Request Samples
To get started, register a list of domains with Umbrella Investigate. For more information, see Post Domains and List Category and Status Information.
Get Domain Status and Category
Get the domain status, and security and content category information.
GET /domains/categorization/{domain}
Request Path Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | true | A domain name. |
Request Query Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| showLabels | string | false | Show labels for content categories. |
Request
curl -i GET "https://investigate.api.umbrella.com/domains/categorization/example.com?showlabels" \
-H 'Authorization: Bearer %YourToken%' \
-H 'Content-Type: application/json'
Response
Sample response (200, OK):
{
"example.com": {
"status": 1,
"security_categories": [],
"content_categories": ["Ecommerce/Shopping"]
}
}
Post Domains and List Category and Status Information
List security settings, categories, and status information for the list of domains provided in the request body. In a single request, the payload must not exceed 100KB and contain no more than 1000 domains. The status is a numerical value determined by the Cisco Security Labs team. The valid status values are: '-1' (malicious), '1' (safe), or '0' (undetermined status).
POST /domains/categorization
Request Query Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| showLabels | string | false | Show labels for content categories. |
Request Body Parameters
| Type | Description |
|---|---|
| array | A list of domain name. |
Request
curl -i -X POST "https://investigate.api.umbrella.com/domains/categorization" \
-H 'Authorization: Bearer %YourToken%' \
-H 'Content-Type: application/json'
-d '["example.com", "amazon.com"]'
Response
Sample response (200, OK):
[
"example.com": {
"status": 1,
"security_categories": [],
"content_categories": ["23"]
},
"amazon.com": {
"status": 1,
"security_categories": [],
"content_categories": ["8"]
}
]
Get Domain Query Volume
List the number of domain requests (query volume) in the last 30 days.
GET /domains/volume/{domain}
Request Path Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | true | A domain name. |
Request Query Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| start | string | false | Point in time in the past, expressed as a timestamp in milliseconds or relative time. Valid formats: start=-2days, start=-2hours start=1509332100000. The maximum time range is 30 days. |
| stop | string | false | Point in time in the past expressed as a timestamp in milliseconds or relative time. Valid formats: stop=-1days, stop=now, stop=1509642000000. The maximum time range is 30 days. |
| match | string | false | Valid values: exact, component, or all. The default value is all. |
Request
curl -i GET "https://investigate.api.umbrella.com/domains/volume/{domain}" \
-H 'Authorization: Bearer %YourToken%' \
-H 'Content-Type: application/json'
Response
Sample response (200, OK):
{
"dates": [
"1510873200000",
"1510959600000"
],
"queries": [
"1238823",
"1245126",
"1215994",
"1256917",
"1200190",
"1245963",
"1355719",
"1332685",
"1319825",
"1362464",
"1457174",
"1695448"
]
}
Get Co-occurring Domains
List the domains accessed at the same time as the requested domain.
GET /recommendations/name/{domain}.json
Request Path Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | true | A domain name. |
Request
curl -i GET "https://investigate.api.umbrella.com/recommendations/name/{domain}.json" \
-H 'Authorization: Bearer %YourToken%' \
-H 'Content-Type: application/json'
Response
Sample response (200, OK):
{
"pfs2": [
"download.example.com",
"query.example.com"
],
"found": true
}
Get Passive DNS Data
The Umbrella Investigate API includes four Passive DNS endpoints:
GET
/pdns/name/{domain}Get information from the passive DNS endpoint (historical data from our resolvers for domains and IPs), and other resource records.
GET
/pdns/domain/{domain}Get the Resource Record (RR) data for DNS responses and categorization data, where the answer (or rdata) is the domains.
GET
/pdns/ip/{ip}Get the Resource Record (RR) data for DNS responses and categorization data, where the answer (or rdata) is the domains.
GET
/pdns/raw/{anystring}Get the Resource Record (RR) data for DNS responses and categorization data, where the answer (or rdata) could be any type of data.
Request Path Parameters
/pdns/name/{domain}
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | true | A domain name. |
/pdns/domain/{domain}
| Name | Type | Description |
|---|---|---|
| domain | string | A domain name. |
/pdns/ip/{ip}
| Name | Type | Description |
|---|---|---|
| ip | string | An IP address, such as 208.67.222.222 or 2620:119:35::35. |
/pdns/raw/{anystring}
| Name | Type | Description |
|---|---|---|
| anystring | string | Text representation of the data. When querying TXT records, add quotes around the text. For example, to search for abc format your query as: https://investigate.umbrella.com/pdns/raw/%22abc%22. |
Request Query Parameters
For each Passive DNS endpoint, you can set the following request query parameters:
| Name | Type | Required | Description |
|---|---|---|---|
| limit | integer | false | Specifies the number of records to return in the collection. The default limit is 500 records. The maximum number of records returned between all requests to a Passive DNS endpoint is 10,000. |
| offset | integer | false | Specifies the offset into the collection. The default value is 0, the first record in the collection. |
| recordType | string | false | The record types to return. For example: A, CNAME, NS, MX. Use commas to separate multiple record types. |
| includefeatures | boolean | false | If true adds feature sections to the response. It is false by default. |
| minFirstSeen | integer | false | The server only returns records with firstSeen >= minFirstSeen. |
| maxFirstSeen | integer | false | The server only returns records with firstSeen <= maxFirstSeen. |
| minLastSeen | integer | false | The server only returns records with lastSeen >= minLastSeen. |
| maxLastSeen | integer | false | The server only returns records with lastSeen <= maxLastSeen. |
| sortorder | string | false | Sort records by ascending (asc) or descending (desc) order. By default, the records are returned in descending order (desc). |
| sortby | string | false | Sort records by one of the following values: minTtl, maxTtl, firstSeen, or lastSeen. |
| requiredCategories | string | false | Filter records by security categories. For more information, see Security Categories. |
| sortCategories | string | false | Comma-separated list of security categories or 'All'. 'All' stands for all security categories. Records which have at least one of these security categories will be first in the ordering. The rest of the sorting parameters will be applied within the records with and without any of the security categories. |
Security Categories
To filter Passive DNS records, provide a comma-separated list of security category strings. For example:
Dynamic DNS,Malware,Cryptomining
Note: Security category strings are case-sensitive.
Security Categories:
- Drive-by Downloads/Exploits
- Mobile Threats
- Dynamic DNS
- High Risk Sites and Locations
- Command and Control
- Malware
- Phishing
- Newly Seen Domains
- Potentially Harmful
- DNS Tunneling VPN
- Cryptomining
Sample Passive DNS Request
curl -i GET "https://investigate.api.umbrella.com/pdns/raw/{anystring}" \
-H 'Authorization: Bearer %YourToken%' \
-H 'Content-Type: application/json'
Response
Sample response (200, OK):
[
{
"minTtl": 3600,
"maxTtl": 3600,
"firstSeen": 1544386020,
"lastSeen": 1555327199,
"name": "926723159-3188410",
"type": "TXT",
"rr": "cisco.com",
"securityCategories": [],
"contentCategories": [
"Software/Technology",
"Business Services"
],
"firstSeenISO": "2018-12-09T20:07Z",
"lastSeenISO": "2019-04-15T11:19Z"
}
]
Get Tagging Timeline
List the historical tagging timeline for an IP address, a domain, or a URL.
GET /timeline/{name}
Request Path Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| name | string | true | A domain, an IP address, or a URL |
Request
curl -i GET "https://investigate.api.umbrella.com/timeline/{name}" \
-H 'Authorization: Bearer %YourToken%' \
-H 'Content-Type: application/json'
Response
Sample response (200, OK):
[
{
"categories": [
"Malware"
],
"attacks": [],
"threatTypes": [],
"timestamp": 1561574807853
},
{
"categories": [],
"attacks": [
"Trojan"
],
"threatTypes": [],
"timestamp": 1559545774604
}
]
Security Categories
- Drive-by Downloads/Exploits
- Mobile Threats
- Dynamic DNS
- High Risk Sites and Locations
- Command and Control
- Malware
- Phishing
- Newly Seen Domains
- Potentially Harmful
- DNS Tunneling VPN
- Cryptomining
Get Subdomains of Domain
Get the subdomains of the domain, and list the security categories and time when the subdomain was first related to the domain in the resource record.
GET /subdomains/{domain}
Request Path Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | true | A domain name |
Request Query Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| limit | integer | false | Specifies the number of records to return in the collection. The default limit is 20 records. The maximum number of records is 100. |
| offsetName | string | false | Specify a subdomain to filter the collection. For example: https://investigate.api.umbrella.com/subdomains/cisco.com?offsetName=api.cisco.com. The default value is the target domain. |
Request
curl -i GET "https://investigate.api.umbrella.com/subdomains/{domain}" \
-H 'Authorization: Bearer %YourToken%' \
-H 'Content-Type: application/json'
Response
Sample response (200, OK):
[
{
"securityCategories": [
"Cryptomining"
],
"firstSeen": 1612088333,
"name": "api.c3pool.com"
},
{
"securityCategories": [
"Cryptomining"
],
"firstSeen": 1615427410,
"name": "asia.c3pool.com"
}
]
Security Categories
- Drive-by Downloads/Exploits
- Mobile Threats
- Dynamic DNS
- High Risk Sites and Locations
- Command and Control
- Malware
- Phishing
- Newly Seen Domains
- Potentially Harmful
- DNS Tunneling VPN
- Cryptomining
Get Related Domains
List the domain names frequently requested around the same time (up to 60 seconds before or after) as the given domain name.
GET /links/name/{domain}
Request Path Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | true | A domain name. |
Request
curl -i GET "https://investigate.api.umbrella.com/links/name/example.com" \
-H 'Authorization: Bearer %YourToken%' \
-H 'Content-Type: application/json'
Response
Sample response (200, OK):
{
"tb1": [
{
"www.example1.com",
10
},
{
"info.example2.com.com",
9
},
{
"support.example.com",
3
}
],
"found": true
}
Get Security Domain Information
List multiple scores or security features to gain insight into the reputation or security risk of the site.
GET /security/name/{domain}
Request Path Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | true | A domain name. |
Request
curl -i GET "https://investigate.api.umbrella.com/security/name/example.com" \
-H 'Authorization: Bearer %YourToken%' \
-H 'Content-Type: application/json'
Response
Sample response (200, OK):
{
"dga_score": 38.301771886101335,
"perplexity": 0.4540313302593146,
"entropy": 2.5216406363433186,
"securerank2": -1.3135141095601992,
"pagerank": 0.0262532,
"asn_score": -29.75810625887133,
"prefix_score": -64.9070502788884,
"rip_score": -75.64720536038982,
"popularity": 25.335450495507196,
"geodiversity": [
0.24074075,
0.018518519
],
"geodiversity_normalized": [
0.3761535390278368,
0.0005015965168831449
],
"tld_geodiversity": [],
"geoscore": 0,
"ks_test": 0,
"attack": "",
"threat_type": "",
"found": true
}
Get Risk Score
Get the risk score for the domain. Umbrella Investigate scores the domain from 0 to 100. A score of 100 represents the highest risk whereas a score of 0 indicates no risk. A domain blocked by Umbrella receives a score of 100.
GET /domains/risk-score/{domain}
Request Path Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | true | A domain name. |
Request
curl -i GET "https://investigate.api.umbrella.com/domains/risk-score/example.com" \
-H 'Authorization: Bearer %YourToken%' \
-H 'Content-Type: application/json'
Response
Sample response (200, OK):
{
"indicators": [
{"indicator": "Geo Popularity Score", "normalized_score": 2, "score": -3.610878169999999},
{"indicator": "Keyword Score", "normalized_score": 3, "score": 0.03586190445512534},
{"indicator": "Lexical", "normalized_score": 52, "score": 0.525},
{"indicator": "Popularity 1 Day", "normalized_score": 100, "score": 113.14},
{"indicator": "Popularity 30 Day", "normalized_score": 100, "score": 112.01},
{"indicator": "Popularity 7 Day", "normalized_score": 100, "score": 112.86},
{"indicator": "Popularity 90 Day", "normalized_score": 100, "score": 111.4},
{"indicator": "TLD Rank Score", "normalized_score": 1, "score": 0.010000315765229171},
{"indicator": "Umbrella Block Status", "normalized_score": 0, "score": false}
],
"risk_score": 4
}
Get ASN for IP Address
List the information about the Autonomous System Number (ASN) and IP relationship. Describe how IP addresses relate to each other and to the regional registries. The Autonomous System (AS) is part of the Border Gateway Protocol (BGP) routing for that IP. Each response contains the ASN, the CIDR prefix of the AS, the Internet Registry (RIR) number (0 through 6), the description of the AS, and the creation date for the AS.
GET /bgp_routes/ip/{ip}/as_for_ip.json
The IR number corresponds to one of the five Regional Internet Registries (RIR).
| Registry | Number | Region |
|---|---|---|
| Registry | 1 | AfriNIC: Africa |
| Registry | 2 | APNIC: Asia, Australia, New Zealand, and neighboring countries |
| Registry | 3 | ARIN: United States, Canada, several parts of the Caribbean region, and Antarctica |
| Registry | 4 | LACNIC: Latin America and parts of the Caribbean region |
| Registry | 5 | RIPE NCC: Europe, Russia, the Middle East, and Central Asia |
| Registry | 0 | Unknown / Not Available |
Request Path Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| ip | string | true | Provide an IPv4 address to obtain the AS information. |
Request
curl -i GET "https://investigate.api.umbrella.com/bgp_routes/ip/{ip}/as_for_ip.json" \
-H 'Authorization: Bearer %YourToken%' \
-H 'Content-Type: application/json'
Response
Sample response (200, OK):
{
"creation_date": "2002-08-01",
"ir": 2,
"description": "CHINANET-BACKBONE No.31,Jin-rong Street,CN 86400",
"asn": 4134,
"cidr": "123.172.0.0/15"
}
Get Top Million Domains
List the most requested domains in Umbrella.
GET /topmillion
Request Query Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| limit | integer | false | Set the number of records to include in the response. If not set, the server response may contain one million records. |
Request
curl -i GET "https://investigate.api.umbrella.com/topmillion?limit=1000" \
-H 'Authorization: Bearer %YourToken%' \
-H 'Content-Type: application/json'
Response
Sample response (200, OK):
[
"google.com",
"netflix.com",
"api-global.netflix.com",
"microsoft.com",
"www.google.com",
"facebook.com",
"doubleclick.net",
"g.doubleclick.net",
"googleads.g.doubleclick.net",
"hola.org"
]
Get Newly Seen Domains by Search
List newly seen domains in which the domain matches a specified regular expression pattern. Find the set of domains requested for the first time, within the specified time period. The response does not include domains seen before the specified time period, including well-known domains.
Note: The response may include domains that do not resolve. Occasionally, non-existent domains may appear in the response.
GET /search/{expression}
Search Operators
- An asterisk (
*) matches zero or more instances of the previous token. - A period (
.) matches exactly one character. - Brackets (
[]) matches a class of characters, for example: [0-9] for all numbers, or [a-z] for all letters. - Parentheses (
()) group tokens together for modifiers, for example:(ya)*matchesya,yaya, oryayaya. - Question mark (
?) matches one or zero instances of the previous token. For example,hi(ya)?matcheshiorhiya.
Note: You can use the period (.) character as a wildcard and as a literal in domain names. If you include the period (.) character as part of your pattern, you must escape it using the backslash (\\) character. For example,\\.umbrella\\.commatchesa.umbrella.comorb.umbrella.com.
Request Path Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| expression | string | true | Specifies a standard regular expression pattern search string. Provide a regular expression string that is URL encoded. |
Request Query Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| start | string | true | Specifies a relative or absolute time. Filter for data that appears after this time. To specify an absolute time, use an epoch time (Unix time) millisecond timestamp within the last 31 days since the specified time. To specify a relative time, use either seconds, minutes, hours, days or weeks, and prepend the time with a minus sign. Examples: -1days, -1000minutes, or -2weeks. You can use only one of the relative time enumerators per query. |
| stop | string | false | Specifies the exclusive end time in milliseconds or a relative time. Filter for data that appears before this time. Examples: now, -2days. |
| includeCategory | boolean | false | Enables or disables the inclusion of security categories in the response. The default value is false. |
| limit | integer | false | Specifies the maximum number of items to return in the collection. Use with the offset parameter to paginate the collection. |
| offset | integer | false | Specifies a number that represents an index into the collection. The default offset value is 0, the first record in the collection. |
| type | string | false | Specifies the search database node type. Valid values are: URL, IP, or HOST. |
Request
curl -i GET "https://investigate.api.umbrella.com/search/exa\[a-z\]ple.com?start=-30days&limit=10&includecategory=true" \
-H 'Authorization: Bearer %YourToken%' \
-H 'Content-Type: application/json'
Response
Sample response (200, OK):
{
"expression": "exa[a-z]ple.com",
"totalResults": 1,
"moreDataAvailable": false,
"limit": 1000,
"matches": [
{
"name": "example",
"firstSeen": 1432330927421,
"firstSeenISO": "2015-05-22T21:42:07.421Z",
"securityCategories": [
"Botnet"
]
}
]
}
Get WHOIS Domain
List the WHOIS information for the domain.
GET /whois/{domain}
Request
curl -i GET "https://investigate.api.umbrella.com/whois/google.com" \
-H 'Authorization: Bearer %YourToken%' \
-H 'Content-Type: application/json'
Response
Click to view the sample response
{
"administrativeContactFax": null,
"whoisServers": "whois.markmonitor.com",
"addresses": [],
"administrativeContactName": null,
"zoneContactEmail": null,
"billingContactFax": null,
"administrativeContactTelephoneExt": null,
"administrativeContactEmail": null,
"technicalContactEmail": null,
"technicalContactFax": null,
"nameServers": [
"ns1.google.com",
"ns2.google.com",
"ns3.google.com",
"ns4.google.com"
],
"zoneContactName": null,
"billingContactPostalCode": null,
"zoneContactFax": null,
"registrantTelephoneExt": null,
"zoneContactFaxExt": null,
"technicalContactTelephoneExt": null,
"billingContactCity": null,
"zoneContactStreet": [],
"created": "1997-09-15",
"administrativeContactCity": null,
"registrantName": null,
"zoneContactCity": null,
"domainName": "google.com",
"zoneContactPostalCode": null,
"administrativeContactFaxExt": null,
"technicalContactCountry": "UNITED STATES",
"registrarIANAID": "292",
"updated": "2019-09-09",
"administrativeContactStreet": [],
"billingContactEmail": null,
"status": [
"clientDeleteProhibited clientTransferProhibited clientUpdateProhibited serverDeleteProhibited serverTransferProhibited serverUpdateProhibited"
],
"registrantCity": null,
"billingContactCountry": null,
"expires": "2028-09-14",
"technicalContactStreet": [],
"registrantOrganization": "Google LLC",
"billingContactStreet": [],
"registrarName": "MarkMonitor, Inc.",
"registrantPostalCode": null,
"zoneContactTelephone": null,
"registrantEmail": null,
"technicalContactFaxExt": null,
"technicalContactOrganization": "Google LLC",
"emails": [],
"registrantStreet": [],
"technicalContactTelephone": null,
"technicalContactState": "CA",
"technicalContactCity": null,
"registrantFax": null,
"registrantCountry": "UNITED STATES",
"billingContactFaxExt": null,
"timestamp": null,
"zoneContactOrganization": null,
"administrativeContactCountry": "UNITED STATES",
"billingContactName": null,
"registrantState": "CA",
"registrantTelephone": null,
"administrativeContactState": "CA",
"registrantFaxExt": null,
"technicalContactPostalCode": null,
"zoneContactTelephoneExt": null,
"administrativeContactOrganization": "Google LLC",
"billingContactTelephone": null,
"billingContactTelephoneExt": null,
"zoneContactState": null,
"administrativeContactTelephone": null,
"billingContactOrganization": null,
"technicalContactName": null,
"administrativeContactPostalCode": null,
"zoneContactCountry": null,
"billingContactState": null,
"auditUpdatedDate": "2021-06-25 06:47:48 UTC",
"recordExpired": false,
"timeOfLatestRealtimeCheck": 1624607404215,
"hasRawText": true
}
Get WHOIS by Search Field and Search
List the WHOIS records that match the specified regular expression. Search the WHOIS domain, nameserver, or email fields which were updated or created within the specified time period. You can set the offset and limit query parameters to paginate the collection. By default, Umbrella Investigate sorts the collection by the updated search field.
GET /whois/search/{searchField}/{regularExpression}
Search Operators
- An asterisk (
*) matches zero or more instances of the previous token. - A period (
.) matches exactly one character. - Brackets (
[]) matches a class of characters, for example: [0-9] for all numbers, or [a-z] for all letters. - Parentheses (
()) group tokens together for modifiers, for example:(ya)*matchesya,yaya, oryayaya. - Question mark (
?) matches one or zero instances of the previous token. For example,hi(ya)?matcheshiorhiya.
Note: You can use the period (.) character as a wildcard and as a literal in domain names. If you include the period (.) character as part of your pattern, you must escape it using the backslash (\\) character. For example,\\.umbrella\\.commatchesa.umbrella.comorb.umbrella.com.
Request Path Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| regularExpression | string | true | Specifies a standard regular expression pattern search string. Provide a regular expression string that is URL encoded. |
| searchField | string | true | Specifies a field name to use in the regular expression search. Valid field names: domain, nameserver, or email. |
Request Query Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| start | string | true | Specifies a relative or absolute time. Filter for data that appears after this time. To specify an absolute time, use an epoch time (Unix time) millisecond timestamp within the last 31 days since the specified time. To specify a relative time, use either seconds, minutes, hours, days or weeks, and prepend the time with a minus sign. Examples: -1days, -1000minutes, or -2weeks. You can use only one of the relative time enumerators per query. |
| stop | string | false | Specifies the exclusive end time in milliseconds or a relative time. Filter for data that appears before this time. Examples: now, -2days. |
| limit | integer | false | Specifies the maximum number of items to return in the collection. Use with the offset parameter to paginate the response. The default limit is 10. |
| offset | integer | false | Specifies a number that represents the index into the collection. The default offset value is 0, the first record in the collection. |
| sortField | string | false | Specifies the sort type. Valid values are: created, updated, expires, or domainname. The default value is updated. |
Request
curl -i GET "https://investigate.api.umbrella.com/whois/search/domain/exa\[a-z\]ple.com?start=-30days&limit=10&sortField=updated" \
-H 'Authorization: Bearer %YourToken%' \
-H 'Content-Type: application/json'
Response
Sample response (200, OK):
{
"totalResults": 500,
"offset": 0,
"moreDataAvailable": true,
"limit": 10,
"sortField": "updated",
"records": []
}
Get Samples for Domain, IP, or URL
Specify a domain, IP, or URL. Use the destination to search for all samples associated with the destination. The default number of items in a response is 10. You can extend the limit. You must have a license for Cisco Secure Malware Analytics to receive the samples data.
Cisco Secure Malware Analytics retains checksum samples for one year. You may find that Umbrella Investigate previously listed an associated checksum sample for an IP or domain, but the sample is no longer considered related to the destination by Cisco Secure Malware Analytics.
An error may occur when the requested destination is not in a valid format, if the requested host is not found in our database, or if there is no data available for the destination that you have requested. CIDR subnets (for example: 10.10.10.0/24) and pattern search is not supported.
GET https://investigate.api.um/samples/{destination}
Request Path Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| destination | string | true | A domain, IP, or URL. For example: cisco.com, 195.22.28.196, or https://cisco.com. |
Request Query Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| limit | integer | false | The number of items to return from the collection. The default is 10. Increase the limit to request a larger set of data. |
| offset | integer | false | A number that represents an index into the collection. By default, the offset is 0 (the first record). |
| sortby | string | false | Sort the sample based on optional fields. Valid values are: first-seen, last-seen, or score. The default value is score. |
Request
curl -L --location-trusted --request GET --url "https://investigate.api.um/samples/{destination}" \
-H 'Authorization: Bearer %YourAccessToken%' \
-H 'Content-Type: application/json'
Response
Click to view the sample response (200, OK)
[
{
"query": "google.com",
"totalResults": 10,
"moreDataAvailable": true,
"limit": 10,
"offset": 0,
"samples": [
{
"sha256": "e9d3470c37dada28d5a32fb53a243c5b20def35bb01abf8f5403182cc2b91fdd",
"sha1": "de182fdcc3c0d473b90a0df0ad14c2074d1e7c50",
"md5": "282f80e8a2cf9e0e0dd72093787d99c6",
"magicType": "PE32 executable (GUI) Intel 80386, for MS Windows",
"threatScore": 100,
"size": 192512,
"firstSeen": "1460108539000",
"lastSeen": "1460108539000",
"visible": true,
"avresults": [
{
"signature": "Win.Trojan.Ramnit",
"product": "ClamAV"
},
{
"signature": "Win.Trojan.Parite",
"product": "ClamAV"
}
]
}
]
}
]