Search API
The Search API lets you filter data using the ONYPHE Query Language (OQL). You can pass as many search filters as you wish; the syntax is always FILTER:VALUE. See the ONYPHE Query Language chapter for details.
This API executes searches on the datascan category by default and tries to detect which filters you want to use. For instance, if you enter a domain name, the domain filter is used automatically: a search for google.com is rewritten to domain:google.com under the hood.
Other automatically detected patterns are:
- port numbers
- hostnames
Also, if you give words or phrases that are not detected as one of these patterns, the data field is used as the fallback.
NOTE: unless you state that you want to search historical data, the Search API defaults to searching the last 30 days.
LIMIT: the Search API returns at most 10,000 results per query. If you need more, use the Export API, available starting from Eagle Views.
Using curl
You can call the Search API with curl as follows to retrieve 10 results from page 2 (note that every parameter belongs to one query string, so page and size are appended with &, not a second ?):
curl -H 'Content-Type: application/json' -H 'Authorization: bearer YOUR_APIKEY' -XGET 'https://www.onyphe.io/api/v2/search/?q=protocol:rdp+domain:google.com&page=2&size=10'
Output:
{
  "count": 100,
  "error": 0,
  "max_page": 5,
  "myip": "<redacted>",
  "page": 1,
  "page_size": 100,
  "results": [
    {
      "@category": "datascan",
      "@timestamp": "2023-02-23T09:06:47.000Z",
      [..]
  ],
  "status": "ok",
  "text": "Success",
  "took": 0.075,
  "total": 445
}
Available parameters
- page: the page you want to fetch, defaults to the first one (page=1). You can iterate over up to 10,000 results, i.e. at most 100 pages of 100 results
- size: maximum number of results on a given page, defaults to 100 (size=100). Can be set up to 10,000
- trackquery: output a trackquery field reflecting which OQL request matched the result, defaults to false (trackquery=false). Can be set to true or false
- calculated: output a calculated field to enrich results. For instance, when a result is a URL, it outputs the calculated.url.defang and calculated.url.undefang fields so the complete URL that was scanned can be rebuilt; defaults to false (calculated=false). Can be set to true or false
Using ONYPHE CLI
onyphe -search OQL
NOTE: for automatic page iteration from the ONYPHE CLI, add the following to ~/.onyphe.ini:
api_size = 100
api_maxpage = 100
Using curl against Unrated API endpoint
To query the Unrated API endpoint, pass the API key as an HTTP parameter (k=YOUR_APIKEY), because the Authorization header is used for Basic authentication credentials built from your login email address (as the user, with @ replaced by _) and your API key (as the password):
# Basic auth user: your login email with every '@' replaced by '_'
LOGIN=$(echo -n YOUR_LOGIN_EMAIL | sed 's/@/_/g')
# Basic auth password: your API key
PASS=YOUR_APIKEY
# base64 of user:password, on a single line (-w 0 is GNU coreutils)
BASIC=$(echo -n "$LOGIN:$PASS" | base64 -w 0)
# the API key is repeated as the k query parameter for the Unrated endpoint
curl -H 'Content-Type: application/json' -H "Authorization: basic $BASIC" -XGET 'https://www.onyphe.io/unrated/api/v2/search/?q=protocol:rdp+domain:google.com&k=YOUR_APIKEY'
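The following Python client is an added example, not ONYPHE's own code, covering both the pagination rules listed under "Available parameters" (page, size, max_page, the 10,000-result cap) and the two authentication modes (bearer token on the rated endpoint, Basic auth plus the k parameter on the Unrated endpoint). Endpoint paths, JSON field names and the @ to _ login rewrite come from this page; the fetch callable, the fake_fetch_factory stand-in and its sample responses are constructed for the example so it runs offline.

```python
"""Paging helper for the ONYPHE Search API (added example, not ONYPHE's client)."""
import base64
import json
import urllib.parse
import urllib.request

RATED_BASE = "https://www.onyphe.io/api/v2/search/"
UNRATED_BASE = "https://www.onyphe.io/unrated/api/v2/search/"
MAX_RESULTS = 10_000  # hard cap stated for the Search API


def build_search_url(query, page=1, size=100, unrated=False, api_key=None):
    """Build the URL; all parameters live in one query string ('?' once, then '&')."""
    if page < 1 or size < 1 or size > MAX_RESULTS:
        raise ValueError("page must be >= 1 and 1 <= size <= 10000")
    params = {"q": query, "page": page, "size": size}
    if unrated:
        if not api_key:
            raise ValueError("the Unrated endpoint needs the API key as the k parameter")
        params["k"] = api_key
    base = UNRATED_BASE if unrated else RATED_BASE
    return base + "?" + urllib.parse.urlencode(params)


def auth_header(api_key, login_email=None):
    """Rated endpoint: bearer token. Unrated: Basic auth, '@' replaced by '_' in the login."""
    if login_email is None:
        return {"Authorization": "bearer " + api_key}
    login = login_email.replace("@", "_")
    token = base64.b64encode(f"{login}:{api_key}".encode()).decode()
    return {"Authorization": "basic " + token}


def http_fetch(url, headers):
    """Real transport: GET the URL and parse the JSON body (not used offline)."""
    req = urllib.request.Request(url, headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iterate_results(query, api_key, fetch=http_fetch, size=100, login_email=None):
    """Yield every result page by page, stopping at max_page or the 10,000-result cap."""
    unrated = login_email is not None
    headers = auth_header(api_key, login_email)
    page, seen = 1, 0
    while seen < MAX_RESULTS:
        url = build_search_url(query, page=page, size=size, unrated=unrated, api_key=api_key)
        body = fetch(url, headers)
        # The API reports failures in the error/status fields, not only via HTTP codes
        if body.get("error", 0) != 0 or body.get("status") != "ok":
            raise RuntimeError(f"search failed on page {page}: {body.get('text')}")
        results = body.get("results", [])
        for result in results:
            yield result
            seen += 1
            if seen >= MAX_RESULTS:
                return
        if not results or page >= body.get("max_page", page):
            return
        page += 1


def fake_fetch_factory(total, size):
    """Constructed stand-in for the API that answers paged requests from a synthetic data set."""
    def fetch(url, headers):
        params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
        page = int(params["page"][0])
        start = (page - 1) * size
        results = [{"@category": "datascan", "n": i} for i in range(start, min(start + size, total))]
        return {"error": 0, "status": "ok", "text": "Success", "page": page,
                "page_size": size, "max_page": -(-total // size), "count": len(results),
                "results": results, "total": total}
    return fetch


if __name__ == "__main__":
    # Offline demonstration: 445 synthetic results paged 100 at a time, as in the sample output
    hits = list(iterate_results("protocol:rdp domain:google.com", "YOUR_APIKEY",
                                fetch=fake_fetch_factory(445, 100)))
    print(len(hits), "results over", -(-445 // 100), "pages")
```

To run it against the real service, call iterate_results with the default fetch and a real API key; pass login_email only when you target the Unrated endpoint, which switches both the base URL (with the k parameter) and the Authorization header.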