AlienVault APIalienvault.com ↗
Access AlienVault OTX threat intelligence via API: search pulses, retrieve IOCs, look up adversary profiles, and query indicator reputation for IPs, domains, and CVEs.
What is the AlienVault API?
The AlienVault OTX API exposes 7 endpoints covering threat pulses, indicators of compromise, and adversary profiles from the Open Threat Exchange community. Use get_indicator_details to query reputation scores and associated pulses for IPv4 addresses, domains, file hashes, and CVEs, or use search_pulses to find relevant threat intelligence by keyword across the full OTX pulse library.
curl -X GET 'https://api.parse.bot/scraper/9d8a168a-f773-44d8-8ecb-0d09fbcbcd89/search_pulses?page=1&sort=-modified&limit=5&query=ransomware' \ -H 'X-API-Key: $PARSE_API_KEY'
Typed, relational, agent-ready
A generated client with real types, enums, and the links between objects — the structure a flat JSON response can't carry. Autocompletes in your editor and reads cleanly to coding agents.
- Fully typed · autocompletes
- Objects link to objects
- Typed errors & pagination
Typed Python client. Set up the SDK in your uv project, then pull this API’s typed client:
uv add parse-sdk uv run parse init uv run parse add --marketplace alienvault-com-api
uv run parse add --marketplace pulls a pinned snapshot of this canonical API — it won’t change underneath you. To customize it, subscribe and swap to your own copy.
from parse_apis.alienvault_open_threat_exchange_otx_api import OTX, PulseSort, IndicatorType, IndicatorSection, AdversarySort
otx = OTX()
# Search for recent ransomware-related threat pulses
for pulse in otx.pulses.search(query="ransomware", sort=PulseSort.NEWEST, limit=5):
print(pulse.name, pulse.indicator_count, pulse.modified)
# Drill into indicators for this pulse
for ioc in pulse.indicators.list(limit=3):
print(ioc.type, ioc.indicator, ioc.is_active)
# Look up threat intelligence for a specific IP indicator
detail = otx.indicatordetails.lookup(
indicator_type=IndicatorType.IPV4,
value="8.8.8.8",
section=IndicatorSection.GENERAL,
)
print(detail.indicator, detail.reputation, detail.sections)
# Browse known threat adversaries
for adversary in otx.adversaries.browse(sort=AdversarySort.NAME_ASC, limit=5):
print(adversary.value, adversary.uuid)
if adversary.meta:
print(adversary.meta.country, adversary.meta.synonyms)
Full-text search over threat intelligence pulses by keyword, tag, or metadata. Returns paginated results sorted by modification date by default. Omitting the query returns all pulses. Each pulse summary includes indicator counts and author info but not the full indicator list (use get_pulse_indicators for that).
| Param | Type | Description |
|---|---|---|
| page | integer | Page number for pagination. |
| sort | string | Sort order for results. |
| limit | integer | Number of results per page. |
| query | string | Search keyword (e.g. 'cobalt strike', 'ransomware'). Omitting returns all pulses. |
{
"type": "object",
"fields": {
"next": "string or null, URL of next page",
"count": "integer, total number of matching pulses",
"results": "array of pulse summary objects",
"previous": "string or null, URL of previous page"
},
"sample": {
"data": {
"next": "https://otx.alienvault.com/otxapi/pulses/?q=ransomware&limit=5&page=2&sort=-modified",
"count": 11052,
"results": [
{
"id": "6a2951722e6ca0cbaaac430b",
"name": "Ransomware Analysis: Go Binary and Fast Encryption",
"tags": [
"double extortion",
"gentlemen"
],
"author": {
"id": "2",
"username": "AlienVault"
},
"created": "2026-06-10T11:58:42.962000",
"modified": "2026-06-10T13:44:10.922000",
"adversary": "The Gentlemen",
"description": "The Gentlemen is a Ransomware-as-a-Service operation...",
"indicator_count": 8
}
],
"previous": null
},
"status": "success"
}
}About the AlienVault API
Threat Pulses and IOCs
The search_pulses endpoint accepts a query string (e.g. 'cobalt strike', 'ransomware') alongside sort, limit, and page parameters, and returns a paginated list of pulse summaries including id, name, tags, indicator_count, and author. Once you have a pulse ID, get_pulse_details returns the full metadata: MITRE ATT&CK technique objects via attack_ids, associated malware_families, and a detailed description. get_pulse_indicators then pages through the actual IOCs in that pulse — each indicator object carries indicator (the value), type, is_active, and created timestamp.
Indicator Lookup
get_indicator_details accepts a type (IPv4, IPv6, domain, hostname, url, file, or cve) and a value, plus an optional section parameter. Available sections include general, geo, reputation, url_list, passive_dns, and malware. The response returns a reputation integer score, a pulse_info object with the count and list of pulses referencing that indicator, and (for the general section) a whois URL. Note that some section and type combinations may not have data available upstream.
Adversary Profiles
browse_adversaries returns a paginated list of known threat actors, each with a canonical value (name), description, and uuid. The list can be sorted alphabetically with the sort parameter. get_adversary_details performs case-insensitive name matching and returns the full meta object — which includes fields such as country, synonyms, refs, capabilities, and victimology — along with the adversary's uuid and description.
Recent Activity
get_recent_alerts returns the most recently modified pulses sorted by modification date, using the same response shape as search_pulses. It accepts page and limit for pagination. This is the appropriate endpoint for polling for newly published or updated threat intelligence without a specific search term.
The AlienVault API is a managed, monitored endpoint for alienvault.com — not a raw scraper you maintain. Every endpoint is automatically health-checked on a schedule, and when alienvault.com changes and a check fails, the API is automatically queued for repair and re-verified. It is built to keep working as the site underneath it changes.
This isn't an official alienvault.com API — it's an independent, maintained REST wrapper over public data. Where the source has no official API (or only a limited one), Parse gives you a stable contract over a source that never promised one, and keeps it current. Need a new endpoint or field? You can revise it yourself in plain English and the agent rebuilds it against the live site in minutes — contributing the change back to the shared API is free.
Will this API break when the source site changes?+
Is this an official API from the source site?+
Can I fix or extend this API myself if I need a new endpoint or field?+
What happens if I call an endpoint that has an issue?+
- Automate IP reputation checks by querying
get_indicator_detailswith typeIPv4to retrieve reputation scores and associated pulse counts for traffic observed in SIEM alerts. - Enrich SOAR playbooks with CVE context by calling
get_indicator_detailswith typecveand a CVE ID to surface related threat pulses. - Build a threat feed ingestion pipeline using
get_recent_alertsto poll for newly modified pulses andget_pulse_indicatorsto extract fresh IOCs. - Map adversary TTPs by fetching
get_adversary_detailsfor actor names and correlating the returnedmeta.capabilitiesandmeta.victimologyfields with internal incident data. - Search the OTX pulse library by malware family or campaign name using
search_pulseswithqueryto identify relevant pulses for a current investigation. - Enumerate all IOCs for a specific pulse using
get_pulse_indicatorswith pagination to build a blocklist of active indicators filtered byis_active. - Profile a domain during incident response using
get_indicator_detailswith typedomainand sectionspassive_dnsormalwareto see historical resolution and associated malware data.
| Tier | Price | Credits/month | Rate limit |
|---|---|---|---|
| Free | $0/mo | 100 | 5 req/min |
| Hobby | $30/mo | 1,000 | 20 req/min |
| Developer | $100/mo | 5,000 | 100 req/min |
One credit = one API call regardless of which marketplace API you call. Exceeding the rate limit returns a 429 response. Authenticate with the X-API-Key header.
Does AlienVault OTX have an official developer API?+
What does `get_indicator_details` return, and does the `section` parameter matter?+
type, indicator, reputation, and pulse_info (count plus associated pulses). The section parameter filters which additional data block is included — for example, geo adds geographic data for IP indicators, passive_dns adds historical DNS resolution records, and malware adds associated malware samples. Some section/type combinations return no data if OTX has no records for that combination.Does the API expose private OTX pulses or user-specific subscriptions?+
Is there an endpoint for querying pulse activity by a specific author or OTX user?+
search_pulses endpoint filters by keyword, tag, and sort order, and the browse_adversaries endpoint covers named threat actors — but neither supports filtering by OTX author username. You can fork this API on Parse and revise it to add an author-filtered pulse endpoint.How fresh is the data returned by `get_recent_alerts`?+
modified timestamp per pulse so you can determine when each was last updated.