Single-IOC enrichment with AI risk + hunting queries
VirusTotal-style enrichment for one indicator. Auto-detects the type from the value (no need to pass type= unless overriding).
What you get
- Aggregated source reports: every feed that has seen this indicator
- First/last seen timestamps across all sources
- Confidence (high/medium/low) — calculated from source reputation + recency
- Tags + malware family (when available)
- MITRE ATT&CK techniques referenced in the source articles
- AI risk score (0-100) and risk level
- Hunting queries: ready-to-paste Splunk SPL and Sentinel KQL
When found: false
A “not found” response is not “this is safe” — it just means we have no record. Combine with reputation services (VT, GreyNoise, etc.) for negative conclusions.
Common use cases
1. SOC triage (paste the alert IP)
GET /api/v1/lookup?ioc=110.36.30.112
2. Hash triage from sandbox detonation
GET /api/v1/lookup?ioc=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
3. CVE risk assessment
GET /api/v1/lookup?ioc=CVE-2024-12345
Returns the CVE record plus recent articles mentioning it (a proxy for whether the CVE is being actively exploited).
4. Auto-type-detect override
GET /api/v1/lookup?ioc=internal.example.com&type=domain
Avoids ambiguous detection for short or unusual strings.
Available on the Free plan with standard 10 req/min limit.
Authorizations
API key in X-API-Key header
Query Parameters
ioc (string, max length 2048)
The indicator value to look up. Accepts any type — IPv4/IPv6 address, domain, URL, MD5/SHA1/SHA256/SHA512 hash, CVE ID, MITRE technique ID, or email address.
Example: "110.36.30.112"

type (string, optional)
Override the auto-detected type. Useful for ambiguous values (e.g., a short hex string that could be a hash prefix or a domain).
Allowed values: ipv4, ipv6, domain, url, md5, sha1, sha256, sha512, email, cve, mitre_attack
Example: "ipv4"
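A client-side companion to the auto-detection, the type= override and the "found: false" guidance above (added example, not the service's own SDK): it mirrors the documented type set, refuses to send an ambiguous value without an explicit type, and reads found: false as "no record" rather than "safe". The base URL, the found/risk_score/risk_level response field names and the rule that only full-length hex digests count as hashes are assumptions, not documented behaviour.

```python
import ipaddress
import re
from urllib.parse import urlencode

# Assumed base URL; the page documents only the path /api/v1/lookup.
BASE_URL = "https://api.example.invalid"
HEX_HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)
MITRE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.IGNORECASE)


def detect_ioc_type(value: str):
    """Mirror of the server's auto-detection (assumed rules); returns None for
    ambiguous values such as a hex run that is not a full MD5/SHA digest length."""
    v = value.strip()
    try:
        return "ipv4" if ipaddress.ip_address(v).version == 4 else "ipv6"
    except ValueError:
        pass
    if CVE_RE.match(v):
        return "cve"
    if MITRE_RE.match(v):
        return "mitre_attack"
    if re.fullmatch(r"[0-9a-fA-F]+", v):
        return HEX_HASH_LENGTHS.get(len(v))  # other lengths: ambiguous, needs type=
    if "://" in v:
        return "url"
    if EMAIL_RE.match(v):
        return "email"
    if DOMAIN_RE.match(v):
        return "domain"
    return None


def build_lookup_request(value: str, api_key: str, type_override: str = None):
    """Return (url, headers) for GET /api/v1/lookup; refuse ambiguous values."""
    if type_override is None and detect_ioc_type(value) is None:
        raise ValueError(f"ambiguous indicator {value!r}: pass type= explicitly")
    params = {"ioc": value}
    if type_override:
        params["type"] = type_override
    return f"{BASE_URL}/api/v1/lookup?{urlencode(params)}", {"X-API-Key": api_key}


def triage_verdict(body: dict) -> str:
    """Treat found:false as 'no record', never as 'benign' (field names assumed)."""
    if not body.get("found"):
        return "unknown: no record here; consult VT/GreyNoise before clearing"
    return f"{body.get('risk_level', 'unrated')} (risk score {body.get('risk_score', '?')})"
```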