Domain Intelligence (V2)
Copy
curl --request POST \
--url https://api.threatbook.io/v2/domain/queryCopy
{
"response_code": 200,
"msg": "Success",
"data": {
"threat_types": [
"Whitelist"
],
"verdict": "benign",
"intel_labels": [],
"intelligences": [
{
"confidence": 100,
"expired": false,
"find_time": "2021-10-31 15:12:25",
"intel_types": [
"Whitelist"
],
"intel_labels": [],
"update_time": "2025-10-16 15:04:36"
}
],
"samples": [
{
"sha256": "fea6767de2bdc2ffe0eb2c18a767d726130566d03008e5cc96bd65b2b792e1af",
"ratio": "1/28",
"scan_time": "2025-08-25 10:57:41",
"malware_type": "Susware",
"malware_family": "CompileTime"
},
{
"sha256": "fc50c3ddfc38631382112999c6c9eddfc0325a369a65c8fa8b294bf664e7bbc0",
"ratio": "0/28",
"scan_time": "2024-11-05 07:29:11",
"malware_type": "",
"malware_family": ""
},
{
"sha256": "5e0aeeb71c21bbe08754709f3a99c51f01cdd53cd163bb61bcad4fe51520b99c",
"ratio": "0/28",
"scan_time": "2024-10-22 09:51:22",
"malware_type": "",
"malware_family": ""
}
],
"pdns": [
{
"ip": "57.144.186.141",
"carrier": "Facebook, Inc.",
"location": {
"country": "Singapore",
"province": "Singapore",
"city": "Singapore",
"lng": "103.853519",
"lat": "1.286529",
"country_code": "SG"
}
},
{
"ip": "2a03:2880:f00c:20d:face:b00c:0:2",
"carrier": "Facebook, Inc.",
"location": {
"country": "Ireland",
"province": "Dublin",
"city": "Dublin",
"lng": "-6.260246",
"lat": "53.349764",
"country_code": "IE"
}
}
],
"whois": {
"cdate": "1991-01-20 21:00:00",
"edate": "2034-01-21 21:00:00",
"udate": "2025-01-22 08:09:14",
"alexa": "",
"registrar_name": "RegistrarSafe, LLC",
"name_server": "D.NS.FACEBOOK.COM|A.NS.FACEBOOK.COM|C.NS.FACEBOOK.COM|B.NS.FACEBOOK.COM",
"registrant_name": "Domain Admin",
"registrant_email": "[email protected]",
"registrant_company": "Meta Platforms, Inc.",
"registrant_address": "1601 Willow Rd,Menlo Park,CA,US",
"registrant_phone": "+1.6505434800"
},
"ssl_certs": [
{
"subject": "*.meta.com",
"issuer": "DigiCert SHA2 High Assurance Server CA",
"fingerprint": "0a6c23c59117f1af26fbaea710de87cad6e64b57",
"purpose": "SSL client|SSL server|Netscape SSL server|Any Purpose|Any Purpose CA|OCSP helper",
"verify": "SHA256withRSA",
"status": "1",
"revoked": false,
"begin": "2022-05-09",
"end": "2022-08-07",
"status_desc": "Expired",
"serial_number": "b8088ce43dd9d87827e44377cca1f03",
"revoked_time": ""
},
{
"subject": "*.meta.com",
"issuer": "DigiCert SHA2 High Assurance Server CA",
"fingerprint": "13c409b0780dab59e6ad54f1ef45f6fb907ac1df",
"purpose": "SSL client|SSL server|Netscape SSL server|Any Purpose|Any Purpose CA|OCSP helper",
"verify": "SHA256withRSA",
"status": "1",
"revoked": false,
"begin": "2023-09-18",
"end": "2023-12-17",
"status_desc": "Expired",
"serial_number": "1c6436d29f5fc547460b08b3e9b17c8",
"revoked_time": ""
},
{
"subject": "*.meta.com",
"issuer": "DigiCert SHA2 High Assurance Server CA",
"fingerprint": "058f831cae3c09ee9456227de45d03d2c5d51bbc",
"purpose": "SSL client|SSL server|Netscape SSL server|Any Purpose|Any Purpose CA|OCSP helper",
"verify": "SHA256withRSA",
"status": "1",
"revoked": false,
"begin": "2023-10-07",
"end": "2024-01-05",
"status_desc": "Expired",
"serial_number": "6b77fed613e97f91bbb8545ce771269",
"revoked_time": ""
}
],
"umbrella_rank": {
"global_rank": 11447
},
"categories": {
"first_level": [
"News",
"Tool"
],
"second_level": "Training and Tools"
},
"sub_domains_count": "1000+",
"pdns_count": "2",
"update_time": "2025-10-22 15:07:02"
}
}Enrichment
Domain Intelligence
Domain Intelligence(V2) API provides detailed threat intelligence for verdict. This includes threat verdict and labes from ThreatBook Lab, as well as associated DNS, whois and contextual data for each domain.
POST
/
v2
/
domain
/
query
Domain Intelligence (V2)
Copy
curl --request POST \
--url https://api.threatbook.io/v2/domain/queryCopy
{
"response_code": 200,
"msg": "Success",
"data": {
"threat_types": [
"Whitelist"
],
"verdict": "benign",
"intel_labels": [],
"intelligences": [
{
"confidence": 100,
"expired": false,
"find_time": "2021-10-31 15:12:25",
"intel_types": [
"Whitelist"
],
"intel_labels": [],
"update_time": "2025-10-16 15:04:36"
}
],
"samples": [
{
"sha256": "fea6767de2bdc2ffe0eb2c18a767d726130566d03008e5cc96bd65b2b792e1af",
"ratio": "1/28",
"scan_time": "2025-08-25 10:57:41",
"malware_type": "Susware",
"malware_family": "CompileTime"
},
{
"sha256": "fc50c3ddfc38631382112999c6c9eddfc0325a369a65c8fa8b294bf664e7bbc0",
"ratio": "0/28",
"scan_time": "2024-11-05 07:29:11",
"malware_type": "",
"malware_family": ""
},
{
"sha256": "5e0aeeb71c21bbe08754709f3a99c51f01cdd53cd163bb61bcad4fe51520b99c",
"ratio": "0/28",
"scan_time": "2024-10-22 09:51:22",
"malware_type": "",
"malware_family": ""
}
],
"pdns": [
{
"ip": "57.144.186.141",
"carrier": "Facebook, Inc.",
"location": {
"country": "Singapore",
"province": "Singapore",
"city": "Singapore",
"lng": "103.853519",
"lat": "1.286529",
"country_code": "SG"
}
},
{
"ip": "2a03:2880:f00c:20d:face:b00c:0:2",
"carrier": "Facebook, Inc.",
"location": {
"country": "Ireland",
"province": "Dublin",
"city": "Dublin",
"lng": "-6.260246",
"lat": "53.349764",
"country_code": "IE"
}
}
],
"whois": {
"cdate": "1991-01-20 21:00:00",
"edate": "2034-01-21 21:00:00",
"udate": "2025-01-22 08:09:14",
"alexa": "",
"registrar_name": "RegistrarSafe, LLC",
"name_server": "D.NS.FACEBOOK.COM|A.NS.FACEBOOK.COM|C.NS.FACEBOOK.COM|B.NS.FACEBOOK.COM",
"registrant_name": "Domain Admin",
"registrant_email": "[email protected]",
"registrant_company": "Meta Platforms, Inc.",
"registrant_address": "1601 Willow Rd,Menlo Park,CA,US",
"registrant_phone": "+1.6505434800"
},
"ssl_certs": [
{
"subject": "*.meta.com",
"issuer": "DigiCert SHA2 High Assurance Server CA",
"fingerprint": "0a6c23c59117f1af26fbaea710de87cad6e64b57",
"purpose": "SSL client|SSL server|Netscape SSL server|Any Purpose|Any Purpose CA|OCSP helper",
"verify": "SHA256withRSA",
"status": "1",
"revoked": false,
"begin": "2022-05-09",
"end": "2022-08-07",
"status_desc": "Expired",
"serial_number": "b8088ce43dd9d87827e44377cca1f03",
"revoked_time": ""
},
{
"subject": "*.meta.com",
"issuer": "DigiCert SHA2 High Assurance Server CA",
"fingerprint": "13c409b0780dab59e6ad54f1ef45f6fb907ac1df",
"purpose": "SSL client|SSL server|Netscape SSL server|Any Purpose|Any Purpose CA|OCSP helper",
"verify": "SHA256withRSA",
"status": "1",
"revoked": false,
"begin": "2023-09-18",
"end": "2023-12-17",
"status_desc": "Expired",
"serial_number": "1c6436d29f5fc547460b08b3e9b17c8",
"revoked_time": ""
},
{
"subject": "*.meta.com",
"issuer": "DigiCert SHA2 High Assurance Server CA",
"fingerprint": "058f831cae3c09ee9456227de45d03d2c5d51bbc",
"purpose": "SSL client|SSL server|Netscape SSL server|Any Purpose|Any Purpose CA|OCSP helper",
"verify": "SHA256withRSA",
"status": "1",
"revoked": false,
"begin": "2023-10-07",
"end": "2024-01-05",
"status_desc": "Expired",
"serial_number": "6b77fed613e97f91bbb8545ce771269",
"revoked_time": ""
}
],
"umbrella_rank": {
"global_rank": 11447
},
"categories": {
"first_level": [
"News",
"Tool"
],
"second_level": "Training and Tools"
},
"sub_domains_count": "1000+",
"pdns_count": "2",
"update_time": "2025-10-22 15:07:02"
}
}Query Parameters
Unique identifier for API request.
You are able to get the key on "My API" page of i.threatbook.io.
Kindly note:
Please check if you have bound your access IP to the key and have the authority quotas to access this API before you interact with it.
Single domain to query.
You can exclude the following parameters from the response based on actual usage scenarios. When specifying multiple parameters, separate them with commas (note: do not include spaces).
- pdns: Resolved IP address information of the domain
- whois: Current WHOIS information of the domain
- ssl_certs: SSL certificate and related information
- intelligences: Threat intelligence
- judgments: Comprehensively determined threat type, analyzed from threat intelligence
- tags_classes: Tags related to attack groups or security incidents
- samples: Related samples
- categories: Domain classification
- sub_domains_count: Number of subdomains
- pdns_count: Number of currently resolved IPs
If you don’t specify this parameter, we will return all data by default.
Response
Show child attributes
Show child attributes
This field provides the comprehensively determined threat types.
For the returned data, see Threat Labels.
Verdict of domain, include:malicious/suspicious/unknown/benign
Related threat lables , include attack groups , malware families or security incident information.
This field is a JSON array, where each item contains the following attributes:
- label_type: Tag category, such as "industry", "gangs", "virus_family", etc.
- lables: Specific tags for attack groups or security incidents, for example: APT, OceanLotus, etc.
Threat intelligence in detail— represented as a JSON array. Each item contains the following fields:
- find_time: Time of discovery.
- update_time: Last update time.
- confidence: Confidence score.
- expired: Boolean.
falsemeans the intelligence is still valid;truemeans it has expired. - intel_types: Threat types, represented as an array. The values of the array elements are defined in Threat Labels.
- intel_tags: Tag information of this intelligence, including related attack groups or security incidents. This is a JSON array where each item follows the same field definition as tag_classes.
Related file samples — up to 20 records are returned.
This field is a JSON array, where each item contains the following attributes:
- sha256: File sha256 hash
- scan_time: Detection time
- ratio: Proportion flagged as malicious by antivirus engines
- malware_type: Malware type
- malware_family: Malware family
Resolved IP information of the domain. This is a JSON array, where each item is a JSON object with the following fields:
- ip: Currently resolved IP address
- carrier: ISP / service provider
- location: Geolocation information of the IP, represented as a JSON object with the following fields:
- country: Country
- country_code: Country code
- province: Province / state
- city: City
- lng: Longitude
- lat: Latitude
Current WHOIS information of the domain, represented as a JSON object with the following fields:
- registrar_name: Domain registrar
- name_server: Domain name servers (separated by
|) - registrant_name: Registrant name
- registrant_email: Registrant email
- registrant_company: Registrant organization
- registrant_address: Registrant address
- registrant_phone: Registrant phone number
- cdate: Registration date
- udate: Last update date
- edate: Expiration date
SSL-related certificate information of the domain.
Umbrella ranking information of the domain, represented as a JSON object with the following fields:
- global_rank: Current Alexa global rank (integer). Only rankings within the top 1,000,000 are counted. If the rank exceeds 1,000,000, -1 is returned.
Domain classification data, represented as a JSON object with the following fields:
- first_level: Primary categories (array)
- second_level: Secondary categories (string)
Number of subdomains. Displays the exact number if fewer than 1000; shows 1000+ if greater.
Number of currently resolved IPs. Displays the exact number if fewer than 1000; shows 1000+ if greater.
Latest update time of the intelligence
⌘I