Intel API (Defused TF Feed)

⚠️ Authentication Required

All endpoints described on this page require a valid API key.

Requests without an API key will return:

{ "detail": "Authentication credentials were not provided." }

Authentication

Authentication is done via an API key associated with your user account. An API key can be created in Settings.

Header-based authentication

Send the API key in one of the following headers:

X-API-Key: <your_api_key>

or

Authorization: ApiKey <your_api_key>

Only the following account types are allowed to access this API:

  • TF_ENT
  • Enterprise


Base URL

https://console.defusedcyber.com/api/v2/

All endpoints below are relative to this base.


Rate Limits

The API enforces per-API-key rate limits.

| Limit type | Value |
|---|---|
| Burst | 10 requests per minute |
| Daily | 50 requests per day |

If exceeded, the API returns:

429 Too Many Requests
{
"detail": "Request was throttled. Expected available in X seconds."
}

Date Range Rules (Important)

All alert queries are hard-limited to a maximum lookback of 30 days.

  • If you request a from date older than 30 days → it is clamped to 30 days ago.
  • If from is omitted → defaults to now − 30 days
  • If to is omitted → defaults to now

Dates must be ISO-8601 timestamps:

YYYY-MM-DDTHH:MM:SSZ

Example:

2026-01-14T12:00:00Z
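
The rules above, applied client-side so a collector can tell when the server will shorten the window it asked for. This is an added example, not Defused's code; `parse_ts`, `effective_window` and `to_params` are hypothetical names, and it assumes the 30-day cutoff is measured from a clock close to the caller's.

```python
from datetime import datetime, timedelta, timezone

MAX_LOOKBACK = timedelta(days=30)   # hard limit stated on this page
FMT = "%Y-%m-%dT%H:%M:%SZ"          # YYYY-MM-DDTHH:MM:SSZ

def parse_ts(value):
    """Parse the page's ISO-8601 'Z' format into an aware UTC datetime."""
    return datetime.strptime(value, FMT).replace(tzinfo=timezone.utc)

def effective_window(frm=None, to=None, now=None):
    """Return (start, end, clamped) as the documented rules would apply them.

    clamped is True when the requested `from` is older than the lookback, so
    alerts between the requested start and the returned start are not served.
    """
    now = now or datetime.now(timezone.utc)
    floor = now - MAX_LOOKBACK
    end = parse_ts(to) if to else now          # `to` omitted -> now
    start = parse_ts(frm) if frm else floor    # `from` omitted -> now - 30 days
    clamped = start < floor
    if clamped:
        start = floor                          # older `from` -> 30 days ago
    if end < start:
        # Client-side check only; the page does not say how the API treats this.
        raise ValueError("`to` is earlier than the effective `from`")
    return start, end, clamped

def to_params(start, end):
    """Format a window as the `from` / `to` query parameters."""
    return {"from": start.strftime(FMT), "to": end.strftime(FMT)}
```

A collector that sees `clamped` come back true has a coverage gap it cannot backfill from this API and should record it.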

Endpoints

List Shared Alerts

GET /shared-alerts/

Returns a paginated list of shared alerts.

Query Parameters

| Parameter | Type | Description |
|---|---|---|
| from | datetime | Start of date range (ISO-8601) |
| to | datetime | End of date range (ISO-8601) |
| severity | string | Exact match on alert_severity |
| q | string | Case-insensitive search on rawdata and alert_info |
| sensor_type | string | Filter by honeypot type |
| relevant | boolean | true / false |

Example: curl (basic list)

curl -H "X-API-Key: YOUR_API_KEY" \
"https://console.defusedcyber.com/api/v2/shared-alerts/"
curl -H "X-API-Key: YOUR_API_KEY" \
"https://console.defusedcyber.com/api/v2/shared-alerts/?from=2026-01-01T00:00:00Z&severity=high&q=execSync"

Example: Python (requests)

import requests

BASE_URL = "https://console.defusedcyber.com/api/v2"
API_KEY = "YOUR_API_KEY"

headers = {
    "X-API-Key": API_KEY,
}

params = {
    "from": "2026-01-01T00:00:00Z",
    "severity": "high",
    "q": "execSync",
}

resp = requests.get(
    f"{BASE_URL}/shared-alerts/",
    headers=headers,
    params=params,
    timeout=10,
)

resp.raise_for_status()
data = resp.json()

for alert in data.get("results", []):
    print(alert["alert_info"], alert["alert_severity"])

Fetch a Single Event

GET /shared-alerts/{uuid}/

Returns the full alert record, including fields that may be omitted from list views.

Example: curl

curl -H "X-API-Key: YOUR_API_KEY" \
"https://console.defusedcyber.com/api/v2/shared-alerts/8c6e5b6a-1111-2222-3333-444444444444/"

Example: Python

alert_uuid = "8c6e5b6a-1111-2222-3333-444444444444"

resp = requests.get(
f"{BASE_URL}/shared-alerts/{alert_uuid}/",
headers=headers,
timeout=10,
)

resp.raise_for_status()
alert = resp.json()
print(alert)

Pagination

Responses are paginated automatically, with a default page size of 50 results per request.

Use the page query parameter to request subsequent pages:

  • Page 1: ?page=1 (or omit page)
  • Page 2: ?page=2
  • Page 3: ?page=3
  • …and so on

Example response shape:

{
    "count": 124,
    "next": "/api/v2/shared-alerts/?page=2",
    "previous": null,
    "results": [
        {
            "uuid": "...",
            "alert_severity": "high",
            "alert_datetime": "2026-01-14T10:12:33Z"
        }
    ]
}

Treat results as the current page, then follow next until it becomes null.


curl examples

Fetch page 1:

curl -H "X-API-Key: YOUR_API_KEY" \
"https://console.defusedcyber.com/api/v2/shared-alerts/"

Fetch page 2:

curl -H "X-API-Key: YOUR_API_KEY" \
"https://console.defusedcyber.com/api/v2/shared-alerts/?page=2"

Fetch all pages (bash + jq):

BASE="https://console.defusedcyber.com"
URL="/api/v2/shared-alerts/"
KEY="YOUR_API_KEY"

while [ -n "$URL" ] && [ "$URL" != "null" ]; do
    RESP=$(curl -s -H "X-API-Key: $KEY" "$BASE$URL")

    # Process this page's results (example: print uuids)
    echo "$RESP" | jq -r '.results[].uuid'

    # Get next page URL (relative path) or null
    URL=$(echo "$RESP" | jq -r '.next')
done

Python examples

Fetch one page:

import requests

BASE_URL = "https://console.defusedcyber.com"
API_KEY = "YOUR_API_KEY"

headers = {"X-API-Key": API_KEY}

resp = requests.get(f"{BASE_URL}/api/v2/shared-alerts/", headers=headers, timeout=10)
resp.raise_for_status()

data = resp.json()
alerts = data["results"]

print("Got", len(alerts), "alerts on this page")

Fetch all pages (follow next):

import requests

BASE_URL = "https://console.defusedcyber.com"
API_KEY = "YOUR_API_KEY"

headers = {"X-API-Key": API_KEY}
url = f"{BASE_URL}/api/v2/shared-alerts/"
all_alerts = []

while url:
    resp = requests.get(url, headers=headers, timeout=10)
    resp.raise_for_status()

    data = resp.json()
    all_alerts.extend(data.get("results", []))

    next_path = data.get("next")  # may be None/null
    if not next_path:
        break

    # `next` may be a relative path like "/api/v2/shared-alerts/?page=2"
    if next_path.startswith("http://") or next_path.startswith("https://"):
        url = next_path
    else:
        url = f"{BASE_URL}{next_path}"

print("Total alerts fetched:", len(all_alerts))

Notes

  • count is the total number of matches across all pages.
  • next is either a URL/path to the next page, or null when you're at the end.
  • If you apply filters (severity/date/search), the next link preserves them automatically.
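
Following `next` while staying inside the rate limits above, reading the wait time from the 429 `detail` text, and refusing a `next` that points off the API host so the key is never sent elsewhere. This is an added example, not Defused's code; `throttle_wait`, `next_url`, `fetch_all` and the caller-supplied `fetch(url)` are hypothetical names, and counting throttled calls against the daily budget is a conservative assumption.

```python
import re
import time
from urllib.parse import urljoin

BASE = "https://console.defusedcyber.com"
DAILY_LIMIT = 50      # requests per day per API key (from this page)
BURST_PER_MIN = 10    # requests per minute per API key (from this page)

def throttle_wait(detail, default=60):
    """Seconds to wait, parsed from the 429 `detail` text shown on this page."""
    m = re.search(r"available in (\d+) seconds?", detail or "")
    return int(m.group(1)) if m else default

def next_url(nxt):
    """Resolve a relative or absolute `next`, refusing to leave the API host."""
    if not nxt:
        return None
    url = urljoin(BASE + "/", nxt)
    if not url.startswith(BASE + "/"):
        raise ValueError(f"refusing to send the API key to {url!r}")
    return url

def fetch_all(fetch, path="/api/v2/shared-alerts/", budget=DAILY_LIMIT,
              sleep=time.sleep):
    """Follow `next` until null while staying inside the documented limits.

    `fetch(url)` is supplied by the caller and returns (status_code, json_body),
    e.g. a wrapper around requests.get that adds the X-API-Key header.
    Returns (alerts, requests_used, complete).
    """
    url, alerts, used = next_url(path), [], 0
    while url and used < budget:
        status, body = fetch(url)
        used += 1          # assumption: throttled calls also count toward the budget
        if status == 429:
            sleep(throttle_wait(body.get("detail")))
            continue       # retry the same page
        if status != 200:
            raise RuntimeError(f"HTTP {status}: {body.get('detail')}")
        alerts.extend(body.get("results", []))
        url = next_url(body.get("next"))
        if url:
            sleep(60 / BURST_PER_MIN)   # pace to 10 requests per minute
    return alerts, used, url is None
```

At 50 results per page and 50 requests per day, one key can pull at most 2,500 alerts per day, so compare `count` from the first page against that before starting a full export.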

Error Responses

| Status | Meaning |
|---|---|
| 401 | Missing or invalid API key |
| 403 | Account type not permitted |
| 404 | Alert or resource not found |
| 429 | Rate limit exceeded |

For integration questions or higher limits, contact Defused support.