ThreatMiner API

This API enables users to create automated solutions to query against ThreatMiner's database.

If you encounter any problems with any of the following features, please email threatminer.org [{a}] gmail.com or send a direct message to @threatminer.

Basics

By default, the ThreatMiner API returns results in JSON format. There are three key attributes in each result:

  • status_code - 200 if results are found, 404 if not.
  • status_message - text explanation of the status_code.
  • results - this is where the results are returned and the exact JSON structure returned differs per query type.
Below is an example of the return results of a query on a given domain:

API Calls


IMPORTANT NOTE: Please note that the rate limit is set to 10 queries per minute.


Indicator type Example Query URI Flags and Results Note
Domain N/A
IP N/A
Samples N/A
Import hash (imphash) N/A
SSDeep N/A
SSL N/A
Email (Reverse WHOIS) N/A
AV Detection N/A
APTNotes to IOCs N/A
Search APTNotes
Flag Query Type Example Query URI
rt=1 Full text search reports https://api.threatminer.org/v2/reports.php?q=sofacy&rt=1
rt=2 Get reports by year https://api.threatminer.org/v2/reports.php?q=2016&rt=2
N/A
NOTICE: We have updated our privacy terms and conditions in accordance to GDPR. By using our site, you acknowledge that you have read and understand our Privacy Policy. Your use of ThreatMiner’s Products and Services is subject to these policies and terms.