Example request:

```bash
curl -H "Authorization: Bearer sk_live_..." \
  "https://socdefenders.ai/api/v1/lookup?ioc=110.36.30.112"
```

Example response:

```json
{
  "meta": {
    "generated_at": "2026-05-16T05:00:00Z",
    "feed_version": "1.0",
    "source": "SOC Defenders"
  },
  "data": {
    "found": true,
    "ioc_value": "110.36.30.112",
    "ioc_type": "ipv4",
    "confidence": "high",
    "first_seen": "2026-05-16T04:23:18Z",
    "last_seen": "2026-05-16T04:23:18Z",
    "total_occurrences": 3,
    "reporting_sources": 2,
    "threat_type": "malware_hosting",
    "malware_family": "Mozi",
    "tags": [
      "32-bit",
      "elf",
      "mips",
      "Mozi"
    ],
    "mitre_techniques": [],
    "risk": {
      "score": 78,
      "level": "high"
    },
    "hunting": {
      "detection_guidance": "Alert on outbound connections to this IP from production servers...",
      "splunk_query": "index=firewall dest_ip=110.36.30.112",
      "kql_query": "DeviceNetworkEvents | where RemoteIP == '110.36.30.112'"
    },
    "sources": [
      {
        "source_feed": "URLhaus",
        "source_category": "threat-feed",
        "reference_url": "https://urlhaus.abuse.ch/host/110.36.30.112/",
        "first_seen": "2026-05-16T04:23:18Z",
        "last_seen": "2026-05-16T04:23:18Z",
        "occurrence_count": 1,
        "confidence": "high",
        "context": "malware_hosting: 32-bit, elf, mips, Mozi"
      }
    ]
  }
}
```

VirusTotal-style enrichment for one indicator. Auto-detects the type from the value (no need to pass `type=` unless overriding).
Note on `found: false`: A “not found” response is not “this is safe” — it just means we have no record. Combine with reputation services (VT, GreyNoise, etc.) for negative conclusions.
Example requests:

- `GET /api/v1/lookup?ioc=110.36.30.112`
- `GET /api/v1/lookup?ioc=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
- `GET /api/v1/lookup?ioc=CVE-2024-12345`: returns the CVE plus recent articles mentioning it (a proxy for “is this actively exploited?”).
- `GET /api/v1/lookup?ioc=internal.example.com&type=domain`: avoids ambiguous detection for short or unusual strings.

Available on the Free plan with the standard 10 req/min limit.
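As an added example (not the vendor's SDK or any code from this page), a small Python client that builds the lookup URL, sends the Bearer header from the curl example, and folds a response into a verdict that treats `found: false` as unknown rather than clean. The environment variable name `SOCDEFENDERS_API_KEY` and the embedded sample responses are assumptions constructed for the example.

```python
"""Minimal client for the SOC Defenders lookup endpoint (added example, not the
vendor's SDK). Assumes the documented response shape and Bearer auth from above."""
import json
import os
import urllib.parse
import urllib.request
from typing import Optional

BASE_URL = "https://socdefenders.ai/api/v1/lookup"
VALID_TYPES = {"ipv4", "ipv6", "domain", "url", "md5", "sha1", "sha256",  # documented
               "sha512", "email", "cve", "mitre_attack"}                  # type= values

def build_url(ioc: str, ioc_type: Optional[str] = None) -> str:
    """Build the lookup URL; send type= only to override auto-detection."""
    params = {"ioc": ioc}
    if ioc_type is not None:
        if ioc_type not in VALID_TYPES:
            raise ValueError(f"unsupported type override: {ioc_type}")
        params["type"] = ioc_type
    return BASE_URL + "?" + urllib.parse.urlencode(params)

def summarize(response: dict) -> dict:
    """Reduce a response to a verdict; found: false is 'unknown', never 'clean'."""
    data = response.get("data", {})
    if not data.get("found"):
        return {"verdict": "unknown", "score": None, "sources": []}
    risk = data.get("risk", {})
    return {
        "verdict": risk.get("level", "unknown"),
        "score": risk.get("score"),
        "threat_type": data.get("threat_type"),
        "malware_family": data.get("malware_family"),
        "sources": [s["source_feed"] for s in data.get("sources", [])],
        "splunk_query": data.get("hunting", {}).get("splunk_query"),
    }

def lookup(ioc: str, ioc_type: Optional[str] = None, timeout: float = 10.0) -> dict:
    """Live lookup. SOCDEFENDERS_API_KEY is an assumed env var name; Free plan is 10 req/min."""
    headers = {"Authorization": f"Bearer {os.environ['SOCDEFENDERS_API_KEY']}"}
    req = urllib.request.Request(build_url(ioc, ioc_type), headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return summarize(json.load(resp))

# Constructed sample responses mirroring the documented shape (offline test data).
FOUND_SAMPLE = {"data": {"found": True, "threat_type": "malware_hosting",
                         "malware_family": "Mozi", "risk": {"score": 78, "level": "high"},
                         "hunting": {"splunk_query": "index=firewall dest_ip=110.36.30.112"},
                         "sources": [{"source_feed": "URLhaus"}]}}
NOT_FOUND_SAMPLE = {"data": {"found": False}}
```

`summarize` runs offline against the constructed samples; `lookup` is the only function that touches the network.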
Authentication

- API key in `X-API-Key` header

Query parameters

- `ioc` (string, maximum length 2048; example `"110.36.30.112"`): The indicator value to look up. Accepts any type — IPv4/IPv6 address, domain, URL, MD5/SHA1/SHA256/SHA512 hash, CVE ID, MITRE technique ID, or email address.
- `type` (enum; example `"ipv4"`): Override the auto-detected type. Useful for ambiguous values (e.g., a short hex string that could be a hash prefix or a domain). Allowed values: `ipv4`, `ipv6`, `domain`, `url`, `md5`, `sha1`, `sha256`, `sha512`, `email`, `cve`, `mitre_attack`.