Compromise Detection

Compromise Detection (V1)

curl --request POST \
  --url https://api.threatbook.io/v1/ioc/query

{
  "msg": "Success",
  "data": {
    "ips": {
      "183.18.2.4:8080": {
        "judgments": [
          "Dynamic IP",
          "Gateway"
        ],
        "whitelist": false,
        "family": [],
        "severity": "info",
        "APT": false,
        "threat_actor": [],
        "tag_categories": [],
        "confidence_level": "high",
        "threat_level": "safe"
      }
    }
  },
  "response_code": 200
}

POST

ioc

query

Compromise Detection (V1)

curl --request POST \
  --url https://api.threatbook.io/v1/ioc/query

{
  "msg": "Success",
  "data": {
    "ips": {
      "183.18.2.4:8080": {
        "judgments": [
          "Dynamic IP",
          "Gateway"
        ],
        "whitelist": false,
        "family": [],
        "severity": "info",
        "APT": false,
        "threat_actor": [],
        "tag_categories": [],
        "confidence_level": "high",
        "threat_level": "safe"
      }
    }
  },
  "response_code": 200
}

Query Parameters

apikey

string

required

Your API Key.

You are able to get the key on "My API" page of i.threatbook.io.

Kindly note: Please check if you have bound your access IP to the key and have the authority quotas to access this API before you interact with it.

resource

string

required

Domain names / IP address / IP:Port to query.

You are allowed to query a domain or IP address with a port to get more accurate intelligence, for example:

Domain to query:

googlenew.moy.su
IPv4 with port to query:

183.18.2.4:8080
IPv6 with port to query:

[2001:0db8:0000:0000:0001:0000:0000:0000]:80

Response

msg

string

required

Allowed value: "Success"

data

object

required

Show child attributes

data.ips

object

required

Key is an IP, value is a JSON Object. All fields for each item are shown below:

threat_level: String.
- malicious: Only when we capture some specific activities related to "C2, Sinkhole C2, MiningPool, CoinMiner, Malware", we will consider it malicious in the compromise detection scenario.
- safe: This determination is made only from the perspective of compromise detection and does not mean that there are no other malicious intelligence or activities associated with the IP or domain name beyond compromise.
confidence_level: String. There are three levels.
- high
- midium
- low
judgments: Array. Intelligence type. There are 5 malicious types considered as indicators of compromise(IOC) in this API shown as below, other malicious types in the complete Intelligence Types sheets will not be returned.
- C2
- Sinkhole C2
- MiningPool
- CoinMiner
- Malware
  
  Besides, neutral intelligence type will be returned, such as CDN, IDC, DNS, etc.
whitelist: Boolean.
- true: It is whitelisted.
- false: It is not whitelisted.
APT: Boolean
- true: It is an APT.
- false: There is not enough evidence to identify whether it is an APT.
threat_actor: Array.
family: Array. Virus or Trojan family.
tag_categories: Array. Fields for each item are shown bellow.
- tag_type: Tag type. For example, “industry”.
- tags: Specific tags are under the tag type.

data.domains

object

required

Key is an Domain name, value is a JSON Object. All fields for each item are shown below:

categories: Object. Domain categories.
- first_cats:Array.
- Second_cats:String.

Other fields are the same as the description of "ips" above.

response_code

integer

required

IP Report(Community)IP Intelligence

⌘I

API Documentation

Enrichment

Feeds

Integration

Query Parameters

Response