[Analyzer] Hunting Abuse.ch
Name
Hunting_Abuse_Ch
Link
https://hunting.abuse.ch/api/
Type of analyzer
IP address, domain, URL, hash
Why should we use it
central point to query data from all abuse.ch services
Possible implementation
https://hunting.abuse.ch/api/
Hunting_Abuse_Ch is a great addition as it serves as a central point for querying threat intelligence from abuse.ch. Integrating this into IntelOwl will enhance its ability to fetch relevant data on IPs, domains, URLs, and hashes efficiently. I’d be happy to contribute to implementing this analyzer. Let me know if there are any specific guidelines or improvements needed!
I don't think there's anything specific for this analyzer to take care of. If you have some trouble feel free to open a draft PR so we can help you better 😄
This issue has been marked as stale because it has had no activity for 10 days. If you are still working on this, please provide some updates.
Okay thank you so much I would love to look into more problems and give my contributions
Hey @mlodic, the API mainly lets us fetch the full false positive list — there’s no endpoint to directly check a single observable. Just wanted to confirm if this is the kind of implementation you are expecting, since the docs are pretty limited.
@fgibertoni had a word with the Hunting Abuse Ch team. They currently only allow getting the false positive list from the API and nothing else. So I don't think we currently need this in IntelOwl. What do you say?
On 13.04.25 19:02, Ansh Singhal wrote:
> Thank you for your reply. So this means at the moment we can only get
> the false positive list. Am I right?
>
> On Sun, Apr 13, 2025 at 3:15 PM Roman Huessy <[email protected]> wrote:
>
> Hello Ansh
>
> We currently only offer the following APIs:
>
> https://hunting.abuse.ch/api/
>
> Regards
> - Roman
>
> On 13.04.25 10:07, Ansh Singhal wrote:
>>
>> Dear Abuse.ch Team,
>>
>> I hope this message finds you well.
>>
>> I am currently working on integrating the Hunting API into an
>> open-source threat intelligence analysis platform and have been
>> referring to the information provided on your website. However, I
>> noticed that the available documentation is quite limited — it
>> primarily covers obtaining the false positive list using the
>> `get_fplist` query.
>>
>> I wanted to kindly ask if you could provide more detailed
>> documentation or usage guidelines for the Hunting API.
>> Specifically, I am looking for clarity on:
>>
>> * Whether it's possible to query individual observables (IP
>>   addresses, URLs, domains, or hashes) directly.
>> * What other `query` parameters (besides `get_fplist`) are
>>   supported.
>> * Any example responses or payload formats beyond the ones
>>   currently shown.
>> * If there's any rate limiting or best practices to follow when
>>   using the API in production environments.
>> * Whether example scripts or a Swagger/OpenAPI specification are
>>   available.
>>
>> More comprehensive documentation would be greatly helpful in
>> making effective and responsible use of your API.
>>
>> Thank you for your time and for the valuable work you do in the
>> cybersecurity community. I look forward to your response.
>>
>> Warm regards,
>> *Ansh Singhal*
>>
Correct
Thank you for reaching out to them! I think that the false positive list can be a great addition as analyzer anyway. I hope they will add some more APIs in the future.
So, currently the implementation you expect is: the user searches for the observable; if it's in the false positive list then return true, else return false. Is this right?
Yes, so the user can add specific logic for filtering
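As an added example of the lookup agreed above (not IntelOwl's or abuse.ch's own code), the block below models the analyzer logic: parse a false positive list once, normalize the incoming observable by type, and report whether it is listed. The response schema of the `get_fplist` query is not documented on this page, so `FPLIST_SAMPLE` is a constructed sample in an assumed list-of-dicts shape, and `parse_fplist` would have to be adapted to the real payload. It goes slightly beyond the thread's true/false check by also matching a URL observable against listed domains, which is the kind of "specific logic for filtering" mentioned above.

```python
"""Added example (not IntelOwl or abuse.ch code): check whether an
observable appears in the abuse.ch Hunting false positive list.

Assumptions, labelled as such: the fplist is modelled as a list of dicts
with an "ioc" value. The real get_fplist response format is not shown on
the page, so FPLIST_SAMPLE below is a constructed sample.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample standing in for the get_fplist response (assumption).
FPLIST_SAMPLE = [
    {"ioc": "8.8.8.8", "comment": "Google public DNS"},
    {"ioc": "Example.COM", "comment": "documentation domain"},
    {"ioc": "https://www.example.org/index.html", "comment": "sample site"},
    {"ioc": "D41D8CD98F00B204E9800998ECF8427E", "comment": "MD5 of empty file"},
]

# MD5 / SHA-1 / SHA-256 hex digests
HEX_HASH_RE = re.compile(r"^[0-9a-fA-F]{32}$|^[0-9a-fA-F]{40}$|^[0-9a-fA-F]{64}$")


def classify(observable: str) -> str:
    """Return one of 'ip', 'hash', 'url', 'domain' for a raw observable."""
    value = observable.strip()
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if HEX_HASH_RE.match(value):
        return "hash"
    if "://" in value:
        return "url"
    return "domain"


def normalize(observable: str) -> str:
    """Canonical form so that case or a trailing dot does not cause a miss."""
    kind = classify(observable)
    value = observable.strip()
    if kind == "ip":
        return str(ipaddress.ip_address(value))  # collapses IPv6 spellings
    if kind == "hash":
        return value.lower()
    if kind == "url":
        parts = urlsplit(value)
        host = (parts.hostname or "").lower().rstrip(".")
        # query string and fragment are dropped on purpose for comparison
        return f"{parts.scheme.lower()}://{host}{parts.path or '/'}"
    return value.lower().rstrip(".")


def parse_fplist(payload) -> set:
    """Build a set of normalized IOCs from the (assumed) list-of-dicts payload."""
    return {normalize(entry["ioc"]) for entry in payload if entry.get("ioc")}


def is_false_positive(observable: str, fplist: set) -> bool:
    """True if the observable, or the host of a URL observable, is listed.

    A listed domain covers every URL on it; a listed URL does not mark its
    whole domain as benign, so that direction is deliberately not checked.
    """
    if normalize(observable) in fplist:
        return True
    if classify(observable) == "url":
        host = urlsplit(observable.strip()).hostname
        if host and host.lower().rstrip(".") in fplist:
            return True
    return False


def analyze(observable: str, payload=FPLIST_SAMPLE) -> dict:
    """Minimal analyzer report: the lookup result plus the detected type."""
    fplist = parse_fplist(payload)
    return {
        "observable": observable,
        "observable_type": classify(observable),
        "in_false_positive_list": is_false_positive(observable, fplist),
    }


if __name__ == "__main__":
    for obs in ("example.com.", "https://example.com/login", "8.8.4.4",
                "d41d8cd98f00b204e9800998ecf8427e"):
        print(analyze(obs))
```

In a real analyzer the list would be fetched once per run with the `get_fplist` query and cached rather than downloaded per observable, since the API only serves the whole list.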
@fgibertoni please assign