
Query Active Threats

To access active threats available to your organization, use tide/api/data/threats/state/. If you don't specify a provider organization (using the "profile" query string parameter) then the search will be executed against all available data. You can specify multiple provider organizations by having multiple "profile" parameters.

To make samples a bit easier to use, the calls also specify the “rlimit” query string parameter. It's an optional parameter that limits the number of returned records.

Python

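#note: install the 'requests' library first:
#pip install -U requests
import requests
from pprint import pprint

#note: replace this api_key value with your api key!
# (api_key is not read below; the request authenticates with `token`.)
api_key = 'YOUR_API_KEY'
api_endpoint = 'https://csp.infoblox.com'
api_path = '/tide/api/data/threats/state'
url = '%s%s' % (api_endpoint, api_path)
# Optional: 'rlimit' limits the number of returned records.
# A 'profile' entry can be added here to restrict the search to specific
# provider organizations.
params = {'rlimit': 2}

# Placeholder only. Keep the real token out of source control; load it from
# the environment or a secrets store for anything beyond a quick test.
token = '<MY TOKEN>'

# NOTE(review): the curl sample on this page sends
# 'Authorization:Token token=<MYTOKEN>'; confirm which header format the
# service expects before relying on the one used here.
r = requests.get(
    url,
    params=params,  # send the query string; otherwise rlimit is never applied
    headers={'Content-Type': 'application/json',
             'Authorization': 'token {}'.format(token)},
    timeout=30,  # requests does not time out by default
)
print (r.status_code)
if r.ok:
    pprint(r.json())
else:
    # An error response (for example a rejected token) may not be JSON, so
    # show the raw body instead of failing inside the JSON decoder.
    print (r.text)
# OR
#print (r.content)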

Sample Result

200

{u'dropped': False,
 u'dropped_record_count': 0,
 u'filtered_record_count': 2,
 u'record_count': 2,
 u'threat': [{u'batch_id': u'ffffffff-f343-11e3-897d-55530a829c6f',
                    u'class': u'Exploit_Kit',
                    u'detected': u'2017-06-13T15:42:06.000Z',
                    u'dga': u'false',
                    u'domain': u'bomunykedafppw.info',
                    u'host': u'8uub.bomunykedafppw.info',
                    
u'id': u'ffffffff-f342-11e3-897c-55530a829c6f',
          u'imported': u'2017-06-13T21:42:54.429Z',
          u'ip': u'',
          u'origin': u'IID',
          u'profile': u'IID',
          u'property': u'Exploit_Kit_Angler',
          u'target': u'',
          u'threat_level': 1,
u'tld': u'info',
u'tlp': u'',
u'type': u'HOST',
u'up': u'true',
u'url': u''},
{u'batch_id': u'ffffffff-0c5b-11e4-913b-fb8aa419fdba',
u'class': u'Spam_Bot',
u'detected': u'2017-07-15T10:36:44.000Z',
u'domain': u'',
u'host': u'',
u'id': u'ffffffff-0c5b-11e4-913b-fb8aa419fdff',
u'imported': u'2017-07-15T20:06:57.174Z', u'ip': u'1.26.31.136',
u'origin': u'OrgA',
u'profile': u'OrgA',
u'property': u'Bot Cutwail',
u'target': u'',
u'threat_level': 1,
u'tld': u'',
u'tlp': u'',
u'type': u'IP',
u'url': u''}]}

Curl

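# Fetch active threats filtered by provider profile, class and type, then
# pretty-print the response.
# A token given on the command line is recorded in shell history and is
# visible in process listings; on shared hosts, supply it from a protected
# file or variable instead.
# NOTE(review): json.tool parses a single JSON document. If data_format=ndjson
# returns one record per line, this pipe will fail; confirm against the API.
curl 'https://csp.infoblox.com/tide/api/data/threats/state?profile=EmergingThreats:Hostnames_Feed&class=APT,Bot&type=host&show_full_profiles=true&data_format=ndjson' -H 'Authorization:Token token=<MYTOKEN>' | python -mjson.tool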

Sample Result

{
"threat": [
{
"batch_id": "ffffffff-f343-11e3-897c-55530a829c6f",
"class": "Exploit_Kit",
"detected": "2017-06-13T17:24:26.000Z",
"dga": "false",
"domain": "real-bad-host.info",
"host": "drawer.real-bad-host.info",
"id": "ffffffff-f343-11e3-897c-55530a829cf6",
"imported": "2017-06-13T21:42:54.429Z",
"ip": "",
"origin": "IID",
"profile": "IID",
"property": "Exploit_Kit_Nuclear",
"target": "",
"threat_level": 1,
"tld": "info",
"tlp": "",
"type": "HOST",
"up": "true",
"url": ""
},
{
"batch_id": "ffffffff-0c5a-11e4-913b-fb8aa419fdba",
"class": "Spam_Bot",
"detected": "2017-07-15T10:36:44.000Z",
"domain": "",
"host": "",
"id": "ffffffff-0c5b-11d4-913b-fb8aa419fdba",
"imported": "2017-07-15T20:06:57.174Z",
"ip": "1.55.122.11",
"origin": "OrgA",
"profile": "OrgA",
"property": "Bot Cutwail",
"target": "",
"threat_level": 1,
"tld": "",
"tlp": "",
"type": "IP",
"url": ""
}
],
"record_count": 2,
"filtered_record_count": 2,
"dropped_record_count": 0,
"dropped": false
}