Connectors Reference

RiskIQ

RiskIQ Security Intelligence Services provides direct, high-volume access to RiskIQ data, allowing mature customers to use this data to defend against threats to their environment.

 

Status: Preview

Tier: Premium

Version: 1.0

 

Actions:

Name

Summary

PDNS_IP (string ip, [Optional]string max, [Optional]string lastSeenAfter, [Optional]string firstSeenBefore)

Passive DNS results by IP address

PDNS_RESOURCE_DATA (string name, [Optional]string type, [Optional]string max, [Optional]string lastSeenAfter, [Optional]string firstSeenBefore)

Passive DNS results by resource name

PDNS_RESOURCE_DATA_HEX ([Optional]string type, [Optional]string max, [Optional]string lastSeenAfter, [Optional]string firstSeenBefore, string hex)

Passive DNS results by hex bytes in data field

PDNS_NAME (string name, [Optional]string type, [Optional]string max, [Optional]string lastSeenAfter, [Optional]string firstSeenBefore)

Passive DNS results by name

SSL_BY_HOST (string host)

Get SSL certificates by host name

SSL_BY_SERIAL (string serial)

Get SSL certificates by serial number

SSL_BY_SHA1 (string sha1)

Get SSL certificate by SHA1 hash

HOSTS_BY_SSL_SHA1 (string certSha1)

Get hosts by certificate

SSL_BY_NAME (string name)

Get SSL certificates by name

WHOIS_IP (string address, [Optional]string exact, [Optional]string maxResults)

Get WHOIS records associated with an address

WHOIS_DOMAIN (string domain, [Optional]string exact, [Optional]string maxResults)

Get the current WHOIS for a domain

WHOIS_BY_EMAIL (string email, [Optional]string exact, [Optional]string maxResults)

Get WHOIS records associated with an email address

WHOIS_BY_NAME (string name, [Optional]string exact, [Optional]string maxResults)

Get WHOIS records associated with a name

WHOIS_BY_NAMESERVER (string nameserver, [Optional]string exact, [Optional]string maxResults)

Get WHOIS records associated with a name server

WHOIS_BY_ORGANIZATION (string org, [Optional]string exact, [Optional]string maxResults)

Get WHOIS records associated with an organization

WHOIS_BY_PHONE (string phone, [Optional]string exact, [Optional]string maxResults)

Get WHOIS records associated with a phone number

TRACKERS_HOST (string host, [Optional]integer size, [Optional]integer page, [Optional]integer before, [Optional]integer after, [Optional]integer beforeDay, [Optional]integer afterDay, [Optional]string exact)

Get trackers for a host

TRACKERS_DOMAIN (string domain, [Optional]integer size, [Optional]integer page, [Optional]integer before, [Optional]integer after, [Optional]integer beforeDay, [Optional]integer afterDay, [Optional]string exact)

Get trackers for a domain

TRACKERS_IP (string address, [Optional]integer size, [Optional]integer page, [Optional]integer before, [Optional]integer after, [Optional]integer beforeDay, [Optional]integer afterDay, [Optional]string exact)

Get trackers for an IPv4 address

HOST_PAIRS_CHILD (string host, [Optional]integer size, [Optional]integer page, [Optional]integer before, [Optional]integer after, [Optional]integer beforeDay, [Optional]integer afterDay, [Optional]string exact)

Get children host pairs of host

HOST_PAIRS_PARENT (string host, [Optional]integer size, [Optional]integer page, [Optional]integer before, [Optional]integer after, [Optional]integer beforeDay, [Optional]integer afterDay, [Optional]string exact)

Get parent host pairs of host

WEB_COMPONENT_HOST (string host, [Optional]integer size, [Optional]integer page, [Optional]integer before, [Optional]integer after, [Optional]integer beforeDay, [Optional]integer afterDay, [Optional]string exact)

Get the web components for a host

WEB_COMPONENTS_DOMAIN (string domain, [Optional]integer size, [Optional]integer page, [Optional]integer before, [Optional]integer after, [Optional]integer beforeDay, [Optional]integer afterDay, [Optional]string exact)

Get the web components for a domain

WEB_COMPONENTS_IP (string address, [Optional]integer size, [Optional]integer page, [Optional]integer before, [Optional]integer after, [Optional]integer beforeDay, [Optional]integer afterDay, [Optional]string exact)

Get the web components for an IPv4 address

COOKIES_HOST (string host, [Optional]integer size, [Optional]integer page, [Optional]integer before, [Optional]integer after, [Optional]integer beforeDay, [Optional]integer afterDay, [Optional]string exact)

Get cookies associated with host

COOKIES_IP (string address, [Optional]integer size, [Optional]integer page, [Optional]integer before, [Optional]integer after, [Optional]integer beforeDay, [Optional]integer afterDay, [Optional]string exact)

Get cookies associated with IPv4 address

ENRICHMENT_HOST (string host, [Optional]boolean whois, [Optional]boolean hostDetails, [Optional]boolean ipDetails, [Optional]boolean linkedAssetCounts, [Optional]boolean recentPDNS, [Optional]boolean subDomainPDNS, [Optional]boolean openPorts, [Optional]boolean certificates)

Get enriched information by host

ENRICHMENT_IP (string ip, [Optional]boolean whois, [Optional]boolean hostDetails, [Optional]boolean linkedAssetCounts, [Optional]boolean openPorts, [Optional]boolean certificates)

Get enriched information by IPv4

 

Triggers:

Name

Summary

 

Objects:

Name

Summary

CertTypedName

 

Empty

 

EnrichResponse

 

HostAttributeContentResult

 

HostAttributeFacetQueryResult

 

HostAttributeResult

 

HostCacheContentResult

 

HostComponentContentResult

 

HostComponentsResult

 

HostCookieResult

 

HostPairsContentResult

 

HostPairsResult

 

RRSet

 

RRSets

 

SslCert

 

SslCertHost

 

SslCertHostPage

 

SslCertPage

 

SslCertWithHostPage

 

WhoisContact

 

WhoisDomain

 

WhoisResult

 

 

Actions:

PDNS_IP

Summary: Passive DNS results by IP address

Description: Passive DNS results by IP address

 

Syntax:

RiskIQ.PDNS_IP (string ip, [Optional]string max, [Optional]string lastSeenAfter, [Optional]string firstSeenBefore)

 

Parameters:

Name

Type

Summary

Required

Related Action

ip

string

(IP address in data fields for which to retrieve results.)

IP address in data fields for which to retrieve results.

True

max

string

(Maximum number of results to retrieve.)

Maximum number of results to retrieve.

False

lastSeenAfter

string

(Filter data based on lastSeen after date (YYYY-MM-DD).)

Filter data based on lastSeen after date (YYYY-MM-DD).

False

firstSeenBefore

string

(Filter data based on firstSeen before date (YYYY-MM-DD).)

Filter data based on firstSeen before date (YYYY-MM-DD).

False

 

Returns:

          Type:RRSets

 

PDNS_RESOURCE_DATA

Summary: Passive DNS results by resource name

Description: Passive DNS results by resource name

 

Syntax:

RiskIQ.PDNS_RESOURCE_DATA (string name, [Optional]string type, [Optional]string max, [Optional]string lastSeenAfter, [Optional]string firstSeenBefore)

 

Parameters:

Name

Type

Summary

Required

Related Action

name

string

(Domain name to search against.)

DNS name. Colloquially referred to as a domain name or DNS zone. Various types of PDNS records contain DNS names in their data fields. For example, the data fields of a name server (NS) record contain the host names of authoritative name servers.

True

type

string

(Record type.)

DNS resource record type. Indicates the type of a DNS resource record. Different types of records describe different aspects of a resource. For example, a record with a type of A describes an IPv4 address for a given host name (the rrname of the record). There are many different defined types. Some of the more common ones besides A include AAAA for IPv6 records, NS for name server records, MX for mail server records, and TXT for arbitrary data.

False

max

string

(Maximum number of results to retrieve.)

Maximum number of results to retrieve.

False

lastSeenAfter

string

(Filter data based on lastSeen after date (YYYY-MM-DD).)

Filter data based on lastSeen after date (YYYY-MM-DD).

False

firstSeenBefore

string

(Filter data based on firstSeen before date (YYYY-MM-DD).)

Filter data based on firstSeen before date (YYYY-MM-DD).

False

 

Returns:

          Type:RRSets

 

PDNS_RESOURCE_DATA_HEX

Summary: Passive DNS results by hex bytes in data field

Description: Passive DNS results by hex bytes in data field

 

Syntax:

RiskIQ.PDNS_RESOURCE_DATA_HEX ([Optional]string type, [Optional]string max, [Optional]string lastSeenAfter, [Optional]string firstSeenBefore, string hex)

 

Parameters:

Name

Type

Summary

Required

Related Action

type

string

(DNS resource record type.)

DNS resource record type. Indicates the type of a DNS resource record. Different types of records describe different aspects of a resource. For example, a record with a type of A describes an IPv4 address for a given host name (the rrname of the record). There are many different defined types. Some of the more common ones besides A include AAAA for IPv6 records, NS for name server records, MX for mail server records, and TXT for arbitrary data.

False

max

string

(Maximum number of results to retrieve.)

Maximum number of results to retrieve.

False

lastSeenAfter

string

(Filter data based on lastSeen after date (YYYY-MM-DD).)

Filter data based on lastSeen after date (YYYY-MM-DD).

False

firstSeenBefore

string

(Filter data based on firstSeen before date (YYYY-MM-DD).)

Filter data based on firstSeen before date (YYYY-MM-DD).

False

hex

string

(Hexadecimal encoding of data field bytes.)

Hexadecimal encoding of data field bytes.

True

 

Returns:

          Type:RRSets

 

PDNS_NAME

Summary: Passive DNS results by name

Description: Passive DNS results by name

 

Syntax:

RiskIQ.PDNS_NAME (string name, [Optional]string type, [Optional]string max, [Optional]string lastSeenAfter, [Optional]string firstSeenBefore)

 

Parameters:

Name

Type

Summary

Required

Related Action

name

string

(DNS resource record name.)

DNS resource record name. The name of the DNS zone to which a DNS resource record pertains. Commonly used interchangeably with domain name or host name in many scenarios. Technically, an rrname ends with a terminal dot (e.g. riskiq.net.); but this API automatically assumes an implied terminal dot if one is not supplied.

True

type

string

(DNS resource record type.)

DNS resource record type. Indicates the type of a DNS resource record. Different types of records describe different aspects of a resource. For example, a record with a type of A describes an IPv4 address for a given host name (the rrname of the record). There are many different defined types. Some of the more common ones besides A include AAAA for IPv6 records, NS for name server records, MX for mail server records, and TXT for arbitrary data.

False

max

string

(Maximum number of results to retrieve.)

Maximum number of results to retrieve.

False

lastSeenAfter

string

(Filter data based on lastSeen after date (YYYY-MM-DD).)

Filter data based on lastSeen after date (YYYY-MM-DD).

False

firstSeenBefore

string

(Filter data based on firstSeen before date (YYYY-MM-DD).)

Filter data based on firstSeen before date (YYYY-MM-DD).

False

 

Returns:

          Type:RRSets

 

SSL_BY_HOST

Summary: Get SSL certificates by host name

Description: SSL Certificates by host name

 

Syntax:

RiskIQ.SSL_BY_HOST (string host)

 

Parameters:

Name

Type

Summary

Required

Related Action

host

string

(DNS host name or IP address for which to retrieve certificates.)

DNS host name or IP address for which to retrieve certificates.

True

 

Returns:

          Type:SslCertWithHostPage

 

SSL_BY_SERIAL

Summary: Get SSL certificates by serial number

Description: SSL Certificates by serial number

 

Syntax:

RiskIQ.SSL_BY_SERIAL (string serial)

 

Parameters:

Name

Type

Summary

Required

Related Action

serial

string

(Serial number of certificates to retrieve.)

Serial number of certificates to retrieve.

True

 

Returns:

          Type:SslCertPage

 

SSL_BY_SHA1

Summary: Get SSL certificate by SHA1 hash

Description: SSL Certificate details by SHA-1

 

Syntax:

RiskIQ.SSL_BY_SHA1 (string sha1)

 

Parameters:

Name

Type

Summary

Required

Related Action

sha1

string

(SHA1 hash of certificate to retrieve.)

SHA1 hash of certificate to retrieve.

True

 

Returns:

          Type:SslCert

 

HOSTS_BY_SSL_SHA1

Summary: Get hosts by certificate

Description: Hosts by SSL Certificate SHA-1

 

Syntax:

RiskIQ.HOSTS_BY_SSL_SHA1 (string certSha1)

 

Parameters:

Name

Type

Summary

Required

Related Action

certSha1

string

(SHA1 hash of certificate for which to retrieve associated hosts.)

SHA1 hash of certificate for which to retrieve associated hosts.

True

 

Returns:

          Type:SslCertHostPage

 

SSL_BY_NAME

Summary: Get SSL certificates by name

Description: SSL Certificates by name

 

Syntax:

RiskIQ.SSL_BY_NAME (string name)

 

Parameters:

Name

Type

Summary

Required

Related Action

name

string

(Name of certificates to retrieve.)

Name of certificates to retrieve, including formal subject alternative and common names and other colloquial names.

True

 

Returns:

          Type:SslCertPage

 

WHOIS_IP

Summary: Get WHOIS records associated with an address

Description: WHOIS record by IP address

 

Syntax:

RiskIQ.WHOIS_IP (string address, [Optional]string exact, [Optional]string maxResults)

 

Parameters:

Name

Type

Summary

Required

Related Action

address

string

(The address you wish to search for.)

The address you wish to search for.

True

exact

string

(Search for an exact match.)

Search for an exact match.  Valid values are true and false.

False

maxResults

string

(Maximum number of results to return.)

Maximum number of results to return. Defaults to 1000 and maximum value is 10000.

False

 

Returns:

          Type:WhoisResult

 

WHOIS_DOMAIN

Summary: Get the current WHOIS for a domain

Description: WHOIS record by domain

 

Syntax:

RiskIQ.WHOIS_DOMAIN (string domain, [Optional]string exact, [Optional]string maxResults)

 

Parameters:

Name

Type

Summary

Required

Related Action

domain

string

(The domain or IP Address you wish to search for.)

The domain or IP Address you wish to search for.

True

exact

string

(Search for an exact match.  Valid values are true and false.)

Search for an exact match.  Valid values are true and false.

False

maxResults

string

(Maximum number of results to return.)

Maximum number of results to return. Defaults to 1000 and maximum value is 10000.

False

 

Returns:

          Type:WhoisResult

 

WHOIS_BY_EMAIL

Summary: Get WHOIS records associated with an email address

Description: WHOIS records by email address

 

Syntax:

RiskIQ.WHOIS_BY_EMAIL (string email, [Optional]string exact, [Optional]string maxResults)

 

Parameters:

Name

Type

Summary

Required

Related Action

email

string

(The email address you wish to search for.)

The email address you wish to search for.

True

exact

string

(Search for an exact match.  Valid values are true and false.)

Search for an exact match.  Valid values are true and false.

False

maxResults

string

(Maximum number of results to return.)

Maximum number of results to return. Defaults to 1000 and maximum value is 10000.

False

 

Returns:

          Type:WhoisResult

 

WHOIS_BY_NAME

Summary: Get WHOIS records associated with a name

Description: WHOIS records by name

 

Syntax:

RiskIQ.WHOIS_BY_NAME (string name, [Optional]string exact, [Optional]string maxResults)

 

Parameters:

Name

Type

Summary

Required

Related Action

name

string

(The name you wish to search for.)

The name you wish to search for.

True

exact

string

(Search for an exact match.  Valid values are true and false.)

Search for an exact match.  Valid values are true and false.

False

maxResults

string

(Maximum number of results to return.)

Maximum number of results to return. Defaults to 1000 and maximum value is 10000.

False

 

Returns:

          Type:WhoisResult

 

WHOIS_BY_NAMESERVER

Summary: Get WHOIS records associated with a name server

Description: WHOIS records by name server

 

Syntax:

RiskIQ.WHOIS_BY_NAMESERVER (string nameserver, [Optional]string exact, [Optional]string maxResults)

 

Parameters:

Name

Type

Summary

Required

Related Action

nameserver

string

(The name server you wish to search for.)

The name server you wish to search for.

True

exact

string

(Search for an exact match.)

Search for an exact match.  Valid values are true and false.

False

maxResults

string

(Maximum number of results to return.)

Maximum number of results to return. Defaults to 1000 and maximum value is 10000.

False

 

Returns:

          Type:WhoisResult

 

WHOIS_BY_ORGANIZATION

Summary: Get WHOIS records associated with an organization

Description: WHOIS records by organization

 

Syntax:

RiskIQ.WHOIS_BY_ORGANIZATION (string org, [Optional]string exact, [Optional]string maxResults)

 

Parameters:

Name

Type

Summary

Required

Related Action

org

string

(The organization you wish to search for.)

The organization you wish to search for.

True

exact

string

(Search for an exact match.)

Search for an exact match.  Valid values are true and false.

False

maxResults

string

(Maximum number of results to return.)

Maximum number of results to return. Defaults to 1000 and maximum value is 10000.

False

 

Returns:

          Type:WhoisResult

 

WHOIS_BY_PHONE

Summary: Get WHOIS records associated with a phone number

Description: WHOIS records by phone number

 

Syntax:

RiskIQ.WHOIS_BY_PHONE (string phone, [Optional]string exact, [Optional]string maxResults)

 

Parameters:

Name

Type

Summary

Required

Related Action

phone

string

(The phone number you wish to search for.)

The phone number you wish to search for.

True

exact

string

(Search for an exact match.)

Search for an exact match.  Valid values are true and false.

False

maxResults

string

(Maximum number of results to return.)

Maximum number of results to return. Defaults to 1000 and maximum value is 10000.

False

 

Returns:

          Type:WhoisResult

 

TRACKERS_HOST

Summary: Get trackers for a host

Description: Trackers for a host

 

Syntax:

RiskIQ.TRACKERS_HOST (string host, [Optional]integer size, [Optional]integer page, [Optional]integer before, [Optional]integer after, [Optional]integer beforeDay, [Optional]integer afterDay, [Optional]string exact)

 

Parameters:

Name

Type

Summary

Required

Related Action

host

string

(Hostname you want to search for.)

Hostname you want to search for

True

size

integer(int32)

(Maximum number of results to return.)

Maximum number of results to return per page.

False

page

integer(int32)

(Page number.)

Page number.

False

before

integer(int64)

(Filter for records last seen before date.)

Filter for records last seen before this date in MILLISECONDS.

False

after

integer(int64)

(Filter for records last seen after date.)

Filter for records first seen after this date in MILLISECONDS.

False

beforeDay

integer(int64)

(Filter for records last seen before date.)

Filter for records last seen before this date in MILLISECONDS. Granularity of this filter is DAYS.

False

afterDay

integer(int64)

(Filter for records last seen after date.)

Filter for records first seen after this date in MILLISECONDS. Granularity of this filter is DAYS.

False

exact

string

(Search for an exact match.)

Search for an exact match.  Valid values are true and false.

False

 

Returns:

          Type:HostAttributeResult

 

TRACKERS_DOMAIN

Summary: Get trackers for a domain

Description: Trackers for a domain

 

Syntax:

RiskIQ.TRACKERS_DOMAIN (string domain, [Optional]integer size, [Optional]integer page, [Optional]integer before, [Optional]integer after, [Optional]integer beforeDay, [Optional]integer afterDay, [Optional]string exact)

 

Parameters:

Name

Type

Summary

Required

Related Action

domain

string

(Domain you want to search for.)

Domain you want to search for

True

size

integer(int32)

(Maximum number of results.)

Maximum number of results to return per page.

False

page

integer(int32)

(Page number.)

Page number.

False

before

integer(int64)

(Filter for records last seen before date.)

Filter for records last seen before this date in MILLISECONDS.

False

after

integer(int64)

(Filter for records last seen after date.)

Filter for records first seen after this date in MILLISECONDS.

False

beforeDay

integer(int64)

(Filter for records last seen before date.)

Filter for records last seen before this date in MILLISECONDS. Granularity of this filter is DAYS.

False

afterDay

integer(int64)

(Filter for records last seen after date.)

Filter for records first seen after this date in MILLISECONDS. Granularity of this filter is DAYS.

False

exact

string

(Search for exact match.)

Search for an exact match.  Valid values are true and false.

False

 

Returns:

          Type:HostAttributeResult

 

TRACKERS_IP

Summary: Get trackers for an IPv4 address

Description: Trackers for an IP address

 

Syntax:

RiskIQ.TRACKERS_IP (string address, [Optional]integer size, [Optional]integer page, [Optional]integer before, [Optional]integer after, [Optional]integer beforeDay, [Optional]integer afterDay, [Optional]string exact)

 

Parameters:

Name

Type

Summary

Required

Related Action

address

string

(IPv4 address you want to search for.)

IPv4 address you want to search for

True

size

integer(int32)

(Maximum number of results.)

Maximum number of results to return per page.

False

page

integer(int32)

(Page number.)

Page number.

False

before

integer(int64)

(Filter for records last seen before date.)

Filter for records last seen before this date in MILLISECONDS.

False

after

integer(int64)

(Filter for records last seen after date.)

Filter for records first seen after this date in MILLISECONDS.

False

beforeDay

integer(int64)

(Filter for records last seen before date.)

Filter for records last seen before this date in MILLISECONDS. Granularity of this filter is DAYS.

False

afterDay

integer(int64)

(Filter for records last seen after date.)

Filter for records first seen after this date in MILLISECONDS. Granularity of this filter is DAYS.

False

exact

string

(Search for exact match.)

Search for an exact match.  Valid values are true and false.

False

 

Returns:

          Type:HostAttributeResult

 

HOST_PAIRS_CHILD

Summary: Get children host pairs of host

Description: Children Host Pairs by host

 

Syntax:

RiskIQ.HOST_PAIRS_CHILD (string host, [Optional]integer size, [Optional]integer page, [Optional]integer before, [Optional]integer after, [Optional]integer beforeDay, [Optional]integer afterDay, [Optional]string exact)

 

Parameters:

Name

Type

Summary

Required

Related Action

host

string

(Hostname you want to search for.)

Hostname you want to search for

True

size

integer(int32)

(Maximum number of results.)

Maximum number of results to return per page.

False

page

integer(int32)

(Page number.)

Page number.

False

before

integer(int64)

(Filter for records last seen before date.)

Filter for records last seen before this date in MILLISECONDS.

False

after

integer(int64)

(Filter for records last seen after date.)

Filter for records first seen after this date in MILLISECONDS.

False

beforeDay

integer(int64)

(Filter for records last seen before date.)

Filter for records last seen before this date in MILLISECONDS. Granularity of this filter is DAYS.

False

afterDay

integer(int64)

(Filter for records last seen after date.)

Filter for records first seen after this date in MILLISECONDS. Granularity of this filter is DAYS.

False

exact

string

(Search for an exact match.)

Search for an exact match.  Valid values are true and false.

False

 

Returns:

          Type:HostPairsResult

 

HOST_PAIRS_PARENT

Summary: Get parent host pairs of host

Description: Parent Host Pairs by host

 

Syntax:

RiskIQ.HOST_PAIRS_PARENT (string host, [Optional]integer size, [Optional]integer page, [Optional]integer before, [Optional]integer after, [Optional]integer beforeDay, [Optional]integer afterDay, [Optional]string exact)

 

Parameters:

Name

Type

Summary

Required

Related Action

host

string

(Hostname you want to search for.)

Hostname you want to search for

True

size

integer(int32)

(Maximum number of results.)

Maximum number of results to return per page.

False

page

integer(int32)

(Page number.)

Page number.

False

before

integer(int64)

(Filter for records last seen before date.)

Filter for records last seen before this date in MILLISECONDS.

False

after

integer(int64)

(Filter for records last seen after date.)

Filter for records first seen after this date in MILLISECONDS.

False

beforeDay

integer(int64)

(Filter for records last seen before date.)

Filter for records last seen before this date in MILLISECONDS. Granularity of this filter is DAYS.

False

afterDay

integer(int64)

(Filter for records last seen after date.)

Filter for records first seen after this date in MILLISECONDS. Granularity of this filter is DAYS.

False

exact

string

(Search for an exact match.)

Search for an exact match.  Valid values are true and false.

False

 

Returns:

          Type:HostPairsResult

 

WEB_COMPONENT_HOST

Summary: Get the web components for a host

Description: Web Components by host

 

Syntax:

RiskIQ.WEB_COMPONENT_HOST (string host, [Optional]integer size, [Optional]integer page, [Optional]integer before, [Optional]integer after, [Optional]integer beforeDay, [Optional]integer afterDay, [Optional]string exact)

 

Parameters:

Name

Type

Summary

Required

Related Action

host

string

(Hostname you want to search for.)

Hostname you want to search for

True

size

integer(int32)

(Maximum number of results.)

Maximum number of results to return per page.

False

page

integer(int32)

(Page number.)

Page number.

False

before

integer(int64)

(Filter for records last seen before date.)

Filter for records last seen before this date in MILLISECONDS.

False

after

integer(int64)

(Filter for records last seen after date.)

Filter for records first seen after this date in MILLISECONDS.

False

beforeDay

integer(int64)

(Filter for records last seen before date.)

Filter for records last seen before this date in MILLISECONDS. Granularity of this filter is DAYS.

False

afterDay

integer(int64)

(Filter for records last seen after date.)

Filter for records first seen after this date in MILLISECONDS. Granularity of this filter is DAYS.

False

exact

string

(Search for an exact match.)

Search for an exact match.  Valid values are true and false.

False

 

Returns:

          Type:HostComponentsResult

 

WEB_COMPONENTS_DOMAIN

Summary: Get the web components for a domain

Description: Web Components by domain

 

Syntax:

RiskIQ.WEB_COMPONENTS_DOMAIN (string domain, [Optional]integer size, [Optional]integer page, [Optional]integer before, [Optional]integer after, [Optional]integer beforeDay, [Optional]integer afterDay, [Optional]string exact)

 

Parameters:

Name

Type

Summary

Required

Related Action

domain

string

(Domain you want to search for.)

Domain you want to search for

True

size

integer(int32)

(Maximum number of results.)

Maximum number of results to return per page.

False

page

integer(int32)

(Page number.)

Page number.

False

before

integer(int64)

(Filter for records last seen before date.)

Filter for records last seen before this date in MILLISECONDS.

False

after

integer(int64)

(Filter for records last seen after date.)

Filter for records first seen after this date in MILLISECONDS.

False

beforeDay

integer(int64)

(Filter for records last seen before date.)

Filter for records last seen before this date in MILLISECONDS. Granularity of this filter is DAYS.

False

afterDay

integer(int64)

(Filter for records last seen after date.)

Filter for records first seen after this date in MILLISECONDS. Granularity of this filter is DAYS.

False

exact

string

(Search for an exact match.)

Search for an exact match.  Valid values are true and false.

False

 

Returns:

          Type:HostComponentsResult

 

WEB_COMPONENTS_IP

Summary: Get the web components for an IPv4 address

Description: Web Components by IP address

 

Syntax:

RiskIQ.WEB_COMPONENTS_IP (string address, [Optional]integer size, [Optional]integer page, [Optional]integer before, [Optional]integer after, [Optional]integer beforeDay, [Optional]integer afterDay, [Optional]string exact)

 

Parameters:

Name

Type

Summary

Required

Related Action

address

string

(IPv4 address you want to search for.)

IPv4 address you want to search for

True

size

integer(int32)

(Maximum number of results.)

Maximum number of results to return per page.

False

page

integer(int32)

(Page number.)

Page number.

False

before

integer(int64)

(Filter for records last seen before date.)

Filter for records last seen before this date in MILLISECONDS.

False

after

integer(int64)

(Filter for records last seen after date.)

Filter for records first seen after this date in MILLISECONDS.

False

beforeDay

integer(int64)

(Filter for records last seen before date.)

Filter for records last seen before this date in MILLISECONDS. Granularity of this filter is DAYS.

False

afterDay

integer(int64)

(Filter for records last seen after date.)

Filter for records first seen after this date in MILLISECONDS. Granularity of this filter is DAYS.

False

exact

string

(Search for an exact match.)

Search for an exact match.  Valid values are true and false.

False

 

Returns:

          Type:HostComponentsResult

 

COOKIES_HOST

Summary: Get cookies associated with host

Description: Cookies by host

 

Syntax:

RiskIQ.COOKIES_HOST (string host, [Optional]integer size, [Optional]integer page, [Optional]integer before, [Optional]integer after, [Optional]integer beforeDay, [Optional]integer afterDay, [Optional]string exact)

 

Parameters:

Name

Type

Summary

Required

Related Action

host

string

(Hostname you want to search for.)

Hostname you want to search for

True

size

integer(int32)

(Maximum number of results.)

Maximum number of results to return per page.

False

page

integer(int32)

(Page number.)

Page number.

False

before

integer(int64)

(Filter for records last seen before date.)

Filter for records last seen before this date in MILLISECONDS.

False

after

integer(int64)

(Filter for records last seen after date.)

Filter for records first seen after this date in MILLISECONDS.

False

beforeDay

integer(int64)

(Filter for records last seen before date.)

Filter for records last seen before this date in MILLISECONDS. Granularity of this filter is DAYS.

False

afterDay

integer(int64)

(Filter for records last seen after date.)

Filter for records first seen after this date in MILLISECONDS. Granularity of this filter is DAYS.

False

exact

string

(Search for an exact match.)

Search for an exact match.  Valid values are true and false.

False

 

Returns:

          Type:HostCookieResult

 

COOKIES_IP

Summary: Get cookies associated with IPv4 address

Description: Cookies by IP address

 

Syntax:

RiskIQ.COOKIES_IP (string address, [Optional]integer size, [Optional]integer page, [Optional]integer before, [Optional]integer after, [Optional]integer beforeDay, [Optional]integer afterDay, [Optional]string exact)

 

Parameters:

Name

Type

Summary

Required

Related Action

address

string

(IPv4 address you want to search for.)

IPv4 address you want to search for

True

size

integer(int32)

(Maximum number of results.)

Maximum number of results to return per page.

False

page

integer(int32)

(Page number.)

Page number.

False

before

integer(int64)

(Filter for records last seen before date.)

Filter for records last seen before this date in MILLISECONDS.

False

after

integer(int64)

(Filter for records last seen after date.)

Filter for records first seen after this date in MILLISECONDS.

False

beforeDay

integer(int64)

(Filter for records last seen before date.)

Filter for records last seen before this date in MILLISECONDS. Granularity of this filter is DAYS.

False

afterDay

integer(int64)

(Filter for records last seen after date.)

Filter for records first seen after this date in MILLISECONDS. Granularity of this filter is DAYS.

False

exact

string

(Search for an exact match.)

Search for an exact match. Valid values are true and false.

False

 

Returns:

          Type:HostCookieResult

 

ENRICHMENT_HOST

Summary: Get enriched information by host

Description: Enrichment by host

 

Syntax:

RiskIQ.ENRICHMENT_HOST (string host, [Optional]boolean whois, [Optional]boolean hostDetails, [Optional]boolean ipDetails, [Optional]boolean linkedAssetCounts, [Optional]boolean recentPDNS, [Optional]boolean subDomainPDNS, [Optional]boolean openPorts, [Optional]boolean certificates)

 

Parameters:

Name

Type

Summary

Required

Related Action

host

string

(Query you want to search for.)

Host domain or URL you want to search for

True

whois

boolean

(Include WHOIS information.)

Include WHOIS information.

False

hostDetails

boolean

(Include host details information.)

Include host details.

False

ipDetails

boolean

(Include IP details information.)

Include IP details.

False

linkedAssetCounts

boolean

(Include linked asset count information.)

Include linked asset counts.

False

recentPDNS

boolean

(Include PDNS lookup information.)

Include recent PDNS lookups.

False

subDomainPDNS

boolean

(Include subdomain information.)

Include subdomain PDNS lookups.

False

openPorts

boolean

(Include open ports information.)

Include open ports.

False

certificates

boolean

(Include certificates information.)

Include certificates.

False

 

Returns:

          Type:EnrichResponse

 

ENRICHMENT_IP

Summary: Get enriched information by IPv4

Description: Enrichment by IP address

 

Syntax:

RiskIQ.ENRICHMENT_IP (string ip, [Optional]boolean whois, [Optional]boolean hostDetails, [Optional]boolean linkedAssetCounts, [Optional]boolean openPorts, [Optional]boolean certificates)

 

Parameters:

Name

Type

Summary

Required

Related Action

ip

string

(Query you want to search for.)

IPv4 address you want to search for

True

whois

boolean

(Include WHOIS information.)

Include WHOIS information.

False

hostDetails

boolean

(Include host details information.)

Include host details.

False

linkedAssetCounts

boolean

(Include linked asset count information.)

Include linked asset counts.

False

openPorts

boolean

(Include open ports information.)

Include open ports.

False

certificates

boolean

(Include certificates information.)

Include certificates.

False

 

Returns:

          Type:EnrichResponse

 


 

CertTypedName

Summary:

Description:

 

          Properties:

Name

Type

Summary

type

string

 

 

name

string

 

 


 

Empty

Summary:

Description:

 

          Properties:

Name

Type

Summary


 

EnrichResponse

Summary:

Description:

 

          Properties:

Name

Type

Summary


 

HostAttributeContentResult

Summary:

Description:

 

          Properties:

Name

Type

Summary

firstSeen

integer(int64)

 

 

lastSeen

integer(int64)

 

 

count

integer(int32)

 

 

id

string

 

 

hostname

string

 

 

domain

string

 

 

attributeValue

string

 

 

attributeType

string

 

 


 

HostAttributeFacetQueryResult

Summary:

Description:

 

          Properties:

Name

Type

Summary

content

array of (string)

 

 

last

boolean

 

 

totalElements

integer(int32)

 

 

totalPages

integer(int32)

 

 

size

integer(int32)

 

 

sort

Sort

 

 

numberOfElements

integer(int32)

 

 

first

boolean

 

 

 

Sort

Summary:

Description:

 

          Properties:

Name

Type

Summary

sorted

boolean

 

 

unsorted

boolean

 

 

empty

boolean

 

 

 


 

HostAttributeResult

Summary:

Description:

 

          Properties:

Name

Type

Summary

content

array of (HostAttributeContentResult)

 

 

facetResultPages

array of (string)

 

 

facetQueryResult

HostAttributeFacetQueryResult

 

 

highlighted

array of (string)

 

 

maxScore

number(float)

 

 

facetFields

array of (string)

 

 

facetPivotFields

array of (string)

 

 

totalElements

integer(int32)

 

 

totalPages

integer(int32)

 

 

last

boolean

 

 

size

integer(int32)

 

 

number

integer(int32)

 

 

sort

Sort

 

 

numberOfElements

integer(int32)

 

 

first

boolean

 

 

 


 

HostCacheContentResult

Summary:

Description:

 

          Properties:

Name

Type

Summary

firstSeen

integer(int64)

 

 

lastSeen

integer(int64)

 

 

count

integer(int32)

 

 

id

string

 

 

hostname

string

 

 

domain

string

 

 

cookieDomain

string

 

 

cookieName

string

 

 


 

HostComponentContentResult

Summary:

Description:

 

          Properties:

Name

Type

Summary

firstSeen

integer(int64)

 

 

lastSeen

integer(int64)

 

 

count

integer(int32)

 

 

id

string

 

 

hostname

string

 

 

domain

string

 

 

webComponentVersion

string

 

 

webComponentName

string

 

 

webComponentCategory

string

 

 


 

HostComponentsResult

Summary:

Description:

 

          Properties:

Name

Type

Summary

content

array of (HostComponentContentResult)

 

 

facetResultPages

array of (string)

 

 

facetQueryResult

HostAttributeFacetQueryResult

 

 

highlighted

array of (string)

 

 

maxScore

number(float)

 

 

facetFields

array of (string)

 

 

facetPivotFields

array of (string)

 

 

totalElements

integer(int32)

 

 

totalPages

integer(int32)

 

 

last

boolean

 

 

size

integer(int32)

 

 

number

integer(int32)

 

 

sort

Sort

 

 

numberOfElements

integer(int32)

 

 

first

boolean

 

 

 


 

HostCookieResult

Summary:

Description:

 

          Properties:

Name

Type

Summary

content

array of (HostCacheContentResult)

 

 

facetResultPages

array of (string)

 

 

facetQueryResult

HostAttributeFacetQueryResult

 

 

highlighted

array of (string)

 

 

maxScore

number(float)

 

 

facetFields

array of (string)

 

 

facetPivotFields

array of (string)

 

 

totalElements

integer(int32)

 

 

totalPages

integer(int32)

 

 

last

boolean

 

 

size

integer(int32)

 

 

number

integer(int32)

 

 

sort

Sort

 

 

numberOfElements

integer(int32)

 

 

first

boolean

 

 

 


 

HostPairsContentResult

Summary:

Description:

 

          Properties:

Name

Type

Summary

firstSeen

integer(int64)

 

 

lastSeen

integer(int64)

 

 

count

integer(int32)

 

 

id

string

 

 

cause

string

 

 

childCount

integer(int32)

 

 

childHostname

string

 

 

childScore

number(float)

 

 

pairScore

number(float)

 

 

parentCount

integer(int32)

 

 

parentHostname

string

 

 

parentScore

number(float)

 

 


 

HostPairsResult

Summary:

Description:

 

          Properties:

Name

Type

Summary

content

array of (HostPairsContentResult)

 

 

facetResultPages

array of (string)

 

 

facetQueryResult

HostAttributeFacetQueryResult

 

 

highlighted

array of (string)

 

 

maxScore

number(float)

 

 

facetFields

array of (string)

 

 

facetPivotFields

array of (string)

 

 

totalElements

integer(int32)

 

 

totalPages

integer(int32)

 

 

last

boolean

 

 

size

integer(int32)

 

 

number

integer(int32)

 

 

sort

Sort

 

 

numberOfElements

integer(int32)

 

 

first

boolean

 

 

 


 

RRSet

Summary:

Description:

 

          Properties:

Name

Type

Summary

count

integer(int32)

 

 

firstSeen

string

 

 

lastSeen

string

 

 

name

string

 

 

data

array of (string)

 

 

rrtype

string

 

 


 

RRSets

Summary:

Description:

 

          Properties:

Name

Type

Summary

recordCount

integer(int32)

 

 

records

array of (RRSet)

 

 


 

SslCert

Summary:

Description:

 

          Properties:

Name

Type

Summary

count

integer(int32)

 

 

firstSeen

integer(int32)

 

 

id

string

 

 

issuer

array of (CertTypedName)

 

 

issuerAlternativeNames

array of (CertTypedName)

 

 

issuerID

string

 

 

lastSeen

integer(int32)

 

 

notAfter

integer(int32)

 

 

notBefore

integer(int32)

 

 

publicKeyAlgorithm

string

 

 

serialNumber

string

 

 

sha1

string

 

 

signatureAlgorithm

string

 

 

signatureAlgorithmOid

string

 

 

subject

array of (CertTypedName)

 

 

subjectAlternativeNames

array of (CertTypedName)

 

 

subjectID

string

 

 

version

integer(int32)

 

 


 

SslCertHost

Summary:

Description:

 

          Properties:

Name

Type

Summary

count

integer(int32)

 

 

firstSeen

integer(int32)

 

 

host

string

 

 

lastSeen

integer(int32)

 

 

port

integer(int32)

 

 


 

SslCertHostPage

Summary:

Description:

 

          Properties:

Name

Type

Summary

content

array of (SslCertHost)

 

 

first

boolean

 

 

last

boolean

 

 

number

integer(int32)

 

 

numberOfElements

integer(int32)

 

 

size

integer(int32)

 

 

sort

Sort

 

 

totalElements

integer(int32)

 

 

totalPages

integer(int32)

 

 

 


 

SslCertPage

Summary:

Description:

 

          Properties:

Name

Type

Summary

content

array of (SslCert)

 

 

first

boolean

 

 

last

boolean

 

 

number

integer(int32)

 

 

numberOfElements

integer(int32)

 

 

size

integer(int32)

 

 

sort

Sort

 

 

totalElements

integer(int32)

 

 

totalPages

integer(int32)

 

 

 


 

SslCertWithHostPage

Summary:

Description:

 

          Properties:

Name

Type

Summary

content

array of (ContentItem)

 

 

 

ContentItem

Summary:

Description:

 

          Properties:

Name

Type

Summary

firstSeen

integer(int32)

 

 

lastSeen

integer(int32)

 

 

count

integer(int32)

 

 

id

string

 

 

address

string

 

 

asn

string

 

 

bgpPrefix

string

 

 

port

integer(int32)

 

 

sha1

string

 

 

cert

SslCert

 

 

 


 

WhoisContact

Summary:

Description:

 

          Properties:

Name

Type

Summary

domain

string

 

 

email

string

 

 

name

string

 

 

organization

string

 

 

street

string

 

 

city

string

 

 

state

string

 

 

postalCode

string

 

 

country

string

 

 

telephone

string

 

 


 

WhoisDomain

Summary:

Description:

 

          Properties:

Name

Type

Summary

domain

string

 

 

registrar

string

 

 

whoisServer

string

 

 

registered

string

 

 

registryUpdatedAt

string

 

 

expiresAt

string

 

 

contactEmail

string

 

 

nameServers

array of (string)

 

 

registrant

WhoisContact

 

 

admin

WhoisContact

 

 

billing

WhoisContact

 

 

tech

WhoisContact

 

 

zone

Empty

 

 

text

string

 

 

lastLoadedAt

string

 

 


 

WhoisResult

Summary:

Description:

 

          Properties:

Name

Type

Summary

results

integer(int32)

 

 

domains

array of (WhoisDomain)