-
Notifications
You must be signed in to change notification settings - Fork 11
Blueliv REST API Documentation
Blueliv API allows clients to integrate Blueliv’s Cyber Threat Intelligence into their own solutions.
The use of this API will add Cyber Threat Intelligence to your existing data, addressing a comprehensive range of cyber threats including compromised URLs, domains, IPs, etc. to turn global threat data into predictive, actionable intelligence specifically for your enterprise and the unique threats it faces. Our powerful networks of specialized search engines constantly scour the web for up-to-the-minute data and delivers real-time actionable information.
Blueliv API may require authentication in some of the available resources. Please use the API token (get yours here) that is sent in the header of each HTTP request to do so. For instance:
GET /v1/crimeserver/online
Host: freeapi.blueliv.com
Authorization: Bearer AbCdEf123456
Content-Type: application/json
Accept-Encoding: gzip, deflate
You can generate a new API token once a day, but it will invalidate your current one.
Some of the API resources are protected with a rate limit, defined here. Recommendations:
- Verify the error code (429) to confirm the throttling.
- Do not make all the calls at the same time. Spread them throughout the day instead.
- You should try to make a smart fetching of data (important data, non duplicated data, etc).
Blueliv API resources are available through HTTP. They return JSON responses. Metadata fields are included in the response in order to provide information on when this data was generated (updated field) and when new data will be available (nextUpdate field). We currently have two main resources available through our API:
- Bot IPs - Data related to an infected IP that is part of a botnet. An example of a Bot IP entity is shown below. Blueliv provides three different Bot IPs feeds: the first one contains IPs that were infected by Point of Sale (POS) botnets. The second feed includes IPs infected by botnets that are not POS and the last one gathers all the data together.
{
"botnetFamily" : ["Trojan Banker"], // Botnet family where the botnet belongs to
"botVersion": "131151", // Version of the bot installed in the infected machine
"internalIp": "192.168.5.13", // Internal IP of the infected machine
"ip": "220.89.127.42", // IP of the infected machine
"country": "AU", // Country where the infected machine is located (ISO-3166-1, 2-characters version)
"countryName": "Australia", // Country name where the infected machine is located, in English
"hostname": "mark-work-laptop", // Name of the infected machine
"latitude": -37.7833, // Latitude of the infected machine
"longitude": 144.9833, // Longitude of the infected machine
"seenAt": "2015-06-01T04:35:16+0000", // Date we registered activity in the infected machine
"botnetUrl": "http ://89.110.147.222", // URL of the botnet
"botnetIp": "89.110.147.127", // IP of the botnet
"botnetType": "DRIDEX", // Type of the botnet
"operatingSystem": "Windows 7 , x64 , SP 1", // Operating System of the infected machine
"botId": "e280f9ff322e54b81af1ae238b47d9858205be7b7ee1566dc5af8fb9746a80ca", // Internal unique ID of a bot (not BotIP, because IPs are dynamic!)
"city": "Fitzroy", // City where the infected machine is located
"createdAt": "2015-06-01T12:41:40+0000", // Date when the BotIP was added to our database
"botnet": "245", // Internal number of the botnet
"destinationPort": 443, // Port where the data was robbed from the infected machine (e.g., "https://login.mywebsite.com" is port 443)
"portalUrl": "https://login.mywebsite.com", // URL of an HTTP request captured by the bot in the infected machine
"portalDomain": "mywebsite.com", // Domain of an HTTP request captured by the bot in the infected machine
"userAgent": "Mozilla 5.0" // User Agent of an HTTP request captured by the bot in the infected machine
}
- Crime Servers Data related to a server that has been used to perform some kind of malicious activity. An example of a Crime Server entity is shown below:
{
"_id": "5698945b43fe63f4caa3d2aef42b690aa6fd3979f905d89f97c5d792fbd4f2b6" // Internal unique ID. Not available in free API
"url": "http://0rrkut2012.je.ro", // URL of the Crime Server
"type": "PHISHING", // Type of the Crime Server
"subType": "UNCLASSIFIED", // Subtype of the Crime Server. Not available in free API
"country": "KR", // Country where the Crime Server is located (ISO-3166-1, 2-characters version)
"countryName": "South Korea", // Country name where the Crime Server is located, in English. Not available in free API
"city": "Seoul", // City where the Crime Server is located. Not available in free API
"status": "ONLINE", // Status of the Crime Server. Either ONLINE or OFFLINE
"latitude": 37.57, // Latitude of the Crime Server
"longitude": 126.98, // Longitude of the Crime Server
"ip": "66.232.140.226", // IP of the Crime Server
"domain": "je.ro" // Domain of the Crime Server. Not available in free API
"host": "0rrkut2012.je.ro" // Host of the Crime Server. Not available in free API
"createdAt": "2014-11-25T10:23:55+0100" // Date when the Crime Server was added to our database. Not available in free API
"updatedAt": "2014-11-25T13:53:25+0100", // Date when we received the last update of the Crime Server
"asnCidr": "66.232.136.0/21", // Range of IPs that belong to an ISP (registered via Autonomous System Number (ASN)). Not available in free API
"asnId": 9848, // Identifier of an ISP registered via ASN. Not available in free API
"asnDesc": "Enterprise Networks", // Description of the ISP registered via ASN. Not available in free API
"firstSeenAt": "2011-01-19T21:34:59+0100", // First date when we registered activity in a Crime Server
"lastSeenAt": "2011-01-19T21:34:59+0100", // Last date when we registered activity in a Crime Server
"falsePositive": false // When a Crime Server is uploaded as ONLINE but we detected it is a false positive. These Crime Servers must have "status" OFFLINE
}
Please note that sometimes one or more fields may not be present in the JSON object.
- Malware Hashes Data related to malwares that have been recently analyzed by our system. An example of a Malware Hash entity is shown below:
{
"md5": "a06b370751682d6032da63f919b96831", // MD5 of the malware
"sha1": "236fd9fc576ccb26c23830a2b07ed38c16f83de8", // SHA1 of the malware
"sha256": "3b38de63892798a7ca90e3816b3960120cc616487aca940c05159960a3510e4d", // SHA256 of the malware
"analyzedAt": "2015-07-09T15:11:21+0000", // Date when the malware was analyzed by Blueliv
"firstSeenAt": "2015-07-09T14:11:21+0000", // Date when the malware was seen for the first time
"fileType": "PE32 executable (GUI) Intel 80386, for MS Windows", // Type of file
"fileSize": 57344, // Size of the malware in Bytes
"malwareType": "TINBA", // Malware classification
"confidence": "HIGH", // Classification confidence
"architecture": "WIN32", // The type of architecture where the malware is executed.
"signatures": [{
description : "One or more applications have crashed during the analyasis : Error
: Explorer .EXE (C: \Windows\Explorer .EXE) Application Crashing Events" ,
name: "Application Crashing Events" ,
severity : 1
},
{
description : "The sample installs itself to autorun at Windows startup to
asure the persistence in the infected machine in every system restart " ,
name: "Persistence" ,
severity : 2
},
{
description : "File has been ident i f ied by AntiVirus " ,
name: "Antivirus Matched" ,
severity : 3
}]
}
- Hacktivism Data related to the number of hacktivism tweets recently created. Blueliv provides two types of feeds: the first one contains the most popular hacktivism hashtags and the second one contains the countries where more number of hacktivism tweets are coming from. An example of a these two kinds of entities are shown below:
{
"name": "United States", // Country where the Hacktivism tweet was published (Full country name version)
"iso": "US", // Country where the Hacktivism tweet was published (ISO-3166-1, 2-characters version)
"total": 409 // Number of Hacktivism tweets in this country
}
{
"hashTag": "opseaworld", // Hacktivism hashtag
"total": 139805 // Total number of tweets using this hashtag
}
- Attacking IPs Data related to the ips that are attacking/scanning services of other ips. An example of a these two kinds of entities are shown below:
{
"_id":"56978dc0e4b0569c8d6f3b96", // Value that uniquely identify an attack event
"attackType":"SERVICE_SCAN", // Taxonomi of the attack
"firstEvent":"2016-01-14T11:53:58+0000", // A timestamp specifying when was the first event of the attack
"lastEvent":"2016-01-14T11:56:06+0000", // A timestamp specifying when was the last event of the attack
"numEvents":2, // Number of events related to this attack
"source":{ // Information about the ip, port and location of attack’s source
"ip":"188.214.58.237", // This is the attacking IP
"country":"RO", // Country where the attacking IP was observed (two letters, ISO-3166)
"countryName":"Romania", // The full country name in which the attacking IP was observed
"port":[58522,52927], // List of ports used by the source to communicate with the targeted IP
"latitude":46.0, // The latitude in which the attacking IP was last observed
"longitude":25.0 // The longitude in which the attacking IP was last observed
},
"destination":{ // Information about the ip, port, service used and location of attack’s target
"ip":"xxx.xxx.6.209", // This is the ofuscated target IP of the attack
"country":"GB", // Country where the target IP was observed (two letters, ISO-3166)
"countryName":"United Kingdom", // The full country name in which the target IP was observed
"city":"London", // The city in which the target IP was observed
"port":[22], // List of ports used to stablish the communiction with the source
"serviceName":["ssh"], // List of services used in the communication. These are related with the list of ports
"latitude":51.5144, // The latitude in which the target IP was last observed
"longitude":-0.0941 // The longitude in which the target IP was last observed
},
"createdAt":"2016-01-14T12:00:00+0000", // The timestamp of when the attack was created
"updatedAt":"2016-01-14T12:00:00+0000" // The timestamp of when the attack was updated
}
Below you can find an overview of all the resources available through our API. Please note that some resources are not available through the free API. Authentication is mandatory for all the available resources. The response format is JSON.
| Resources | Rate limit | Free API |
|---|---|---|
| /v1/ip/pos/last | 2 Requests/10m | Not available |
| /v1/ip/recent | 2 Requests/1h | Not available |
| /v1/ip/last | 2 Requests/10m | Not available |
| /v1/ip/recent | 2 Requests/1h | Not available |
| /v1/ip/full/last | 2 Requests/10m | Not available |
| /v1/ip/full/recent | 2 Requests/1h | Not available |
| /v1/ip/test | - | Not available |
| /v1/crimeserver/last | 2 Requests/15m | 4 Requests/24h |
| /v1/crimeserver/recent | 2 Requests/1h | 1 Requests/24h |
| /v1/crimeserver/online | 2 Requests/24h | 1 Requests/24h |
| /v1/crimeserver/test | Unlimited | Unlimited |
| /v1/malware/lastday | 2 Requests/24h | Not available |
| /v1/malware/last | 2 Requests/15m | Not available |
| /v1/malware/recent | 2 Requests/1h | Not available |
| /v1/hacktivism/ops/last | 2 Requests/1h | Not available |
| /v1/hacktivism/ops/recent | 2 Requests/24h | Not available |
| /v1/hacktivism/ops/current | 2 Requests/1h | Not available |
| /v1/hacktivism/country/last | 2 Requests/1h | Not available |
| /v1/hacktivism/country/recent | 2 Requests/24h | Not available |
| /v1/hacktivism/country/current | 2 Requests/1h | Not available |
| /v1/attack/last | 2 Requests/10m | Not available |
| /v1/attack/recent | 2 Requests/1h | Not available |
Test resources (/{resource}/test) may be used for debug purposes. They have no rate limit.
The information provided by Bot IPs resources is cached for for 10 minutes in /last resource and 1 hour in /recent. Requesting more often than that, it will not return any more data, and will count against your rate limit usage. All end-points return the same JSON structure, shown in listing below. These resources are not available in the free version of our API.
{
"ips" : [{
"botnetFamily": [
"Trojan Banker"
],
"ip": "88.96.121.218",
"country": "GB",
"countryName": "United Kingdom",
"latitude": 51.5,
"longitude": -0.13,
"seenAt": "2015-02-23T22:05:58+0000",
"botnetUrl": "http://89.127.222.222",
"botnetIp": "89.127.222.222",
"destinationPort": 443,
"botnetType": "DRIDEX",
"operatingSystem": "Windows 7, SP1, x64",
"userAgent": "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko",
"botId" "b50fa0137f8de13148ea454d2de77e919ae4bf237fd2b51ecc46a5",
"botVersion": "131151",
"portalUrl": "https://gmail.com",
"createdAt": "2015-01-21T15:50:02+0000",
"botnet": "245"
}, {
"botnetFamily": [
"POS"
],
"ip": "87.224.121.47",
"country": "GB",
"countryName": "United Kingdom",
"latitude": 51.5,
"longitude": -0.13,
"seenAt": "2015-02-23T22:05:58+0000",
"botnetUrl": "http://5.224.87.35/Panel/loading.php",
"botnetIp": "5.224.87.35",
"botnetType": "JACKPOS",
"botId": "454d954d7f8de13148ea2de77e919ae4bf237fd2b51ecc46ab505d",
"createdAt": "2015-03-21T15:51:06+0000"
}
],
"meta": {
"totalSize": 2,
"updated": "2015-01-21T15:55:01+0000",
"nextUpdate": "2015-01-21T16:55:01+0000"
}
}
Returns Bot IPs’ updates - only POS botnets - collected during the last 10 minutes.
| Information | |
|---|---|
| Authentication | Yes |
| Rate limit | 2/10 minutes |
| Free API | Not available |
Returns Bot IPs’ updates - only POS botnets - collected during the last 60 minutes.
| Information | |
|---|---|
| Authentication | Yes |
| Rate limit | 2/1 hour |
| Free API | Not available |
Returns Bot IPs’ updates - everything except POS botnets - collected during the last 10 minutes.
| Information | |
|---|---|
| Authentication | Yes |
| Rate limit | 2/10 minutes |
| Free API | Not available |
Returns Bot IPs’ updates - everything except POS botnets - collected during the last 60 minutes.
| Information | |
|---|---|
| Authentication | Yes |
| Rate limit | 2/1 hour |
| Free API | Not available |
Returns full Bot IPs’ updates collected during the last 10 minutes.
| Information | |
|---|---|
| Authentication | Yes |
| Rate limit | 2/10 minutes |
| Free API | Not available |
Returns full Bot IPs’ updates collected during the last 60 minutes.
| Information | |
|---|---|
| Authentication | Yes |
| Rate limit | 2/1 hour |
| Free API | Not available |
The information provided by the Crime Servers resources is cached for 15 minutes (6h in free API) in /last resource and 1 hour (24h in free API) in /recent. Requesting more often than that, it will not return any more data, and will count against your rate limit usage. All end-points return the same JSON
structure, shown below:
{
"crimeServers" : [{
"url" : "http://0rrkut2012.je.ro",
"type" : "PHISHING",
"country" : "KR",
"status" : "ONLINE",
"latitude" : 37.57,
"longitude" : 126.98,
"ip" : "66.232.140.226",
"updatedAt" : "2014-11-25T13:53:25+0100",
"firstSeenAt" : "2011-01-19T21:34:59+0100",
"lastSeenAt" : "2011-01-19T21:34:59+0100"
}, {
"url" : "http://hjadaolsbdhasog90.com/bot.exe",
"type" : "MALWARE",
"country" : "US",
"status" : "ONLINE",
"latitude" : 47.5839,
"longitude" : -122.2995,
"ip" : "54.213.50.75",
"updatedAt" : "2014-11-10T18:04:30+0100",
"firstSeenAt" : "2014-11-10T18:04:30+0100",
"lastSeenAt" : "2014-11-10T18:04:30+0100"
}
],
"meta": {
"totalSize": 2,
"updated": "2015-01-21T15:55:01+0000",
"nextUpdate": "2015-01-21T16:10:01+0000"
}
}
Returns every Crime Server online.
| Information | |
|---|---|
| Authentication | Yes |
| Rate limit | 1/24 hours |
| Free API | 1/24 hours |
Returns full Crime Servers’ feed updates collected during the last 15 minutes (or 6h in free API).
| Information | |
|---|---|
| Authentication | Yes |
| Rate limit | 2/15 minutes |
| Free API | 4/24 hours |
Returns full Crime Servers’ feed updates collected during the last 24 hours.
| Information | |
|---|---|
| Authentication | Yes |
| Rate limit | 3/24 hours |
| Free API | 1/24 hours |
The information provided by the Malware Hashes resources is cached for 10 minutes in /last resource, 1 hour in /recent and 1 day in /lastday. Requesting more often than that, it will not return any more data, and will count against your rate limit usage. All end-points return the same JSON structure, shown below. Metadata fields are included in the response in order to provide information on when this data was generated (updated field) and when new data will be available (nextUpdate field).
{
"malwares" : [{
"md5": "a06b370751682d6032da63f919b96831", // MD5 of the malware
"sha1": "236fd9fc576ccb26c23830a2b07ed38c16f83de8", // SHA1 of the malware
"sha256": "3b38de63892798a7ca90e3816b3960120cc616487aca940c05159960a3510e4d", // SHA256 of the malware
"analyzedAt": "2015-07-09T15:11:21+0000", // Date when the malware was analyzed by Blueliv
"firstSeenAt": "2015-07-09T14:11:21+0000", // Date when the malware was seen for the first time
"fileType": "PE32 executable (GUI) Intel 80386, for MS Windows", // Type of file
"fileSize": 57344, // Size of the malware in Bytes
"malwareType": "TINBA", // Malware classification
"confidence": "HIGH", // Classification confidence
"architecture": "WIN32", // The type of architecture where the malware is executed.
"signatures": [{
description : "One or more applications have crashed during the analyasis : Error
: Explorer .EXE (C: \Windows\Explorer .EXE) Application Crashing Events" ,
name: "Application Crashing Events" ,
severity : 1
},
{
description : "The sample installs itself to autorun at Windows startup to
asure the persistence in the infected machine in every system restart " ,
name: "Persistence" ,
severity : 2
},
{
description : "File has been ident i f ied by AntiVirus " ,
name: "Antivirus Matched" ,
severity : 3
}]
}
],
"meta": {
"totalSize": 2,
"updated": "2015-01-21T15:55:01+0000",
"nextUpdate": "2015-01-21T16:10:01+0000"
}
}
Returns malware analyzed during the last 10 minutes.
| Information | |
|---|---|
| Authentication | Yes |
| Rate limit | 2/10 minutes |
Returns malwares analyzed during the last hour.
| Information | |
|---|---|
| Authentication | Yes |
| Rate limit | 2/1 hour |
Returns malwares analyzed during the last 24 hour.
| Information | |
|---|---|
| Authentication | Yes |
| Rate limit | 2/24 hours |
The information provided by the Hacktivism resources is cached for 1 hour in /last resource, 24 hour in /recent and 1 hour in /current. Requesting more often than that, it will not return any more data, and will count against your rate limit usage. All end-points return the same JSON structure, shown below. Metadata fields are included in the response in order to provide information on when this data was generated (updated field) and when new data will be available (nextUpdate field).
{
"countries" : [{
"name" : "United States",
"iso" : "US",
"total" : 251
},{
"name" : "Japan",
"iso" : "JP",
"total" : 113
},{
"name" : "Greece",
"iso" : "GR",
"total" : 21
}
],
"rangeStart" : "2015-07-10T09:00:00+0000",
"rangeEnd" : "2015-07-10T10:00:00+0000",
"meta": {
"totalSize": 385,
"updated": "2015-01-21T15:55:01+0000",
"nextUpdate": "2015-01-21T16:10:01+0000"
}
}
{
"hashtags" : [{
"hashTag" : "opseaworld",
"total" : 251
},{
"hashTag" : "opkkk",
"total" : 203
},{
"hashTag" : "opkillingbay",,
"total" : 143
}
],
"rangeStart" : "2015-07-10T09:00:00+0000",
"rangeEnd" : "2015-07-10T10:00:00+0000",
"meta": {
"totalSize": 385,
"updated": "2015-01-21T15:55:01+0000",
"nextUpdate": "2015-01-21T16:10:01+0000"
}
}
Returns the more popular hacktivism hashtags during the last hour.
| Information | |
|---|---|
| Authentication | Yes |
| Rate limit | 2/1 hours |
Returns the more popular hacktivism hashtags during the last 24 hour.
| Information | |
|---|---|
| Authentication | Yes |
| Rate limit | 2/24 hours |
Returns the more popular hacktivism hashtags during the last 30 days. In this case the data is updated every hour.
| Information | |
|---|---|
| Authentication | Yes |
| Rate limit | 2/1 hours |
Returns the countries where more tweets are coming from during the last 1 hour.
| Information | |
|---|---|
| Authentication | Yes |
| Rate limit | 2/1 hour |
Returns the countries where more tweets are coming from during the last 24 hour.
| Information | |
|---|---|
| Authentication | Yes |
| Rate limit | 2/24 hours |
Returns the countries where more tweets are coming from during the last 30 days. This data is updated every hour.
| Information | |
|---|---|
| Authentication | Yes |
| Rate limit | 2/24 hours |
The information provided by the Attacking IPs resources is cached for 1 hour in /recent resource and 10 minutes in /last. Requesting more often than that, it will not return any more data, and will count against your rate limit usage. All end-points return the same JSON structure, shown below. Metadata fields are included in the response in order to provide information on when this data was generated (updated field) and when new data will be available (nextUpdate field).
{
"attacks": [
{
"_id":"56978dc0e4b0569c8d6f3b96",
"attackType":"SERVICE_SCAN",
"firstEvent":"2016-01-14T11:53:58+0000",
"lastEvent":"2016-01-14T11:56:06+0000",
"numEvents":2,
"source":{
"ip":"188.214.58.237",
"country":"RO",
"countryName":"Romania",
"port":[58522,52927],
"latitude":46.0,
"longitude":25.0
},
"destination":{
"ip":"xxx.xxx.6.209",
"country":"GB",
"countryName":"United Kingdom",
"city":"London",
"port":[22],
"serviceName":["ssh"],
"latitude":51.5144,
"longitude":-0.0941
},
"createdAt":"2016-01-14T12:00:00+0000",
"updatedAt":"2016-01-14T12:00:00+0000"
}
],
"meta":{
"totalSize":1,
"updated":"2016-01-21T00:00:00+0000",
"nextUpdate":"2016-01-21T00:10:00+0000"
}
}
Returns the attacking ips from during the last 10 minutes. This data is updated every 10 minutes.
| Information | |
|---|---|
| Authentication | Yes |
| Rate limit | 2/15 minutes |
Returns the attacking ips from during the last 1 hour. This data is updated every hour.
| Information | |
|---|---|
| Authentication | Yes |
| Rate limit | 2/1 hour |
We maintain a list of SDKs to access our API:
This section shows how to programmatically get Blueliv’s data feeds. This example has been developed using Python 2.7 and the Python requests module and uses the BluelivAPI Python library, available here.
Please locate the api-python-sdk package in one of the directories that are specified by the environment variable PYTHONPATH. You can this tutorial to get more information on PYTHONPATH and on the use of modules in Python.
Please use the following command to install the current master. Note that master contains the latest revisions and is largely considered "stable" but it is not an officially packaged release. Use the latest tag number if you want the latest packaged release.
> pip install git+git://github.com/Blueliv/api-python-sdk
Run the following command to install a specific version of the package with pip (recommended). The example installs the v2.0.0 tag. You can replace the version tag with the one you want.
> pip install git+git://github.com/Blueliv/api-python-sdk@v2.0.0
If you’re using pip with requirements.txt, add the following line: git+git://github.com/Blueliv/api-python-sdk.
Our SDK can be used to get the data from all available feeds listed above. All the responses from the API are encapsulated in a Response class with the following fields:
-
status_code - HTTP status code returned by the server.
-
error_msg - Error message if there was any error getting data. If there is no error, this value will be
None. -
items - Items' data (either Bot IPs or Crime Servers).
-
total_size - Number of items.
-
updated_at - Date when the cache was generated by the server.
-
next_update - Date when the cache will be generated again.
Getting updated data from our Bot IP's feed is easy. One only has to make regular calls of the bot_ips.last() or bot_ips.recent() method from BluelivAPI class, depending on the frequency that you want to get data. These methods (see here) have one parameter as input:
-
feed_type - The feed type (as a String) that you want to access. The feeds available are:
'non-pos','pos'and'full'.
If you want to debug your application, you can call bot_ips.test() with no parameters. Please be aware that test mode always calls the same resource (/test). Therefore you will always get the same data. The output of these functions last(), recent() and test()) is a Response object.
You can run the following command to get the Python documentation for Resource class:
> pydoc sdk.api.resource.Resource
Please note that this is a single call to Blueliv’s API. If you want to maintain your local data feed up-to-date, you should probably set-up a cron job to run each time the feed is updated (next_update field).
Getting updated data from our Crime Servers’ feed is easy. One only has to make regular calls of the crime_servers.last() or crime_servers.recent() method from BluelivAPI class, depending on the frequency that you want to get data. This method (see here) should be called without parameters.
If you want to debug your application, you can call crime_servers.test() with no parameters. Please be aware that test mode always calls the same resource (/test). Therefore you will always get the same data. The output of these functions last(), recent() and test()) is a Response object.
You can run the following command to get the Python documentation for Resource class:
> pydoc sdk.api.resource.Resource
Please note that this is a single call to Blueliv’s API. If you want to maintain your local data feed up-to-date, you should probably set-up a cron job to run each time the feed is updated (next_update field). Note that /online resource may return you a large response as output (≃ 100MB). We recommend that you call it in the first time you use the API. After that you should rely on the updates given by the feed.