Vigil API Documentation

Build powerful integrations with GNSAC Vigil's Cyber Threat Intelligence Platform. Access real-time threat data, automate security workflows, and protect your organization.

OAuth 2.0 / JWT
RESTful API
TLS 1.3 Encrypted

Introduction

The Vigil API provides programmatic access to GNSAC's Cyber Threat Intelligence Platform. Use our API to retrieve threat findings, manage monitored domains, integrate with your SIEM/SOAR, and leverage AI-powered threat analysis.

Base URL
https://api.vigil.gnsac.com.tr/v1

Authentication

All API requests require authentication using Bearer tokens. Obtain an access token by authenticating with your credentials, then include it in the Authorization header.

Bearer Token Authentication

Include your access token in the Authorization header of every request:

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Rate Limits

API rate limits vary by plan. Exceeding limits will return a 429 status code.

Starter: 1,000 requests / hour
Professional: 10,000 requests / hour
Enterprise: Unlimited

Authentication Endpoints

POST /auth/login
Authenticate and obtain access tokens
Request Body
Parameter   Type     Required   Description
email       string   Required   User email address
password    string   Required   User password
curl -X POST https://api.vigil.gnsac.com.tr/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@company.com",
    "password": "your_password"
  }'
200 OK Success Response
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refresh_token": "dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "user": {
    "id": "usr_abc123",
    "email": "user@company.com",
    "role": "admin",
    "organization": "ACME Corp"
  }
}

Dashboard Endpoints

GET /dashboard/stats
Get dashboard statistics overview
curl https://api.vigil.gnsac.com.tr/v1/dashboard/stats \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
200 OK
{
  "total_findings": 1247,
  "critical_findings": 23,
  "high_findings": 89,
  "medium_findings": 342,
  "low_findings": 793,
  "monitored_domains": 15,
  "protected_vips": 8,
  "risk_score": 72,
  "last_scan": "2026-01-28T14:30:00Z"
}

Findings Endpoints

GET /findings
List all threat findings
Query Parameters
Parameter   Type      Required   Description
severity    string    Optional   Filter by severity: critical, high, medium, low
status      string    Optional   Filter by status: new, investigating, resolved, false_positive
type        string    Optional   Finding type: credential_leak, data_breach, phishing, etc.
limit       integer   Optional   Number of results (default: 50, max: 200)
offset      integer   Optional   Pagination offset
200 OK
{
  "findings": [
    {
      "id": "fnd_xyz789",
      "type": "credential_leak",
      "severity": "critical",
      "risk_score": 92,
      "title": "Employee credentials found in stealer logs",
      "matched_value": "j***@company.com",
      "source": "darkweb_forum",
      "discovered_at": "2026-01-28T12:00:00Z",
      "status": "new"
    }
  ],
  "total": 1247,
  "limit": 50,
  "offset": 0
}
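A sketch of pulling the full findings list with the documented limit/offset parameters while backing off on 429, added here as an example and not part of the Vigil documentation or any Vigil SDK. The fetch callable, the RateLimited exception, the backoff schedule and the stub data are assumptions; the page does not say whether a 429 response carries a retry hint.

```python
import time

MAX_LIMIT = 200  # documented maximum for the `limit` query parameter


class RateLimited(Exception):
    """Raised by the transport when the API answers 429 (hypothetical name)."""


def iter_findings(fetch, filters=None, limit=MAX_LIMIT, max_retries=4,
                  sleep=time.sleep):
    """Yield each finding once, paging GET /findings with limit/offset.
    `fetch(params) -> dict` is an assumed transport; it raises RateLimited on 429.
    """
    limit = max(1, min(limit, MAX_LIMIT))  # never ask for more than the cap
    offset, total, seen = 0, None, set()
    while total is None or offset < total:
        params = {**(filters or {}), "limit": limit, "offset": offset}
        for attempt in range(max_retries + 1):
            try:
                page = fetch(params)
                break
            except RateLimited:
                if attempt == max_retries:
                    raise
                sleep(2 ** attempt)  # assumed backoff: 1s, 2s, 4s, ...
        total, items = page["total"], page["findings"]
        if not items:  # list shrank while paging; stop rather than spin
            return
        for item in items:
            if item["id"] not in seen:  # offsets shift if findings arrive mid-run
                seen.add(item["id"])
                yield item
        offset += len(items)


def make_stub(n, fail_on=(2,)):
    """Constructed in-memory stand-in for the API; answers 429 on chosen calls."""
    data = [{"id": f"fnd_{i:04d}", "severity": "low"} for i in range(n)]
    calls = {"count": 0}

    def fetch(params):
        calls["count"] += 1
        if calls["count"] in fail_on:
            raise RateLimited()
        off, lim = params["offset"], params["limit"]
        return {"findings": data[off:off + lim], "total": n, "limit": lim, "offset": off}
    return fetch, calls
```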
GET /findings/{id}
Get finding details by ID
200 OK
{
  "id": "fnd_xyz789",
  "type": "credential_leak",
  "severity": "critical",
  "risk_score": 92,
  "title": "Employee credentials found in stealer logs",
  "description": "Corporate email and password discovered in RedLine stealer logs...",
  "matched_value": "john.doe@company.com",
  "source": {
    "type": "darkweb_forum",
    "name": "XSS.is",
    "url": "[REDACTED]"
  },
  "discovered_at": "2026-01-28T12:00:00Z",
  "status": "new",
  "recommendations": [
    "Force password reset for affected user",
    "Enable MFA if not already active",
    "Check for unauthorized access in audit logs"
  ]
}
PATCH /findings/{id}/status
Update finding status
Request Body
Parameter   Type     Required   Description
status      string   Required   new, investigating, resolved, false_positive
note        string   Optional   Status change note/comment

Threat Intelligence Endpoints

GET /intelligence/ioc
Get Indicators of Compromise feed
Query Parameters
Parameter    Type       Required   Description
type         string     Optional   IOC type: ip, domain, hash, url, email
confidence   integer    Optional   Minimum confidence score (0-100)
since        datetime   Optional   IOCs updated since (ISO 8601)
200 OK
{
  "iocs": [
    {
      "value": "185.220.101.45",
      "type": "ip",
      "threat_type": "c2_server",
      "confidence": 95,
      "tags": ["cobalt_strike", "apt29"],
      "first_seen": "2026-01-15T00:00:00Z",
      "last_seen": "2026-01-28T12:00:00Z"
    },
    {
      "value": "d41d8cd98f00b204e9800998ecf8427e",
      "type": "md5",
      "threat_type": "ransomware",
      "confidence": 100,
      "tags": ["lockbit", "ransomware"],
      "first_seen": "2026-01-20T00:00:00Z"
    }
  ],
  "total": 15423
}
POST /intelligence/enrich
Enrich IOC with additional context
Request Body
Parameter   Type     Required   Description
value       string   Required   IOC value to enrich
type        string   Required   IOC type: ip, domain, hash, url
200 OK
{
  "value": "185.220.101.45",
  "type": "ip",
  "enrichment": {
    "geolocation": {
      "country": "Russia",
      "city": "Moscow",
      "asn": "AS12345",
      "isp": "Example ISP"
    },
    "reputation": {
      "score": 5,
      "categories": ["malware", "c2"]
    },
    "related_iocs": 23,
    "threat_actors": ["APT29"],
    "campaigns": ["SolarWinds"]
  }
}

AI Analysis Endpoints

POST /ai/analyze
AI-powered threat analysis
Request Body
Parameter       Type     Required   Description
finding_id      string   Required   Finding ID to analyze
analysis_type   string   Optional   deep_dive, quick_summary, playbook_generation
200 OK
{
  "analysis": {
    "summary": "Critical credential exposure detected...",
    "threat_assessment": "HIGH",
    "attack_vector": "Infostealer malware (RedLine)",
    "potential_impact": [
      "Account takeover",
      "Lateral movement",
      "Data exfiltration"
    ],
    "recommended_actions": [
      {
        "priority": 1,
        "action": "Immediately reset password",
        "timeframe": "within 1 hour"
      },
      {
        "priority": 2,
        "action": "Enable MFA",
        "timeframe": "within 24 hours"
      }
    ],
    "mitre_mapping": ["T1078", "T1539"]
  }
}

Webhook Endpoints

POST /webhooks
Create a new webhook subscription
Request Body
Parameter   Type     Required   Description
url         string   Required   Webhook endpoint URL (HTTPS required)
events      array    Required   Events to subscribe: finding.created, finding.updated, etc.
secret      string   Optional   Secret for HMAC signature verification
Webhook Payload Example
{
  "event": "finding.created",
  "timestamp": "2026-01-28T15:30:00Z",
  "data": {
    "finding": {
      "id": "fnd_xyz789",
      "type": "credential_leak",
      "severity": "critical",
      "risk_score": 92,
      "matched_value": "j***@company.com"
    }
  },
  "signature": "sha256=abc123..."
}
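One way a receiver could check the signature field before acting on a delivery, added here as an example and not taken from Vigil's own code. The page does not say which bytes are signed, so the canonical form used below (the payload without its signature field, as compact JSON with sorted keys), the five-minute replay window and the sample secret are assumptions to confirm against the service.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta

MAX_SKEW = timedelta(minutes=5)  # assumed replay window; not from the page


def signed_bytes(payload: dict) -> bytes:
    """ASSUMPTION: the MAC covers the payload minus its own "signature"
    field, serialized as compact JSON with sorted keys."""
    body = {k: v for k, v in payload.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(payload: dict, secret: bytes) -> str:
    digest = hmac.new(secret, signed_bytes(payload), hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify_webhook(raw: bytes, secret: bytes, now: datetime) -> dict:
    """Return the parsed payload, or raise ValueError if it must be rejected."""
    payload = json.loads(raw)  # malformed JSON raises ValueError
    if not isinstance(payload, dict):
        raise ValueError("body is not a JSON object")
    claimed = payload.get("signature")
    if not isinstance(claimed, str) or not claimed.startswith("sha256="):
        raise ValueError("missing or unsupported signature")
    # compare_digest keeps the comparison time independent of the match position
    if not hmac.compare_digest(claimed.encode(), sign(payload, secret).encode()):
        raise ValueError("signature mismatch")
    # The timestamp is only trusted once the MAC over it has been checked.
    try:
        sent = str(payload.get("timestamp", "")).replace("Z", "+00:00")
        stale = abs(now - datetime.fromisoformat(sent)) > MAX_SKEW
    except (ValueError, TypeError) as exc:
        raise ValueError("bad timestamp") from exc
    if stale:
        raise ValueError("stale timestamp (possible replay)")
    return payload


# Constructed sample: the page's payload shape, signed with a made-up secret.
SECRET = b"constructed-demo-secret"
SAMPLE = {"event": "finding.created", "timestamp": "2026-01-28T15:30:00Z",
          "data": {"finding": {"id": "fnd_xyz789", "severity": "critical"}}}
SAMPLE_RAW = json.dumps({**SAMPLE, "signature": sign(SAMPLE, SECRET)}).encode()
```

A subscription created without the optional secret has nothing to verify against, so a receiver built this way would reject every delivery from it.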