Our threat intelligence feed is for any legal or legal-adjacent professional wanting to collect Indicators of Compromise (IOCs) in order to build or improve their security program. Intelligence is aggregated from several sources, including the RelativityOne environment, our network of legal-specific honeypots, and open source intelligence feeds. The feed is maintained by Calder7, Relativity’s in-house security team.
For more information on how we source our indicators, please contact security@relativity.com.
https://intel.relativity.com/api/v3/indicatorsParameters
| Param | Type | Description |
|---|---|---|
| first_seen_start (optional) | string | Date indicator first seen by Relativity, in ISO 8601 format YYYY-MM-DD. If passing this parameter, must also provide first_seen_end. |
| first_seen_end (optional) | string | Date indicator first seen by Relativity, in ISO 8601 format YYYY-MM-DD. If passing this parameter, must also provide first_seen_start. |
| last_seen_start (optional) | string | Date indicator last seen by Relativity, in ISO 8601 format YYYY-MM-DD. If passing this parameter, must also provide last_seen_end. |
| last_seen_end (optional) | string | Date indicator last seen by Relativity, in ISO 8601 format YYYY-MM-DD. If passing this parameter, must also provide last_seen_start. |
| min_confidence (optional) | int | Minimum confidence score. Confidence is calculated based on source of indicator, history of malicious use, and aggregation with other intelligence scores. |
| threat_type (optional) | string | Values: scanning, C2 |
| data (optional) | string | Indicator value (e.g. example.com, 192.158.1.38, etc.) |
| country (optional) | string | Full country name (e.g. United States, China, etc.) |
Authenticaton
| Method | OAuth 2.0 Bearer token, required header Authorization: Bearer MY_TOKEN |
|---|---|
| Rate Limit | We currently do not enforce rate limiting |
Example Output:
{
"TLP": "GREEN",
"date": "Tue, 23 Mar 2021 19:51:11 GMT",
"description": "Our threat intelligence feed is for any legal or legal-adjacent professional wanting to collect Indicators of Compromise (IOCs) in order to build or improve their security program.",
"name": "Relativity Threat Intelligence Feed",
"usage": "This data is not to be resold or used for profit.",
"version": "v3",
"feed": [
{
"ASN": "26496",
"active": true,
"confidence": 100,
"country": "United States",
"credibility": 100,
"data": "198.12.224.76",
"details": "",
"first_seen": "2021-03-18",
"id": "623ed70c-1ac8-476c-81bc-8c41a1ecec5a",
"last_seen": "2021-03-18",
"osint": {
"blocklistde443": {
"firstseen": "2020-12-02",
"lastseen": "2021-03-15"
},
"blocklistde80": {
"firstseen": "2020-12-01",
"lastseen": "2021-03-15"
},
"blocklistdeapache": {
"firstseen": "2020-12-02",
"lastseen": "2021-03-15"
},
"blocklistdebruteforcelogin": {
"firstseen": "2020-12-02",
"lastseen": "2021-03-15"
},
"forumspam": {
"firstseen": "2020-12-04",
"lastseen": "2020-12-06"
}
},
"registration": {
"date": "2013-04-05",
"registrant": "AS-26496-GO-DADDY-COM-LLC, US"
},
"rule": "",
"severity": "Moderate",
"tags": [],
"threat_type": "unknown",
"type": "ip"
}
]
}
Field Descriptions
| Field | Type | Description |
|---|---|---|
| ASN | int | Autonomous System Number associated with IP or domain |
| active | bool | True if activity has been seen in the last 90 days |
| confidence | int | Confidence is calculated based on source of indicator, history of malicious use, and aggregation with other intelligence scores. |
| country | string | Full country name |
| credibility | int | Credibility of source (i.e. Relativity) |
| data | string | Indicator value (e.g. example.com, 192.158.1.38, etc.) |
| details | string | Additional information about data |
| first_seen | string | Date first seen by Relativity in ISO 8601 format YYYY-MM-DD |
| id | string | Unique indicator id |
| last_seen | string | Date first seen by Relativity in ISO 8601 format YYYY-MM-DD |
| osint | list | Data from other OSINT feeds |
| registration | dict[string,string] | Registration info (date, registrant) |
| rule | string | Detection rule (i.e. Snort rule, detection signature) |
| severity | string | Values: low, moderate, high, critical |
| tags | list[string] | Tag values containing additional identifiers |
| threat_type | string | Values: scanning, C2 |
| type | string | Indicator type, Values: ip, domain) |
Code Snippets
Python
import requests
url = "https://intel.relativity.com/api/v3/indicators"
params = {
"first_seen_start": "2021-03-01",
"first_seen_end": "2021-03-09",
"min_confidence": 90
}
headers = {"Authorization": "Bearer MY_TOKEN"}
response = requests.get(url, params=params, headers=headers)
content = response.json()
Curl
curl -G --data-urlencode "first_seen_start=2021-03-18" --data-urlencode "first_seen_end=2021-03-18" -H "Authorization: Bearer MY_TOKEN" https://intel.relativity.com/api/v3/indicators
Status Codes
| Code | Description |
|---|---|
| 200 | Success |
| 400 | Invalid parameters provided |
| 401 | Token not provided |
| 403 | Provided token is invalid, user does not have permission to access this site |
| 405 | Method not allowed. GET is supported method. |
| 500 | Internal server error, please contact security@relativity.com |
| 503 | System service currently unavailable, may be down for maintenance |
To use our feed, please log in via the Relativity Community and generate a token.
Generate TokenFor questions or feedback, please email security@relativity.com. Visit our website for additional information on our company and products.