Intel

IntelASN

Get ASN Overview.

GET/accounts/{account_id}/intel/asn/{asn}

IntelASNSubnets

Get ASN Subnets

GET/accounts/{account_id}/intel/asn/{asn}/subnets

ModelsExpand Collapse

SubnetGetResponse object { asn, count, ip_count_total, 3 more }

asn: optional ASN

Total results returned based on your search parameters.

ip_count_total: optional number

page: optional number

Current page within paginated list of results.

per_page: optional number

Number of results per page of results.

subnets: optional array of string

IntelDNS

ModelsExpand Collapse

DNS object { count, page, per_page, reverse_records }

Total results returned based on your search parameters.

page: optional number

Current page within paginated list of results.

per_page: optional number

Number of results per page of results.

reverse_records: optional array of object { first_seen, hostname, last_seen }

Reverse DNS look-ups observed during the time period.

first_seen: optional string

First seen date of the DNS record during the time period.

formatdate

hostname: optional string

Hostname that the IP was observed resolving to.

last_seen: optional string

Last seen date of the DNS record during the time period.

formatdate

IntelDomains

ModelsExpand Collapse

Domain object { additional_information, application, content_categories, 8 more }

additional_information: optional object { suspected_malware_family }

Additional information related to the host name.

suspected_malware_family: optional string

Suspected DGA malware family.

application: optional object { id, name }

Application that the hostname belongs to.

id: optional number

content_categories: optional array of object { id, name, super_category_id }

id: optional number

super_category_id: optional number

domain: optional string

inherited_content_categories: optional array of object { id, name, super_category_id }

id: optional number

super_category_id: optional number

inherited_from: optional string

Domain from which inherited_content_categories and inherited_risk_types are inherited, if applicable.

inherited_risk_types: optional array of object { id, name, super_category_id }

id: optional number

super_category_id: optional number

popularity_rank: optional number

Global Cloudflare 100k ranking for the last 30 days, if available for the hostname. The top ranked domain is 1, the lowest ranked domain is 100,000.

resolves_to_refs: optional array of object { id, value }

Specifies a list of references to one or more IP addresses or domain names that the domain name currently resolves to.

id: optional string

STIX 2.1 identifier: https://docs.oasis-open.org/cti/stix/v2.1/cs02/stix-v2.1-cs02.html#_64yvzeku5a5c.

value: optional string

IP address or domain name.

risk_score: optional number

Hostname risk score, which is a value between 0 (lowest risk) to 1 (highest risk).

risk_types: optional array of object { id, name, super_category_id }

id: optional number

super_category_id: optional number

IntelDomainsBulks

Get Multiple Domain Details

GET/accounts/{account_id}/intel/domain/bulk

ModelsExpand Collapse

BulkGetResponse = array of object { additional_information, application, content_categories, 7 more }

additional_information: optional object { suspected_malware_family }

Additional information related to the host name.

suspected_malware_family: optional string

Suspected DGA malware family.

application: optional object { id, name }

Application that the hostname belongs to.

id: optional number

content_categories: optional array of object { id, name, super_category_id }

id: optional number

super_category_id: optional number

domain: optional string

inherited_content_categories: optional array of object { id, name, super_category_id }

id: optional number

super_category_id: optional number

inherited_from: optional string

Domain from which inherited_content_categories and inherited_risk_types are inherited, if applicable.

inherited_risk_types: optional array of object { id, name, super_category_id }

id: optional number

super_category_id: optional number

popularity_rank: optional number

Global Cloudflare 100k ranking for the last 30 days, if available for the hostname. The top ranked domain is 1, the lowest ranked domain is 100,000.

risk_score: optional number

Hostname risk score, which is a value between 0 (lowest risk) to 1 (highest risk).

risk_types: optional array of object { id, name, super_category_id }

id: optional number

super_category_id: optional number

IntelDomain History

Get Domain History

GET/accounts/{account_id}/intel/domain-history

ModelsExpand Collapse

DomainHistory object { categorizations, domain }

categorizations: optional array of object { categories, end, start }

categories: optional array of object { id, name }

id: optional number

end: optional string

formatdate

start: optional string

formatdate

domain: optional string

DomainHistoryGetResponse = array of DomainHistory { categorizations, domain }

categorizations: optional array of object { categories, end, start }

categories: optional array of object { id, name }

id: optional number

end: optional string

formatdate

start: optional string

formatdate

domain: optional string

IntelIPs

ModelsExpand Collapse

IP object { belongs_to_ref, ip, risk_types }

belongs_to_ref: optional object { id, country, description, 2 more }

Specifies a reference to the autonomous systems (AS) that the IP address belongs to.

id: optional string

country: optional string

description: optional string

type: optional "hosting_provider" or "isp" or "organization"

Infrastructure type of this ASN.

One of the following:

"hosting_provider"

"isp"

"organization"

value: optional string

ip: optional string

formatipv4

risk_types: optional array of object { id, name, super_category_id }

id: optional number

super_category_id: optional number

IPGetResponse = array of IP { belongs_to_ref, ip, risk_types }

belongs_to_ref: optional object { id, country, description, 2 more }

Specifies a reference to the autonomous systems (AS) that the IP address belongs to.

id: optional string

country: optional string

description: optional string

type: optional "hosting_provider" or "isp" or "organization"

Infrastructure type of this ASN.

One of the following:

"hosting_provider"

"isp"

"organization"

value: optional string

ip: optional string

formatipv4

risk_types: optional array of object { id, name, super_category_id }

id: optional number

super_category_id: optional number

IntelIP Lists

ModelsExpand Collapse

IPList object { id, description, name }

id: optional number

description: optional string

IntelMiscategorizations

Create Miscategorization

POST/accounts/{account_id}/intel/miscategorization

ModelsExpand Collapse

MiscategorizationCreateResponse object { errors, messages, success }

errors: array of object { code, message, documentation_url, source }

code: number

minimum1000

message: string

documentation_url: optional string

source: optional object { pointer }

pointer: optional string

messages: array of object { code, message, documentation_url, source }

code: number

minimum1000

message: string

documentation_url: optional string

source: optional object { pointer }

pointer: optional string

success: true

Whether the API call was successful.

IntelWhois

ModelsExpand Collapse

Whois object { created_date, domain, nameservers, 6 more }

created_date: optional string

formatdate

domain: optional string

nameservers: optional array of string

registrant: optional string

registrant_country: optional string

registrant_email: optional string

registrant_org: optional string

registrar: optional string

updated_date: optional string

formatdate

WhoisGetResponse object { dnssec, domain, extension, 84 more }

dnssec: boolean

domain: string

extension: string

found: boolean

nameservers: array of string

punycode: string

registrant: string

registrar: string

id: optional string

administrative_city: optional string

administrative_country: optional string

administrative_email: optional string

administrative_fax: optional string

administrative_fax_ext: optional string

administrative_id: optional string

administrative_name: optional string

administrative_org: optional string

administrative_phone: optional string

administrative_phone_ext: optional string

administrative_postal_code: optional string

administrative_province: optional string

administrative_referral_url: optional string

administrative_street: optional string

billing_city: optional string

billing_country: optional string

billing_email: optional string

billing_fax: optional string

billing_fax_ext: optional string

billing_id: optional string

billing_name: optional string

billing_org: optional string

billing_phone: optional string

billing_phone_ext: optional string

billing_postal_code: optional string

billing_province: optional string

billing_referral_url: optional string

billing_street: optional string

created_date: optional string

formatdate-time

created_date_raw: optional string

expiration_date: optional string

formatdate-time

expiration_date_raw: optional string

registrant_city: optional string

registrant_country: optional string

registrant_email: optional string

registrant_fax: optional string

registrant_fax_ext: optional string

registrant_id: optional string

registrant_name: optional string

registrant_org: optional string

registrant_phone: optional string

registrant_phone_ext: optional string

registrant_postal_code: optional string

registrant_province: optional string

registrant_referral_url: optional string

registrant_street: optional string

registrar_city: optional string

registrar_country: optional string

registrar_email: optional string

registrar_fax: optional string

registrar_fax_ext: optional string

registrar_id: optional string

registrar_name: optional string

registrar_org: optional string

registrar_phone: optional string

registrar_phone_ext: optional string

registrar_postal_code: optional string

registrar_province: optional string

registrar_referral_url: optional string

registrar_street: optional string

status: optional array of string

technical_city: optional string

technical_country: optional string

technical_email: optional string

technical_fax: optional string

technical_fax_ext: optional string

technical_id: optional string

technical_name: optional string

technical_org: optional string

technical_phone: optional string

technical_phone_ext: optional string

technical_postal_code: optional string

technical_province: optional string

technical_referral_url: optional string

technical_street: optional string

updated_date: optional string

formatdate-time

updated_date_raw: optional string

whois_server: optional string

IntelIndicator Feeds

Get indicator feeds owned by this account

GET/accounts/{account_id}/intel/indicator-feeds

Get indicator feed metadata

GET/accounts/{account_id}/intel/indicator-feeds/{feed_id}

Create new indicator feed

POST/accounts/{account_id}/intel/indicator-feeds

Update indicator feed metadata

PUT/accounts/{account_id}/intel/indicator-feeds/{feed_id}

Get indicator feed data

GET/accounts/{account_id}/intel/indicator-feeds/{feed_id}/data

ModelsExpand Collapse

IndicatorFeedListResponse object { id, created_on, description, 5 more }

id: optional number

The unique identifier for the indicator feed

created_on: optional string

The date and time when the data entry was created

formatdate-time

description: optional string

The description of the example test

is_attributable: optional boolean

Whether the indicator feed can be attributed to a provider

is_downloadable: optional boolean

Whether the indicator feed can be downloaded

is_public: optional boolean

Whether the indicator feed is exposed to customers

modified_on: optional string

The date and time when the data entry was last modified

formatdate-time

The name of the indicator feed

IndicatorFeedGetResponse object { id, created_on, description, 9 more }

id: optional number

The unique identifier for the indicator feed

created_on: optional string

The date and time when the data entry was created

formatdate-time

description: optional string

The description of the example test

is_attributable: optional boolean

Whether the indicator feed can be attributed to a provider

is_downloadable: optional boolean

Whether the indicator feed can be downloaded

is_public: optional boolean

Whether the indicator feed is exposed to customers

last_upload_summary: optional object { persisted, skipped, uploaded }

Summary of indicator counts from the last successful upload to this feed. Populated by the custom-threat-feeds loader at the end of each successful load. Absent (omitted) when no upload has completed successfully or the upload errored before the summary write. Surfaces silent-failure paths so operators can see when their indicators were dropped (popularity allowlist, expired valid_until, etc.) without reading loader logs.

persisted: optional object { domains_added, domains_removed, ips_added, 3 more }

Net delta applied to feed indicators by this upload. Snapshot uploads emit both *_added and *_removed; delta-add emits only *_added; delta-remove emits only *_removed.

domains_added: optional number

domains_removed: optional number

ips_added: optional number

ips_removed: optional number

urls_added: optional number

urls_removed: optional number

skipped: optional object { allowlisted_domains, expired_indicators, invalid_indicators }

Counts of indicators that were uploaded but did not reach QuickSilver, broken down by reason.

allowlisted_domains: optional number

Domains filtered by the global popularity allowlist at QS provisioning time. Popular domains (bing.com, naver.com, etc.) are protected from custom-threat-feed enforcement.

expired_indicators: optional number

Indicators in the upload whose valid_until is already in the past. These are not added to QS; the expiration cron handles cleanup.

invalid_indicators: optional number

Reserved for future use. Currently always 0 — the unifier aborts the entire upload on a single bad indicator.

uploaded: optional object { domains, ips, urls }

Indicator counts from the unified file the loader received

domains: optional number

Number of domain indicators in the upload

ips: optional number

Number of IP indicators in the upload

urls: optional number

Number of URL indicators in the upload

latest_upload_status: optional "Mirroring" or "Unifying" or "Loading" or 3 more

Status of the latest snapshot uploaded

One of the following:

"Mirroring"

"Unifying"

"Loading"

"Provisioning"

"Complete"

"Error"

modified_on: optional string

The date and time when the data entry was last modified

formatdate-time

The name of the indicator feed

provider_id: optional number

The unique identifier for the provider

provider_name: optional string

The provider of the indicator feed

IndicatorFeedCreateResponse object { id, created_on, description, 5 more }

id: optional number

The unique identifier for the indicator feed

created_on: optional string

The date and time when the data entry was created

formatdate-time

description: optional string

The description of the example test

is_attributable: optional boolean

Whether the indicator feed can be attributed to a provider

is_downloadable: optional boolean

Whether the indicator feed can be downloaded

is_public: optional boolean

Whether the indicator feed is exposed to customers

modified_on: optional string

The date and time when the data entry was last modified

formatdate-time

The name of the indicator feed

IndicatorFeedUpdateResponse object { id, created_on, description, 5 more }

id: optional number

The unique identifier for the indicator feed

created_on: optional string

The date and time when the data entry was created

formatdate-time

description: optional string

The description of the example test

is_attributable: optional boolean

Whether the indicator feed can be attributed to a provider

is_downloadable: optional boolean

Whether the indicator feed can be downloaded

is_public: optional boolean

Whether the indicator feed is exposed to customers

modified_on: optional string

The date and time when the data entry was last modified

formatdate-time

The name of the indicator feed

IndicatorFeedDataResponse = string

IntelIndicator FeedsSnapshots

Update indicator feed data

PUT/accounts/{account_id}/intel/indicator-feeds/{feed_id}/snapshot

ModelsExpand Collapse

SnapshotUpdateResponse object { file_id, filename, status }

file_id: optional number

Feed id

filename: optional string

Name of the file unified in our system

status: optional string

Current status of upload, should be unified

ModelsExpand Collapse

PermissionListResponse = array of object { id, description, is_attributable, 3 more }

id: optional number

The unique identifier for the indicator feed

description: optional string

The description of the example test

is_attributable: optional boolean

Whether the indicator feed can be attributed to a provider

is_downloadable: optional boolean

Whether the indicator feed can be downloaded

is_public: optional boolean

Whether the indicator feed is exposed to customers

The name of the indicator feed

PermissionCreateResponse object { success }

success: optional boolean

Whether the update succeeded or not

PermissionDeleteResponse object { success }

success: optional boolean

Whether the update succeeded or not

IntelIndicator FeedsDownloads

IntelSinkholes

List sinkholes owned by this account

GET/accounts/{account_id}/intel/sinkholes

ModelsExpand Collapse

Sinkhole object { id, account_tag, created_on, 4 more }

id: optional number

The unique identifier for the sinkhole

account_tag: optional string

The account tag that owns this sinkhole

created_on: optional string

The date and time when the sinkhole was created

formatdate-time

modified_on: optional string

The date and time when the sinkhole was last modified

formatdate-time

The name of the sinkhole

r2_bucket: optional string

The name of the R2 bucket to store results

r2_id: optional string

The id of the R2 instance

IntelAttack Surface Report

IntelAttack Surface ReportIssue Types

Retrieves Security Center Issues Types

GET/accounts/{account_id}/intel/attack-surface-report/issue-types

ModelsExpand Collapse

IssueTypeGetResponse = string

ModelsExpand Collapse

IssueType = "compliance_violation" or "email_security" or "exposed_infrastructure" or 3 more

One of the following:

"compliance_violation"

"email_security"

"exposed_infrastructure"

"insecure_configuration"

"weak_authentication"

"configuration_suggestion"

SeverityQueryParam = "low" or "moderate" or "critical"

One of the following:

"low"

"moderate"

"critical"

IssueListResponse object { count, issues, page, per_page }

Indicates the total number of results.

issues: optional array of object { id, dismissed, has_extended_context, 11 more }

id: optional string

dismissed: optional boolean

has_extended_context: optional boolean

Indicates whether the insight has a large payload that requires fetching via the context endpoint.

issue_class: optional string

issue_type: optional IssueType

payload: optional object { detection_method, zone_tag }

detection_method: optional string

Describes the method used to detect insight.

zone_tag: optional string

resolve_link: optional string

resolve_text: optional string

severity: optional "Low" or "Moderate" or "Critical"

One of the following:

"Low"

"Moderate"

"Critical"

since: optional string

formatdate-time

status: optional "active" or "resolved"

The current status of the insight.

One of the following:

"active"

"resolved"

subject: optional string

timestamp: optional string

formatdate-time

user_classification: optional "false_positive" or "accept_risk" or "other"

User-defined classification for the insight. Can be ‘false_positive’, ‘accept_risk’, ‘other’, or null.

One of the following:

"false_positive"

"accept_risk"

"other"

page: optional number

Specifies the current page within paginated list of results.

per_page: optional number

Sets the number of results per page of results.

maximum1000

minimum1

IssueClassResponse = array of object { count, value }

value: optional string

IssueSeverityResponse = array of object { count, value }

value: optional string

IssueTypeResponse = array of object { count, value }

value: optional string

IssueDismissResponse object { errors, messages, success }

errors: array of object { code, message, documentation_url, source }

code: number

minimum1000

message: string

documentation_url: optional string

source: optional object { pointer }

pointer: optional string

messages: array of object { code, message, documentation_url, source }

code: number

minimum1000

message: string

documentation_url: optional string

source: optional object { pointer }

pointer: optional string

success: true

Whether the API call was successful.

Intel

IntelASN

IntelASNSubnets

ModelsExpand Collapse

IntelDNS

ModelsExpand Collapse

IntelDomains

ModelsExpand Collapse

IntelDomainsBulks

ModelsExpand Collapse

IntelDomain History

ModelsExpand Collapse

IntelIPs

ModelsExpand Collapse

IntelIP Lists

ModelsExpand Collapse

IntelMiscategorizations

ModelsExpand Collapse

IntelWhois

ModelsExpand Collapse

IntelIndicator Feeds

ModelsExpand Collapse

IntelIndicator FeedsSnapshots

ModelsExpand Collapse

IntelIndicator FeedsPermissions

ModelsExpand Collapse

IntelIndicator FeedsDownloads

IntelSinkholes

ModelsExpand Collapse

IntelAttack Surface Report

IntelAttack Surface ReportIssue Types

ModelsExpand Collapse

IntelAttack Surface ReportIssues

ModelsExpand Collapse