Activity
ggrayapura7 commented on Mar 7, 2025
Hunting_Abuse_Ch is a great addition as it serves as a central point for querying threat intelligence from abuse.ch. Integrating this into IntelOwl will enhance its ability to fetch relevant data on IPs, domains, URLs, and hashes efficiently. I’d be happy to contribute to implementing this analyzer. Let me know if there are any specific guidelines or improvements needed!
fgibertoni commented on Mar 10, 2025
I don't think there's anything specific for this analyzer to take care of. If you have some trouble, feel free to open a draft PR so we can help you better 😄
github-actions commented on Mar 20, 2025
This issue has been marked as stale because it has had no activity for 10 days. If you are still working on this, please provide some updates.
ggrayapura7 commented on Mar 21, 2025
Okay, thank you so much! I would love to look into more problems and give my contributions.
github-actions commented on Apr 2, 2025
This issue has been marked as stale because it has had no activity for 10 days. If you are still working on this, please provide some updates.
AnshSinghal commented on Apr 13, 2025
Hey @mlodic, the API mainly lets us fetch the full false positive list — there’s no endpoint to directly check a single observable. Just wanted to confirm if this is the kind of implementation you are expecting, since the docs are pretty limited.
AnshSinghal commented on Apr 14, 2025
@fgibertoni had a word with the Hunting Abuse Ch team. They currently only allow getting the false positive list from the API and nothing else. So I don't think we currently need this in IntelOwl. What do you say?
Roman Huessy
Sun, Apr 13, 11:48 PM (20 hours ago)
to me
Correct
On 13.04.25 19:02, Ansh Singhal wrote:
> Thank you for your reply. So this means at the moment we can only get
> the false positive list. Am I right?
>
> On Sun, Apr 13, 2025 at 3:15 PM Roman Huessy <roman.huessy@abuse.ch> wrote:
>
> Hello Ansh
>
> We currently only offer the following APIs:
>
> https://hunting.abuse.ch/api/
>
> Regards
> - Roman
>
> On 13.04.25 10:07, Ansh Singhal wrote:
>>
>> Dear Abuse.ch Team,
>>
>> I hope this message finds you well.
>>
>> I am currently working on integrating the Hunting API into an
>> open-source threat intelligence analysis platform and have been
>> referring to the information provided on your website. However, I
>> noticed that the available documentation is quite limited — it
>> primarily covers obtaining the false positive list using the
>> |get_fplist| query.
>>
>> I wanted to kindly ask if you could provide more detailed
>> documentation or usage guidelines for the Hunting API.
>> Specifically, I am looking for clarity on:
>>
>> * Whether it's possible to query individual observables (IP
>>   addresses, URLs, domains, or hashes) directly.
>> * What other |query| parameters (besides |get_fplist|) are
>>   supported.
>> * Any example responses or payload formats beyond the ones
>>   currently shown.
>> * If there's any rate limiting or best practices to follow when
>>   using the API in production environments.
>> * Whether example scripts or a Swagger/OpenAPI specification are
>>   available.
>>
>> More comprehensive documentation would be greatly helpful in
>> making effective and responsible use of your API.
>>
>> Thank you for your time and for the valuable work you do in the
>> cybersecurity community. I look forward to your response.
>>
>> Warm regards,
>> *Ansh Singhal*
fgibertoni commented on Apr 23, 2025
Thank you for reaching out to them!
I think that the false positive list can be a great addition as an analyzer anyway. I hope they will add some more APIs in the future.
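Since the thread establishes that only the full false positive list can be fetched, an analyzer has to match observables locally. The sketch below is an added example, not code from IntelOwl or abuse.ch: the record shape (`entry_type`, `entry_value`), the sample entries and the function names are assumptions, and the choice to report a URL whose host is listed is a design decision left visible to the caller.

```python
"""Local lookup of one observable against a bulk false-positive list."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample standing in for a downloaded list. The field names
# are assumed for illustration; adapt them to the real response.
SAMPLE_FPLIST = [
    {"entry_type": "domain", "entry_value": "Example.com"},
    {"entry_type": "ip", "entry_value": "192.0.2.10"},
    {"entry_type": "url", "entry_value": "https://cdn.example.net/lib.js"},
    {"entry_type": "sha256_hash", "entry_value": "AB" * 32},
]


def normalize(value):
    """Canonical form so that case or a trailing dot cannot hide a match."""
    v = value.strip()
    try:
        return str(ipaddress.ip_address(v))  # also compresses IPv6
    except ValueError:
        pass
    if "://" in v:
        p = urlsplit(v)  # scheme and hostname come back lower-cased
        host = (p.hostname or "").rstrip(".")
        port = f":{p.port}" if p.port else ""
        query = f"?{p.query}" if p.query else ""
        return f"{p.scheme}://{host}{port}{p.path or '/'}{query}"
    return v.lower().rstrip(".")  # domains and hex hashes


def build_index(fplist):
    """Map normalized value -> original record for O(1) lookups."""
    return {normalize(r["entry_value"]): r for r in fplist}


def check(observable, index):
    """Report whether the observable, or the host of a URL, is listed."""
    key = normalize(observable)
    hit, matched_on = index.get(key), "exact"
    if hit is None and "://" in key:
        hit, matched_on = index.get(urlsplit(key).hostname or ""), "host"
    return {
        "observable": observable,
        "false_positive": hit is not None,
        "matched_on": matched_on if hit else None,
        "entry": hit["entry_value"] if hit else None,
    }
```

Rebuilding the index once per list refresh keeps each lookup independent of the list size.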