IP Intelligence (V2)
Copy
curl --request POST \
--url https://api.threatbook.io/v2/ip/queryCopy
{
"response_code": 200,
"msg": "Success",
"data": {
"basic": {
"carrier": "Cloudflare, Inc.",
"location": {
"country": "United States",
"province": "",
"city": "",
"lng": "-101.407912",
"lat": "39.765054",
"country_code": "US"
}
},
"threat_types": [
"Whitelist"
],
"verdict": "benign",
"inbound_verdict": "benign",
"outbound_verdict": "benign",
"intel_labels": [],
"is_highly_active": false,
"seen_in_honeypot": false,
"intelligences": [
{
"confidence": 100,
"expired": false,
"find_time": "2020-07-02 08:23:09",
"intel_types": [
"Whitelist"
],
"intel_labels": [],
"update_time": "2023-05-14 14:37:15"
},
{
"confidence": 100,
"expired": true,
"find_time": "2019-05-27 19:34:00",
"intel_types": [
"Whitelist"
],
"intel_labels": [],
"update_time": "2020-07-01 14:52:24"
}
]
},
"samples": [
{
"sha256": "08e9828b447cd3b12ddadf97985f858458d44769a04e7673f72249fc369f5eea",
"ratio": "9/26",
"scan_time": "2018-10-12 20:57:32",
"malware_type": "SoftwareBundler",
"malware_family": "ICLoader"
},
{
"sha256": "75f515c886b417aa22e41d3b98630a5fe3b7254c25b6eb9c1a0d45d8b02c65b3",
"ratio": "18/26",
"scan_time": "2018-10-11 23:43:26",
"malware_type": "",
"malware_family": ""
},
{
"sha256": "c0d40937bc77fa5facd4f08a7f2a74e4b8892cc6306cbf472a1a5045c0c0652a",
"ratio": "12/26",
"scan_time": "2018-10-11 19:23:38",
"malware_type": "",
"malware_family": ""
},
{
"sha256": "66c302f6557ab3383ae559f5214232e64087c56c76b08fc75380eded732b37cb",
"ratio": "6/26",
"scan_time": "2018-09-21 05:31:35",
"malware_type": "",
"malware_family": ""
},
{
"sha256": "1baf005a5d0f6ccc544191290cad02fc686aa065ab963b30f3e252318d9f71c4",
"ratio": "6/26",
"scan_time": "2018-09-21 05:26:13",
"malware_type": "",
"malware_family": ""
},
{
"sha256": "efd4c9d36bf59e9c4f3d0e36784c274d890267535a3182b073df1db1ccbd8dcb",
"ratio": "1/26",
"scan_time": "2018-05-23 03:05:24",
"malware_type": "",
"malware_family": ""
}
],
"asn": {
"rank": 4,
"info": "CLOUDFLARENET, US",
"number": 13335
},
"ssl_certs": [
{
"protocol": "https",
"port": 443,
"period": [],
"digital_certificate": {
"sha256": "73b8ed5becf1ba6493d2e2215a42dfdc7877e91e311ff5e59fb43d094871e699",
"subject": "cloudflare-dns.com",
"issuer": "DigiCert Global G2 TLS RSA SHA256 2020 CA1",
"fingerprint": "3ba7e9f806eb30d2f4e3f905e53f07e9acf08e1e",
"purpose": "SSL client|SSL server|Any Purpose|Any Purpose CA|OCSP helper",
"verify": "SHA256withRSA",
"status": "0",
"revoked": false,
"begin": "2025-01-02",
"end": "2026-01-21",
"status_desc": "Valid",
"serial_number": "27dc8c5e17294aec9ed3f67728e8a08",
"revoked_time": ""
}
},
{
"protocol": "https",
"port": 443,
"period": [],
"digital_certificate": {
"sha256": "f380cf2805268c47602eea2941b5f6f361c453d0ad3a504652cc83c53bd8e198",
"subject": "kosmos4770.top",
"issuer": "WE1",
"fingerprint": "e753b0d29a651af5ebd3f19db66608cea4b86fcd",
"purpose": "SSL server|Any Purpose|Any Purpose CA|OCSP helper",
"verify": "SHA256withECDSA",
"status": "1",
"revoked": false,
"begin": "2025-06-20",
"end": "2025-09-18",
"status_desc": "Expired",
"serial_number": "ddfa47ab063dfbc40ea0f14f3ac27b32",
"revoked_time": ""
}
},
{
"protocol": "https",
"port": 443,
"period": [],
"digital_certificate": {
"sha256": "9f1d849073f8b93b6032dcb0148a936c3dd77e2e4ebe9f6ba6b0f75d71107cf9",
"subject": "www.paradoxfwc.com",
"issuer": "WE1",
"fingerprint": "de76416fb1695a995bbc96baa8a35e86c6e2f91d",
"purpose": "SSL server|Any Purpose|Any Purpose CA|OCSP helper",
"verify": "SHA256withECDSA",
"status": "1",
"revoked": false,
"begin": "2025-06-28",
"end": "2025-09-26",
"status_desc": "Expired",
"serial_number": "c50cee2014a63c2911c04140c3a4b2a2",
"revoked_time": ""
}
}
],
"update_time": "2023-05-14 14:37:15",
"pdns_count": "993",
"scene": ""
}Enrichment
IP Intelligence
IP Intelligence(V2) API provides detailed threat intelligence for both inbound and outbound IP addresses. This includes threat verdict and labes from ThreatBook Lab, as well as associated internet asset and contextual data for each IP address.
POST
/
v2
/
ip
/
query
IP Intelligence (V2)
Copy
curl --request POST \
--url https://api.threatbook.io/v2/ip/queryCopy
{
"response_code": 200,
"msg": "Success",
"data": {
"basic": {
"carrier": "Cloudflare, Inc.",
"location": {
"country": "United States",
"province": "",
"city": "",
"lng": "-101.407912",
"lat": "39.765054",
"country_code": "US"
}
},
"threat_types": [
"Whitelist"
],
"verdict": "benign",
"inbound_verdict": "benign",
"outbound_verdict": "benign",
"intel_labels": [],
"is_highly_active": false,
"seen_in_honeypot": false,
"intelligences": [
{
"confidence": 100,
"expired": false,
"find_time": "2020-07-02 08:23:09",
"intel_types": [
"Whitelist"
],
"intel_labels": [],
"update_time": "2023-05-14 14:37:15"
},
{
"confidence": 100,
"expired": true,
"find_time": "2019-05-27 19:34:00",
"intel_types": [
"Whitelist"
],
"intel_labels": [],
"update_time": "2020-07-01 14:52:24"
}
]
},
"samples": [
{
"sha256": "08e9828b447cd3b12ddadf97985f858458d44769a04e7673f72249fc369f5eea",
"ratio": "9/26",
"scan_time": "2018-10-12 20:57:32",
"malware_type": "SoftwareBundler",
"malware_family": "ICLoader"
},
{
"sha256": "75f515c886b417aa22e41d3b98630a5fe3b7254c25b6eb9c1a0d45d8b02c65b3",
"ratio": "18/26",
"scan_time": "2018-10-11 23:43:26",
"malware_type": "",
"malware_family": ""
},
{
"sha256": "c0d40937bc77fa5facd4f08a7f2a74e4b8892cc6306cbf472a1a5045c0c0652a",
"ratio": "12/26",
"scan_time": "2018-10-11 19:23:38",
"malware_type": "",
"malware_family": ""
},
{
"sha256": "66c302f6557ab3383ae559f5214232e64087c56c76b08fc75380eded732b37cb",
"ratio": "6/26",
"scan_time": "2018-09-21 05:31:35",
"malware_type": "",
"malware_family": ""
},
{
"sha256": "1baf005a5d0f6ccc544191290cad02fc686aa065ab963b30f3e252318d9f71c4",
"ratio": "6/26",
"scan_time": "2018-09-21 05:26:13",
"malware_type": "",
"malware_family": ""
},
{
"sha256": "efd4c9d36bf59e9c4f3d0e36784c274d890267535a3182b073df1db1ccbd8dcb",
"ratio": "1/26",
"scan_time": "2018-05-23 03:05:24",
"malware_type": "",
"malware_family": ""
}
],
"asn": {
"rank": 4,
"info": "CLOUDFLARENET, US",
"number": 13335
},
"ssl_certs": [
{
"protocol": "https",
"port": 443,
"period": [],
"digital_certificate": {
"sha256": "73b8ed5becf1ba6493d2e2215a42dfdc7877e91e311ff5e59fb43d094871e699",
"subject": "cloudflare-dns.com",
"issuer": "DigiCert Global G2 TLS RSA SHA256 2020 CA1",
"fingerprint": "3ba7e9f806eb30d2f4e3f905e53f07e9acf08e1e",
"purpose": "SSL client|SSL server|Any Purpose|Any Purpose CA|OCSP helper",
"verify": "SHA256withRSA",
"status": "0",
"revoked": false,
"begin": "2025-01-02",
"end": "2026-01-21",
"status_desc": "Valid",
"serial_number": "27dc8c5e17294aec9ed3f67728e8a08",
"revoked_time": ""
}
},
{
"protocol": "https",
"port": 443,
"period": [],
"digital_certificate": {
"sha256": "f380cf2805268c47602eea2941b5f6f361c453d0ad3a504652cc83c53bd8e198",
"subject": "kosmos4770.top",
"issuer": "WE1",
"fingerprint": "e753b0d29a651af5ebd3f19db66608cea4b86fcd",
"purpose": "SSL server|Any Purpose|Any Purpose CA|OCSP helper",
"verify": "SHA256withECDSA",
"status": "1",
"revoked": false,
"begin": "2025-06-20",
"end": "2025-09-18",
"status_desc": "Expired",
"serial_number": "ddfa47ab063dfbc40ea0f14f3ac27b32",
"revoked_time": ""
}
},
{
"protocol": "https",
"port": 443,
"period": [],
"digital_certificate": {
"sha256": "9f1d849073f8b93b6032dcb0148a936c3dd77e2e4ebe9f6ba6b0f75d71107cf9",
"subject": "www.paradoxfwc.com",
"issuer": "WE1",
"fingerprint": "de76416fb1695a995bbc96baa8a35e86c6e2f91d",
"purpose": "SSL server|Any Purpose|Any Purpose CA|OCSP helper",
"verify": "SHA256withECDSA",
"status": "1",
"revoked": false,
"begin": "2025-06-28",
"end": "2025-09-26",
"status_desc": "Expired",
"serial_number": "c50cee2014a63c2911c04140c3a4b2a2",
"revoked_time": ""
}
}
],
"update_time": "2023-05-14 14:37:15",
"pdns_count": "993",
"scene": ""
}Query Parameters
Your API Key.
You are able to get the key on "My API" page of i.threatbook.io.
Kindly note:
Please check if you have bound your access IP to the key and have the authority quotas to access this API before you interact with it.
Single IPv4 or IPv6 address to query.
You can exclude the following parameters from the response based on actual usage scenarios. When specifying multiple parameters, separate them with commas (note: do not include spaces).
- asn: ASN information.
- ssl_certs: SSL certificate and related information.
- intelligences: Threat intelligence.
- judgments: Threat types derived from threat intelligence through comprehensive analysis.
- tags_classes: Tags related to attack groups or security incidents.
- samples: Related samples.
- update_time: Latest update time of the intelligence.
- pdns_count: Number of currently pointing domains.
- scene: Application scenario.
If you don’t specify this parameter, we will return all data by default.
Response
Show child attributes
Show child attributes
The basic information of this IP address, which is a JSON object with the following attributes:
- carrier: ISP / service provider
- location: Geolocation information of the IP, represented as a JSON object with the following fields:
- country: Country
- country_code: Country code
- province: Province / state
- city: City
- lng: Longitude
- lat: Latitude
This field provides the comprehensively determined threat types.
For the returned data, see Threat Labels.
The overall verdict of IP address, includes:malicious/suspicious/unknown/benign.
Inbound verdict of IP address, includes:malicious/suspicious/unknown/benign.
Outbound verdict of IP address, includes:malicious/suspicious/unknown/benign.
Related threat lables , include attack groups , malware families or security incident information.
This field is a JSON array, where each item contains the following attributes:
- label_type: Tag category, such as "industry", "gangs", "virus_family", etc.
- lables: Specific tags for attack groups or security incidents, for example: APT, OceanLotus, etc.
Indicates whether this IP address is highly active recently.
Indicates whether this IP address has has visited the honeypot.
Threat intelligence in detail — represented as a JSON array. Each item contains the following fields:
- find_time: Time of discovery.
- update_time: Last update time.
- confidence: Confidence score.
- expired: Boolean.
falsemeans the intelligence is still valid;truemeans it has expired. - intel_types: Threat types, represented as an array. The values of the array elements are defined in "Threat Labels".
- intel_tags: Tag information of this intelligence, including related attack groups or security incidents. This is a JSON array where each item follows the same field definition as tag_classes.
Related samples — up to 20 records are returned
This field is a JSON array, where each item contains the following attributes:
- sha256: File hash
- scan_time: Detection time
- ratio: Detection ratio
- malware_type: Malware type
- malware_family: Malware family
ASN information — represented as a JSON object containing the following fields:
- number: ASN number
- info: AS name
- rank: Risk score (0–4, the higher the value, the greater the risk)
SSL-related certificate information — represented as a JSON array. Each item includes the following fields:
- protocol: Protocol
- port: Port information
- period: Period during which the certificate is used on the IP
- digital_certificate: Certificate details
Latest update time of the intelligence.
Number of current resolved domains.
Application scenario, e.g., dedicated enterprise line, data center, etc.
⌘I