riskiq package

Submodules

riskiq.api module

RiskIQ API

class riskiq.api.Client(token, key, server='ws.riskiq.net', version='v1', http_proxy=None, https_proxy=None)

Bases: object

RiskIQ API Client

Example:

from riskiq.api import Client
# Put credentials here.
token, key = None, None
client = Client(token, key)

# Submit URLs to your project
urls = ['http://evilexample.com/evil.php?shell=true', ...]
client.submit_landing_page_bulk(urls, project_name='Example')

# Get blacklist list from varying date ranges
client.get_blacklist_list(days=5)
data = client.get_blacklist_list(
    start="2014/08/01 00:00:00", end="today 00:00:00"
)
results = data['resources']
all_malware = [x for x in results if x['malware']]

TIMEOUT = 60

classmethod from_config()

get_affiliate_campaign_summary(days=1, start=None, end=None)

Return the affiliate campaign summary report for the given date range.

Parameters:
  • days – How many days to include from today (for generating 30 day time windows, etc.)
  • start – Override start date.
  • end – Override end date.
Returns:

data containing the number of results and the objects

get_affiliate_incident_list(known_profile=None, max_results=None, days=1, start=None, end=None)

Return the affiliate incident list for the given date range.

Parameters:
  • known_profile – Bool, only return incidents that match a known profile
  • max_results – maximum number of results to return
  • days – How many days to include from today (for generating 30 day time windows, etc.)
  • start – Override start date.
  • end – Override end date.
Returns:

data containing the number of results and the objects

get_android(package_name)

Retrieve an android application by package name. If the app is not found, 404 NOT FOUND is returned.

Parameters: package_name – name of android package
Returns: the requested app

get_android_lookup(url)

Retrieve an android app by store URL. The store URL should be of the form https://play.google.com/store/apps/details?id=[package name]

Parameters: url – The store URL
Returns: app details

get_binary_data(md5_hash)

Query for the binary with the given MD5 hash, returned base64-encoded.

Parameters: md5_hash – md5 hash of the binary data
Returns: object containing a dict with ‘data’ key encoded in base64

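
Checking a downloaded sample before it is stored, as an added example that is not part of the riskiq package: it assumes the response is a dict whose 'data' key holds the base64 string. decode_binary and the SAMPLE_* values are hypothetical names constructed here.

```python
import base64
import binascii
import hashlib

# Constructed sample: harmless bytes standing in for a real API response.
SAMPLE_PAYLOAD = b"constructed sample bytes, not a real binary"
SAMPLE_MD5 = hashlib.md5(SAMPLE_PAYLOAD).hexdigest()
SAMPLE_RESPONSE = {"data": base64.b64encode(SAMPLE_PAYLOAD).decode("ascii")}


def decode_binary(response, md5_hash):
    """Decode the base64 'data' field and check it against the requested MD5.

    Assumption: `response` is the dict returned by client.get_binary_data().
    Returns (raw_bytes, sha256_hex); raises ValueError on any inconsistency.
    """
    try:
        # validate=True rejects characters outside the base64 alphabet
        # instead of silently discarding them.
        raw = base64.b64decode(response["data"], validate=True)
    except (KeyError, TypeError, binascii.Error) as exc:
        raise ValueError("response has no valid base64 'data' field") from exc

    digest = hashlib.md5(raw).hexdigest()
    if digest != md5_hash.strip().lower():
        raise ValueError("MD5 mismatch: asked for %s, got %s" % (md5_hash, digest))

    # MD5 is only the lookup key here; keep a SHA-256 for later tracking.
    return raw, hashlib.sha256(raw).hexdigest()


if __name__ == "__main__":
    raw, sha256 = decode_binary(SAMPLE_RESPONSE, SAMPLE_MD5)
    print(len(raw), sha256)
```
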
get_binary_list(virus_total_only=None, client_workspace_only=None, days=1, start=None, end=None)

Return a list of all binaries in date range

Parameters:
  • virus_total_only – Bool, only include those flagged by VT
  • client_workspace_only – Bool, only include those found in crawls
  • days – How many days to include from today (for generating 30 day time windows, etc.)
  • start – Override start date.
  • end – Override end date.
Returns:

data containing the number of results and the objects

get_blacklist_incident(url)

Query blacklist incidents by url.

Parameters: url – URL to query blacklist on.
Returns: Blacklist incident

get_blacklist_incident_list(all_workspace_crawls=None, days=1, start=None, end=None, timeout=None)

Query the list of blacklist incidents within the timeframe.

Parameters:
  • all_workspace_crawls – False by default, filtered to crawls that are either landing pages, site scanning, or matching a brand classifier
  • days – How many days to include from today (for generating 30 day time windows, etc.)
  • start – Override start date.
  • end – Override end date.
Returns:

Blacklist list

get_blacklist_list(blacklist_filter=None, days=1, start=None, end=None)

Query blacklisted resources

Parameters:
  • blacklist_filter – None, or one of ‘blackhole’, ‘sakura’, ‘exploitKit’
  • days – How many days to include from today (for generating 30 day time windows, etc.)
  • start – Override start date.
  • end – Override end date.
Returns:

all blacklisted resources

get_blacklist_lookup(url)

Query blacklist on url.

Parameters: url – URL to query blacklist on.
Returns: Blacklist Dict

get_blacklist_malware(blacklist_filter=None, confidence=None, days=1, start=None, end=None)

Query for all discovered malware resources generated within a particular period.

Parameters:
  • blacklist_filter – None, or one of ‘blackhole’, ‘sakura’, ‘exploitKit’
  • confidence – to restrict the result set by malicious probability ‘H’, ‘M’, ‘L’ (high, medium, low)
  • days – How many days to include from today (for generating 30 day time windows, etc.)
  • start – Override start date.
  • end – Override end date.
Returns:

all blacklisted resources

get_crawl_volume_daily_summary(days=1, start=None, end=None)

Query for the crawl volume daily summary report for the date range

Parameters:
  • days – How many days to include from today (for generating 30 day time windows, etc.)
  • start – Override start date.
  • end – Override end date.
Returns:

crawl volume daily summary

get_dns_data_by_data(hostname, rrtype=None, maxresults=1000)

Get the passive DNS results by query data (hostname).

Parameters:
  • hostname – hostname to query
  • rrtype – Record Type to limit searches to
  • maxresults – Max Results to Return (default 1,000)
Returns:

return a JSON object of the data

get_dns_data_by_ip(ip, rrtype=None, maxresults=1000)

Get the passive dns results by ip address, query data

Parameters:
  • ip – IP address of query, can also include wildcard, e.g. 192.168.0.*
  • rrtype – Record Type to limit searches to
  • maxresults – Max Results to Return (default 1,000)
Returns:

return a JSON object of the data

get_dns_data_by_name(name, rrtype=None, maxresults=1000)

Get the passive dns results by hostname.

Parameters:
  • name – hostname to query. Can also use wildcards, e.g. *.test.com
  • rrtype – Record Type to limit searches to
  • maxresults – Max Results to Return (default 1,000)
Returns:

return a JSON object of the data

get_dns_ptr_by_ip(ip, rrtype=None, maxresults=1000)

Get the reverse dns of a particular IP.

Parameters:
  • ip – IP Address to Query.
  • rrtype – Record Type to limit searches to
  • maxresults – Max Results to Return (default 1,000)
Returns:

return a JSON object of the data

get_landing_page(md5_hash, whois=None)

Retrieve a single landing page by MD5.

Parameters:
  • md5_hash – md5 of the landing page
  • whois – Bool, whether to include whois information
Returns:

landing page data

get_landing_page_crawled(whois=None, days=None, start=None, end=None)

List landing pages by crawl date - maximum of 100

Parameters:
  • whois – Bool, whether to include whois information
  • days – How many days you want to grab
  • start – Which date to start from, use time_format.
  • end – Date to end, use time_format.
Returns:

landing page data

get_landing_page_flagged(whois=None, days=None, start=None, end=None)

List landing pages by known profile creation date - maximum of 100

Parameters:
  • whois – Bool, whether to include whois information
  • days – How many days you want to grab
  • start – Which date to start from, use time_format.
  • end – Date to end, use time_format.
Returns:

landing page data

get_landing_page_malicious_binary(whois=None, days=1, start=None, end=None)

List landing pages with malicious binary incidents.

Parameters:
  • whois – Bool, whether to include whois information
  • days – How many days you want to grab
  • start – Which date to start from, use time_format.
  • end – Date to end, use time_format.
Returns:

landing page data

get_landing_page_projects()

List all projects that landing pages may be submitted to.

Returns: all projects

get_mobile_incident(incident_id)

Retrieve a mobile app incident by ID. If the incident is not found, 404 NOT FOUND is returned.

Parameters: incident_id – Long int ID
Returns: mobile incident

get_mobile_incident_list(days=1, start=None, end=None)

List app incidents by their incident creation date.

Parameters:
  • days – How many days you want to grab
  • start – Which date to start from, use time_format.
  • end – Date to end, use time_format.
Returns:

mobile incidents

get_page(crawl_guid, page_guid)

Retrieve a page and return it.

Parameters:
  • crawl_guid – crawl GUID
  • page_guid – page GUID
Returns:

requested page

get_page_child_dom(crawl_guid, page_guid, child_guid)

Retrieve a page and return its DOM.

Parameters:
  • crawl_guid – crawl GUID
  • page_guid – page GUID
  • child_guid – child GUID
Returns:

requested page

get_page_child_dom_text(crawl_guid, page_guid, child_guid)

Retrieve a page and return its DOM text.

Parameters:
  • crawl_guid – crawl GUID
  • page_guid – page GUID
  • child_guid – child GUID
Returns:

requested page

get_page_child_response(crawl_guid, page_guid, child_guid)

Retrieve a page and return its response.

Parameters:
  • crawl_guid – crawl GUID
  • page_guid – page GUID
  • child_guid – child GUID
Returns:

requested page

get_page_dom(crawl_guid, page_guid)

Retrieve a page and return its DOM.

Parameters:
  • crawl_guid – crawl GUID
  • page_guid – page GUID
Returns:

requested page

get_page_response(crawl_guid, page_guid)

Retrieve a page and return its response.

Parameters:
  • crawl_guid – crawl GUID
  • page_guid – page GUID
Returns:

requested page

get_project_keywords(project_id)

List all keywords associated to specified project.

Parameters: project_id – Integer ID of the project
Returns: Keywords of project

get_project_list()

List all projects.

get_proxy_ip(ip)

Lookup a proxy by IP

Parameters: ip – ip address of proxy
Returns: proxy

get_zlist_urls(days=1, start=None, end=None)

Get the current zlist urls.

Parameters:
  • days – How many days you want to grab
  • start – Which date to start from, use time_format.
  • end – Date to end, use time_format.
Returns:

all URLs

submit_landing_page(url, **kwargs)

Submit a single landing page.

Parameters:
  • url – Url to submit. Only required parameter.
  • keyword – Optional Keyword for this landing page.
  • md5_hash – Optional MD5 representing the canonical ID for this landing page
  • project_name – Optional Project name to submit landing page to
  • pingback_url – Optional URL to be GET requested upon completion of analysis of the landing page
  • fields – Optional dictionary of custom fields
Returns:

returns json of landing page.

submit_landing_page_bulk(entries, **kwargs)

Submit landing pages in bulk. At least url must be specified.

Parameters: entries – list of dictionaries specifying the entry keys below
Entry keys:
  • url – Url to submit.
  • keyword – Optional Keyword for this landing page.
  • md5_hash – Optional MD5 representing the canonical ID for this landing page
  • project_name – Optional Project name to submit landing page to
  • pingback_url – Optional URL to be GET requested upon completion of analysis of the landing page
  • fields – Optional dictionary of custom fields
Returns: returns json of landing page bulk request.

riskiq.api.date_range(days=1, start=None, end=None)

Generate a start date and an end date based off of how many days.

Parameters:
  • days – How many days to include from today (for generating 30 day time windows, etc.)
  • start – Override start date.
  • end – Override end date.
Returns:

(start, end) tuple of strings in acceptable date format

riskiq.api.format_date(dt, day=False)

Generates a date string in the required format from a datetime object.

Parameters:
  • dt – Datetime object
  • day – Bool, whether to take the floor of the day (1 means beginning of today since midnight)
Returns:

string in acceptable date format

riskiq.api.today()

Generates a date string for today.

Returns: Date string of today in “yyyy-mm-dd” format, accepted by API

riskiq.config module

class riskiq.config.Config(**kwargs)

Bases: object

get(item, default=None)
load_config(**kwargs)
options
write_config()

riskiq.render module

riskiq.render.renderer(data, template_file, verbose=False, oneline=False)

Render the template with supplied context. Example template_file: “blacklist/lookup”

Module contents

RiskIQ API
