Search for a specific IOC value
Look up a specific IOC (IP, domain, hash, URL, CVE, etc.) and get back every record from across the feed plus related indicators from the same article or campaign.
Strategy
Two-stage lookup:
- Exact match against ioc_value_normalized (btree-indexed, ~5ms). Lowercased + URL-canonicalized + IPv6-zero-compressed.
- Trigram fallback if no exact match. Requires ≥3 characters and uses the pg_trgm GIN index on the value column.
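An added sketch of the two-stage lookup described above, not the service's own code. The normalization rules, the in-memory feed, the trigram scoring (a simplified stand-in for pg_trgm) and the 0.3 threshold are assumptions, and all sample values are constructed.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Constructed feed, keyed by the normalized value (stand-in for ioc_value_normalized).
FEED = {
    "2001:db8::1": "article-1",
    "evil-updates.example": "article-1",
    "http://evil-updates.example/stage2.bin": "article-2",
    "0123456789abcdef0123456789abcdef": "article-2",
}

def normalize_ioc(value: str) -> str:
    """Approximate the listed normalization steps (assumed rules)."""
    v = value.strip()
    try:
        # str() of an IPv6 address is the lowercase, zero-compressed form.
        return str(ipaddress.ip_address(v))
    except ValueError:
        pass
    if "://" in v:
        p = urlsplit(v)
        # Assumed canonical form: lowercase scheme and host, path "/" if
        # empty, fragment dropped. Path and query keep their case.
        return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))
    return v.lower()  # domains, hashes, emails, CVE IDs

def trigrams(s: str) -> set:
    return {s[i:i + 3] for i in range(len(s) - 2)}

def similarity(a: str, b: str) -> float:
    """Jaccard overlap of trigram sets (pg_trgm also pads words with spaces)."""
    ta, tb = trigrams(a), trigrams(b)
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0

def lookup(value: str, feed: dict, threshold: float = 0.3):
    """Return (stage, matches): exact match first, trigram fallback second."""
    key = normalize_ioc(value)
    if key in feed:
        return "exact", [key]
    if len(key) < 3:
        return "none", []  # the fallback requires at least 3 characters
    scored = sorted(((similarity(key, k), k) for k in feed), reverse=True)
    return "trigram", [k for score, k in scored if score >= threshold]

if __name__ == "__main__":
    for q in ("2001:0DB8:0:0:0:0:0:1", "evil-update.example", "ev"):
        print(q, "->", lookup(q, FEED))
```

Differently written forms of the same indicator (uppercase hash, expanded IPv6) resolve at the exact stage, while a near-miss such as a truncated domain only surfaces through the fuzzy stage and should be treated as a candidate, not a confirmed hit.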
Use cases
- Triage: pasted IP from an alert → “is this in our threat intel?”
- Pivot: found a hash → fetch the article + the other IOCs from the same report
- Verification: confirm a domain hasn’t been flagged elsewhere
Related IOCs
When include_related=true (default), the response includes up to 10 IOCs from the same source article. Useful for hash → campaign expansion.
Authorizations
API key in X-API-Key header
Query Parameters
IOC value to search for. Accepts any type (IPv4/IPv6, domain, URL, MD5/SHA1/SHA256/SHA512, email, CVE ID, MITRE technique). Auto-normalized for lookup.
2"192.168.1.1"
When true (default), the response includes up to 10 IOCs from the same source article — useful for pivot/expansion workflows.
true