Introduction
The Vigil API provides programmatic access to GNSAC's Cyber Threat Intelligence Platform. Use our API to retrieve threat findings, manage monitored domains, integrate with your SIEM/SOAR, and leverage AI-powered threat analysis.
Base URL
https://api.vigil.gnsac.com.tr/v1
Platform Overview
GNSAC Vigil API is the REST API and integration layer provided to connect the Vigil platform (Early Warning + Brand Protection + Threat Intelligence) features to third-party systems.
Through this portal, endpoints, parameters, and example usages are documented for authentication, data retrieval, event/alert consumption, automation, and SOC/SIEM/SOAR integrations.
What This Proves
- ✓ The product is not "just an interface" — it has an integration-focused, enterprise-grade architecture.
- ✓ API-first approach with automation + event flow designed for SOC teams' daily operations.
Key Integration Use Cases
SIEM/SOAR Feeding
Pull findings/alerts in JSON format to Sentinel, Splunk, Elastic, TheHive, XSOAR
Webhook/Automation
Trigger automated action chains on new findings, breaches, critical IOC/CVE events
Multi-Tenant Services
Deliver services with customer/tenant separation for managed security providers
Reporting & Dashboards
Secure data retrieval for external reporting screens and executive dashboards
Platform Architecture
Dark Search
Threat Intel data collection/normalization engine + admin panel (backend)
Vigil
Customer-facing product layer (Early Warning, Brand Protection, Playbook/Alerts)
Vigil API
Enterprise integration gateway (SIEM/SOAR/Webhook/Automation)
Authentication
All API requests require authentication using Bearer tokens. Obtain an access token by authenticating with your credentials, then include it in the Authorization header.
Bearer Token Authentication
Include your access token in the Authorization header of every request:
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Rate Limits
API rate limits vary by plan. Exceeding limits will return a 429 status code.
1,000
Requests / Hour (Starter)
10,000
Requests / Hour (Professional)
Unlimited
Enterprise Plan
Authentication Endpoints
POST
/auth/login
Authenticate and obtain access tokens
Request Body
| Parameter | Type | Required | Description |
|---|---|---|---|
| string | Required | User email address | |
| password | string | Required | User password |
curl -X POST https://api.vigil.gnsac.com.tr/v1/auth/login \ -H "Content-Type: application/json" \ -d '{ "email": "user@company.com", "password": "your_password" }'
200 OK
Success Response
{
"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"refresh_token": "dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4...",
"token_type": "Bearer",
"expires_in": 3600,
"user": {
"id": "usr_abc123",
"email": "user@company.com",
"role": "admin",
"organization": "ACME Corp"
}
}
Dashboard Endpoints
GET
/dashboard/stats
Get dashboard statistics overview
curl https://api.vigil.gnsac.com.tr/v1/dashboard/stats \ -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
200 OK
{
"total_findings": 1247,
"critical_findings": 23,
"high_findings": 89,
"medium_findings": 342,
"low_findings": 793,
"monitored_domains": 15,
"protected_vips": 8,
"risk_score": 72,
"last_scan": "2026-01-28T14:30:00Z"
}
Findings Endpoints
GET
/findings
List all threat findings
Query Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| severity | string | Optional | Filter by severity: critical, high, medium, low |
| status | string | Optional | Filter by status: new, investigating, resolved, false_positive |
| type | string | Optional | Finding type: credential_leak, data_breach, phishing, etc. |
| limit | integer | Optional | Number of results (default: 50, max: 200) |
| offset | integer | Optional | Pagination offset |
200 OK
{
"findings": [
{
"id": "fnd_xyz789",
"type": "credential_leak",
"severity": "critical",
"risk_score": 92,
"title": "Employee credentials found in stealer logs",
"matched_value": "j***@company.com",
"source": "darkweb_forum",
"discovered_at": "2026-01-28T12:00:00Z",
"status": "new"
}
],
"total": 1247,
"limit": 50,
"offset": 0
}
GET
/findings/{id}
Get finding details by ID
200 OK
{
"id": "fnd_xyz789",
"type": "credential_leak",
"severity": "critical",
"risk_score": 92,
"title": "Employee credentials found in stealer logs",
"description": "Corporate email and password discovered in RedLine stealer logs...",
"matched_value": "john.doe@company.com",
"source": {
"type": "darkweb_forum",
"name": "XSS.is",
"url": "[REDACTED]"
},
"discovered_at": "2026-01-28T12:00:00Z",
"status": "new",
"recommendations": [
"Force password reset for affected user",
"Enable MFA if not already active",
"Check for unauthorized access in audit logs"
]
}
PATCH
/findings/{id}/status
Update finding status
Request Body
| Parameter | Type | Required | Description |
|---|---|---|---|
| status | string | Required | new, investigating, resolved, false_positive |
| note | string | Optional | Status change note/comment |
Threat Intelligence Endpoints
GET
/intelligence/ioc
Get Indicators of Compromise feed
Query Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| type | string | Optional | IOC type: ip, domain, hash, url, email |
| confidence | integer | Optional | Minimum confidence score (0-100) |
| since | datetime | Optional | IOCs updated since (ISO 8601) |
200 OK
{
"iocs": [
{
"value": "185.220.101.45",
"type": "ip",
"threat_type": "c2_server",
"confidence": 95,
"tags": ["cobalt_strike", "apt29"],
"first_seen": "2026-01-15T00:00:00Z",
"last_seen": "2026-01-28T12:00:00Z"
},
{
"value": "d41d8cd98f00b204e9800998ecf8427e",
"type": "md5",
"threat_type": "ransomware",
"confidence": 100,
"tags": ["lockbit", "ransomware"],
"first_seen": "2026-01-20T00:00:00Z"
}
],
"total": 15423
}
POST
/intelligence/search
Search threat intelligence database
Request Body
| Parameter | Type | Required | Description |
|---|---|---|---|
| query | string | Required | Search query (IP, domain, hash, keyword) |
| sources | array | Optional | Filter by sources: darkweb, paste_sites, telegram, etc. |
POST
/intelligence/enrich
Enrich IOC with additional context
Request Body
| Parameter | Type | Required | Description |
|---|---|---|---|
| value | string | Required | IOC value to enrich |
| type | string | Required | IOC type: ip, domain, hash, url |
200 OK
{
"value": "185.220.101.45",
"type": "ip",
"enrichment": {
"geolocation": {
"country": "Russia",
"city": "Moscow",
"asn": "AS12345",
"isp": "Example ISP"
},
"reputation": {
"score": 5,
"categories": ["malware", "c2"]
},
"related_iocs": 23,
"threat_actors": ["APT29"],
"campaigns": ["SolarWinds"]
}
}
AI Analysis Endpoints
POST
/ai/analyze
AI-powered threat analysis
Request Body
| Parameter | Type | Required | Description |
|---|---|---|---|
| finding_id | string | Required | Finding ID to analyze |
| analysis_type | string | Optional | deep_dive, quick_summary, playbook_generation |
200 OK
{
"analysis": {
"summary": "Critical credential exposure detected...",
"threat_assessment": "HIGH",
"attack_vector": "Infostealer malware (RedLine)",
"potential_impact": [
"Account takeover",
"Lateral movement",
"Data exfiltration"
],
"recommended_actions": [
{
"priority": 1,
"action": "Immediately reset password",
"timeframe": "within 1 hour"
},
{
"priority": 2,
"action": "Enable MFA",
"timeframe": "within 24 hours"
}
],
"mitre_mapping": ["T1078", "T1539"]
}
}
Webhook Endpoints
POST
/webhooks
Create a new webhook subscription
Request Body
| Parameter | Type | Required | Description |
|---|---|---|---|
| url | string | Required | Webhook endpoint URL (HTTPS required) |
| events | array | Required | Events to subscribe: finding.created, finding.updated, etc. |
| secret | string | Optional | Secret for HMAC signature verification |
Webhook Payload Example
{
"event": "finding.created",
"timestamp": "2026-01-28T15:30:00Z",
"data": {
"finding": {
"id": "fnd_xyz789",
"type": "credential_leak",
"severity": "critical",
"risk_score": 92,
"matched_value": "j***@company.com"
}
},
"signature": "sha256=abc123..."
}