A feed is a mechanism that enables the continuous and automated transmission of data from the Axur Platform API to external systems or platforms. Currently, the platform offers two feed delivery modes, both using the same data format (JSON) and the same creation flow:
Feed Pull – data is retrieved on demand (polling)
Feed Push (Webhook 2.0) – data is automatically sent to a configured endpoint
In the cybersecurity context, feeds can be used to provide data about digital threats such as phishing, data leaks, compromised credentials, and other potential risks, enabling integrations with SIEMs and other external systems.
Feed Types
Feed Pull
In Pull mode, the external system makes HTTP requests to retrieve feed data whenever necessary. Recommended for:
Scheduled integrations
Batch processing
Environments that already use polling
Feed Push
In Push mode, also known as Webhook 2.0, events are automatically sent by the Axur Platform to a customer-defined endpoint as soon as new events are generated. Recommended for:
Automated integrations
SIEMs
Use cases requiring low latency and continuous delivery
Difference between Feed Pull and Feed Push
Feature | Feed Pull | Feed Push |
Delivery method | On-demand retrieval | Automatic delivery |
Polling required | Yes | No |
Latency | Depends on polling frequency | Near real-time |
Data format | JSON | JSON (same format) |
How to create a feed
First, you need to access the API & Integrations page on the platform (https://one.axur.com/api-integrations) and go to the "Feeds" section.
To start the creation flow, click on the “Add feed” button. From there, you can choose to use a template or create your feed from scratch.
Using a template
The platform will suggest a list of the main use cases.
After selecting a template, the final step will be to review the settings. You can edit them if you want something different from what was suggested. If no template suits your use case, click on “Skip templates.”
Creating the Feed from Scratch
If you chose to "Skip templates," you will need to set all the conditions for your feed.
You must choose to create a feed of Tickets or Credentials.
👉 Since they are different APIs, it is not possible to create a single feed for both. Therefore, if you want to obtain data from both types, you will need to create two feeds.
Select the delivery mode
At this stage, you must choose how the data will be delivered:
Pull – retrieval via HTTP requests
Push (Webhook 2.0) – automatic delivery to a configured endpoint
Regardless of the option selected, the data format and the available filters are the same.
You must fill in the specifications, considering that:
Event date
This is the date that will be considered for event updates. It is a mandatory field.
For credentials, this field will be pre-filled. For tickets, the selectable options will be:
First detection (ticket.creation.date): considers only the first detection of the ticket or credential. If the same ticket has other detections, they will not appear in your feed.
Any detection (open.date): considers all detections of the ticket.
Registered incident (incident.date): considers only the date when the ticket was registered as an incident. Tickets that have not become incidents will not appear in your feed.
Takedown requested (takedown.request.date): considers only the date the takedown was requested. Tickets without a takedown request will not appear in your feed.
Any ticket update (ticket.last-update.date): considers any and all updates to the ticket. For example: adding notes, adding/removing tags, registering an incident, requesting a takedown, etc. All these actions will trigger feed updates.
Ticket parameters
In this field, you must define the filters for your feed. By clicking “Show tips,” you will see an example and tips for creating the feed.
If you choose more than one field, you must use an & between parameters. For example:
type=fake-social-media-profile&creation.collector=facebook
This field is optional. If you leave it blank, you will receive all events from the date selected in the “Event date” field.
Feed title
The final step is to define a title for your feed. Although optional, a title helps keep your feeds organized. This is the only setting that can be edited after the feed is saved.
Feed list
In the feed list, you will see all feeds created by your team's manager users on the Axur platform. Feeds have three possible statuses:
Green: when the feed received at least one request in the last 24 hours.
Yellow: when the feed received no requests in the last 24 hours.
Empty: when the feed has never received requests.
In the feed list, you can see which user created the feed and who last edited it. You can also see when the feed was last queried and which ticket was last retrieved.
Use case examples
Before creating a feed, you should consider which use case you want to apply it to. Here are some examples:
Use case: I want to receive detections of fake social media profiles, specifically from Facebook.
Event date: Any detection (open.date)
Parameters: type=fake-social-media-profile&creation.collector=facebook
Title: Fake Facebook profiles
Use case: I want to receive tickets from the Deep & Dark Web of all types, starting from January 2024.
Event date: Any detection (open.date)
Parameters: type=dw-activity,data-exposure-message,data-exposure-website,data-sale-message,data-sale-website,fraud-tool-scheme-message,fraud-tool-scheme-website,suspicious-activity-message,suspicious-activity-website,infrastructure-exposure,ransomware-attack&open.date=ge2024-01-01
Title: Deep & Dark Web Detections (Since 01/01/2024)
Use case: I want to receive phishing tickets that had a takedown request.
Event date: Takedown requested (takedown.request.date)
Parameters: type=phishing
Title: Phishings with Takedown request
Use case: I want to receive all tickets that became incidents.
Event date: Registered incident (incident.date)
Parameters: Leave blank.
Title: Platform incidents
Request and response
Because a feed is retrieved through a request to the Axur Platform API, the API Key must always be included for authentication. For more information about authentication, consult this section of the technical documentation.
Example of a request response with no updates
{
  "feedData": {
    "id": "f48ba821-2880-48fc-bc0e-dffe8312ad4d",
    "title": "Detecções de Executivos & VIPs",
    "url": "https://api.axur.com/gateway/1.0/api/integration-feed/feeds/feed/f48ba821-2880-48fc-bc0e-dffe8312ad4d",
    "createdAt": 1728325096238,
    "lastRequest": 1728325104483,
    "isActive": true,
    "customerKey": "CTA",
    "params": "type=executive-fake-social-media-profile,executive-personalinfo-leak,executive-credential-leak,executive-mobile-phone,executive-card-leak",
    "eventDate": "open.date",
    "nextPage": 1,
    "feedType": "ticket"
  },
  "collectionData": {
    "tickets": [],
    "pageable": {
      "pageNumber": 1,
      "pageSize": 50,
      "total": 0
    }
  }
}
Example of a request response with updates
{
  "feedData": {
    "id": "31575706-f762-4c56-aafc-78542c9e670b",
    "title": "Phishings marcados como incidente",
    "url": "https://api.axur.com/gateway/1.0/api/integration-feed/feeds/feed/31575706-f762-4c56-aafc-78542c9e670b",
    "lastDataRetrieved": "z5qb1r",
    "createdAt": 1728336214469,
    "lastRequest": 1728336221044,
    "isActive": true,
    "customerKey": "ORMUS",
    "params": "type=phishing&incident.date=ge2021-01-01",
    "eventDate": "incident.date",
    "nextPage": 1,
    "feedType": "ticket"
  },
  "collectionData": {
    "tickets": [
      {
        "ticket": {
          "reference": "https://ormuspay.wixsite.com/ormuspay/phish-pt",
          "ticketKey": "z5qb1r",
          "customerKey": "ORMUS",
          "creation.user": "10426",
          "last-update.date": "2023-01-10T17:34:45Z",
          "creation.customer": "ORMUS",
          "creation.date": "2022-07-22T13:43:18Z"
        },
        "detection": {
          "creation.user": "10426",
          "close.date": "2022-07-26T12:20:36Z",
          "treatment.type": "axur",
          "incident.date": "2022-07-22T13:43:19Z",
          "takedown.notification.date": [
            "2022-07-25T17:24:41Z"
          ],
          "isp": "Wix.com Ltd.",
          "treatment.date": "2022-07-25T17:22:39Z",
          "type": "phishing",
          "takedown.resolution": "resolved",
          "resolution": "resolved",
          "assets": [
            "ORMUSP"
          ],
          "host": "ormuspay.wixsite.com",
          "takedown.request.date": "2022-07-25T17:19:38Z",
          "group": [
            null,
            "efc_autonotification_failed",
            "efc_af_second_verification",
            "reup_validation"
          ],
          "takedown.verification.last.type": "auto",
          "open.date": "2022-07-22T13:43:18Z",
          "takedown.notification.last.type": "manual",
          "takedown.reup": "false",
          "ip": "199.15.163.145",
          "takedown.close.date": "2022-07-26T12:20:36Z",
          "creation.customer": "ORMUS",
          "domain.registrar": "GoDaddy.com, LLC",
          "takedown": "true",
          "resolution.reason": "",
          "takedown.verification.date": [
            "2022-07-26T00:35:12Z",
            "2022-07-26T06:52:39Z"
          ],
          "domain": "wixsite.com",
          "takedown.uptime": "68155281",
          "takedown.close.type": "manual",
          "status": "closed"
        },
        "texts": [],
        "snapshots": {
          "ipFilter": {
            "filtering": false,
            "countries": []
          },
          "content": {
            "title": "Login ormus-pay | Ormuspay",
            "httpStatusCode": {
              "code": 200,
              "message": "OK"
            },
            "hashMD5": {
              "value": "ed1e1924300caf7f9902b15df7472cca"
            }
          },
          "isp": {
            "location": {
              "country": {
                "name": "United States"
              }
            },
            "name": "Wix.com Ltd."
          },
          "digitalLocation": {
            "url": "https://ormuspay.wixsite.com/ormuspay/phish-pt",
            "host": {
              "name": "ormuspay.wixsite.com",
              "domain": {
                "name": "wixsite.com"
              },
              "ip": {
                "address": "199.15.163.145"
              }
            }
          },
          "referenceInfo": {
            "originalReference": "https://ormuspay.wixsite.com/ormuspay/phish-pt",
            "redirectChain": [],
            "finalReference": "https://ormuspay.wixsite.com/ormuspay/phish-pt"
          },
          "domainInfo": {
            "status": "Registered",
            "registrar": "GoDaddy.com, LLC",
            "registrarEmail": "[email protected]",
            "registrant": "Registration Private",
            "registrantEmail": "Select Contact Domain Holder link at https://www.godaddy.com/whois/results.aspx?domain=wixsite.com",
            "nameServers": {
              "hostnames": [
                "dns1.p07.nsone.net",
                "dns2.p07.nsone.net",
                "dns3.p07.nsone.net",
                "dns4.p07.nsone.net"
              ],
              "ipAddresses": [
                null,
                null,
                null,
                null,
                null,
                null,
                null,
                null
              ]
            }
          }
        }
      }
    ],
    "pageable": {
      "pageNumber": 1,
      "pageSize": 50,
      "total": 1
    }
  }
}
FAQ
What is ?dry-run=true?
This parameter is used to test the feed and should be added at the end of the URL. For example: https://api.axur.com/gateway/1.0/api/integration-feed/feeds/feed/f27afda8-2e5f-4f55-9243b-4941b49ee51e?dry-run=true.
This parameter facilitates testing because it prevents the feed's update pointer from moving. Once you have tested the feed and confirmed that the correct events are coming through, remove this parameter so that the feed pointer moves and you do not receive updates you have already read.
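One way to consume the Pull responses shown above while testing with dry-run, as an added example that is not Axur's code. The helper names feed_url and to_events are hypothetical, the sample is a constructed, trimmed copy of the response with updates, and fetching the response (including the API Key) is left to the caller.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

def feed_url(url, dry_run):
    """Return the feed URL with dry-run=true set (testing) or removed (production)."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query) if k != "dry-run"]
    if dry_run:
        query.append(("dry-run", "true"))
    return urlunsplit(parts._replace(query=urlencode(query)))

def to_events(response, seen):
    """Flatten one feed response into flat events, skipping updates already in `seen`."""
    events = []
    for item in response["collectionData"]["tickets"]:
        ticket, det = item["ticket"], item.get("detection", {})
        # With dry-run the pointer does not move, so the same tickets come back on
        # every poll; key on ticket + last update to keep ingestion idempotent.
        key = (ticket["ticketKey"], ticket.get("last-update.date"))
        if key in seen:
            continue
        seen.add(key)
        events.append({
            "feed_id": response["feedData"]["id"],
            "ticket_key": ticket["ticketKey"],
            "type": det.get("type"),
            "status": det.get("status"),
            "url": ticket.get("reference"),
            "host": det.get("host"),
            "ip": det.get("ip"),
            "takedown": det.get("takedown") == "true",  # booleans arrive as strings
            "groups": [g for g in det.get("group") or [] if g is not None],  # drop nulls
        })
    return events

# Constructed sample: a trimmed copy of the "response with updates" on this page.
SAMPLE = {
    "feedData": {"id": "31575706-f762-4c56-aafc-78542c9e670b", "feedType": "ticket"},
    "collectionData": {
        "tickets": [{
            "ticket": {"reference": "https://ormuspay.wixsite.com/ormuspay/phish-pt",
                       "ticketKey": "z5qb1r", "last-update.date": "2023-01-10T17:34:45Z"},
            "detection": {"type": "phishing", "status": "closed", "takedown": "true",
                          "host": "ormuspay.wixsite.com", "ip": "199.15.163.145",
                          "group": [None, "efc_autonotification_failed"]},
        }],
        "pageable": {"pageNumber": 1, "pageSize": 50, "total": 1},
    },
}

if __name__ == "__main__":
    print(to_events(SAMPLE, set()))
```

Keep the `seen` set (or an equivalent store) across polls so that a ticket update already forwarded to the SIEM is not ingested twice.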
What is the difference between Feeds and Webhooks?
With Feeds, the user can choose exactly which events they want to receive, but the feed must be queried to send these events. In other words, the data is not sent in real-time and is not automatically updated.
With Webhooks, the user receives all available events without filtering. Additionally, Webhooks do not need to be queried; the events are sent in real-time.
I want a feed for both tickets and credentials. How can I do that?
Since they are different APIs, you will need to create two separate feeds: one to retrieve credential detections and another to retrieve ticket detections. It is not possible to receive both types in the same feed.
