Cyber Threat Intelligence API
The Cyber Threat Intelligence API provides real-time access to threat data, indicators of compromise (IoCs), vulnerability information, and threat actor analysis through Cognix's threat intelligence platform.
Getting Started
Authentication
All API requests require authentication using a Bearer token in the Authorization header:
Authorization: Bearer YOUR_API_KEY
Please contact support at cognix.au/contact-us to obtain an API key.
API Reference
1. Threat Indicators API
Retrieve and analyze Indicators of Compromise (IoCs).
Endpoint: GET https://api.cognix.au/v1/threat/indicators
Query Parameters
Parameter | Type | Required | Description |
---|---|---|---|
type | string | No | IoC type (ip, domain, hash, url) |
confidence | integer | No | Minimum confidence score (0-100) |
date_range | string | No | Date range format: YYYY-MM-DD to YYYY-MM-DD |
limit | integer | No | Number of results (default: 100) |
Example Response
{
"status": "success",
"data": {
"indicators": [
{
"id": "ioc_123",
"type": "ip",
"value": "192.0.2.1",
"confidence": 95,
"first_seen": "2024-01-15T10:30:00Z",
"last_seen": "2024-01-31T15:45:00Z",
"threat_types": ["malware_c2", "botnet"],
"malware_families": ["emotet"],
"tags": ["ransomware", "financial"],
"references": ["https://example.com/threat-report-123"]
}
],
"meta": {
"total_count": 1500,
"filtered_count": 100,
"confidence_average": 87
}
}
}
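A client fragment for this endpoint, added here as an example and not part of Cognix's documentation: it builds the authenticated request from the documented query parameters and then validates each returned IoC against its declared type before the value is trusted. The function names, the validation rules and the sample response are assumptions of this example.

```python
import ipaddress
import json
import re
from urllib.parse import urlencode, urlparse
from urllib.request import Request
BASE_URL = "https://api.cognix.au/v1/threat/indicators"
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
HASH_RE = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", re.I)  # MD5, SHA-1, SHA-256

def build_request(api_key, **filters):
    """GET request for the indicators endpoint; filters are the documented query parameters."""
    params = {k: v for k, v in filters.items() if v is not None}
    return Request(f"{BASE_URL}?{urlencode(params)}",
                   headers={"Authorization": f"Bearer {api_key}"})

def ioc_is_well_formed(ioc_type, value):
    """Reject malformed feed values before they reach a blocklist or SIEM lookup."""
    if ioc_type == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if ioc_type == "domain":
        return DOMAIN_RE.match(value) is not None
    if ioc_type == "hash":
        return HASH_RE.fullmatch(value) is not None
    if ioc_type == "url":
        parts = urlparse(value)
        return parts.scheme in ("http", "https") and bool(parts.netloc)
    return False  # unknown type: do not trust it

def parse_indicators(body, min_confidence=80):
    """Split a response into indicators worth acting on and ones to drop."""
    doc = json.loads(body) if isinstance(body, (str, bytes)) else body
    if doc.get("status") != "success":
        raise ValueError(f"unexpected status field: {doc.get('status')!r}")
    kept, dropped = [], []
    for ioc in doc["data"]["indicators"]:
        ok = ioc.get("confidence", 0) >= min_confidence and ioc_is_well_formed(ioc.get("type"), str(ioc.get("value", "")))
        (kept if ok else dropped).append(ioc)
    return kept, dropped

# Constructed sample response (documented shape, made-up values).
SAMPLE_RESPONSE = json.dumps({"status": "success", "data": {"meta": {"total_count": 4}, "indicators": [
    {"id": "ioc_1", "type": "ip", "value": "192.0.2.1", "confidence": 95},
    {"id": "ioc_2", "type": "hash", "value": "deadbeef", "confidence": 99},  # wrong digest length
    {"id": "ioc_3", "type": "domain", "value": "example.net", "confidence": 40},  # below threshold
    {"id": "ioc_4", "type": "url", "value": "https://example.org/x", "confidence": 88}]}})
```

Run `parse_indicators(SAMPLE_RESPONSE)` to see the two kept entries and the two dropped ones; feed the kept list, never the raw response, into downstream blocklists.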
2. Threat Actor Analysis API
Access detailed information about known threat actors and their activities.
Endpoint: GET https://api.cognix.au/v1/threat/actors
Query Parameters
Parameter | Type | Required | Description |
---|---|---|---|
actor_id | string | No | Specific threat actor identifier |
category | string | No | Actor category (state, criminal, hacktivist) |
capability | string | No | Technical capability level |
target_sector | string | No | Targeted industry sector |
Example Response
{
"status": "success",
"data": {
"actor": {
"id": "APT_123",
"name": "FancyBear",
"aliases": ["APT28", "STRONTIUM"],
"category": "state",
"first_seen": "2008-01-01",
"capability_level": "advanced",
"typical_targets": ["government", "defense", "technology"],
"ttps": ["T1566: Phishing", "T1587: Develop Capabilities"],
"associated_malware": ["X-Agent", "CHOPSTICK"],
"recent_campaigns": [
{
"name": "Operation Ghost",
"start_date": "2024-01-01",
"status": "active",
"targeted_regions": ["APAC", "EU"]
}
]
}
}
}
3. Vulnerability Intelligence API
Monitor and analyze vulnerability information and exploitation status.
Endpoint: GET https://api.cognix.au/v1/threat/vulnerabilities
Query Parameters
Parameter | Type | Required | Description |
---|---|---|---|
cve_id | string | No | Specific CVE identifier |
severity | string | No | Minimum severity level |
exploit_status | string | No | Exploitation status filter |
affected_product | string | No | Affected product or technology |
Example Response
{
"status": "success",
"data": {
"vulnerability": {
"cve_id": "CVE-2024-1234",
"severity": "critical",
"cvss_score": 9.8,
"status": {
"patch_available": true,
"exploit_available": true,
"actively_exploited": true
},
"affected_products": [
{
"vendor": "ExampleTech",
"product": "SecurityApp",
"versions": ["1.0.0", "1.1.0"]
}
],
"exploitation_details": {
"ease": "low",
"authentication_required": false,
"known_exploits": 3
},
"mitigation_steps": [
"Update to version 1.1.1",
"Apply network segmentation"
]
}
}
}
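An added example, not from the page or Cognix: a triage rule that turns the documented status flags and cvss_score into a patching tier, so that exploitation in the wild outranks raw score and a missing patch becomes a mitigation task. The tier thresholds, function names and the made-up CVE ids are assumptions of this example.

```python
def triage_tier(vuln):
    """Map the documented status flags and CVSS score to a tier (P1 = act now).

    Assumed policy, not the API's: actively exploited beats everything, then
    public exploit or critical score, then high score; the action depends on
    whether the vendor has shipped a patch.
    """
    status = vuln.get("status", {})
    score = float(vuln.get("cvss_score", 0.0))
    if status.get("actively_exploited"):
        tier = "P1"
    elif status.get("exploit_available") or score >= 9.0:
        tier = "P2"
    elif score >= 7.0:
        tier = "P3"
    else:
        tier = "P4"
    action = "patch" if status.get("patch_available") else "mitigate"
    return tier, action

def triage(vulns):
    """Return the entries sorted most urgent first, annotated with tier and action."""
    ranked = []
    for v in vulns:
        tier, action = triage_tier(v)
        ranked.append({"cve_id": v["cve_id"], "tier": tier, "action": action,
                       "cvss_score": v.get("cvss_score"),
                       "steps": v.get("mitigation_steps", [])})
    return sorted(ranked, key=lambda r: (r["tier"], -(r["cvss_score"] or 0)))

# Constructed sample: the documented example entry plus two made-up ones (placeholder CVE ids).
SAMPLE_VULNS = [
    {"cve_id": "CVE-2024-1234", "severity": "critical", "cvss_score": 9.8,
     "status": {"patch_available": True, "exploit_available": True, "actively_exploited": True},
     "mitigation_steps": ["Update to version 1.1.1", "Apply network segmentation"]},
    {"cve_id": "CVE-0000-0001", "severity": "high", "cvss_score": 8.1,
     "status": {"patch_available": False, "exploit_available": True, "actively_exploited": False}},
    {"cve_id": "CVE-0000-0002", "severity": "medium", "cvss_score": 6.5,
     "status": {"patch_available": True, "exploit_available": False, "actively_exploited": False}},
]
```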
4. MITRE ATT&CK Framework API
Access MITRE ATT&CK framework mappings and techniques.
Endpoint: GET https://api.cognix.au/v1/threat/mitre
Query Parameters
Parameter | Type | Required | Description |
---|---|---|---|
technique_id | string | No | Specific ATT&CK technique ID |
tactic | string | No | Specific tactic category |
actor_id | string | No | Filter by associated threat actor |
platform | string | No | Target platform (Windows, Linux, etc.) |
Example Response
{
"status": "success",
"data": {
"technique": {
"technique_id": "T1566",
"name": "Phishing",
"tactic": "Initial Access",
"platforms": ["Windows", "macOS", "Linux"],
"detection": {
"analytics": [
"Monitor for suspicious email attachments",
"URL reputation checking"
],
"data_sources": ["Email gateway logs", "Network traffic logs"]
},
"observed_actors": [
{
"actor_id": "APT_123",
"confidence": "high",
"last_observed": "2024-01-15"
}
],
"mitigations": [
{
"id": "M1049",
"name": "Antivirus/Antimalware",
"description": "Use anti-virus/anti-malware tools"
}
]
}
}
}
5. Dark Web Monitoring API
Monitor dark web activities and threats.
Endpoint: GET https://api.cognix.au/v1/threat/darkweb
Query Parameters
Parameter | Type | Required | Description |
---|---|---|---|
keywords | string | No | Search keywords or phrases |
category | string | No | Threat category filter |
date_range | string | No | Date range for monitoring |
source_type | string | No | Type of dark web source |
Example Response
{
"status": "success",
"data": {
"alerts": [
{
"id": "alert_789",
"timestamp": "2024-01-31T12:00:00Z",
"source": {
"type": "forum",
"name": "redacted",
"credibility": "high"
},
"content": {
"type": "credential_leak",
"affected_organization": "example.com",
"details": "Sanitized description of the threat",
"indicators": ["compromised_data_type", "asking_price"]
},
"risk_assessment": {
"severity": "high",
"immediacy": "immediate",
"recommended_actions": [
"Reset affected credentials",
"Monitor for unauthorized access"
]
}
}
],
"summary": {
"total_mentions": 25,
"trending_topics": ["ransomware", "zero_day_exploits"],
"risk_level": "elevated"
}
}
}
Error Handling
Response Codes
Code | Description |
---|---|
200 | Success - Request completed successfully |
400 | Bad Request - Invalid parameters or malformed request |
401 | Unauthorized - Invalid or missing API key |
403 | Forbidden - Valid API key but insufficient permissions |
404 | Not Found - Requested resource doesn't exist |
429 | Too Many Requests - Rate limit exceeded |
500 | Internal Server Error - Server-side error occurred |
503 | Service Unavailable - Temporary server maintenance |
Error Response Format
{
"status": "error",
"error": {
"code": "ERROR_CODE",
"message": "Human-readable error message",
"details": {
"field": "Additional context about the error",
"suggestion": "Recommended action to resolve the error"
}
},
"request_id": "unique-request-identifier"
}
Common Error Codes
Authentication Errors
Error Code | Description | Resolution |
---|---|---|
INVALID_API_KEY | The provided API key is not valid | Please contact support at https://cognix.au/contact-us to verify your API key |
EXPIRED_API_KEY | The API key has expired | Generate a new API key |
MISSING_API_KEY | No API key provided in the request | Include API key in Authorization header |
CTI-Specific Errors
Error Code | Description | Resolution |
---|---|---|
INVALID_IOC | Invalid IoC format | Check IoC format requirements |
FEED_UNAVAILABLE | Requested threat feed is temporarily unavailable | Retry request after delay |
INVALID_CVE | Invalid CVE identifier | Verify CVE ID format |
SEARCH_TIMEOUT | Dark web search exceeded time limit | Refine search parameters |
Best Practices for Error Handling
- Always check the status field in the response
- Implement retry logic with exponential backoff for rate limits
- Log the request_id for all errors
- Monitor error rates to detect potential issues
- Handle errors gracefully in your application
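The practices above as an added example that is not the vendor's client: `call_with_retry` treats only 429, 503 and the transient CTI-specific codes as retryable, backs off with jittered exponential delays, logs request_id on every failure and raises on everything else. The function names, the fake transport and the sample bodies are assumptions of this example.

```python
import json
import logging
import random
import time

log = logging.getLogger("cti_client")
RETRYABLE_HTTP = {429, 503}                               # from the response-code table
RETRYABLE_CODES = {"FEED_UNAVAILABLE", "SEARCH_TIMEOUT"}  # CTI-specific codes worth a retry

class CTIError(Exception):
    """Non-retryable or exhausted API error; carries request_id for the support ticket."""
    def __init__(self, http_status, code, message, request_id):
        super().__init__(f"HTTP {http_status} {code}: {message} (request_id={request_id})")
        self.http_status, self.code, self.request_id = http_status, code, request_id

def backoff_delay(attempt, base=1.0, cap=60.0, rng=random.random):
    """Exponential backoff with full jitter: uniform in [0, min(cap, base * 2**attempt))."""
    return min(cap, base * 2 ** attempt) * rng()

def call_with_retry(send, max_attempts=5, sleep=time.sleep, rng=random.random):
    """send() performs one HTTP request and returns (http_status, body_text).
    Success requires both HTTP 200 and status == "success" in the body; transient
    failures are retried with backoff, everything else (400, 401, 403, 404) is
    raised immediately so a bad key or bad parameters are never retried.
    """
    for attempt in range(max_attempts):
        http_status, body = send()
        doc = json.loads(body)
        if http_status == 200 and doc.get("status") == "success":
            return doc["data"]
        err = doc.get("error", {})
        code, request_id = err.get("code", "UNKNOWN"), doc.get("request_id")
        log.error("CTI call failed: http=%s code=%s request_id=%s", http_status, code, request_id)
        transient = http_status in RETRYABLE_HTTP or code in RETRYABLE_CODES
        if not transient or attempt == max_attempts - 1:
            raise CTIError(http_status, code, err.get("message", ""), request_id)
        sleep(backoff_delay(attempt, rng=rng))
    raise AssertionError("unreachable: loop always returns or raises")

def scripted_send(responses):
    """Fake transport for offline use: returns the scripted (status, body) pairs in order."""
    queue = list(responses)
    return lambda: queue.pop(0)

def error_body(code, message, request_id):
    """Build a body in the documented error format (constructed values)."""
    return json.dumps({"status": "error", "error": {"code": code, "message": message},
                       "request_id": request_id})
```

In production, `send` wraps the real HTTP call and `sleep` stays as `time.sleep`; the scripted transport exists only to exercise the retry path without network access.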