Welcome to the Interactive Cooperative Framework (ICF API) User Guide. The ICF API is an Application Programming Interface which provides Cyber Threat Intelligence (CTI) in Structured Threat Information Expression (STIX) format. This enables organizations to share CTI with one another in a consistent, readable manner.
Starting with the ICF API
Users can access the ICF API by clicking “API Management” at the top left of the Sentinel Portal.
Clicking it takes users to the API Management page.
The API Management page has a Product Usage chart which displays the initial credits, credits left and the next credits renewal date for ICF, CARA, and CATV.
The chart also shows the number of calls made for CATV, CARA and ICF during a specified time period. The time period options are Today, Last 7 Days, Last 15 Days and Last 30 Days.
Additionally, users may access the API documents by clicking the highlighted “API Docs” link next to the “Total calls for ICF” title. The link is visible once users open the left drop-down list and select “ICF”.
On the API Management page, users can access their API key and its details by scrolling down. Here, users are able to copy their API key and view details like its creation and expiry date, initial API credits and API credits remaining. Additionally, they have the ability to replace their API key with a new one, which is irreversible.
In the API documents, users can find more information about the different API versions. Users can also test the various API functions there, from querying the TRDB with different output formats (STIX and CSV) to checking the API key information and the current server time.
ICF API V1
The first version of the ICF API lets users query crypto addresses in the Sentinel Protocol TRDB (Threat Reputation Database).
Legacy query TRDB
In order to query a crypto address, users must provide their API key (which can be found and copied in the API management webpage earlier), and the wallet address to query. Once both fields have been filled, users may click the ‘Execute’ button to generate the query.
Once the query has been generated, users may view it by simply scrolling down. They also have the option to download it in a JSON format, which can be done by clicking the grey ‘Download’ button.
Additionally, users may view the schema of the query by clicking ‘Schema’, which can be found under the requests and responses. This is not limited to the legacy TRDB query: all queries, including v2 queries, have this feature.
ICF API V2
The second version of the ICF API provides users with Cyber Threat Intelligence (CTI) in Structured Threat Information Expression (STIX) format.
API 2.0 also allows queries that use any available field as a parameter (e.g. Crypto Address, URL, File Hash, Twitter Handler) and returns output in JSON or CSV format. STIX enables organizations to share CTI with one another in a consistent and readable manner.
ICF API V2.0 Wallet Query (STIX output)
Similar to the Legacy query, users have to provide their API key to execute the query. Users are required to enter both the wallet address and the chain of the wallet they wish to query. Unlike the legacy query, users may enter multiple entries to query multiple wallets.
Once the query has been executed, users may view it by simply scrolling down. Like the Legacy query before, they are able to download it in a JSON format too. The maximum number of wallet addresses users can query is 1000.
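The following is an added example, not code from the ICF API or its documentation. It splits a wallet watchlist into batches that respect the 1000-address limit above, then matches the addresses against indicators in a downloaded JSON result. It assumes the result is a STIX 2.1 bundle whose indicator patterns carry the address as a quoted literal; the sample bundle and the `x-example-wallet` object name are constructed.

```python
import json
import re

MAX_WALLETS_PER_QUERY = 1000  # per-query limit stated in this guide

# Constructed sample, not real ICF output. Assumes a STIX 2.1 bundle whose
# indicators hold the address as a quoted literal; "x-example-wallet" is a
# made-up object name.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000001",
         "pattern_type": "stix",
         "pattern": "[x-example-wallet:value = '0x" + "AB" * 20 + "']"},
        {"type": "identity", "spec_version": "2.1",
         "id": "identity--00000000-0000-4000-8000-000000000002",
         "name": "constructed"},
    ],
})

_QUOTED = re.compile(r"=\s*'([^']*)'")  # quoted literal after a comparison


def normalize(address):
    """Hex (0x...) addresses compare case-insensitively; others stay exact."""
    address = address.strip()
    return address.lower() if address[:2].lower() == "0x" else address


def batch_wallets(addresses, size=MAX_WALLETS_PER_QUERY):
    """Drop blanks and duplicates (order kept), then split into batches."""
    unique = list(dict.fromkeys(normalize(a) for a in addresses if a.strip()))
    return [unique[i:i + size] for i in range(0, len(unique), size)]


def flagged(addresses, bundle_text):
    """Return {address: [indicator ids]} for addresses named in indicators."""
    bundle = json.loads(bundle_text)
    if bundle.get("type") != "bundle":
        raise ValueError("expected a STIX bundle")
    hits = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue  # skip identities, relationships and other object types
        for value in _QUOTED.findall(obj.get("pattern", "")):
            hits.setdefault(normalize(value), []).append(obj.get("id"))
    return {a: hits[normalize(a)] for a in addresses if normalize(a) in hits}
```

Deduplicating before batching avoids submitting the same address twice in one query.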
ICF API V2.0 TRDB Query (STIX output)
Instead of only being able to search for an indicator via its pattern, users can search by other parameters such as security category, pattern type, pattern subtype, annotation, description and more. Also, the patterns are no longer limited to crypto wallet addresses, but include other forms of malicious threats as well.
Just like the V2 wallet query mentioned above, users can view the results and download them in a similar manner.
ICF API V2.0 TRDB Query (CSV output)
Similar to the TRDB query with STIX output, users have to provide their API key to execute the query and are able to search via various parameters.
However, instead of downloading the results in a JSON format, users are able to download them in a txt format.
ICF API V2.0 Get API Key Info
Users can obtain their API key information by entering the key in the text box. Once the query is executed, a URL is generated. Users may view their API key information by visiting the URL provided. Alternatively, they can scroll down to see the results, which can be downloaded in a JSON format.
ICF API V2.0 Get Server Time
Lastly, users can get the server time as well. Unlike the other queries, an API key is not required here. Users simply need to click the “Execute” button. The results can be viewed in the server response and downloaded in a JSON format.
This is the end of the ICF API User Guide. Please contact us at firstname.lastname@example.org or at our forum if you have any questions about the ICF API.