } ] |
Action: Get Services
This action retrieves the exposed services on recently open ports for an IP address.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the domain or IP to get the list of services. | Text | Required |
Example Request
[ { "query": "8.8.8.8" } ] |
Action: Get Reputation
This action retrieves the reputation for a given domain, host or an IP address.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the domain, host or IP to retrieve the reputation details. | Text | Required |
Example Request
[ { "query": "2020-windows.com" } ] |
Action: Get Details for Intel Profile
This action retrieves the details for a given intel profile.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Intel Profile ID | Enter the intel profile ID. | Text | Optional |
Example Request
[ { "intel_profile_id": "5642-6756-87998" } ] |
Action: Get Article Indicators
This action retrieves the indicators for the specified article.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Article GUID | Enter the article GUID. | Text | Optional | |
Start Date | Enter the start date or publish date of articles where you want to start looking at indicators. Format: YYYY-MM-DD HH:mm:ss | Text | Optional |
Example Request
[ { "start_date": "2022-06-15 00:00:00", "guid": "ff9861p9" } ] |
Action: Get Article Details by Indicator
This action retrieves the details of the article based on the indicator.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the query or IOCs to retrieve the article details. | Text | Optional | |
Extra Params | Enter the extra parameters as key value pairs to retrieve the article details. Example:
| Key Value | Optional |
Example Request
[ { "query": "sampledomain.site", "extra_params": { "type": "url", "count": 8, "source": "public" } } ] |
Action: Get Article Details
This action retrieves the details of the article specified. It returns the title, summary, tag and other details about the article.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Article GUID | Enter the GUID of the article to retrieve the article details. | Text | Required |
Example Request
[ { "guid": "7b83636f" } ] |
Action: Get All Articles
This action retrieves all the articles.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Sort Type | Enter the order in which the articles are sorted. Example: "publishedDate" | Text | Optional | Default value: Created date |
Page | Enter the page number for paging through results. Example: "0" | Integer | Optional | Default value: 0 |
Order | Enter the field name to sort by. Example: "asc" | Text | Optional | Default value: desc |
Example Request
[ { "order": "asc", "page": 0, "sort_type": "created" } ] |
Action: Get Summary Data Card
This action retrieves a summary data card associated with the given query. The summary card provides details about the hashes, cookies, articles, projects, trackers, and so on.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the domain, host or IP to be queried to get the summary card. | Text | Required |
Example Request
[ { "query": "riskiq.org" } ] |
Action: Find Artifacts
This action finds existing artifacts based on the artifact ID. If no filters are passed, it returns all the artifacts created by you or your organization.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Artifact ID | Enter the unique artifact ID to list the artifact details. | Text | Required |
Example Request
[ { "artifact_id": "646fb067-d2c6-4a3f-8686-cb7e72822bc0" } ] |
Action: Get Compromised Status
This action indicates whether or not a given domain has ever been compromised.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain | Enter the domain to check for compromised status. Example: "google.com" | Text | Required |
Example Request
[ { "domain": "google.com" } ] |
Action: Get Classification Status
This action retrieves the classification status of a domain.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain | Enter the domain for which the classification status is retrieved. Example: "google.com" | Text | Required |
Example Request
[ { "domain": "google.com" } ] |
Action: Get OSINT
This action retrieves the OSINT (open source intelligence) data such as the source, indicators, and so on for a query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the domain or IP to retrieve the OSINT data. Example: "google.com" | Text | Required |
Example Request
[ { "query": "google.com" } ] |
Action: Get Malware
This action retrieves the malware data for a query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the domain or IP to retrieve the malware data. Example: "google.com" | Text | Required |
Example Request
[ { "query": "google.com" } ] |
Action: Get Enrichment Data
This action retrieves the enrichment data for a query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the domain or IP to retrieve the enrichment data. Example: "8.8.8.8" | Text | Required |
Example Request
[ { "query": "8.8.8.8" } ] |
Action: Get Alerts
This action retrieves all the alerts associated with an artifact or a project.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Project | Enter the project to retrieve all the alerts. | Text | Required | |
Artifact | Enter the artifact ID to retrieve all the alerts. | Text | Optional | |
Start Time | Enter the start time to filter results to after this datetime. Format: yyyy-MM-dd HH:mm:ss | Text | Optional | |
End Time | Enter the end time to filter results to before this datetime. Format: yyyy-MM-dd HH:mm:ss | Text | Optional | |
Max Results | Enter the max number of results to display. | Integer | Optional | Default value: 25 |
Extra Params | Enter the extra params as key-value pairs to get alerts. | Key Value | Optional |
Example Request
[ { "project": "15ddbca7-5f9a-49da-b217-57dadcd3d479", "artifact": "sample1223", "stat_time": "2017-04-15T00:34:44.260000", "end_time": "2021-04-15T00:34:44.260000", "size": "25", "extra_params": { "page": 0 } } ] |
Action: Get Sub-Domains
This action retrieves all the subdomains for the query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the domain or IP to retrieve the list of all subdomains. Example: "google.com" | Text | Required |
Example Request
[ { "query": "google.com" } ] |