EyeOnThreat provides Feed or API access to a relevant part of Cyber Threat Intelligence Information gathered, analyzed and released by Lutech and multiple open and private sources

pip install eyeonthreat==1.1



EyeOnThreat™ provides Feed or API access to a relevant part of Cyber Threat Intelligence Information gathered, analyzed and released by:

  • Lutech ThreatOculus™ threat researchers and analysts team
  • Lutech ThreatCure™ breach detection and incident response team
  • Lutech ethical hacking and vulnerability research team
  • Multiple open and private sources

The possibility to access a contextualized and enriched database of threats through a single and reliable channel is a fundamental element in a cyber security strategy. Knowledge of where risks are created and evolve is essential in a process of verification and validation, usally performed by structures facilities like SOCs and CERTs. It's a service for gathering, classifying, enriching and distributing or giving access to various types of intelligence information, collected by multiple and non-homogenous sources, related to consolidated or emerging cyber threats.

Project home page: https://www.eyeonthre.at


EyeOnThreat™ is able to extract a number of entities used to contextualize and classify cyber threat intelligence information. Each single information is enriched, classified and transformed to provide more details that can be used as an Indicator of Compromise (IoC) and more generally as actionable intelligence. Every collected data is saved in a single location, the EyeOnThreat Global Threat Repository and made available throught EyeOnThreat™ Services:

  • IP: IP addresses referable to threats and/or malicious actors
  • Domain: Domains used to host and distribute malware, unreliable domains or involved in other threats
  • URL: URLs known as phishing sites, websites that hosts Exploit Kits or involved in other threats
  • E-mail: Emails used for spam, phishing or malware distribution campaigns
  • User Credential: Compromised emails or accounts
  • Credit Card: Stolen credit cards that are sold on blackmarkets, published on forums or discovered in other sources
  • Malware Sample: File recognized as malicious and related to old/new threats or exploit kits
  • Exploit Kit: Up-to-date informations about exploit kits

RestFul API

The access to the information present in the Global Threat Database is guaranteed in a rapid and reliable way by a RESTful API system:

  • Cyber Threat Feed: Feed mode provides access to a dataset of information in CSV format, useful for the classification and prioritization of threats in automated detection and blocking mechanisms.

  • Cyber Threat Hunting: Hunting mode provides the possibility to search for information and indicators stored in the database. Through this mode it is possible to investigate on a given entity among those stored, looking for clues useful to detect threats.


To use EyeOnThreat you need to have a valid API token. You can request a free token with usage limits here https://www.eyeonthre.at/site/#try .

To request a full access to api services contact us at info@lutech[.]it


To use EyeOnThreat Python library:

Download from Git Repo:

git clone https://github.com/L-TMS-CERT/EyeOnThreat.git

OR Install from Pypi:

pip install eyeonthreat

Import Library:

from eyeonthreat import eyeonthreat

Get API Token :

NOTE: This method allow you to retrieve the TOKEN used by EyeOnThreat™.

auth = eyeonthreat.Authentication()


    "data": {"token": "ImKlcnRhLOpwdzo9hkplc2ki.DA8xyg.3TidfdlOkGwpKNsfdsTx8Ht-12sIze6rQ"},
    "service": {"status": "valid"}

Services Initalization:

feed = eyeonthreat.Feed(token)
hunting = eyeonthreat.Hunting(token)
info = eyeonthreat.Info(token)

Services Example:

Retrieve Threat Feed

feed.getFeed() # Retrieve All indicator for the last 24h
feed.getFeedEntity("ip") # Retrieve IP Type indicator for the last 24h
feed.getFeedEntity("url") # Retrieve URL Type indicator for the last 24h
feed.getFeedCategory("ip","Malware") # Retrieve Malware IP Type indicator for the last 24h 
feed.getFeedSubCategory("ip","Malware","CnC") # Retrieve Malware IP Type indicator for the last 24h where subcategory is CnC

NOTE: You can change the time range choosing one of the following:

Time Range Description
Last1h Last Hour
Last24h Last 24 Hours (Default Range)
Last7d Last 7 days
Last30d Last 30 days
Today From 00:00 of current day to now
Week From 00:00 of first day of current week to now
Month From 00:00 of first day of current month to now
feed.getFeed("Last7d") # Retrieve All indicator in the last 7 days
feed.getFeedEntity("ip","Last1h") # Retrieve IP Type indicator for last 1 hour

Search Threat Information

hunting.searchIPv4("value") # Search Information about IP
hunting.searchURL("value") # Search Information about Domain
hunting.searchURL("value") # Search Information about URL
hunting.searchHash("value") # Search Information about HASH
hunting.searchEmail("value") # Search Information about EMAIL


info.getCategories() # Returns a list of Category and Subcategory that can be used to filter a csv feed

Usage Limitatons

  • Rate Limit: The API rate limit is set to 1 requests per second. If this limit is exceeded, the request is rejected.

  • Query Limit: Free accounts have a queries limit set to 100 queries per day.Exceeding this limit will result in blocked account.


Full API Documentation is available at https://www.eyeonthre.at/site/api.html .