We've made a number of improvements to the depth of data in OTX recently, which are now available via the free API tool.
Some of the API functions now include:
- Malware anti-virus and sandbox reports (example)
- A Whois API, including reverse whois and reverse SSL (example)
- View IP addresses that our telemetry indicates a specific network signature has fired on
- The HTTP contents of a domain or URL (example), as well as finding all pages that link to it (example)
- Passive DNS history (example)
- Find malware samples that talk to a domain or ip (example)
- Retrieve malware samples by anti-virus detection (example)
- Lists of malicious URLs on domains (example)
- Download all indicators from users that you subscribe to (example)
- Find pulses based on the adversary, industry or keywords that interest you (example)
Most of these API requests will work without authentication. However, it's worth using an API key, as it allows 10,000 requests per hour rather than just 1,000 requests per hour. Exceeding 10,000 requests per hour is normally fine so long as you let us know in advance. You can also use the API key to choose to only get data from users you have said you trust.
The SDK deals with authentication for you, or you can simply add it as a parameter in any requests: curl https://otx.alienvault.com:443/otxapi/indicator/nids/2003068/ip_list -H "X-OTX-API-KEY: e989..."
What could you build?
This depth of data could be used for countless things, but here are a couple of examples the API could used for:
Let’s say you want to get daily updates on an attacker that has targeted your sector before.
With the new API, you will get a daily email on name servers they use, domain registration emails they use, and servers that have fired network alerts for their malware.
Malicious File Alerting
Another common task is when you want to know if files that pass your network or mail gateway (either at the MX or Inbox) are malicious. You can easily extract these files, then check them against OTX to see if they are malicious.
Our Python SDK page includes some simple examples of using the API, such as:
- Storing a feed of malicious indicators on OTX
- Telling if a Domain, IP, File hash or URL is malicious
- Get all the data we have for an indicator
Some example uses of the AlienVault API
Use the API, bag some swag
As if all this data available at no-cost wasn't enough, we're also keen to promote anyone who has a project that uses the OTX API on Github or similar.
Send an email to firstname.lastname@example.org with a link to your project that uses the API on Github or similar and we'll add you to the list of API users. Make sure you send us a link to your github page with a script using the API.
And if you're willing to share your postal address we will send you some AlienVault-branded swag like these fine items: