Data Correlation

Data correlation allows you to combine Defused telemetry with your existing security logs, SIEM events, EDR data, and network telemetry. The most effective way to do this is through the Defused API, available to Defused TF Business accounts.

The API exposes raw event data in JSON form, making it easy to enrich internal detections, validate suspicious IPs, or correlate exploit attempts across your environment.

Programmatic Access via the Defused API

To access the API, you will need an API key, which can be generated from the Account Settings → API Keys section in the Defused console.

The API returns structured JSON describing:

The type of activity observed from an IP
Any associated payloads
Timestamps, decoy types, severity, and other metadata

This allows you to map external attacker behaviour directly to your own internal events (e.g., matching an IP seen attacking a Defused decoy with a corresponding firewall log).

Example: Querying the Defused API with Python

Below is a simple example using requests to pull event data and integrate it into your own tooling:

import requests

API_KEY = "YOUR_API_KEY"
BASE_URL = "https://api.defusedcyber.com/v1/intel"

headers = {
    "Authorization": f"Bearer {API_KEY}",
    "Accept": "application/json"
}

# Example: Fetch events for a specific IP
params = {
    "ip": "203.0.113.42",
    "limit": 100
}

response = requests.get(BASE_URL, headers=headers, params=params)

if response.status_code == 200:
    data = response.json()
    print("Events returned:", len(data.get("events", [])))
    for event in data.get("events", []):
        print(f"- {event['timestamp']} | {event['decoy_type']} | {event['severity']}")
else:
    print("Error:", response.status_code, response.text)

Programmatic Access via the Defused API​

Example: Querying the Defused API with Python​

Programmatic Access via the Defused API

Example: Querying the Defused API with Python