GreedyBear API

GET /api/feeds/{feed_type}/{attack_type}/{age}.{format}

Get the feeds data

Returns the feed data. The feeds are updated regularly, every 10 minutes.

Parameters
  • feed_type (string) –

    The available feed_type values are:
    • log4j - attacks detected from the Log4pot

    • cowrie - attacks detected from the Cowrie Honeypot

    • all - get all types at once

  • attack_type (string) –

    The available attack_type values are:
    • scanner - IP addresses captured by the honeypots while performing attacks

    • payload_request - IP addresses and domains extracted from payloads that would have been executed if a specific attack had succeeded

    • all - get all types at once

  • age (string) –

    The available age values are:
    • recent - most recent IOCs seen in the last 3 days

    • persistent - IOCs that were seen regularly by the honeypots. This feed starts empty when no prior data has been collected and grows over time.

  • format (string) –

    The available format values are:
    • txt - plain text (just one line for each IOC)

    • csv - CSV-like file (just one line for each IOC)

    • json - JSON file with additional information regarding the IOCs
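
As an added example (not GreedyBear's own code), the helper below validates the four path parameters listed above before building a feed URL, then splits a txt feed into blocklist candidates. The base URL, the NEVER_BLOCK networks and the sample feed body are assumptions constructed for illustration.

```python
import ipaddress

# Allowed path values, copied from the parameter lists above.
ALLOWED = {
    "feed_type": {"log4j", "cowrie", "all"},
    "attack_type": {"scanner", "payload_request", "all"},
    "age": {"recent", "persistent"},
    "format": {"txt", "csv", "json"},
}
# Assumption: internal ranges that must never reach a blocklist.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def feed_url(base, feed_type, attack_type, age, fmt):
    """Build the feed URL, rejecting values the API does not document."""
    given = {"feed_type": feed_type, "attack_type": attack_type,
             "age": age, "format": fmt}
    for name, value in given.items():
        if value not in ALLOWED[name]:
            raise ValueError(f"unsupported {name}: {value!r}")
    return f"{base.rstrip('/')}/api/feeds/{feed_type}/{attack_type}/{age}.{fmt}"

def parse_txt_feed(body):
    """Split a txt feed (one IOC per line) into IPs, domains and skipped lines."""
    ips, domains, skipped = set(), set(), []
    for line in body.splitlines():
        ioc = line.strip()
        if not ioc:
            continue
        try:
            addr = ipaddress.ip_address(ioc)
        except ValueError:
            # payload_request feeds carry domains as well as IP addresses.
            if "." in ioc and not any(c.isspace() or c in "<>/" for c in ioc):
                domains.add(ioc.lower())
            else:
                skipped.append(ioc)  # e.g. an error page instead of a feed
            continue
        if any(addr in net for net in NEVER_BLOCK):
            skipped.append(str(addr))
        else:
            ips.add(str(addr))
    return sorted(ips), sorted(domains), skipped

# Constructed sample body (documentation addresses, not real feed data).
SAMPLE = "203.0.113.7\n198.51.100.23\n203.0.113.7\n10.0.0.5\nPayload.Example.net\n\n<html>error</html>\n"

if __name__ == "__main__":
    print(feed_url("https://greedybear.example", "cowrie", "scanner", "recent", "txt"))
    print(parse_txt_feed(SAMPLE))
```

Reviewing the skipped list before loading the result catches a feed that returned an error page or an address from your own network.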

Status Codes
GET /api/enrichment

Get data about a specific IOC

Query for a specific observable in the database and return data about it.

Query Parameters
  • query (string) –

    Query for an observable_name. The observable_name can be:
    • A valid IP or domain

    (Required)

Status Codes