
Query Data for a Specific Threat Indicator

You can query the platform to retrieve all data for a single threat indicator, such as a specific IP address, host name, or URL.

Query for a Specific IP Address

If you wanted to search for all instances of IP address 1.2.3.4 in csv format, you could submit the following curl request:

curl 'https://csp.infoblox.com/tide/api/data/threats/state?type=ip&ip=1.2.3.4&data_format=csv' -H 'Authorization:Token token=<MYTOKEN>'

If you wanted to search for all instances of IP address 1.2.3.4 detected in the last day in csv format, you could submit the following curl request:

curl 'https://csp.infoblox.com/tide/api/data/threats/state?type=ip&ip=1.2.3.4&period=1d&data_format=csv' -H 'Authorization:Token token=<MYTOKEN>'

If you wanted to search for all instances of IP address 1.2.3.4 which were reported as Zero Access Bots in csv format, you could submit the following curl request:

curl 'https://csp.infoblox.com/tide/api/data/threats/state?type=ip&ip=1.2.3.4&property=bot_zeroaccess&data_format=csv' -H 'Authorization:Token token=<MYTOKEN>'

(A list of valid properties is available from the API endpoint /api/data/properties.)

Query for a Specific Host Name

If you wanted to search for all instances of host example.com in csv format, you could submit the following curl request:


curl 'https://csp.infoblox.com/tide/api/data/threats/state?type=host&host=example.com&data_format=csv' -H 'Authorization:Token token=<MYTOKEN>'

If you wanted to search for all instances of host example.com imported in the last hour in csv format, you could submit the following curl request:

curl 'https://csp.infoblox.com/tide/api/data/threats/state?type=host&host=example.com&imported_period=1h&data_format=csv' -H 'Authorization:Token token=<MYTOKEN>'

If you wanted to search for all instances of host example.com for threat class Malware C2 in csv format, you could submit the following curl request:


curl 'https://csp.infoblox.com/tide/api/data/threats/state?type=host&host=example.com&class=Malware_C2&data_format=csv' -H 'Authorization:Token token=<MYTOKEN>'

(A list of valid threat classes is available from the API endpoint /api/data/threat_classes.)

Query for a Specific URL

If you wanted to search for all instances of URL http://www.example.com, you could submit the following curl request:

curl 'https://csp.infoblox.com/tide/api/data/threats/state?type=url&url=http://www.example.com&data_format=csv' -H 'Authorization:Token token=<MYTOKEN>'

If you wanted to search for all instances of URL http://www.example.com detected since August 1, 2017 UTC, you could submit the following curl request:


curl 'https://csp.infoblox.com/tide/api/data/threats/state?type=url&url=http://www.example.com&from_date=2017-08-01T00:00:00Z&data_format=csv' -H 'Authorization:Token token=<MYTOKEN>'

If you wanted to search for all instances of URL http://www.example.com detected since August 1, 2017 UTC and targeting your company, you could submit the following curl request:

curl 'https://csp.infoblox.com/tide/api/data/threats/state?type=url&url=http://www.example.com&from_date=2017-08-01T00:00:00Z&target=my%20company&data_format=csv' -H 'Authorization:Token token=<MYTOKEN>'
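
The URL and target queries above rely on percent-encoding (the page's own my%20company), and an indicator URL that itself contains & or ? would otherwise be split into extra parameters. As an added example, not Infoblox code, these POSIX shell functions build the same queries with every value encoded and hand the token to curl on stdin so it stays out of the process list. The function names and the TIDE_TOKEN variable are assumptions, input is assumed to be ASCII, and the API is assumed to decode percent-encoded values as standard.

```shell
# Added example (not Infoblox code). Function names and TIDE_TOKEN are assumptions.
TIDE_BASE='https://csp.infoblox.com/tide/api/data/threats/state'

# Percent-encode every character outside the RFC 3986 unreserved set.
# Subshell body keeps the LC_ALL change local; ASCII input is assumed.
urlencode() (
  LC_ALL=C
  s=$1 out=
  while [ -n "$s" ]; do
    rest=${s#?}; c=${s%"$rest"}
    case $c in
      [A-Za-z0-9._~-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
    s=$rest
  done
  printf '%s' "$out"
)

# tide_url TYPE VALUE [key=value ...]  -> prints the full query URL
tide_url() {
  [ "$#" -ge 2 ] || { echo "usage: tide_url TYPE VALUE [key=value ...]" >&2; return 2; }
  itype=$1 value=$2
  shift 2
  case $itype in
    ip|host|url) ;;
    *) echo "unsupported indicator type: $itype" >&2; return 2 ;;
  esac
  q="type=$itype&$itype=$(urlencode "$value")"
  for kv in "$@"; do
    key=${kv%%=*}
    case $kv in *=*) ;; *) key= ;; esac
    case $key in
      ''|*[!a-z_]*) echo "filter must be key=value: $kv" >&2; return 2 ;;
    esac
    q="$q&$key=$(urlencode "${kv#*=}")"
  done
  printf '%s?%s\n' "$TIDE_BASE" "$q"
}

# Token is read from $TIDE_TOKEN and given to curl as a config line on
# stdin, so it does not show up in argv (ps output) or shell history.
tide_query() {
  [ -n "${TIDE_TOKEN:-}" ] || { echo "set TIDE_TOKEN" >&2; return 2; }
  url=$(tide_url "$@") || return
  printf 'header = "Authorization: Token token=%s"\n' "$TIDE_TOKEN" |
    curl --silent --show-error --fail --config - "$url"
}
```

For example, tide_query url 'http://www.example.com' from_date=2017-08-01T00:00:00Z 'target=my company' data_format=csv issues the last request on this page with the values encoded.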