Request IP Feed Information
The API Reference information for retrieving IP feed information can be found here.
Overview
The Threat Vault API can be used to request IP feed information. Consider the following examples:
Keep a few things in mind when formatting your API query:
- All the query strings in Get requests must be a URL-Encoded parameter string. If you use a space in the URL-Encoded request, you must include either a plus sign (+) or %20 to replace the space.
- You can specify the content type of the request body and response by specifying the Content-Type header. Some responses generate an HTTP response in addition to a JSON object.
- Do not embed API keys in code or application source tree files. This can inadvertently expose the API key. Instead, consider storing the API key in environmental variables or files that are excluded from your application source tree files.
Example 1: Request information about the specific IP feed name that is present in the Threat Intelligence database while limiting the maximum number of results to three:
curl -H 'X-API-KEY: API_KEY' 'https://api.threatvault.paloaltonetworks.com/service/v1/ip-feed?name=malicious&limit=3'
A successful API call returns, within the contents section, status="success" along with the IP feed results.
{
"success": true,
"link": {
"next": "https://api.threatvault.paloaltonetworks.com/service/v1/ip-feed?name=malicious&limit=3&offset=3",
"previous": null
},
"count": 4508,
"data": [
{
"ipaddr": "1.33.230.137",
"name": "Malicious IP Feed",
"status": "released",
"release": {
"first_release_version": "3327",
"first_release_time": "2020-04-22T20:38:31Z"
},
"geo": "JP (Japan)",
"asn": "2514 (INFOSPHERE NTT PC Communications, Inc., JP)"
},
{
"ipaddr": "1.117.154.185",
"name": "Malicious IP Feed",
"status": "released",
"release": {
"first_release_version": "4090",
"first_release_time": "2022-05-21T21:43:42Z"
},
"geo": "CN (China)",
"asn": "45090 (TENCENT-NET-AP Shenzhen Tencent Computer Systems Company Limited, CN)"
},
{
"ipaddr": "1.117.180.42",
"name": "Malicious IP Feed",
"status": "released",
"release": {
"first_release_version": "3888",
"first_release_time": "2021-11-02T00:53:22Z"
},
"geo": "CN (China)",
"asn": "45090 (TENCENT-NET-AP Shenzhen Tencent Computer Systems Company Limited, CN)"
}
],
"message": "Successful"
}
Example 2: Request information about the specific matching IP address in the Threat Intelligence database:
curl -H 'X-API-KEY: API_KEY' 'https://api.threatvault.paloaltonetworks.com/service/v1/ip-feed?ipaddr=193.189.116.210'
A successful API call returns, within the Contents section, status="success" along with the associated IP feed entry details:
{
"success": true,
"link": {
"next": null,
"previous": null
},
"count": 1,
"data": [
{
"ipaddr": "193.189.116.210",
"name": "Malicious IP Feed",
"status": "released",
"release": {
"first_release_version": "2113",
"first_release_time": "2016-10-18T11:06:51Z"
},
"geo": "PL (Poland)",
"asn": "44124 (RYBNET-AS, PL)"
}
],
"message": "Successful"
}
Example 3: Request information about the specific IP address using an IP address that does [not] exist in the Threat Intelligence database. This returns only Geolocation and Autonomous System information:
curl -H 'X-API-KEY: API_KEY' 'https://api.threatvault.paloaltonetworks.com/service/v1/ip-feed?ipaddr=193.189.116.215'
A successful API call returns, within the Contents section, status="success" along with the associated IP feed entry details:
{
"success": true,
"link": {
"next": null,
"previous": null
},
"count": 1,
"data": [
{
"ipaddr": "193.189.116.215",
"name": null,
"status": "N/A",
"release": {},
"geo": "PL (Poland)",
"asn": "44124 (RYBNET-AS, PL)"
}
],
"message": "Successful"
}
Example 4: Request information about matching IP feed entries found in the Threat Intelligence database based on a range of IP addresses. This returns only Geolocation and Autonomous System information:
curl -H 'X-API-KEY: API_KEY' 'https://api.threatvault.paloaltonetworks.com/service/v1/ip-feed?fromipaddr=185.130.5.207&toipaddr=185.130.5.236'
A successful API call returns, within the Contents section, status="success" along with the associated IP feed entry details:
{
"success": true,
"link": {
"next": null,
"previous": null
},
"count": 7,
"data": [
{
"ipaddr": "185.130.5.207",
"name": "Malicious IP Feed",
"status": "released",
"release": {
"first_release_version": "2113",
"first_release_time": "2016-10-18T07:00:00Z"
},
"geo": "DE (Germany)",
"asn": "204527 (BJNIP, DE)"
},
{
"ipaddr": "185.130.5.208",
"name": "Malicious IP Feed",
"status": "released",
"release": {
"first_release_version": "2113",
"first_release_time": "2016-10-18T07:00:00Z"
},
"geo": "DE (Germany)",
"asn": "204527 (BJNIP, DE)"
},
{
"ipaddr": "185.130.5.224",
"name": "Malicious IP Feed",
"status": "released",
"release": {
"first_release_version": "2113",
"first_release_time": "2016-10-18T07:00:00Z"
},
"geo": "DE (Germany)",
"asn": "204527 (BJNIP, DE)"
},
{
"ipaddr": "185.130.5.231",
"name": "Malicious IP Feed",
"status": "released",
"release": {
"first_release_version": "2113",
"first_release_time": "2016-10-18T07:00:00Z"
},
"geo": "DE (Germany)",
"asn": "204527 (BJNIP, DE)"
},
{
"ipaddr": "185.130.5.233",
"name": "High Risk IP Feed",
"status": "expired",
"release": {
"first_release_version": "2113",
"first_release_time": "2016-10-18T07:00:00Z"
},
"geo": "DE (Germany)",
"asn": "204527 (BJNIP, DE)"
},
{
"ipaddr": "185.130.5.234",
"name": "High Risk IP Feed",
"status": "expired",
"release": {
"first_release_version": "2113",
"first_release_time": "2016-10-18T07:00:00Z"
},
"geo": "DE (Germany)",
"asn": "204527 (BJNIP, DE)"
},
{
"ipaddr": "185.130.5.235",
"name": "High Risk IP Feed",
"status": "expired",
"release": {
"first_release_version": "2113",
"first_release_time": "2016-10-18T07:00:00Z"
},
"geo": "DE (Germany)",
"asn": "204527 (BJNIP, DE)"
}
],
"message": "Successful"
}