Defender API: Features, Functionality, and Usage
The Lumu Defender API uses HTTP requests and returns JSON responses. This documentation outlines the required endpoints, request parameters, sample JSON payloads, and expected response messages.
The Defender API provides a framework for maximizing the value of your existing cybersecurity investments by integrating real-time data on confirmed compromise instances with your current security stack, enabling unified automation of mitigation and remediation efforts. To get started, refer to our comprehensive documentation
The Defender API is language-agnostic and supports both incoming and outgoing data. All API calls are secured with HTTPS (SSL/TLS) and authenticated using API keys.
Access and Authentication
The Defender API requires each client to use a unique API key, referred to in this documentation as
{company-key}. This key is available in the Integrations section of the Lumu Portal and is managed directly by your organization's administrators.
The revocation process generates a new Defender API key. This action cannot be undone and will cause your existing API integrations to stop working until you update your integrations with the new key. This option should be used only in specific scenarios, such as when the current API key is compromised or must be rotated due to security policies.
The ability to integrate Lumu with your security stack via the Defender API is included in the Lumu Defender subscription. This tier enables seamless integration of Lumu’s real-time analysis into your existing security tools, helping you mitigate and remediate compromise incidents quickly and accurately.
Lumu Insights customers have access to the Defender API, though with certain limitations. In this document, resources available to Insights accounts are marked with the tag
[Available for Insights].
You can access the API using various methods, including:
- Applications that support REST calls, such as Postman or Insomnia
- Programming languages or command-line tools, like Python or curl
- Third-party platforms that support REST integration, such as Fortinet, QRadar, or Splunk
Choose the method that best fits your organization’s needs and environment.
Postman Tutorial
Lumu provides a Postman collection, which is a structured set of pre-configured HTTP requests grouped together to test and document an API. Collections can include variables, authentication details, test scripts, and environment settings to streamline development and collaboration. You can use this collection to test the Lumu Defender API.
Resources overview
The following resources are accessible via the Lumu Defender API. These are familiar terms that can be traced to their counterpart in the Lumu Portal.
|
Resource
|
Description
|
administration |
Used to retrieve data on users and labels.
|
incidents |
Used to subscribe to incident updates, retrieve incident data, and manage incident statuses.
|
adversarial-activity |
Used to retrieve all adversarial activity detected across your network perimeter.
|
spambox |
Used to retrieve adversarial activity associated with your organization’s email intelligence.
|
Syntax, pagination and date format
General Syntax
The public host of the Lumu API is: https://defender.lumu.io
All API endpoints are relative to the base URL. For example, since the base URL is URL of
https://defender.lumu.io/api
, the /incidents endpoint would be https://defender.lumu.io/api/incidents
Pagination
Paging results can be controlled using query string parameters. This feature is available for endpoints that return more data than can fit in a single response.
|
Query Params
|
Data Type
|
Description
|
page |
integer (optional)
|
Page number of the result set (default: 1).
|
items |
integer (optional)
|
Limit the number of results per page (default: 50, max: 100)
|
Example of URI that includes paging parameters:
https://defender.lumu.io/api/administration/labels?key={company-key}&items=20&page=3
Paginated queries deliver pagination info at the end of each query, for example:
Example
"paginationInfo": {
"total": 20,
"page": 2,
"items": 2,
"next": 3,
"prev": 1
Note that
"prev" or "next" may not be returned if there is no previous or next page; "total" may appear in some specific services, such as for the administration endpoint.
Date Format
The Defender API uses a standardized date and time format to ensure consistency and interoperability with third-party applications. All date and time values are returned in Coordinated Universal Time (UTC) and follow the formats defined by RFC 3339 and ISO 8601 (YYYY-MM-DDTHH:mm:ss:sssZ). For example,
2021-03-21T18:25:43.000Z
, where the trailing Z indicates that the time zone is UTC (GMT).
You can submit queries to the Defender API using date and time values in your local time zone. However, note that the API will automatically convert all time zone values to UTC.
The following are examples of date and time formats currently accepted by the Defender API:
Example
"2025-02-23T10:15:30.00-05:00[Europe/Paris]"
"2025-02-23T16:15:30.234+01:00[America/Bogota]"
"2025-02-23T16:15:30.234+01:00"
"2025-12-23T16:15:30.235"
"2025-02-23T10:15:30"
All the dates and times provided in the example above will be converted automatically by the Defender API to UTC format. Example:
"2025-02-23T15:15:30.234Z"
When using the
fromDate
and
ToDate parameters in your queries, ensure that the specified date range does not exceed 31 calendar days and is not older than 180 calendar days from the current date.
The following example will return error 400 as it includes a time range greater than 31 days:
Example
{
"fromDate": "2025-02-0923T15:15:30.234Z",
"toDate": "2025-03-23T15:15:30.234Z"
}
Queries that include the
hours parameter are limited to a maximum of 767 hours (approximately 30 days) prior to the current date and time. The following example shows a query where the hours value exceeds this limit, which will result in a 400 Bad Request error.Example
{
"hours": 800,
}
Error Responses
The Lumu API uses standard HTTP features and standard HTTP status codes to indicate errors.
|
HTTP Code
|
Description
|
200 |
OK Everything worked as expected. The expected data was returned. |
400 |
Bad Request Client-side error status. Verify malformed request syntax, invalid request message parameters, etc. |
401 |
Unauthorized The provided API key is not valid. |
403 |
Forbidden Your company does not have sufficient privileges to access the API resource. |
500 |
Internal server error Our application server encountered a problem, try again later and if the problem persist, please let us know. |
Rate Limits
The default rate limits for API calls are 50 requests per minute and 10,000 requests per day.
For queries that return listed results, you can specify the maximum number of items to be returned using the following query string parameter:
|
Query Params
|
Data Type
|
Description
|
max-items |
Integer (optional) |
The maximum number of items to be returned (default: 10, max: 10240).
|
Example:
https://defender.lumu.io/resources/administration/labels?key={company-key}&items=20&page=3&max-items=50
The response examples in this document are not exhaustive and do not cover all possible parameter configurations or operations. They are intended to illustrate the basic structure, formatting, and labeling of the data returned by the API. Actual responses may include additional parameters depending on the context of the request.
Working with Users and Labels
The
/administration endpoints contain information about labels and users of the company. Labels help identify and classify compromise distribution across your infrastructure.
Retrieve labels
[Available for Insights]
Get a paginated list of all the labels created for the company and its details such as id, name and business relevance. The items are sorted by the label id in ascending order.
GET Request
GET Request
GET https://defender.lumu.io/administration/labels?key={company-key}
|
Query Params
|
Description
|
key |
Your company's unique API key, available in the Lumu Portal.
|
page |
Page number of the result set (default: 1)
|
items |
Limit the number of results per page (default: 50, max: 100)
|
Example Request
curl --location --request GET 'https://defender.lumu.io/administration/labels?key=56a0fc30-a6de-85eb-8249-a117f0a9f8g3&page=1&items=50' \ --data-raw ''
Example Response
{
"labels": [
{
"id": 1,
"name": "Sales",
"relevance": 3
},
{
"id": 2,
"name": "Customers",
"relevance": 1
},
],
"paginationInfo": {
"page": 2,
"items": 2,
"next": 3,
"prev": 1
}
}
Additional response definitions
|
Parameter
|
Description
|
relevance |
Business relevance. Companies define label relevance according to their business reality for faster data-supported decisions. The possible values are 1 (low), 2 (medium) and 3 (high).
|
Retrieve a specific label
[Available for Insights]
Get details such as id, name and business relevance from a specific label.
GET Request
GET Request
GET https://defender.lumu.io/api/administration/labels/{label-id}?key={company-key}
|
Query Params
|
Description
|
key |
Your company's unique API key, available in the Lumu Portal.
|
Example Request
curl --location --request GET 'https://defender.lumu.io/administration/labels/1?key=56a0fc30-a6de-85eb-8249-a117f0a9f8g3' \ --data-raw ''
Example Response
{
"id": 1,
"name": "Sales",
"relevance": 3
}
Retrieve users
[Available for Insights]
Get a paginated list of all the users registered in the company and their details. The items are sorted by the user id in ascending order.
GET Request
GET Request
GET https://defender.lumu.io/administration/users?key={company-key}
|
Query Params
|
Description
|
key |
Your company's unique API key, available in the Lumu Portal.
|
page |
Page number of the result set (default: 1)
|
items |
Limit the number of results per page (default: 50, max: 100)
|
Example Request
curl --location --request GET 'https://defender.lumu.io/api/administration/users?key=56a0fc30-a6de-85eb-8249-a117f0a9f8g3&page=1&items50' \ --data-raw ''
Example Response
{
"users": [
{
"id": 1,
"role": "admin",
"email": "john@company.com",
"name": "John Doe",
"time_zone": "Etc/UTC",
"deactivated": false
},
{
"id": 2,
"role": "admin",
"email": "sara@company.com",
"name": "Sara Green",
"time_zone": "Etc/UTC",
"deactivated": true
}
],
"paginationInfo": {
"page": 2,
"items": 2,
"next": 3,
"prev": 1
}
}
Additional response definitions
|
Parameter
|
Description
|
deactivated |
User account status. The two possible values are false(user is active) and true(user is deactivated). A deactivated account cannot login in to the Lumu Portal.
|
Retrieve a specific user
[Available for Insights]
Get specific user details such as id, name, and role.
GET Request
GET Request
GET https://defender.lumu.io/api/administration/users/{user-id}?key={company-key}
|
Query Params
|
Description
|
key |
Your company's unique API key, available in the Lumu Portal.
|
Example Request
curl --location --request GET 'https://defender.lumu.io/api/administration/users/2?key=56a0fc30-a6de-85eb-8249-a117f0a9f8g3' \ --data-raw '''
Example Response
{
"id": 2,
"role": "admin",
"email": "sara@company.com",
"name": "Sara Green",
"time_zone": "Etc/UTC",
"deactivated": false
}
Working with Incidents
The
/incidents
endpoints contain information about incidents of the company. Lumu groups all occurrences of contacts to malicious infrastructure by an adversary and presents them consolidated in the form of incidents.
To get started with Incidents, consult
our documentation.
General considerations
Incident statuses and types may vary over time. Therefore, any implementation using endpoints that accept these as query parameters should account for possible changes.
The following are the current values for these parameters:
-
status:
"open", "muted", "closed".
-
incident-types:
"C2C", "Malware", "DGA", "Mining", "Spam", "Phishing"
User identification considerations
To associate a specific user with POST API actions (such as mark as read, mute, unmute, and close), include the
Lumu-User-Id
header in the request, using the user's ID as its value.
Example:
Lumu-User-Id:2. This parameter is optional. If it is not included, the action will not be associated with any specific user. For example, if the query header includes the ID 2, which corresponds to the user "Integration user", the incident log will appear as shown in the following image.
Retrieve Incidents
Retrieves a paginated list of incidents for the company, ordered by most recent first.
POST Request
POST Request
POST https://defender.lumu.io/api/incidents/all?key={company-key}
|
Query Params
|
Description
|
key |
Your company's unique API key, available in the Lumu Portal.
|
page |
Page number of the result set (default: 1)
|
items |
Limit the number of results per page (default: 50, max: 100)
|
Body parameters
|
Name
|
Data Type
|
Description
|
fromDate |
date-time (optional)
|
Search start date. The default value is 7 days before the current date. Example: "2021-04-01T14:40:14.939Z"
|
toDate |
date-time (optional)
|
Search end date. The default value is the current date. Example: "2021-04-07T14:40:14.939Z"
|
status |
array (optional)
|
Incident status. If not specified, all objects are returned. Example: "open", "muted", "closed"
|
adversary-types |
array (optional)
|
Adversary types. If not specified, all objects are returned. Examples: "C2C", "Malware", "DGA", "Mining", "Spam", "Phishing"
|
labels |
array (optional)
|
Label IDs — You can use the Labels API call beforehand to retrieve available label IDs and their corresponding names. If not specified, all objects are returned. Example: 2, 3, 5
|
Example Request
curl --location --request POST 'https://defender.lumu.io/api/incidents/all?key=56a0fc30-a6de-85eb-8249-a117f0a9f8g3&page=1&items=50' \ --data-raw '{ "fromDate": "2021-03-23T16:15:30.00-05:00[Europe/Paris]", "toDate": "2021-04-15T16:15:30.234+01:00[Europe/Paris]", "status": ["open"], "adversary-types": ["C2C"], "labels": [0, 815] }'
Example Response
{
"items": [
{
"id": "2a4862b0-97af-11eb-aa46-b5c18d44caca",
"timestamp": "2021-04-07T14:40:14.939Z",
"statusTimestamp": "2021-04-07T14:40:14.939Z",
"status": "open",
"contacts": 1,
"adversaries": [
"example1.com"
],
"adversaryTypes": [
"C2C"
],
"labelDistribution": {
"17": 1
},
"totalEndpoints": 1,
"lastContact": "2021-04-04T14:37:02.228Z",
"unread": true
}
],
"paginationInfo": {
"page": 1,
"items": 50,
}
}
Retrieve a specific Incident's details
[Available for Insights]
Retrieves detailed information about a specific incident. The response may include additional parameters—such as DNSPacketExtraInfo—depending on the data collection source.
GET Request
GET Request
GET https://defender.lumu.io/incidents/{incident-uuid}/details?key={company-key}
|
Query Params
|
Description
|
key |
Your company's unique API key, available in the Lumu Portal.
|
Example Request
--location --request GET 'https://defender.lumu.io/api/incidents/4d90fc30-a6de-11eb-8239-a117f0a9f6f5/details?key=56a0fc30-a6de-85eb-8249-a117f0a9f8g3' \ --data-raw ''
Example Response (200 - Success)
{
"id": "4d90fc30-a6de-11eb-8239-a117f0a9f6f5",
"timestamp": "2021-04-26T22:25:27.923Z",
"isUnread": false,
"contacts": 114,
"adversaryId": "Malware family qakbot",
"adversaries": [
"malicious.net",
"suspicious.biz",
"example.com"
],
"adversaryTypes": [
"DGA"
],
"description": "Malware family qakbot",
"labelDistribution": {
"144": 114
},
"totalEndpoints": 1,
"lastContact": "2021-04-26T22:39:16.131Z",
"actions": [
{
"datetime": "2021-04-27T15:13:56.939Z",
"userId": 0,
"action": "close",
"comment": "Incident close from external API"
},
{
"datetime": "2021-04-26T22:42:32.532Z",
"userId": 1,
"action": "read",
"comment": ""
}
],
"status": "closed",
"statusTimestamp": "2021-04-27T15:13:56.939Z",
"firstContactDetails": {
"uuid": "09e02310-de1b-11ec-b481-eb776e1a9b92",
"datetime": "2022-05-28T00:13:45.281Z",
"host": "111example.com",
"types": [
"Phishing"
],
"details": [
"Malware family Pony"
],
"endpointIp": "255.111.22.000",
"endpointName": "USER.USER-PC",
"label": 346,
"sourceType": "virtual_appliance",
"sourceId": "55719C03-b31t-4d5e-8e1e-9f2b7d651c45",
"sourceData": {
"DNSPacketExtraInfo": {
"question": {
"type": "A",
"name": "111example.com",
"class": "IN"
},
"responseCode": "NOERROR",
"flags": {
"authoritative": false,
"recursion_available": true,
"truncated_response": false,
"checking_disabled": false,
"recursion_desired": true,
"authentic_data": false
},
"answers": [
{
"name": "111example.com",
"type": "A",
"class": "IN",
"ttl": 2549,
"data": "51.225.156.155"
}
],
"opCode": "QUERY"
}
},
"isPlayback": false
},
"lastContactDetails": {
"uuid": "a53c04a0-de1b-11ec-8d45-eb776e3f5271",
"datetime": "2022-05-28T00:18:05.930Z",
"host": "111example.com",
"types": [
"Phishing"
],
"details": [
"Malware family Pony"
],
"endpointIp": "119.129.000.11",
"endpointName": "USER.USER-PC",
"label": 346,
"sourceType": "virtual_appliance",
"sourceId": "55719C03-b31t-4d5e-8e1e-9f2b7d651c45",
"sourceData": {
"DNSPacketExtraInfo": {
"question": {
"type": "A",
"name": "111example.com",
"class": "IN"
},
"responseCode": "NOERROR",
"flags": {
"authoritative": false,
"recursion_available": true,
"truncated_response": false,
"checking_disabled": false,
"recursion_desired": true,
"authentic_data": false
},
"answers": [
{
"name": "111example.com",
"type": "A",
"class": "IN",
"ttl": 2549,
"data": "250.4.148.28"
}
],
"opCode": "QUERY"
}
},
"isPlayback": false
}
Retrieve a specific Incident's context
Retrieves contextual information related to a specific incident.
GET Request
GET Request
GET https://defender.lumu.io/api/incidents/{incident-uuid}/context?key={company-key}&hash={hash-type}
|
Query Params
|
Description
|
key |
Your company's unique API key, available in the Lumu Portal.
|
hash-type |
Message-digest algorithm (Cryptographic Hash Function) you are requesting, can correspond to SHA256, SHA1 or MD5. If a hash type isn't requested, this will return a SHA256 hash by default. This parameter isn't case sensitive.
|
Example Request
curl --location --request GET 'https://defender.lumu.io/api/incidents/4d90fc30-a6de-11eb-8239-a117f0a9f6f5/context?key=56a0fc30-a6de-85eb-8249-a117f0a9f8g3&hash=sha1'
Example Response (200 - Success)
{
"adversary_id": "domain-example.net",
"currently_active": false,
"deactivated_on": "2021-09-04T14:32:23.325Z",
"mitre": {
"details": [
{
"tactic": "discovery",
"techniques": ["T1083", "T1069.002", "T1082"]
},
{
"tactic": "initial-access",
"techniques": ["T1189", "T1566.001"]
}
],
"matrix": "enterprise",
"version": "9.0"
},
"related_files": [
"c7267981748605fd27af739ef32d4688dc1dc160",
"0668db6c06fe1bf8726487cd346f5dea7a20caf7",
"4adb5eeb53dae0a580f4ec55a9add1a0696f4e93",
"c38e3a08046938c0d9017c5d09e460b3d0046563",
"8ae2e0bbb7174320379d720ca35421d3d96843ff",
"c5515101ec506e963cc6fd4d2fc488300c4b4053",
"79d78a1de39c09977d7d2b8bb09d78cfd7621804",
"981ea159a18d468aded419ddace8403efa53e1a6",
"c08b0daa01a2a3f5ce42d1f4838ca5ecd0e6b64c",
"c7ea27eb33916cc63243354bd6bee988f2a16d09",
"46b37255f22cb75c5031153d1639794c4ea53da4",
"e89a0a90d44b186c129a9dfac85b2a6cb5686c94",
"253738ee1fdff2131cc9917088d277dae983859a",
"b61ac17c70aed3ad70d768d92dd39771e3eb9c59"
],
"threat_details": [
"Sodinokibi Ransomware related"
],
"threat_triggers": ["http://domain-example.net/"],
"playbooks": ["https://docs.lumu.io/portal/en/kb/articles/malware-incident-response-playbook"],
"external_resources": [
"https://www.virustotal.com/gui/domain/domain-example.net/relations",
"https://urlhaus.abuse.ch/host/domain-example.net/",
"https://www.appgate.com/blog/electric-company-ransomware-attack-calls-for-14-million-in-ransom",
"https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html"
],
"timestamp": "2021-11-03T18:30:01.782Z"
}
Comment a specific incident
[Available for Insights]
Add a comment to a specific incident. This operation does not return a response.
POST Request
POST Request
POST https://defender.lumu.io/api/incidents/{incident-uuid}/comment?key={company-key}
|
Query Params
|
Description
|
key |
Your company's unique API key, available in the Lumu Portal.
|
Body parameters:
|
Name
|
Data Type
|
Description
|
comment |
string
|
comment to be added to the incident
|
Example Request
curl --location --request POST 'https://defender.lumu.io/api/incidents/eec41860-e69f-11ec-b7a5-9ded001a2220/comment?key=MbEoJwFYiPmMUDi8k1CaIIo3EDeFwWox' \
--header 'Content-Type: application/json' \
--data-raw '{
"comment": "comment"
}'
Retrieve open incidents
[Available for Insights]
Retrieves a paginated list of open incidents for the company, ordered by most recent first.
POST Request
POST Request
POST https://defender.lumu.io/incidents/open?key={company-key}
|
Query Params
|
Description
|
key |
Your company's unique API key, available in the Lumu Portal. |
page |
Page number of the result set (default: 1)
|
items |
Limit the number of results per page (default: 50, max: 100)
|
Body Parameters
| Name |
Data Type
|
Description
|
adversary-types |
array (optional)
|
Adversary types. If not specified, all objects are returned. Examples: "C2C", "Malware", "DGA", "Mining", "Spam", "Phishing"
|
labels |
array (optional)
|
Label IDs — You can use the Labels API call beforehand to retrieve available label IDs and their corresponding names. If not specified, all objects are returned. Example: 2, 3,
|
Example Request
curl --location --request POST 'https://defender.lumu.io/api/incidents/open?key=56a0fc30-a6de-85eb-8249-a117f0a9f8g3&page=1&items=50' \ --data-raw '{ "adversary-types": [], "labels": [] }'
Example Response (200 - Success)
{
"items": [
{
"id": "d53f69d0-9948-11eb-9b30-bd475fa20b50",
"timestamp": "2021-04-09T15:32:45.933Z",
"statusTimestamp": "2021-04-13T15:15:57.591Z",
"status": "open",
"contacts": 4,
"adversaries": [
"malicious.com",
"suspicious.com"
],
"adversaryId": "Malware family Banjori",
"adversaryTypes": [
"DGA"
],
"description": "Malware family Banjori",
"labelDistribution": {
"37": 2,
"39": 1,
"179": 1
},
"totalEndpoints": 3,
"lastContact": "2021-04-08T15:25:02.228Z",
"unread": false
}
],
"paginationInfo": {
"page": 1,
"items": 50
}
}
Retrieve muted incidents
[Available for Insights]
Retrieves a paginated list of muted incidents for the company, ordered by most recent first.
POST Request
POST Request
POST https://defender.lumu.io/incidents/muted?key={company-key}
|
Query Params
|
Description
|
key |
Your company unique API key available at the Lumu Portal.
|
pages |
Page number of the result set (default: 1)
|
items |
Limit the number of results per page (default: 50, max: 100)
|
Body Parameters
|
Name
|
Data Type
|
Description
|
adversary-types |
array (optional)
|
Adversary types. If not specified, all objects are returned. Examples: "C2C", "Malware", "DGA", "Mining", "Spam", "Phishing"
|
labels |
array (optional)
|
Label IDs — You can use the Labels API call beforehand to retrieve available label IDs and their corresponding names. If not specified, all objects are returned. Example: 2, 3,
|
Mute incident
[Available for Insights]
Silence notifications for a specific incident.
POST Request
POST Request
POST https://defender.lumu.io/api/incidents/{incident-uuid}/mute?key={company-key}
|
Query Params
|
Description
|
key |
Your company's unique API key, available in the Lumu Portal.
|
Body Parameters
|
Name
|
Data Type
|
Description
|
comment |
string (optional)
|
Comment to be added in the Incident log. Example: "Internal penetration tests"
|
Example Request
curl --location --request POST 'https://defender.lumu.io/incidents/d3f41000-af3f-11eb-84b5-75a575634188/mute?key=56a0fc30-a6de-85eb-8249-a117f0a9f8g3' \ --data-raw '{ "comment": "" }'
Unmute incident [Available for Insights]
Enable notifications for a specific incident.
POST request
POST request
POST https://defender.lumu.io/api/incidents/{incident-uuid}/unmute?key={company-key}
|
Query Params
|
Description
|
key |
Your company's unique API key, available in the Lumu Portal.
|
Body Parameters
|
Name
|
Data Type
|
Description
|
comment |
string (optional)
|
Comment to be added in the Incident log. Example: "Internal penetration tests"
|
Close incident
[Available for Insights]
Close a specific incident.
POST Request
POST Request
POST https://defender.lumu.io/api/incidents/{incident-uuid}/close?key={company-key}
|
Query Params
|
Description
|
key |
Your company's unique API key, available in the Lumu Portal.
|
Body Parameters
|
Name
|
Data Type
|
Description
|
comment |
string (optional)
|
Comment to be added in the Incident log. Example: "Internal penetration tests"
|
Example Request
curl --location --request POST 'https://defender.lumu.io/api/incidents/d3f41000-af3f-11eb-84b5-75a575634188/close?key=56a0fc30-a6de-85eb-8249-a117f0a9f8g3' \ --data-raw '{ "comment": "" }'
Subscribe to Incidents (Websocket)
Lumu provides a streaming endpoint to subscribe to real-time updates on activity notifications. Establishing a connection to the streaming API means making a very long-lived HTTP request, and parsing the response incrementally.
The following endpoint can be used to stream notifications to any client that implements WebSockets.
wss://defender.lumu.io/api/incidents/subscribe?key={company-key}
The date format in the notifications received by a WebSocket client from the Defender API is in the UTC time zone and follows standards published in RFC 3339 and ISO 8601.
See the following examples of notification logs received by a WebSocket client from the Defender API:
New Incident
The stream notification log for a new incident detection will be similar to the following:
Example
{
"NewIncidentCreated": {
"companyId": "89068290-4388-4b4d-b638-b5y83a730a51",
"incident": {
"id": "3ccf3e50-a771-61eb-95ec-ab811662da34",
"timestamp": "2021-04-27T15:57:15.829Z",
"statusTimestamp": "2021-04-27T15:57:15.829Z",
"status": "open",
"contacts": 1,
"adversaries": ["example.com"],
"adversaryId": "example.com",
"adversaryTypes": ["Phishing"],
"description": "Phishing domain",
"labelDistribution": {
"37": 1
},
"totalEndpoints": 1,
"lastContact": "2021-04-12T15:25:02.228Z",
"unread": true
},
"openIncidentsStats": {
"openIncidents": 2,
"totalContacts": 4,
"typeDistribution": {
"Phishing": 2
},
"labelDistribution": {
"179": 1,
"37": 2
},
"totalEndpoints": 2
}
}
}
Incident Read
In the following log, we have an example of an incident that was marked as read:
Example
{
"IncidentMarkedAsRead": {
"companyId": "c5437753-03e1-4792-aec6-b72604f87668",
"incidentId": "be2a5ea0-989c-11eb-8093-c5b4c3cefe69"
}
}
Incident Closed
In the following log, we have an example of an incident that was marked as closed:
Example
{
"IncidentClosed": {
"companyId": "c5437753-03e1-4792-aec6-b72604f87668",
"incident": {
"id": "17615ed0-97c9-11eb-b4f0-e13747f3cc1f",
"timestamp": "2021-04-07T17:45:50.141Z",
"statusTimestamp": "2021-04-07T17:47:07.906Z",
"status": "closed",
"contacts": 1,
"adversaries": [
"fraud.it"
],
"adversaryId": "fraud.it",
"adversaryTypes": [
"Phishing"
],
"labelDistribution": {
"25": 1
},
"totalEndpoints": 1,
"lastContact": "2021-04-07T10:37:02.228Z",
"unread": false
},
"comment": "This case is now solved"
}
}
Incident Muted
In the following log, we have an example of an incident that was marked as muted:
Example
{
"IncidentMuted": {
"companyId": "c5437753-03e1-4792-aec6-b72604f87668",
"incident": {
"id": "547773a0-97c8-11eb-b4f0-e13747f3cc1f",
"timestamp": "2021-04-07T17:40:23.130Z",
"statusTimestamp": "2021-04-07T17:42:23.100Z",
"status": "muted",
"contacts": 1,
"adversaries": [
"phishing.ru"
],
"adversaryId": "phishing.ru",
"adversaryTypes": [
"Mining"
],
"labelDistribution": {
"25": 1
},
"totalEndpoints": 1,
"lastContact": "2021-04-07T10:37:02.228Z",
"unread": false
},
"comment": "This was an internal test"
"reason": "irrelevant"
}
}
Incident Unmuted
In the following log, we have an example of an incident that was marked as unmuted:
Example
{
"IncidentUnmuted": {
"companyId": "c5437753-03e1-4792-aec6-b72604f87668",
"incident": {
"id": "547773a0-97c8-11eb-b4f0-e13747f3cc1f",
"timestamp": "2021-04-07T17:40:23.130Z",
"statusTimestamp": "2021-04-07T17:44:50.861Z",
"status": "open",
"contacts": 3,
"adversaries": [
"examlple.ru"
],
"adversaryId": "example.ru",
"adversaryTypes": [
"Mining"
],
"labelDistribution": {
"25": 3
},
"totalEndpoints": 1,
"lastContact": "2021-04-07T10:37:02.228Z",
"unread": false
},
"comment": "The incident is now relevant"
}
}
Incident Updated
An incident is updated whenever new contact with an Indicator of Compromise (IoC) is detected. The following log shows an example of an updated incident:
Example
{
"IncidentUpdated": {
"companyId": "89068290-4388-4b4d-b638-b9b93a730a51",
"incident": {
"id": "3ccf3e50-a771-11eb-95ec-ab811662da34",
"timestamp": "2021-04-27T15:57:15.829Z",
"statusTimestamp": "2021-04-27T15:57:15.829Z",
"status": "open",
"contacts": 2,
"adversaries": ["example.com"],
"adversaryId": "example.com",
"adversaryTypes": ["Phishing"],
"description": "Phishing domain",
"labelDistribution": {
"37": 2
},
"totalEndpoints": 1,
"lastContact": "2021-04-12T15:25:02.228Z",
"unread": true
},
"openIncidentsStats": {
"openIncidents": 2,
"totalContacts": 5,
"typeDistribution": {
"Phishing": 2
},
"labelDistribution": {
"179": 1,
"37": 2
},
"totalEndpoints": 2
}
}
}
Working with Adversarial Activity
The
/adversarial-activity
endpoints contain detailed compromise activity detected on your network, categorized according to threat type.
For GET endpoint queries, default values are applied to all parameters if none are specified.
Retrieve contacted adversaries
Get a paginated summary of the adversaries contacted by endpoints within a time-frame
POST Request
GET Request
POST Request
POST https://defender.lumu.io/api/adversarial-activity/contacted-adversaries?key={company-key}
GET Request
GET https://defender.lumu.io/api/adversarial-activity/contacted-adversaries?key={company-key}
| Query Params |
Description
|
key |
Your company's unique API key, available in the Lumu Portal
|
page |
Page number of the result set (default: 1)
|
items |
Limit the number of results per page (default: 50, max: 100)
|
Body Parameters
|
Name
|
Data Type
|
Description
|
fromDate |
date-time (optional)
|
Search start date. The default value is 7 days before the current date. Example: "2021-04-01T14:40:14.939Z"
|
toDate |
date-time (optional)
|
Search end date. The default value is the current date. Example: "2021-04-07T14:40:14.939Z"
|
endpoints |
array (optional)
|
List of ID of contacting endpoints. If not specified, all objects are returned. Example: "182.168.100.29", “DESK-9867”
|
adversary-types |
array (optional)
|
Adversary types. If not specified, all objects are returned. Examples: "C2C", "Malware", "DGA", "Mining", "Spam", "Phishing"
|
labels |
array (optional)
|
Label IDs — You can use the Labels API call beforehand to retrieve available label IDs and their corresponding names. If not specified, all objects are returned. Example: 2, 3,5
|
POST Request Example
curl --location --request POST 'https://defender.lumu.io/api/adversarial-activity/contacted-adversaries?key=56a0fc30-a6de-85eb-8249-a117f0a9f8g3&page=1&items=50' \ --header 'Content-Type: application/json' \ --data-raw '{ "fromDate": "2021-02-23T16:15:30.00-05:00[Europe/Paris]", "toDate": "2021-03-15T16:15:30.234+01:00[Europe/Paris]", "adversary-types": [], "endpoints": [], "labels": [] }'
GET Request Example
curl --location --request GET 'https://defender.lumu.io/api/adversarial-activity/contacted-adversaries?key=56a0fc30-a6de-85eb-8249-a117f0a9f8g3&page=1&items=50' \ --data-raw ''
Example Response (200 - Success)
{
"items": [
{
"host": "example.xyz",
"adversary-types": [
"Spam"
],
"descriptions": [
"Spam related"
],
"contacts": 1,
"last-contact": {
"time": "2020-06-06T11:05:11.964Z",
"endpoint": "Gateway company 1",
"label": 37
}
}
],
"timestamp": "2021-03-15T15:15:30.234Z",
"pagination": {
"page": 1,
"items": 50
}
}
Retrieve last contacted adversaries
Retrieves a paginated list of details about adversarial hosts contacted within the specified number of past hours.
POST Request
GET Request
POST Request
POST https://defender.lumu.io/api/adversarial-activity/contacted-adversaries/last?key={company-key}
GET Request
GET https://defender.lumu.io/api/adversarial-activity/contacted-adversaries/last?key={company-key}
| Query Params |
Description
|
key |
Your company's unique API key, available in the Lumu Portal
|
page |
Page number of the result set (default: 1)
|
items |
Limit the number of results per page (default: 50, max: 100)
|
hours |
(only for GET) The number of past hours you want to narrow your results to (default: 1)
|
max-items |
(only for GET) Limit the number of results per page (default: 50, max: 100)
|
Body Parameters
|
Name
|
Data Type
|
Description
|
hours |
integer (optional)
|
The number of past hours you want to narrow your results to. The default value 1.
|
endpoints |
array (optional)
|
List of ID of contacting endpoints. If not specified, all objects are returned. Example: "182.168.100.29", “DESK-9867”
|
adversary-types |
array (optional)
|
Adversary types. If not specified, all objects are returned. Examples: "C2C", "Malware", "DGA", "Mining", "Spam", "Phishing"
|
labels |
array (optional)
|
Label IDs — You can use the Labels API call beforehand to retrieve available label IDs and their corresponding names. If not specified, all objects are returned. Example: 2, 3,5
|
POST Request Example
curl --location --request POST 'https://defender.lumu.io/api/adversarial-activity/contacted-adversaries/last?key=56a0fc30-a6de-85eb-8249-a117f0a9f8g3&page=1&items=50' \ --header 'Content-Type: application/json' \ --data-raw '{ "hours": 200, "adversary-types": [], "labels": [], "endpoints": [] }'
GET Request Example
curl --location --request GET 'https://defender.lumu.io/api/adversarial-activity/contacted-adversaries/last?key=56a0fc30-a6de-85eb-8249-a117f0a9f8g3&max-items=1&hours=1' \ --data-raw ''
Example Response (200 - Success)
{
"items": [
{
"host": "example.com",
"adversary-types": [
"Phishing"
],
"descriptions": [
"Phishing domain"
],
"contacts": 15,
"last-contact": {
"time": "2021-04-12T15:25:02.228Z",
"endpoint": "Gateway 1",
"label": 37
}
}
],
"timestamp": "2021-03-15T15:15:30.234Z",
"pagination": {
"page": 1,
"items": 50
}
}
Retrieve last contacted adversaries list
Get a list of adversarial hosts contacted within a number of past hours in plain text format.
POST Request
GET Request
POST Request
POST https://defender.lumu.io/api/adversarial-activity/contacted-adversaries/last/list?key={company-key}
GET Request
GET https://defender.lumu.io/api/adversarial-activity/contacted-adversaries/last/list?key={company-key}
| Query Params |
Description
|
key |
Your company's unique API key, available in the Lumu Portal
|
page |
Page number of the result set (default: 1)
|
items |
Limit the number of results per page (default: 50, max: 100)
|
Body Parameters
|
Name
|
Data Type
|
Description
|
hours |
integer (optional)
|
The number of past hours you want to narrow your results to. The default value 1.
|
endpoints |
array (optional)
|
List of ID of contacting endpoints. If not specified, all objects are returned. Example: "182.168.100.29", “DESK-9867”
|
adversary-types |
array (optional)
|
Adversary types. If not specified, all objects are returned. Examples: "C2C", "Malware", "DGA", "Mining", "Spam", "Phishing"
|
labels |
array (optional)
|
Label IDs — You can use the Labels API call beforehand to retrieve available label IDs and their corresponding names. If not specified, all objects are returned. Example: 2, 3,5
|
POST Request Example
curl --location --request POST 'https://defender.lumu.io/api/adversarial-activity/contacted-adversaries/last/list?key=56a0fc30-a6de-85eb-8249-a117f0a9f8g3&max-items=10' \ --data-raw '{ "hours": 200, "adversary-types": [], "endpoints": [], "labels": [] }'
GET Request Example
curl --location --request GET 'https://defender.lumu.io/api/adversarial-activity/contacted-adversaries/last/list?key=56a0fc30-a6de-85eb-8249-a117f0a9f8g3&max-items=10&hours=1' \ --data-raw ''
Example Response (200 - Success)
126.25.36.2 fraud.ro phishing.com fake-site.com 95.26.34.5
Retrieve affected endpoints
Get a paginated summary of the incidents across endpoints within a time-frame.
POST Request
GET Request
POST Request
POST https://defender.lumu.io/api/adversarial-activity/affected-endpoints?key={company-key}
GET Request
GET https://defender.lumu.io/api/adversarial-activity/affected-endpoints?key={company-key}
| Query Params |
Description
|
key |
Your company's unique API key, available in the Lumu Portal
|
page |
Page number of the result set (default: 1)
|
items |
Limit the number of results per page (default: 50, max: 100)
|
Body Parameters
|
Name
|
Data Type
|
Description
|
fromDate |
date-time (optional)
|
Search start date. The default value is 7 days before the current date. Example: "2021-04-01T14:40:14.939Z"
|
toDate |
date-time (optional)
|
Search end date. The default value is the current date. Example: "2021-04-07T14:40:14.939Z"
|
adversaries |
array (optional)
|
List of ID of contacting endpoints. If not specified, all objects are returned. Example: "182.168.100.29", “DESK-9867”
|
adversary-types |
array (optional)
|
Adversary types. If not specified, all objects are returned. Examples: "C2C", "Malware", "DGA", "Mining", "Spam", "Phishing"
|
labels |
array (optional)
|
Label IDs — You can use the Labels API call beforehand to retrieve available label IDs and their corresponding names. If not specified, all objects are returned. Example: 2, 3,5
|
POST Request Example
curl --location --request POST 'https://defender.lumu.io/api/adversarial-activity/affected-endpoints?key=56a0fc30-a6de-85eb-8249-a117f0a9f8g3&page=1&items=50' \ --data-raw '{ "fromDate": "2021-02-23T16:15:30.00-05:00[Europe/Paris]", "toDate": "2021-03-15T16:15:30.234+01:00[Europe/Paris]", "adversary-types": [], "adversaries": [], "labels": [] }'
GET Reuqest Example
curl --location --request GET 'https://defender.lumu.io/api/adversarial-activity/affected-endpoints?key=56a0fc30-a6de-85eb-8249-a117f0a9f8g3&page=1&items=50' \ --data-raw ''
Example Response (200 - Success)
{
"items": [
{
"label": 38,
"endpoint": "192.168.0.103",
"last-ip": "192.168.0.103",
"total-activity": 6,
"adversarial-contacts": {
"last-time": "2020-12-01T17:36:02.228Z",
"last-host": "example.xyz",
"count": 6,
"distribution": {
"C2C": 5,
"Mining": 1
}
}
}
],
"timestamp": "2021-03-15T15:15:30.234Z",
"pagination": {
"page": 1,
"items": 50
}
}
The total number of incidents ("count") does not necessarily have to match the sum of the incident types, as the same incident can be classified in different categories. In case an endpoint was contacted by more than two adversaries, only the most recent adversary will be retrieved.
Retrieve last affected endpoints
Get a paginated list of endpoints and adversarial contacts within a number of past hours.
POST Request
GET Request
POST Request
POST https://defender.lumu.io/api/adversarial-activity/affected-endpoints/last?key={company-key}
GET Request
GET https://defender.lumu.io/api/adversarial-activity/affected-endpoints/last?key={company-key}
| Query Params |
Description
|
key |
Your company's unique API key, available in the Lumu Portal
|
page |
Page number of the result set (default: 1)
|
items |
The maximum number of items that will be returned (default: 10, max: 10240)
|
hours |
(only for GET) The number of past hours you want to narrow your results to (default: 1)
|
Body Parameters
|
Name
|
Data Type
|
Description
|
hours |
integer (optional)
|
The number of past hours you want to narrow your results to. The default value 1.
|
endpoints |
array (optional)
|
List of ID of contacting endpoints. If not specified, all objects are returned. Example: "182.168.100.29", “DESK-9867”
|
adversary-types |
array (optional)
|
Adversary types. If not specified, all objects are returned. Examples: "C2C", "Malware", "DGA", "Mining", "Spam", "Phishing"
|
labels |
array (optional)
|
Label IDs — You can use the Labels API call beforehand to retrieve available label IDs and their corresponding names. If not specified, all objects are returned. Example: 2, 3,5
|
POST Request Example
curl --location --request POST 'https://defender.lumu.io/api/adversarial-activity/affected-endpoints/last?key=56a0fc30-a6de-85eb-8249-a117f0a9f8g3&page=1&items=50' \ --header 'Content-Type: application/json' \ --data-raw '{ "hours": 700, "adversary-types": [], "adversaries": [], "labels": [] }'
GET Request Example
curl --location --request GET 'https://defender.lumu.io/api/adversarial-activity/affected-endpoints/last?key=56a0fc30-a6de-85eb-8249-a117f0a9f8g3&page=1&items=50&hours=1' \ --data-raw ''
Example Response (200 - Success)
{
"items": [
{
"label": 37,
"endpoint": "Gateway 1",
"last-ip": "192.168.3.11",
"total-activity": 15,
"adversarial-contacts": {
"last-time": "2021-04-12T15:25:02.228Z",
"last-host": "example.com",
"count": 15,
"distribution": {
"Phishing": 15
}
}
}
],
"timestamp": "2021-04-26T17:55:43.929612Z",
"pagination": {
"page": 1,
"items": 50
}
}
Retrieve last affected endpoints list
Get a list of endpoints with adversarial contacts within a number of hours in plain text format.
POST Request
GET Request
POST Request
POST https://defender.lumu.io/api/adversarial-activity/affected-endpoints/last/list?key={company-key}
GET Request
GET https://defender.lumu.io/api/adversarial-activity/affected-endpoints/last/list?key={company-key}
| Query Params |
Description
|
key |
Your company's unique API key, available in the Lumu Portal
|
hours |
(only for GET) The number of past hours you want to narrow your results to (default: 1)
|
max-items |
Limit the number of results per page (default: 50, max: 100)
|
Body Parameters
|
Name
|
Data Type
|
Description
|
hours |
integer (optional)
|
The number of past hours you want to narrow your results to. The default value 1.
|
adversaries |
array (optional)
|
List of adversarial hosts. If not specified, all objects are returned. Example: "phishing-site.domain".
|
adversary-types |
array (optional)
|
Adversary types. If not specified, all objects are returned. Examples: "C2C", "Malware", "DGA", "Mining", "Spam", "Phishing"
|
endpoint-identification-type |
string (optional)
|
Type of endpoint identification. Possible values: "IP" (IP address), "ID" (case-sensitive endpoint ID) - The default value is "ID".
|
labels |
array (optional)
|
Label IDs — You can use the Labels API call beforehand to retrieve available label IDs and their corresponding names. If not specified, all objects are returned. Example: 2, 3,5
|
Retrieve contacted adversaries related to Lumu Email Intelligence (Spambox endpoint)
Get a paginated summary of the adversaries related to Lumu Email Intelligence that were contacted by endpoints.
POST Request
GET Request
POST Request
POST https://defender.lumu.io/api/adversarial-activity/contacted-adversaries/spambox?key={company-key}
GET Request
GET https://defender.lumu.io/api/adversarial-activity/contacted-adversaries/spambox?key={company-key}
| Query Params |
Description
|
key |
Your company's unique API key, available in the Lumu Portal
|
page |
Page number of the result set (default: 1)
|
items |
Limit the number of results per page (default: 50, max: 100)
|
Body Parameters
|
Name
|
Data Type
|
Description
|
fromDate |
date-time (optional)
|
Search start date. The default value is 7 days before the current date. Example: "2021-04-01T14:40:14.939Z"
|
toDate |
date-time (optional)
|
Search end date. The default value is the current date. Example: "2021-04-07T14:40:14.939Z"
|
labels |
array (optional)
|
Label IDs — You can use the Labels API call beforehand to retrieve available label IDs and their corresponding names. If not specified, all objects are returned. Example: 2, 3,5
|
Retrieve last contacted adversaries related to Lumu Email Intelligence (Spambox endpoint)
Get a detailed list of adversarial hosts contacted, related to Lumu Email Intelligence, within a number of past hours.
POST Request
GET Request
POST Request
POST https://defender.lumu.io/api/adversarial-activity/contacted-adversaries/spambox/last?key={company-key}
GET Request
GET https://defender.lumu.io/api/adversarial-activity/contacted-adversaries/spambox/last?key={company-key}
| Query Params |
Description
|
key |
Your company's unique API key, available in the Lumu Portal
|
page |
Page number of the result set (default: 1)
|
items |
Limit the number of results per page (default: 50, max: 100)
|
hours |
(only for GET) The number of past hours you want to narrow your results to (default: 1)
|
Body Parameters
|
Name
|
Data Type
|
Description
|
hours |
date-time (optional)
|
The number of past hours you want to narrow your results to. The default value 1.
|
labels |
array (optional)
|
Label IDs — You can use the Labels API call beforehand to retrieve available label IDs and their corresponding names. If not specified, all objects are returned. Example: 2, 3,5
|
POST Request Example
curl --location --request POST 'https://defender.lumu.io/api/adversarial-activity/contacted-adversaries/spambox/last?key=56a0fc30-a6de-85eb-8249-a117f0a9f8g3&page=1&items=50' \ --data-raw '{ "hours": 200, "labels": [] }'
GET Request Example
curl --location --request GET 'https://defender.lumu.io/api/adversarial-activity/contacted-adversaries/spambox/last?key=56a0fc30-a6de-85eb-8249-a117f0a9f8g3&page=1&items=50&hours=1' \ --data-raw ''
Example Response (200 - Success)
{
"items": [
{
"host": "suspicious.com",
"adversary-types": [
"C2C"
],
"descriptions": [
"Malware family ZeuS"
],
"contacts": 3,
"last-contact": {
"time": "2021-04-26T22:37:59.148Z",
"endpoint": "New GW",
"label": 144
}
}
],
"timestamp": "2021-04-28T18:05:06.517940Z",
"pagination": {
"page": 1,
"items": 1,
"next": 2
}
}
Retrieve last contacted adversaries list related to Lumu Email Intelligence (Spambox endpoint)
Get a list of adversarial hosts contacted within a number of past hours in plain text format.
POST Request
GET request
POST Request
POST https://defender.lumu.io/api/adversarial-activity/contacted-adversaries/spambox/last/list?key={company-key}
GET request
GET https://defender.lumu.io/api/adversarial-activity/contacted-adversaries/spambox/last/list?key={company-key}
| Query Params |
Description
|
key |
Your company's unique API key, available in the Lumu Portal
|
hours |
(only for GET) The number of past hours you want to narrow your results to (default: 1)
|
max-items |
Limit the number of results per page (default: 50, max: 100)
|
Body Parameters
|
Name
|
Data Type
|
Description
|
hours |
integer (optional)
|
The number of past hours you want to narrow your results to. The default value 1.
|
adversary-types |
array (optional)
|
Adversary types. If not specified, all objects are returned. Examples: "C2C", "Malware", "DGA", "Mining", "Spam", "Phishing"
|
Working with Lumu Email Intelligence (Spambox Endpoint)
The /spambox endpoints contain detailed compromise activity detected to adversaries related to Lumu Email Intelligence, categorized according to threat type, regardless of being contacted or not. For the GET endpoint queries., the default values are used for all parameters. To get started with Lumu Email Intelligence, consult
our documentation.
Retrieve adversaries related to Lumu Email Intelligence
Get a paginated summary of the adversaries related to Lumu Email Intelligence.
POST Request
GET Request
POST Request
POST https://defender.lumu.io/api/spambox/adversaries?key={company-key}
GET Request
GET https://defender.lumu.io/api/spambox/adversaries?key={company-key}
| Query Params |
Description
|
key |
Your company's unique API key, available in the Lumu Portal
|
page |
Page number of the result set (default: 1)
|
items |
Limit the number of results per page (default: 50, max: 100)
|
Body Parameters
|
Name
|
Data Type
|
Description
|
fromDate |
date-time (optional)
|
Search start date. The default value is 7 days before the current date. Example: "2021-04-01T14:40:14.939Z"
|
toDate |
date-time (optional)
|
Search end date. The default value is the current date. Example: "2021-04-07T14:40:14.939Z"
|
adversary-types |
array (optional)
|
Adversary types. If not specified, all objects are returned. Examples: "C2C", "Malware", "DGA", "Mining", "Spam", "Phishing"
|
POST Request Example
curl --location --request POST 'https://defender.lumu.io/api/spambox/adversaries?key=56a0fc30-a6de-85eb-8249-a117f0a9f8g3&page=1&items=50' \ --data-raw '{ "fromDate": "2021-04-01T00:00:00.00-05:00[America/Bogota]", "toDate": "2021-04-28T14:50:59.99-05:00[America/Bogota]", "adversary-types": [] }'
GET Request Example
curl --location --request GET 'https://defender.lumu.io/api/spambox/adversaries?key=&page=1&items=50' \ --data-raw ''
Example Response (200 - Success)
{ "adversaries": [ { "indicator": "http://mining.com" "info": [ { "type": "Mining", "description": "CryptoMining domain" } ] } ], "timestamp": "2021-04-29T15:29:48.177Z", "paginationInfo": { "page": 1, "items": 1, "next": 2 } }
Retrieve latest adversaries related to Lumu Email Intelligence
Get a detailed list of adversarial hosts related to Lumu Email Intelligence, within a number of past hours.
POST Request
GET Request
POST Request
POST https://defender.lumu.io/api/spambox/adversaries/last?key={company-key}
GET Request
GET https://defender.lumu.io/api/spambox/adversaries/last?key={company-key}
| Query Params |
Description
|
key |
Your company's unique API key, available in the Lumu Portal
|
page |
Page number of the result set (default: 1)
|
items |
Limit the number of results per page (default: 50, max: 100)
|
hours |
(only for GET) The number of past hours you want to narrow your results to (default: 1)
|
Body Parameters
|
Name
|
Data Type
|
Description
|
hours |
integer (optional)
|
The number of past hours you want to narrow your results to. The default value 1.
|
adversary-types |
array (optional)
|
Adversary types. If not specified, all objects are returned. Examples: "C2C", "Malware", "DGA", "Mining", "Spam", "Phishing"
|
POST Request Example
curl --location --request POST 'https://defender.lumu.io/api/spambox/adversaries/last?key=56a0fc30-a6de-85eb-8249-a117f0a9f8g3&page=1&items=50' \ --data-raw '{ "hours": 200, "adversary-types": [] }'
GET Request Example
curl --location --request GET 'https://defender.lumu.io/api/spambox/adversaries/last?key=56a0fc30-a6de-85eb-8249-a117f0a9f8g3&page=1&items=50&hours=1' \ --data-raw ''
Example Response (200 - Success)
{
"adversaries": [
{
"indicator": "http:<span>//</span>mining<span>.</span>com",
"info": [
{
"type": "Mining",
"description": "CryptoMining domain"
}
]
}
],
"paginationInfo": {
"page": 1,
"items": 1,
"next": 2
}
}
Retrieve latest adversary list related to Lumu Email Intelligence
Get a list of adversarial hosts contacted within a number of past hours in plain text format.
POST Request
GET Request
POST Request
POST https://defender.lumu.io/api/spambox/adversaries/last/list?key={company-key}
GET Request
GET https://defender.lumu.io/api/spambox/adversaries/last/list?key={company-key}
| Query Params |
Description
|
key |
Your company's unique API key, available in the Lumu Portal
|
hours |
(only for GET) The number of past hours you want to narrow your results to (default: 1)
|
max-items |
Limit the number of results per page (default: 50, max: 100)
|
Body Parameters
|
Name
|
Data Type
|
Description
|
hours |
integer (optional)
|
The number of past hours you want to narrow your results to. The default value 1.
|
POST Request Example
curl --location --request POST 'https://defender.lumu.io/api/spambox/adversaries/last/list?key=56a0fc30-a6de-85eb-8249-a117f0a9f8g3&max-items=50' \ --data-raw '{ "hours": 200 }'
GET Request Example
curl --location --request GET 'https://defender.lumu.io/api/spambox/adversaries/last/list?key=&max-items=50&hours=1' \ --data-raw ''
Example Response (200 - Success)
http://fraud.ro/
http://phishing.com/
http://fake-site.com/
Related Articles
Custom Integrations - Lumu Defender API
For getting started with Lumu integrations with third-party solutions, consult our Integrations guide. The Lumu Defender API offers a framework to help you leverage the value of existing investments by integrating Lumu’s real-time information on ...ESET PROTECT Cloud Custom Response Integration
Learn how to use the Lumu Defender API and ESET PROTECT Cloud, together with the ESET Connect API, to effectively mitigate security risks. Response integration between ESET PROTECT Cloud and Lumu Requirements ESET PROTECT Cloud You need an ESET ...Bitdefender Custom Response Integration
Bitdefender Custom Response Integration This article shows how to leverage the Lumu Defender API and Bitdefender API to mitigate security risks. Requirements GravityZone Business Security Enterprise, cloud version, ...Symantec Endpoint Protection Custom Response Integration
Before going through this article, check our Out-of-the-box App Integrations category. This is the recommended way to integrate the components of your cybersecurity stack with Lumu. If the product you are looking to integrate is there, it is advised ...Guardicore Custom Response Integration
This article shows how to leverage the Lumu Defender API and Guardicore API to mitigate security risks. Response integration between Guardcore and Lumu Requirements An active Guardicore Centra subscription A Guardicore administrator user. Lumu ...