
Edgewatch Cyber Threat Intelligence (CTI) API

Edgewatch Cyber Threat Intelligence (CTI) delivers real-time, first-hand indicators and context from a global honeypot network, exposed via a REST API and STIX/TAXII 2.1 feeds. Use it to enrich SIEM/SOAR workflows, blocklists, and investigations with high-fidelity IOCs (IPs, hostnames, URLs, file hashes).

Base URL & Auth

  • REST base URL: https://cti.edgewatch.net

  • Auth: Bearer token in the Authorization header, for example Authorization: Bearer <YOUR_TOKEN>. If the token is missing or invalid the API responds with {"detail":"Not authenticated"}. Obtain API keys in the Edgewatch portal or via support.

  • Quickstart (cURL & Python)

    cURL:

    curl -H "Authorization: Bearer YOUR_TOKEN" \
      https://cti.edgewatch.net/ip/203.0.113.45

    Python:

    import requests
    h = {"Authorization": "Bearer YOUR_TOKEN"}
    # 200 returns the IOC document, 401 means a bad/missing token, 404 means the IP is unknown
    r = requests.get("https://cti.edgewatch.net/ip/203.0.113.45", headers=h, timeout=30)
    print(r.status_code, r.json())

    Endpoints

    • GET /ip/{ip}
      Purpose: intelligence for an IP: classification, tags, honeypot sightings, geo, first/last seen.
      Notes: returns blacklist entries with source and counts.
    • GET /hostname/{hostname}
      Purpose: intelligence for a hostname/subdomain: resolved IPs, domain metadata.
      Notes: use the exact hostname.
    • GET /url/{percent-encoded-url}
      Purpose: context for a specific URL: sightings, classification, tags.
      Notes: the URL must be percent-encoded.
    • GET /sample/{hash}
      Purpose: file intelligence (SHA256/MD5): type, size, tags, detection/blacklist info.
      Notes: accepts sha256/md5/sha1.

    Sample IP response

    {
      "ip_addr": "203.0.113.45",
      "classification": "malicious",
      "tag": ["ssh","malware"],
      "blacklist": [
        {"source":"Cowrie","description":"SSH brute-force","first_seen":"2025-05-12 00:30:45","last_seen":"2025-05-12 01:15:00","count":15}
      ],
      "location":{"lat":35.0,"lon":103.0},
      "creation_time":"2025-05-12 00:30:45",
      "modification_time":"2025-05-12 01:15:00",
      "type":"ip"
    }

    STIX/TAXII 2.1 Feeds

    TAXII server: https://cti.edgewatch.net:9000/ (TAXII 2.1). Point your TAXII client (e.g., Cabby, OpenCTI, MISP TAXII) at the endpoint above and authenticate with your token, per your client's token configuration, to pull STIX bundles and collections.
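The pull described above, as an added example that is not part of the article and not the code of any TAXII client library: a standard-library Python client that pages through one TAXII 2.1 collection and reduces simple STIX indicator patterns to blocklist entries. The objects path (`{api_root}collections/{id}/objects/`), the `Accept` media type and the `more`/`next` paging envelope follow the TAXII 2.1 specification; the API root, collection id, bearer token and the two-page sample envelope are constructed placeholders, because the article gives only the server URL and says to authenticate with your token.

```python
"""Pull STIX 2.1 indicators from a TAXII 2.1 collection and reduce simple
patterns to blocklist entries. Added example, not Edgewatch's or any TAXII
client's code. The objects path and 'more'/'next' paging follow the TAXII 2.1
spec; api root, collection id, token and sample envelopes are constructed."""
import json
import re
import urllib.error
import urllib.request
from urllib.parse import urlencode

TAXII_ACCEPT = "application/taxii+json;version=2.1"   # media type required by TAXII 2.1

# Single-comparison patterns only, e.g. "[ipv4-addr:value = '203.0.113.45']" or
# "[file:hashes.'SHA-256' = '<hex>']". Compound patterns (AND / OR / FOLLOWEDBY)
# cannot be reduced to one blocklist entry and are skipped on purpose.
VALUE_RE = re.compile(r"^\[(ipv4-addr|ipv6-addr|domain-name|url):value\s*=\s*'([^']+)'\]$")
HASH_RE = re.compile(r"^\[file:hashes\.'?(SHA-256|SHA-1|MD5)'?\s*=\s*'([0-9A-Fa-f]+)'\]$")


def pattern_to_entry(pattern):
    """(ioc_type, value) for a reducible STIX pattern, else None."""
    text = pattern.strip()
    m = VALUE_RE.match(text)
    if m:
        return m.group(1), m.group(2)
    m = HASH_RE.match(text)
    if m:
        return "file:" + m.group(1).lower(), m.group(2).lower()
    return None


def blocklist_from_objects(objects):
    """Indicators only, skipping revoked ones and non-STIX pattern types;
    duplicates are dropped while keeping first-seen order."""
    seen, entries = set(), []
    for obj in objects:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        entry = pattern_to_entry(obj.get("pattern", ""))
        if entry and entry not in seen:
            seen.add(entry)
            entries.append(entry)
    return entries


def urllib_transport(url, headers):
    """(status, body) via urllib; HTTPError is unwrapped so callers see the code."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=60) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def fetch_collection_objects(api_root, collection_id, token, transport=urllib_transport, added_after=None):
    """Walk {api_root}collections/{id}/objects/. A page with "more": true
    carries a "next" cursor that is echoed back as a query parameter;
    added_after (a STIX timestamp) makes repeated polls incremental."""
    headers = {"Authorization": "Bearer " + token, "Accept": TAXII_ACCEPT}
    base = api_root.rstrip("/") + "/collections/" + collection_id + "/objects/"
    params, objects = {}, []
    if added_after:
        params["added_after"] = added_after
    while True:
        url = base + ("?" + urlencode(params) if params else "")
        status, body = transport(url, headers)
        if status != 200:
            raise RuntimeError("TAXII %d from %s: %s" % (status, url, body[:200]))
        envelope = json.loads(body)
        objects.extend(envelope.get("objects", []))
        if not (envelope.get("more") and envelope.get("next")):
            return objects
        params["next"] = envelope["next"]


# Constructed two-page envelope; ids, values and the cursor are placeholders.
SAMPLE_PAGES = [
    (200, json.dumps({"more": True, "next": "cursor-2", "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.45']"},
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000002", "name": "ssh-bot"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'c2.example.test']"}]})),
    (200, json.dumps({"more": False, "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern_type": "stix", "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000005", "revoked": True,
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.7']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000006", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.9'] AND [url:value = 'http://c2.example.test/x']"}]})),
]


def replay_transport(responses, requested):
    """Offline stand-in: pops queued (status, body) pairs, appends each URL to 'requested'."""
    queue = list(responses)
    return lambda url, headers: (requested.append(url), queue.pop(0))[1]


if __name__ == "__main__":   # offline run against the constructed pages
    objs = fetch_collection_objects("https://cti.edgewatch.net:9000/API_ROOT_PLACEHOLDER/",
                                    "COLLECTION_ID", "YOUR_TOKEN", replay_transport(SAMPLE_PAGES, []))
    print(blocklist_from_objects(objs))
```

Against the live server, drop the `replay_transport` argument so the urllib transport is used, and store the latest object `created`/`modified` timestamp to pass as `added_after` on the next poll. Compound patterns are intentionally not turned into blocklist entries: an `AND` of two observables only matches when both are seen together, so blocking either one alone would over-block.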

    Ready-to-Use Feeds

    A catalog of downloadable, ready-to-use threat feeds (e.g., for direct consumption by firewalls/SIEMs) is available at https://cti.edgewatch.net/feeds

    HTTP Status Codes

    • 200 success
    • 401 unauthorized (invalid/missing token)
    • 404 IOC not found
    • 429 rate limit exceeded
    • 500 internal server error

    Integration Tips

    • Percent-encode URLs for the /url/{…} endpoint.
    • Time fields (e.g., first_seen, last_seen) are returned in UTC—use your SIEM’s time-zone normalization.
    • Field mapping (SIEM): map classification to threat.severity/category, tag to labels, blacklist[].source to enrichment.source, and first_seen/last_seen to event start/end. (Derived from example fields.)
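The REST endpoints, the status-code handling and the field mapping from the three sections above, combined into one added example that is not Edgewatch's own client code. It uses only the Python standard library (the quickstart uses `requests`) and embeds the article's sample IP response as offline input. Assumptions: the exponential-backoff policy for 429 (1s, 2s, 4s) and the `replay_transport` stand-in are the example's own; the SIEM field names are the ones the Integration Tips suggest; `YOUR_TOKEN` is a placeholder.

```python
"""Edgewatch CTI REST client sketch: endpoint paths, the documented status
codes and the article's SIEM field mapping. Added example, not Edgewatch's own
client; standard library only (the article's quickstart uses requests)."""
import json
import time
import urllib.error
import urllib.request
from urllib.parse import quote

BASE_URL = "https://cti.edgewatch.net"   # REST base URL from the article


class CtiError(Exception):
    """401, 500, an unexpected status, or 429 after the retries ran out."""


def ioc_path(kind, value):
    """REST path for one IOC type; /url/ needs the whole URL percent-encoded."""
    if kind == "ip":
        return "/ip/" + value
    if kind == "hostname":
        return "/hostname/" + value
    if kind == "url":
        return "/url/" + quote(value, safe="")   # also escapes '/' and ':'
    if kind == "sample":
        return "/sample/" + value.lower()        # sha256 / md5 / sha1 digest
    raise ValueError("unknown IOC kind: %r" % kind)


def urllib_transport(url, headers):
    """(status, body) via urllib; HTTPError is unwrapped so fetch_ioc sees the code."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def replay_transport(responses, requested):
    """Offline stand-in (constructed): pops queued (status, body) pairs, records URLs."""
    queue = list(responses)
    return lambda url, headers: (requested.append(url), queue.pop(0))[1]


def fetch_ioc(kind, value, token, transport=urllib_transport, max_retries=3, sleep=time.sleep):
    """200 -> parsed document, 404 -> None, 429 -> exponential backoff
    (assumed policy: 1s, 2s, 4s), anything else -> CtiError."""
    url = BASE_URL + ioc_path(kind, value)
    headers = {"Authorization": "Bearer " + token, "Accept": "application/json"}
    for attempt in range(max_retries + 1):
        status, body = transport(url, headers)
        if status == 200:
            return json.loads(body)
        if status == 404:
            return None
        if status == 429 and attempt < max_retries:
            sleep(2 ** attempt)
            continue
        if status == 429:
            raise CtiError("rate limit still exceeded after %d retries" % max_retries)
        if status == 401:
            raise CtiError("not authenticated, check the bearer token: " + body)
        raise CtiError("HTTP %d from %s: %s" % (status, url, body[:200]))


def utc_iso(ts):
    """API timestamps ('YYYY-MM-DD HH:MM:SS') are UTC; make that explicit for the SIEM."""
    return ts.replace(" ", "T") + "Z"


def to_siem_event(doc):
    """classification -> threat.category, tag -> labels, blacklist[].source ->
    enrichment.source, first/last_seen -> event.start/end (earliest/latest)."""
    entries = doc.get("blacklist", [])
    starts = [e["first_seen"] for e in entries if "first_seen" in e]
    ends = [e["last_seen"] for e in entries if "last_seen" in e]
    return {
        "threat.indicator.value": doc.get("ip_addr"),
        "threat.category": doc.get("classification"),
        "labels": list(doc.get("tag", [])),
        "enrichment.source": sorted({e["source"] for e in entries if "source" in e}),
        "event.start": utc_iso(min(starts)) if starts else None,
        "event.end": utc_iso(max(ends)) if ends else None,
        "sightings": sum(e.get("count", 0) for e in entries),
    }


# The article's sample IP response, serialised so it can stand in for a live reply.
SAMPLE_IP_JSON = json.dumps({
    "ip_addr": "203.0.113.45", "classification": "malicious", "tag": ["ssh", "malware"],
    "blacklist": [{"source": "Cowrie", "description": "SSH brute-force",
                   "first_seen": "2025-05-12 00:30:45", "last_seen": "2025-05-12 01:15:00", "count": 15}],
    "location": {"lat": 35.0, "lon": 103.0}, "creation_time": "2025-05-12 00:30:45",
    "modification_time": "2025-05-12 01:15:00", "type": "ip"})

if __name__ == "__main__":   # offline run: two 429s, then the sample document
    t = replay_transport([(429, ""), (429, ""), (200, SAMPLE_IP_JSON)], [])
    doc = fetch_ioc("ip", "203.0.113.45", "YOUR_TOKEN", t, sleep=lambda s: None)
    print(json.dumps(to_siem_event(doc), indent=2))
```

For a live lookup call `fetch_ioc("url", "http://...", token)` without the transport argument; `ioc_path` does the percent-encoding the `/url/{...}` endpoint requires, and a 404 comes back as `None` so ingestion pipelines can distinguish "not known to Edgewatch" from a real error.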

    Examples by Use Case

    • Blocklist enrichment: poll /ip/{ip} during ingestion to tag events with classification and tags.
    • IR pivoting: from a phishing URL, query /url/{url} then pivot to related /hostname and /ip artifacts.
    • Malware triage: hash a suspicious file, query /sample/{hash} to enrich case notes with file type/tags/blacklist sources.
    • Threat hunting: subscribe to TAXII collections and continuously ingest STIX objects into your threat-intel store.
