Relativity Threat Intelligence Feed

Our threat intelligence feed is for any legal or legal-adjacent professional wanting to collect Indicators of Compromise (IOCs) in order to build or improve their security program. Intelligence is aggregated from several sources, including the RelativityOne environment, our network of legal-specific honeypots, and open source intelligence feeds. The feed is maintained by Calder7, Relativity’s in-house security team.

For more information on how we source our indicators, please contact security@relativity.com.

API


Endpoints
  • Retrieve indicators

  • Get indicators
     https://intel.relativity.com/api/v3/indicators

    Parameters

    Param Type Description
    first_seen_start (optional) string Date indicator first seen by Relativity, in ISO 8601 format YYYY-MM-DD. If passing this parameter, must also provide first_seen_end.
    first_seen_end (optional) string Date indicator first seen by Relativity, in ISO 8601 format YYYY-MM-DD. If passing this parameter, must also provide first_seen_start.
    last_seen_start (optional) string Date indicator last seen by Relativity, in ISO 8601 format YYYY-MM-DD. If passing this parameter, must also provide last_seen_end.
    last_seen_end (optional) string Date indicator last seen by Relativity, in ISO 8601 format YYYY-MM-DD. If passing this parameter, must also provide last_seen_start.
    min_confidence (optional) int Minimum confidence score. Confidence is calculated based on source of indicator, history of malicious use, and aggregation with other intelligence scores.
    threat_type (optional) string Values: scanning, C2
    data (optional) string Indicator value (e.g. example.com, 192.158.1.38, etc.)
    country (optional) string Full country name (e.g. United States, China, etc.)

    Authentication

    Method: OAuth 2.0 Bearer token, sent in a required header:

    Authorization: Bearer MY_TOKEN

    Rate Limit: We currently do not enforce rate limiting.

    Example Output:

    
    {
      "TLP": "GREEN",
      "date": "Tue, 23 Mar 2021 19:51:11 GMT",
      "description": "Our threat intelligence feed is for any legal or legal-adjacent professional wanting to collect Indicators of Compromise (IOCs) in order to build or improve their security program.",
      "name": "Relativity Threat Intelligence Feed",
      "usage": "This data is not to be resold or used for profit.",
      "version": "v3",
      "feed": [
        {
          "ASN": "26496",
          "active": true,
          "confidence": 100,
          "country": "United States",
          "credibility": 100,
          "data": "198.12.224.76",
          "details": "",
          "first_seen": "2021-03-18",
          "id": "623ed70c-1ac8-476c-81bc-8c41a1ecec5a",
          "last_seen": "2021-03-18",
          "osint": {
            "blocklistde443": {
              "firstseen": "2020-12-02",
              "lastseen": "2021-03-15"
            },
            "blocklistde80": {
              "firstseen": "2020-12-01",
              "lastseen": "2021-03-15"
            },
            "blocklistdeapache": {
              "firstseen": "2020-12-02",
              "lastseen": "2021-03-15"
            },
            "blocklistdebruteforcelogin": {
              "firstseen": "2020-12-02",
              "lastseen": "2021-03-15"
            },
            "forumspam": {
              "firstseen": "2020-12-04",
              "lastseen": "2020-12-06"
            }
          },
          "registration": {
            "date": "2013-04-05",
            "registrant": "AS-26496-GO-DADDY-COM-LLC, US"
          },
          "rule": "",
          "severity": "Moderate",
          "tags": [],
          "threat_type": "unknown",
          "type": "ip"
        }
      ]
    }
        

    Field Descriptions

    Field Type Description
    ASN int Autonomous System Number associated with IP or domain
    active bool True if activity has been seen in the last 90 days
    confidence int Confidence is calculated based on source of indicator, history of malicious use, and aggregation with other intelligence scores.
    country string Full country name
    credibility int Credibility of source (i.e. Relativity)
    data string Indicator value (e.g. example.com, 192.158.1.38, etc.)
    details string Additional information about data
    first_seen string Date first seen by Relativity in ISO 8601 format YYYY-MM-DD
    id string Unique indicator id
    last_seen string Date last seen by Relativity in ISO 8601 format YYYY-MM-DD
    osint list Data from other OSINT feeds
    registration dict[string,string] Registration info (date, registrant)
    rule string Detection rule (i.e. Snort rule, detection signature)
    severity string Values: low, moderate, high, critical
    tags list[string] Tag values containing additional identifiers
    threat_type string Values: scanning, C2
    type string Indicator type. Values: ip, domain

    Code Snippets

    Python

    
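    import requests

    url = "https://intel.relativity.com/api/v3/indicators"
    # Date-range parameters must be passed as a start/end pair.
    params = {
      "first_seen_start": "2021-03-01",
      "first_seen_end": "2021-03-09",
      "min_confidence": 90
    }
    # Replace MY_TOKEN with the token generated via the Relativity Community.
    headers = {"Authorization": "Bearer MY_TOKEN"}
    response = requests.get(url, params=params, headers=headers, timeout=30)
    response.raise_for_status()  # surface 4xx/5xx instead of parsing an error body
    content = response.json()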
              

    Curl

    
    curl -G --data-urlencode "first_seen_start=2021-03-18" --data-urlencode "first_seen_end=2021-03-18" -H "Authorization: Bearer MY_TOKEN" https://intel.relativity.com/api/v3/indicators
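
    Validating before you query and before you block

The following is an added example, not part of Relativity's documentation or code: it enforces the start/end pairing rule from the Parameters table on the client side and filters a response down to IP indicators that are safe to hand to a blocklist. The function names `build_params` and `blockable_ips`, the choice to drop non-public addresses, and the sample document (trimmed and extended from the Example Output shape) are assumptions made for illustration.

```python
import ipaddress
import json
from datetime import date

# Constructed sample in the documented response shape. Only the first entry
# mirrors the page's example; the others are made up to exercise the filters.
SAMPLE = json.loads("""
{"TLP": "GREEN", "version": "v3", "feed": [
 {"data": "198.12.224.76", "type": "ip", "active": true, "confidence": 100},
 {"data": "10.0.0.5", "type": "ip", "active": true, "confidence": 95},
 {"data": "example.com", "type": "domain", "active": false, "confidence": 99},
 {"data": "not-an-ip", "type": "ip", "active": true, "confidence": 92},
 {"data": "192.158.1.38", "type": "ip", "active": true, "confidence": 40}
]}
""")

RANGE_PAIRS = [("first_seen_start", "first_seen_end"),
               ("last_seen_start", "last_seen_end")]

def build_params(**params):
    """Enforce the documented pairing rule for the date-range parameters."""
    for start, end in RANGE_PAIRS:
        if (start in params) != (end in params):
            raise ValueError(f"{start} and {end} must be passed together")
        for key in (start, end):
            if key in params:
                date.fromisoformat(params[key])  # ValueError on a malformed date
    return params

def blockable_ips(doc, min_confidence=90):
    """Return active, sufficiently confident, publicly routable IP indicators."""
    selected = []
    for item in doc.get("feed", []):
        if item.get("type") != "ip" or not item.get("active"):
            continue
        if int(item.get("confidence", 0)) < min_confidence:
            continue
        try:
            addr = ipaddress.ip_address(item.get("data", ""))
        except ValueError:
            continue  # malformed value: never pass it into a firewall rule
        if addr.is_global:  # assumption: private/reserved ranges are never blocked
            selected.append(str(addr))
    return selected
```
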
              

    Status Codes

    Code Description
    200 Success
    400 Invalid parameters provided
    401 Token not provided
    403 Provided token is invalid; user does not have permission to access this site
    405 Method not allowed. GET is the supported method.
    500 Internal server error, please contact security@relativity.com
    503 System service currently unavailable, may be down for maintenance

    Register

    To use our feed, please log in via the Relativity Community and generate a token.

    Generate Token

    Support

    For questions or feedback, please email security@relativity.com. Visit our website for additional information on our company and products.