Get an indicator of compromise

Note: This endpoint is in beta and may be subject to changes. Please check the documentation regularly for updates.

GET https://api.ap1.datadoghq.com/api/v2/security/siem/ioc-explorer/indicator
GET https://api.ap2.datadoghq.com/api/v2/security/siem/ioc-explorer/indicator
GET https://api.datadoghq.eu/api/v2/security/siem/ioc-explorer/indicator
GET https://api.ddog-gov.com/api/v2/security/siem/ioc-explorer/indicator
GET https://api.us2.ddog-gov.com/api/v2/security/siem/ioc-explorer/indicator
GET https://api.datadoghq.com/api/v2/security/siem/ioc-explorer/indicator
GET https://api.us3.datadoghq.com/api/v2/security/siem/ioc-explorer/indicator
GET https://api.us5.datadoghq.com/api/v2/security/siem/ioc-explorer/indicator

Overview

Get detailed information about a specific indicator of compromise (IoC).

OAuth apps require the security_monitoring_signals_read authorization scope to access this endpoint.

Arguments

Query Strings

Name (type): Description

indicator [required] (string): The indicator value to look up (for example, an IP address or domain).

Response

OK

Response for the get indicator of compromise endpoint.

Field (type): Description

data (object): IoC indicator response data object.
  attributes (object): Attributes of the get indicator response.
    data (object): An indicator of compromise with extended context from your environment.
      additional_data (object): Additional domain-specific context from threat intelligence sources.
      as_cidr_block (string): Autonomous system CIDR block.
      as_geo (object): Geographic location information for an IP indicator.
        city (string): City name.
        country_code (string): ISO country code.
        country_name (string): Full country name.
      as_number (string): Autonomous system number.
      as_organization (string): Autonomous system organization name.
      as_type (string): Autonomous system type.
      benign_sources ([object]): Threat intelligence sources that flagged this indicator as benign.
        name (string): Name of the threat intelligence source.
      categories ([string]): Threat categories associated with the indicator.
      critical_assets ([string]): Critical assets associated with this indicator.
      first_seen (date-time): Timestamp when the indicator was first seen.
      hosts ([string]): Hosts associated with this indicator.
      id (string): Unique identifier for the indicator.
      indicator (string): The indicator value (for example, an IP address or domain).
      indicator_type (string): Type of indicator (for example, IP address or domain).
      last_seen (date-time): Timestamp when the indicator was last seen.
      log_matches (int64): Number of logs that matched this indicator.
      log_sources ([string]): Log sources where this indicator was observed.
      m_as_type (enum): Effect of a scoring factor on the indicator's threat score. Allowed enum values: RAISE_SCORE, LOWER_SCORE, NO_EFFECT
      m_persistence (enum): Effect of a scoring factor on the indicator's threat score. Allowed enum values: RAISE_SCORE, LOWER_SCORE, NO_EFFECT
      m_signal (enum): Effect of a scoring factor on the indicator's threat score. Allowed enum values: RAISE_SCORE, LOWER_SCORE, NO_EFFECT
      m_sources (enum): Effect of a scoring factor on the indicator's threat score. Allowed enum values: RAISE_SCORE, LOWER_SCORE, NO_EFFECT
      malicious_sources ([object]): Threat intelligence sources that flagged this indicator as malicious.
        name (string): Name of the threat intelligence source.
      max_trust_score (enum): Effect of a scoring factor on the indicator's threat score. Allowed enum values: RAISE_SCORE, LOWER_SCORE, NO_EFFECT
      score (double): Threat score for the indicator (0-100).
      services ([string]): Services where this indicator was observed.
      signal_matches (int64): Number of security signals that matched this indicator.
      signal_severity ([object]): Breakdown of security signals by severity.
        count (int64): Number of signals at this severity level.
        severity (string): Severity level (for example, critical, high, medium, low, info).
      signal_tier (int64): Signal tier level.
      suspicious_sources ([object]): Threat intelligence sources that flagged this indicator as suspicious.
        name (string): Name of the threat intelligence source.
      tags ([string]): Tags associated with the indicator.
      users (object): Users associated with this indicator, grouped by category.
        <any-key> ([string]): List of user identifiers in this category.
  id (string): Unique identifier for the response.
  type (string): Response type identifier.

{
  "data": {
    "attributes": {
      "data": {
        "additional_data": {},
        "as_cidr_block": "string",
        "as_geo": {
          "city": "string",
          "country_code": "string",
          "country_name": "string"
        },
        "as_number": "string",
        "as_organization": "string",
        "as_type": "string",
        "benign_sources": [
          {
            "name": "string"
          }
        ],
        "categories": [],
        "critical_assets": [],
        "first_seen": "2019-09-19T10:00:00.000Z",
        "hosts": [],
        "id": "string",
        "indicator": "string",
        "indicator_type": "string",
        "last_seen": "2019-09-19T10:00:00.000Z",
        "log_matches": "integer",
        "log_sources": [],
        "m_as_type": "string",
        "m_persistence": "string",
        "m_signal": "string",
        "m_sources": "string",
        "malicious_sources": [
          {
            "name": "string"
          }
        ],
        "max_trust_score": "string",
        "score": "number",
        "services": [],
        "signal_matches": "integer",
        "signal_severity": [
          {
            "count": "integer",
            "severity": "string"
          }
        ],
        "signal_tier": "integer",
        "suspicious_sources": [
          {
            "name": "string"
          }
        ],
        "tags": [],
        "users": {
          "<any-key>": []
        }
      }
    },
    "id": "string",
    "type": "string"
  }
}
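As an added example (not part of the Datadog client library or this reference), a triage helper that reads the "OK" response above as plain JSON and reduces it to a source verdict, the scoring factors that moved the score, the count of urgent signals and an escalation decision. The sample response, feed names, hosts and users are constructed for illustration.

```python
# Added triage helper for the IoC response documented above (not Datadog client code);
# it takes the endpoint's JSON body as a dict. The sample below is constructed, not real data.
SCORING_FACTORS = ("m_as_type", "m_persistence", "m_signal", "m_sources", "max_trust_score")

SAMPLE_RESPONSE = {"data": {"id": "resp-1", "type": "ioc_indicator", "attributes": {"data": {
    "indicator": "203.0.113.42", "indicator_type": "ip_address", "score": 87.5,
    "malicious_sources": [{"name": "feed-a"}, {"name": "feed-b"}],
    "suspicious_sources": [{"name": "feed-c"}], "benign_sources": [],
    "m_as_type": "RAISE_SCORE", "m_persistence": "NO_EFFECT", "m_signal": "RAISE_SCORE",
    "m_sources": "RAISE_SCORE", "max_trust_score": "LOWER_SCORE",
    "log_matches": 120, "signal_matches": 4,
    "signal_severity": [{"severity": "high", "count": 3}, {"severity": "low", "count": 1}],
    "critical_assets": ["payments-db-01"], "hosts": ["payments-db-01", "web-03"],
    "users": {"human": ["alice"], "service": ["deploy-bot"]},
}}}}


def triage(response, urgent_severities=("critical", "high")):
    """Reduce one indicator response to the fields an analyst acts on."""
    ioc = response["data"]["attributes"]["data"]
    # Source verdict: any malicious feed outranks suspicious, which outranks benign.
    if ioc.get("malicious_sources"):
        verdict = "malicious"
    elif ioc.get("suspicious_sources"):
        verdict = "suspicious"
    elif ioc.get("benign_sources"):
        verdict = "benign"
    else:
        verdict = "unknown"
    # The m_* and max_trust_score enums record which factors moved the 0-100 score.
    raised = [f for f in SCORING_FACTORS if ioc.get(f) == "RAISE_SCORE"]
    lowered = [f for f in SCORING_FACTORS if ioc.get(f) == "LOWER_SCORE"]
    # Signals at the severities that warrant immediate attention.
    urgent = sum(s["count"] for s in ioc.get("signal_severity", [])
                 if s["severity"] in urgent_severities)
    # users is keyed by category; flatten it to one sorted list of identifiers.
    users = sorted(u for group in ioc.get("users", {}).values() for u in group)
    # Escalate a non-benign indicator that touched a critical asset or raised urgent signals.
    escalate = verdict != "benign" and (bool(ioc.get("critical_assets")) or urgent > 0)
    return {
        "indicator": ioc["indicator"], "verdict": verdict, "score": ioc.get("score"),
        "raised_by": raised, "lowered_by": lowered, "urgent_signals": urgent,
        "affected_hosts": ioc.get("hosts", []), "users": users, "escalate": escalate,
    }
```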

Bad Request

API error response.

Field (type): Description

errors [required] ([string]): A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Field (type): Description

errors [required] ([string]): A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Field (type): Description

errors [required] ([string]): A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Field (type): Description

errors [required] ([string]): A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

# Required query arguments
export indicator="CHANGE_ME"
# Curl command: replace api.datadoghq.com with the API host for your Datadog site (see the endpoint list above).
# -G with --data-urlencode sends a GET and URL-encodes the indicator, which matters for
# values containing spaces, slashes or other reserved characters (for example a URL or user agent).
curl -G "https://api.datadoghq.com/api/v2/security/siem/ioc-explorer/indicator" \
  --data-urlencode "indicator=${indicator}" \
  -H "Accept: application/json" \
  -H "DD-API-KEY: ${DD_API_KEY}" \
  -H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
"""
Get an indicator of compromise returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
configuration.unstable_operations["get_indicator_of_compromise"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_indicator_of_compromise(
        indicator="masscan/1.3 (https://github.com/robertdavidgraham/masscan)",
    )

    print(response)

Instructions

First install the library and its dependencies, then save the example to example.py and run the following command. Set DD_SITE to your Datadog site: datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, datadoghq.eu, ap1.datadoghq.com, ap2.datadoghq.com, ddog-gov.com or us2.ddog-gov.com.

DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Get an indicator of compromise returns "OK" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.get_indicator_of_compromise".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.get_indicator_of_compromise("masscan/1.3 (https://github.com/robertdavidgraham/masscan)")

Instructions

First install the library and its dependencies, then save the example to example.rb and run the following command (DD_SITE is your Datadog site, for example datadoghq.com or datadoghq.eu):

DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
// Get an indicator of compromise returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.GetIndicatorOfCompromise", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetIndicatorOfCompromise(ctx, "masscan/1.3 (https://github.com/robertdavidgraham/masscan)")

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetIndicatorOfCompromise`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetIndicatorOfCompromise`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies, then save the example to main.go and run the following command (DD_SITE is your Datadog site, for example datadoghq.com or datadoghq.eu):

DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Get an indicator of compromise returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.GetIoCIndicatorResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.getIndicatorOfCompromise", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      GetIoCIndicatorResponse result =
          apiInstance.getIndicatorOfCompromise(
              "masscan/1.3 (https://github.com/robertdavidgraham/masscan)");
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#getIndicatorOfCompromise");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies, then save the example to Example.java and run the following command (DD_SITE is your Datadog site, for example datadoghq.com or datadoghq.eu):

DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
// Get an indicator of compromise returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.GetIndicatorOfCompromise", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_indicator_of_compromise(
            "masscan/1.3 (https://github.com/robertdavidgraham/masscan)".to_string(),
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies, then save the example to src/main.rs and run the following command (DD_SITE is your Datadog site, for example datadoghq.com or datadoghq.eu):

DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
 * Get an indicator of compromise returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.getIndicatorOfCompromise"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiGetIndicatorOfCompromiseRequest = {
  indicator: "masscan/1.3 (https://github.com/robertdavidgraham/masscan)",
};

apiInstance
  .getIndicatorOfCompromise(params)
  .then((data: v2.GetIoCIndicatorResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies, then save the example to example.ts and run the following command (DD_SITE is your Datadog site, for example datadoghq.com or datadoghq.eu):

DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"