Bulk Simple Best API

The Bulk Simple Best API lets you fetch a single result, the best matching one, by providing a list contained within a text file. You have to provide a unique value for the asset, which can only be an IP address. You pass only the asset value, not a full ONYPHE Query Language search. Only a few categories are useful in this context, which are the following:


The Bulk Simple Best Geoloc, Inetnum & Whois Best endpoints return the geolocation of the given address; the best match is the smallest network (subnet field).

The Bulk Simple Best Threatlist Best endpoint returns a result if an entry has been found in the threatlist category within the last 48 hours. The idea behind this endpoint is that you want to know whether an address has been considered malicious in the past few days only. IP addresses are sometimes cleaned up and no longer pose a threat.

Using curl

You can use curl in the following way to call the Bulk Simple Best API:

echo '1.1.1.1' > /tmp/ip.txt
echo '8.8.8.8' >> /tmp/ip.txt

curl -H 'Content-Type: application/json' -H 'Authorization: bearer YOUR_APIKEY' -XPOST 'https://www.onyphe.io/api/v2/bulk/simple/whois/best/ip' --data-binary @/tmp/ip.txt

Output:

{"@category":"whois","@timestamp":"2023-02-20T22:30:45.000Z",[..]
{"@category":"whois","@timestamp":"2023-03-04T06:00:30.000Z",[..]

Using curl against Unrated API endpoint

To query the Unrated API endpoint, you have to pass the API key as an HTTP parameter (k in the command below), because the Authorization header is used to carry Basic authentication credentials: your login email address as the username (with @ replaced by _, as the sed command does) and your API key as the password:

LOGIN=$(echo -n 'YOUR_LOGIN_EMAIL' | sed 's/@/_/g')
PASS='YOUR_APIKEY'
BASIC=$(echo -n "$LOGIN:$PASS" | base64 -w 0)
curl -H 'Content-Type: application/json' -H "Authorization: basic $BASIC" -XPOST 'https://www.onyphe.io/unrated/api/v2/bulk/simple/whois/best/ip?k=YOUR_APIKEY' --data-binary @/tmp/ip.txt
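The two curl calls above, as an added Python example (not ONYPHE's own client code): it keeps only valid IP addresses for the request body, builds the request for either endpoint without sending it, and parses the line-delimited JSON response. The function names are hypothetical, the sample response is constructed, and using the same URL pattern for categories other than whois is an assumption.

```python
import base64
import ipaddress
import json
import urllib.request

BASE = "https://www.onyphe.io"  # host from the curl commands on this page
# Constructed sample response: one JSON object per line, second line cut short.
SAMPLE = ('{"@category":"whois","@timestamp":"2023-02-20T22:30:45.000Z",'
          '"subnet":"192.0.2.0/24"}\n{"@category":"whois","@timest')

def build_payload(assets):
    """Return (request body, rejected values): unique valid IPs, one per line."""
    kept, rejected = {}, []  # dict keeps first-seen order and removes duplicates
    for value in filter(None, map(str.strip, assets)):
        try:
            kept[str(ipaddress.ip_address(value))] = None
        except ValueError:  # hostname, CIDR range, full OQL search, ...
            rejected.append(value)
    return ("\n".join(kept) + "\n").encode(), rejected

def basic_auth_value(login_email, apikey):
    """Mirror the LOGIN/PASS/BASIC shell variables: '@' in the login becomes '_'."""
    login = login_email.replace("@", "_")
    return base64.b64encode(f"{login}:{apikey}".encode()).decode()

def build_request(category, body, apikey, login_email=None):
    """Rated endpoint by default; Unrated endpoint when login_email is given."""
    # Assumption: other categories use the same path layout as the whois URL.
    path = f"/api/v2/bulk/simple/{category}/best/ip"
    if login_email is None:
        url, auth = BASE + path, f"bearer {apikey}"
    else:
        url = f"{BASE}/unrated{path}?k={apikey}"
        auth = f"basic {basic_auth_value(login_email, apikey)}"
    headers = {"Content-Type": "application/json", "Authorization": auth}
    return urllib.request.Request(url, data=body, headers=headers, method="POST")

def parse_results(text):
    """Parse line-delimited JSON; return (records, lines that failed to parse)."""
    records, bad = [], []
    for line in filter(str.strip, text.splitlines()):
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            bad.append(line)
    return records, bad
```

Pass the returned request to urllib.request.urlopen() to send it, then feed the decoded response body to parse_results().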