Rocky Raccoon API Documentation
The Rocky Raccoon API provides programmatic access to behavioral data from ~346 million Windows process execution events. Query process profiles, validate parent-child relationships, analyze suspicious events, and search across the dataset.
Base URL
https://api.rockyraccoon.ioDon't have an API key yet? Get one free — 500 requests per month, no credit card required.
Authentication
All API requests require an API key passed in the Authorization header as a Bearer token.
Authorization: Bearer et_live_xxxxxxxxxxxxxxxxxxxxxxxxAll keys use the et_live_ prefix. You can identify a key by its first 11 characters (e.g. et_live_abc) which are shown in the dashboard — the full key is only visible at creation time.
Keys are created and managed in the Developer Dashboard. Store them securely — you can only view the full key at creation time.
REST API Reference
All endpoints return JSON. Successful responses use HTTP 200. Errors use the appropriate HTTP status code with a standard error object.
/v1/process/{name}All tiersGet the behavioral profile for a Windows process, including execution count, common parent/child relationships, typical file paths, threat intel, and classification data.
| Parameter | Type | In | Description |
|---|---|---|---|
| name* | string | path | Process filename, e.g. svchost.exe |
Response
{
"process_name": "svchost.exe",
"description": "Host process for Windows services...",
"intel": {
"normal_behavior": "Runs as SYSTEM from System32, spawned by services.exe",
"suspicious_indicators": "Running from non-System32 path, unusual parent",
"abuse_patterns": "DLL side-loading, service persistence",
"detection_guidance": "Verify parent is services.exe and path is System32",
"false_positive_notes": "Multiple instances are normal",
"mitre_techniques": ["T1543.003", "T1055.012"],
"references": ["https://attack.mitre.org/techniques/T1543/003/"]
},
"classification": {
"category": "System",
"publisher": "Microsoft Corporation",
"is_lolbin": false,
"risk_level": "low",
"expected_parent": "services.exe",
"related_processes": ["services.exe", "lsass.exe", "csrss.exe"]
},
"executions": { "total": 45821093, "confidence": "high" },
"parents": {
"total": 45000000,
"top": [{ "name": "services.exe", "count": 44415000, "percentage": 98.7 }]
},
"children": {
"top": [{ "name": "wermgr.exe", "count": 5636394 }]
},
"grandparents": {
"top": [{ "name": "wininit.exe", "count": 44000000 }]
},
"paths": {
"total": 45800000,
"top": [{ "path": "c:\\windows\\system32", "count": 45387800, "percentage": 99.1 }]
},
"confidence": "high"
}Examples
curl -H "Authorization: Bearer YOUR_API_KEY" \
https://api.rockyraccoon.io/v1/process/svchost.exe/v1/treeStarter+Assess the normalcy of a three-level process chain (grandparent → parent → child). Returns whether the chain has been observed and an overall assessment.
| Parameter | Type | In | Description |
|---|---|---|---|
| grandparent* | string | query | Grandparent process filename |
| parent* | string | query | Parent process filename |
| child* | string | query | Child process filename |
Response
{
"assessment": "expected",
"grandparent_parent_seen": true,
"parent_child_seen": true,
"overall_confidence": "high",
"signal_breakdown": {
"grandparent_parent_count": 1283947,
"parent_child_count": 45821093
}
}Examples
curl -H "Authorization: Bearer YOUR_API_KEY" \
"https://api.rockyraccoon.io/v1/tree?grandparent=wininit.exe&parent=services.exe&child=svchost.exe"/v1/analyzePro+Composite event analysis with risk scoring. Provide as much context as you have — process name is required, but adding parent, path, command line, or hash improves the assessment.
| Parameter | Type | In | Description |
|---|---|---|---|
| process_name* | string | body | Windows process filename |
| parent_process | string | body | Parent process filename |
| grandparent_process | string | body | Grandparent process filename |
| file_path | string | body | Full file path on disk |
| command_line | string | body | Full command line string |
| sha256 | string | body | SHA-256 hash (64 hex chars) |
Response
{
"risk_score": 7.2,
"assessment": "suspicious",
"confidence": "high",
"signal_breakdown": {
"process_prevalence": 2.1,
"parent_child_relationship": 8.5,
"file_path_normalcy": 9.0,
"hash_reputation": 0.0
}
}Examples
curl -X POST https://api.rockyraccoon.io/v1/analyze \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"process_name": "powershell.exe",
"parent_process": "excel.exe",
"file_path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"
}'/v1/searchPro+Semantic search across Windows processes using natural language. Uses vector embeddings to find processes matching your description.
| Parameter | Type | In | Description |
|---|---|---|---|
| q* | string | query | Natural language search query |
| limit | integer | query | Max results (1-25, default 5) |
Response
{
"results": [
{
"process_name": "mstsc.exe",
"description": "Microsoft Remote Desktop Connection client...",
"relevance_score": 0.94,
"total_executions": 2847103
},
{
"process_name": "teamviewer.exe",
"description": "TeamViewer remote access software...",
"relevance_score": 0.89,
"total_executions": 518293
}
]
}Examples
curl -H "Authorization: Bearer YOUR_API_KEY" \
"https://api.rockyraccoon.io/v1/search?q=remote%20administration%20tools&limit=5"/v1/bulk/processesPro+Look up multiple process names in a single request. Each process in the array counts as one request against your quota.
| Parameter | Type | In | Description |
|---|---|---|---|
| processes* | string[] | body | Array of process filenames |
Response
{
"results": [
{
"process_name": "svchost.exe",
"description": "Host process for Windows services...",
"total_executions": 45821093,
"confidence": "high"
},
{
"process_name": "notarealprocess.exe",
"description": null,
"total_executions": 0,
"confidence": "low"
}
]
}Examples
curl -X POST https://api.rockyraccoon.io/v1/bulk/processes \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"processes": ["svchost.exe", "lsass.exe", "csrss.exe"]}'/v1/bulk/hashesPro+Look up multiple file hashes (SHA-256 or MD5) in a single request. Each hash counts as one request against your quota.
| Parameter | Type | In | Description |
|---|---|---|---|
| hashes* | string[] | body | Array of SHA-256 (64 chars) or MD5 (32 chars) hashes |
Response
{
"results": [
{
"hash": "a1b2c3...64chars",
"hash_type": "sha256",
"filenames": ["svchost.exe"],
"total_executions": 45821093,
"sha256_hash": "a1b2c3...64chars"
}
]
}Examples
curl -X POST https://api.rockyraccoon.io/v1/bulk/hashes \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"hashes": ["a1b2c3d4e5f6..."]}'MCP Server
Rocky Raccoon implements the Model Context Protocol (MCP), allowing AI assistants like Claude to query process data directly. The MCP endpoint speaks JSON-RPC 2.0 over HTTP, using the same API key authentication as the REST API.
MCP Endpoint
https://api.rockyraccoon.io/mcpOnly tools/call requests count against your monthly quota. Protocol methods (initialize, ping, tools/list) are free.
Setup Guides
Claude Code
Add to your project's .mcp.json:
{
"mcpServers": {
"echotrail": {
"type": "url",
"url": "https://api.rockyraccoon.io/mcp",
"headers": {
"Authorization": "Bearer YOUR_API_KEY"
}
}
}
}Claude Desktop
Add to claude_desktop_config.json:
{
"mcpServers": {
"echotrail": {
"type": "url",
"url": "https://api.rockyraccoon.io/mcp",
"headers": {
"Authorization": "Bearer YOUR_API_KEY"
}
}
}
}Cursor
Add to your project's .cursor/mcp.json:
{
"mcpServers": {
"echotrail": {
"url": "https://api.rockyraccoon.io/mcp",
"headers": {
"Authorization": "Bearer YOUR_API_KEY"
}
}
}
}Tool Reference
The MCP server exposes 8 tools. Which tools are available depends on your tier — use tools/list to see what's available for your key.
lookup_processAll tiersGet comprehensive behavioral profile for a Windows process. Same data as GET /v1/process/{name}.
Input
{ "process_name": "svchost.exe" }lookup_hashAll tiersLook up a file hash (SHA-256 or MD5) to find associated filenames and execution counts.
Input
{ "hash_value": "a1b2c3d4..." }MCP-only — no REST equivalent yet. REST endpoint planned.
check_parent_childAll tiersValidate whether a parent-child process relationship has been observed in the dataset.
Input
{ "parent": "services.exe", "child": "svchost.exe" }analyze_pathAll tiersCheck whether a process has been observed running from a specific file path.
Input
{
"process_name": "svchost.exe",
"file_path": "c:\\windows\\system32\\svchost.exe"
}MCP-only — no REST equivalent yet. REST endpoint planned.
get_prevalenceAll tiersGet the prevalence (execution count and confidence level) for a process.
Input
{ "process_name": "svchost.exe" }MCP-only — no REST equivalent yet. REST endpoint planned.
check_process_treeStarter+Assess the normalcy of a three-level process chain. Same data as GET /v1/tree.
Input
{
"grandparent": "wininit.exe",
"parent": "services.exe",
"child": "svchost.exe"
}analyze_eventPro+Composite event analysis with 0-10 risk scoring. Same data as POST /v1/analyze.
Input
{
"process_name": "powershell.exe",
"parent_process": "excel.exe",
"file_path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"
}search_processesPro+Semantic search across Windows processes using natural language. Same data as GET /v1/search.
Input
{ "query": "remote administration tools", "limit": 5 }Quotas & Rate Limits
Each API tier has a monthly request quota and a per-minute burst limit. Both REST and MCP tools/call requests count against your quota.
| Tier | Monthly Quota | Burst Limit | Max Keys |
|---|---|---|---|
| Free | 500 | 10/min | 2 |
| Starter | 1,000 | 60/min | 5 |
| Pro | 5,000 | 120/min | 10 |
| Scale | 25,000 | 300/min | 25 |
| Enterprise | 100,000 | 600/min | 100 |
Rate-limit headers
Every response includes these headers so you can track your usage programmatically:
| Header | Description |
|---|---|
| X-RateLimit-Limit | Your monthly quota |
| X-RateLimit-Remaining | Requests remaining this month |
| X-RateLimit-Reset | Unix timestamp when quota resets (1st of next month) |
Paid tiers (Starter+) allow overage beyond the monthly quota at per-request pricing. Free tier requests are rejected with HTTP 429 after the quota is exhausted.
Tier Comparison
Which endpoints and tools you can access depends on your tier. Higher tiers include everything from lower tiers.
| Capability | Free | Starter | Pro | Scale+ |
|---|---|---|---|---|
| GET /v1/process/{name} | ✓ | ✓ | ✓ | ✓ |
| lookup_process (MCP) | ✓ | ✓ | ✓ | ✓ |
| lookup_hash (MCP) | ✓ | ✓ | ✓ | ✓ |
| check_parent_child (MCP) | ✓ | ✓ | ✓ | ✓ |
| analyze_path (MCP) | ✓ | ✓ | ✓ | ✓ |
| get_prevalence (MCP) | ✓ | ✓ | ✓ | ✓ |
| GET /v1/tree | — | ✓ | ✓ | ✓ |
| check_process_tree (MCP) | — | ✓ | ✓ | ✓ |
| POST /v1/analyze | — | — | ✓ | ✓ |
| GET /v1/search | — | — | ✓ | ✓ |
| POST /v1/bulk/processes | — | — | ✓ | ✓ |
| POST /v1/bulk/hashes | — | — | ✓ | ✓ |
| analyze_event (MCP) | — | — | ✓ | ✓ |
| search_processes (MCP) | — | — | ✓ | ✓ |
See Pricing for monthly costs, or upgrade from the Developer Dashboard.
Errors
All errors return a JSON object with an error key containing a machine-readable code and a human-readable message.
{
"error": {
"code": "unauthorized",
"message": "Invalid or missing API key"
}
}| HTTP Status | Code | Description |
|---|---|---|
| 400 | bad_request | Missing or invalid parameters |
| 401 | unauthorized | Invalid or missing API key |
| 403 | forbidden | Your tier does not have access to this endpoint |
| 404 | not_found | Process or resource not found |
| 429 | quota_exceeded | Monthly quota or burst rate limit exceeded |
| 500 | internal_error | Unexpected server error |
MCP error codes
MCP responses use JSON-RPC 2.0 error codes instead of HTTP status codes:
| Code | Meaning |
|---|---|
| -32700 | Parse error (invalid JSON) |
| -32601 | Method not found |
| -32602 | Invalid parameters (missing required arguments) |
| -32603 | Internal error |
| -32000 | Unauthorized or quota exhausted |
| -32001 | Tier access denied |
Ready to get started?
500 free requests per month. No credit card required.