Intelligence API Usage Guide

Published a month ago

co0ontty s

Updated a month ago

Create SafePoint Token

Open SafePoint's Work Center in your browser, click Account, and then click API-Token-Generate to obtain your User Token.

Test Token

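Verify that the Token works by requesting the User info API from the Intelligence service. The -k flag in the commands below turns off TLS certificate verification; because the Token travels in a request header, omit -k when the endpoint's certificate validates on your system.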

curl -k 'https://intelligence.app.safepoint.cloud/api/v1/user/info' \
  -H 'Accept: application/json, text/plain, */*' \
  -H 'x-safepoint-api-token: <Your_Safepoint_Token>'

A response in the following format indicates that the Token and related programs are working properly:

{
    "message": "",
    "success": true,
    "data": {
        "id": "66**********845",
        "payment": "Ultimate",
        "token": "om**********pe",
        "expired_at": 0
    }
}

API List

User Payment Info

Request:

curl -k 'https://intelligence.app.safepoint.cloud/api/v1/user/info' \
  -H 'Accept: application/json, text/plain, */*' \
  -H 'x-safepoint-api-token: <Your_Safepoint_Token>'

Response:

{
    "message": "",
    "success": true,
    "data": {
        // User ID
        "id": "66**********845",
        // User Payment
        "payment": "Ultimate",
        // User app Token
        "token": "om**********pe",
        // Current version expiration time, 0 means permanent
        "expired_at": 0
    }
}

IP Query Data

Request:

curl -k 'https://intelligence.app.safepoint.cloud/api/v1/ip_info?ip=87.26.82.93' \
  -H 'Accept: application/json, text/plain, */*' \
  -H 'x-safepoint-api-token: <Your_Safepoint_Token>'

Response:

{
    "message": "",
    "success": true,
    "data": {
        // IP Address
        "ip": "103.195.194.250",
        // IP Threat Level: 0-Unknown 1-Safe 2-Suspicious 3-Malicious
        "status": 3,
        // Historical attack behavior statistics for IP
        "behaviors": {
            "Backdoor": 3,
            "Web Attack": 16,
            "SQL Injection": 5,
            "XXE Injection": 2,
            "CRLF Injection": 2,
            "Code Injection": 16,
            "Path Traversal": 3,
            "Command Injection": 4,
            "Template Injection": 1,
            "Unauthorized Access": 3,
            "Upload Malicious File": 2
        },
        // IP label list (IDC, residential broadband, etc.)
        "labels": [],
        // IP geolocation information
        "address": {
            "ip": "103.195.194.250",
            "country": "China",
            "province": "Hongkong",
            "city": "Hongkong",
            "isp": "Power Line (HK) Co., Limited",
            "owner": "Power Line (HK) Co., Limited",
            "asn": "AS132839",
            "lng": "114.184921",
            "lat": "22.350617",
            "scene": "Hosting",
            "radius": "40.0088",
            "timezone": "UTC+8"
        },
        // IP activity history records
        "activities": [
            {
                "ip": "103.195.194.250",
                "date": "2025-05-05",
                // Daily malicious level
                "malicious_level": 0
            },
            {
                "ip": "103.195.194.250",
                "date": "2025-05-06",
                "malicious_level": 3
            }
        ]
    }
}
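
The following Python sketch is an added example, not SafePoint's own code: it builds the ip_info request with certificate verification left on and reduces a response to the fields a blocklist or alert-enrichment job would act on. The function names, the `block_at` threshold and the sample body are constructed for illustration, and the shape of a failed response (`"success": false` plus a message) is an assumption.

```python
import json
import urllib.parse
import urllib.request

BASE = "https://intelligence.app.safepoint.cloud/api/v1"
# Threat levels documented for the "status" and "malicious_level" fields.
LEVELS = {0: "Unknown", 1: "Safe", 2: "Suspicious", 3: "Malicious"}


def build_ip_request(ip, token):
    """Build (not send) the ip_info request; urlopen() verifies TLS by default."""
    url = f"{BASE}/ip_info?" + urllib.parse.urlencode({"ip": ip})
    return urllib.request.Request(url, headers={
        "Accept": "application/json",
        "x-safepoint-api-token": token,
    })


def summarize_ip(body, block_at=3):
    """Reduce an ip_info response body to the fields a blocklist job needs."""
    resp = json.loads(body)
    # Assumption: a failed call returns "success": false with a "message".
    if not resp.get("success"):
        raise ValueError(f"API error: {resp.get('message')!r}")
    data = resp["data"]
    status = int(data.get("status", 0))
    behaviors = data.get("behaviors") or {}
    # Days on which the daily level reached the blocking threshold.
    bad_days = sorted(a["date"] for a in data.get("activities") or []
                      if a.get("malicious_level", 0) >= block_at)
    return {
        "ip": data["ip"],
        "level": LEVELS.get(status, "Unknown"),
        "block": status >= block_at,
        "events": sum(behaviors.values()),
        "top_behaviors": sorted(behaviors, key=lambda k: (-behaviors[k], k))[:3],
        "last_malicious_day": bad_days[-1] if bad_days else None,
        "hosting": (data.get("address") or {}).get("scene") == "Hosting",
    }


# Constructed sample: the documented response, annotations removed and trimmed.
SAMPLE = json.dumps({"message": "", "success": True, "data": {
    "ip": "103.195.194.250", "status": 3, "labels": [],
    "behaviors": {"Backdoor": 3, "Web Attack": 16, "SQL Injection": 5, "Code Injection": 16},
    "address": {"scene": "Hosting", "asn": "AS132839"},
    "activities": [
        {"ip": "103.195.194.250", "date": "2025-05-05", "malicious_level": 0},
        {"ip": "103.195.194.250", "date": "2025-05-06", "malicious_level": 3}]}})
```

Pass the result of `build_ip_request()` to `urllib.request.urlopen()` and feed the decoded body to `summarize_ip()`; the `//` annotations shown in the documented responses are not valid JSON and are assumed to be absent from live responses.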

Historical Malicious Behavior Data

Request:

curl -k 'https://intelligence.app.safepoint.cloud/api/v1/intelligences/list?page=1&per_page=1000&ip=142.93.230.252' \
  -H 'Accept: application/json, text/plain, */*' \
  -H 'x-safepoint-api-token: <Your_Safepoint_Token>'

Response:

{
    // Interface response message
    "message": "",
    // Whether the request was successful
    "success": true,
    "data": {
        // Total number of records
        "total": 821,
        // Historical malicious behavior records list
        "data": [
        {
            // Record unique identifier
            "id": "01973a2d-fa2c-75b1-b836-80d68d4d6a80",
            // IP type
            "type": "IPv4",
            // Detailed malicious behavior description
            "comment": "These IPs are constantly performing port scanning on my honeypot \"honeypot_qingdao_2\".\n\nProtocols:     tcp\nAttack times:  738\nPorts:         10000, 10008, 10015, 10023, 10046, 10059, 10082, 101, 1011, 10120, 10175, 10225, 10240-10241, 10247, 10259, 1027, 1028, 1032, 10357, 10628, 1080, 10989, 1099, 10997, 11, 110, 1109, 11112, 11234, 11443, 11551, 1189, 119, 1200, 12000, 12001, 12022, 12088, 12262, 1234, 12346, 12349, 12350, 12351, 12357, 12358, 12360, 12366, 12369, 12607, 12694, 1282, 12852, 1311, 1314, 13228, 13306, 13320, 13322, 1338, 13898, 13975, 14142, 1433, 14443, 1458, 14817, 15042, 1521, 153, 15305, 15443, 15901, 15944, 16041, 16467, 16825, 16966, 16981, 16993, 17102, 1723, 17389, 17554, 17600, 17811, 179, 18050, 18080, 18118, 1828, 18400, 18456, 18574, 18607, 1883, 1909, 19158, 1963, 19895, and more 637 ports\nStarts at:     2025-06-04T08:00:00.000Z\nEnds at:       2025-06-04T09:00:00.000Z",
            // Detected malicious behavior types
            "behaviors": [
                "Port Scanning"
            ],
            // Number of IPs included in this intelligence
            "count": "714",
            // Record creation timestamp
            "created_at": 1749027781,
            // Creator information
            "creator": {
                // Creator name
                "name": "Scanning-honeypot",
                // Creator avatar
                "avatar": "https://safepoint.oss-rg-china-mainland.aliyuncs.com/prod/avatar/943f0ad23af80967207b15b55900cbfb.png"
            }
        }]
    }
}

JA4 Query Data

Request:

curl -k 'https://intelligence.app.safepoint.cloud/api/v1/ja4?ja4=t13d1516h2_8daaf6152771_02713d6af862' \
  -H 'Accept: application/json, text/plain, */*' \
  -H 'x-safepoint-api-token: <Your_Safepoint_Token>'

Response:

{
    "message": "",
    "success": true,
    "data": {
        // JA4 fingerprint suffix
        "ja4_fingerprint": "1d37bd780c83_b26ce05bbdd6",
        // Detected malicious behaviors
        "behaviors": {},
        // Detected non-malicious attributes
        "labels": [],
        // JA4 Threat Level: 0-Unknown 1-Safe 2-Suspicious 3-Malicious
        "status": 3,
        // JA4 corresponding application list, true for authenticated data, false for non-authenticated data
        "application": {
            "Chrome ": true,
            "Chrome 119.0 ": true,
            "Chrome 120.0 ": true,
            "Chrome 121.0 ": true,
            "Chrome 126.0 Beta ": true,
            "Chromium Browser": true
        },
        // JA4 corresponding underlying application list, true for authenticated data, false for non-authenticated data
        "library": {
            "golang": false
        },
        // JA4 corresponding hardware device list, true for authenticated data, false for non-authenticated data
        "device": {
            "Google Pixel 5": true
        },
        // JA4 corresponding operating system list, true for authenticated data, false for non-authenticated data
        "os": {
            "android 13 .0": true
        },
        // JA4 corresponding User-Agent list, count represents the number of captures
        "related_uas": {
            "Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)": 10218,
            "Mozilla/5.0 Firefox/33.0": 1,
            "Mozilla/5.0 X11; Ubuntu; Linux x86_64; rv:126.0 Gecko/20100101 Firefox/126.0": 8,
            "curl/7.88.1": 1,
            "curl/8.5.0": 7,
            "webpage-rs - https://crates.io/crates/webpage": 2
        },
        // JA4 corresponding IP list
        "related_ips": {}
    }
}