---
title: Get an indicator of compromise
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > API Reference > Security Monitoring
---

# Get an indicator of compromise{% #get-an-indicator-of-compromise %}
{% tab title="v2" %}
**Note**: This endpoint is in beta and may be subject to changes. Please check the documentation regularly for updates.
| Datadog site      | API endpoint                                                                  |
| ----------------- | ----------------------------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/security/siem/ioc-explorer/indicator |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/security/siem/ioc-explorer/indicator |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/security/siem/ioc-explorer/indicator      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/security/siem/ioc-explorer/indicator      |
| us2.ddog-gov.com  | GET https://api.us2.ddog-gov.com/api/v2/security/siem/ioc-explorer/indicator  |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/security/siem/ioc-explorer/indicator     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/security/siem/ioc-explorer/indicator |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/security/siem/ioc-explorer/indicator |

### Overview

Get detailed information about a specific indicator of compromise (IoC).

OAuth apps require the `security_monitoring_signals_read` authorization [scope](https://docs.datadoghq.com/api/latest/scopes.md#security-monitoring) to access this endpoint.
### Arguments

#### Query Strings

| Name                        | Type    | Description                                                                                           |
| --------------------------- | ------- | ----------------------------------------------------------------------------------------------------- |
| indicator [*required*] | string  | The indicator value to look up (for example, an IP address or domain).                                |
| ocsf                        | boolean | When true, return only OCSF field-based matches. When false, return regex/message-based matches.      |
| include_triage_history      | boolean | Include full triage history for the indicator.                                                        |
| triage_history_limit        | integer | Maximum number of triage history events returned. Only applied when `include_triage_history` is true. |
| triage_history_offset       | integer | Pagination offset into the triage history. Only applied when `include_triage_history` is true.        |

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Response for the get indicator of compromise endpoint.

| Parent field         | Field              | Type      | Description                                                                                                          |
| -------------------- | ------------------ | --------- | -------------------------------------------------------------------------------------------------------------------- |
|                      | data               | object    | IoC indicator response data object.                                                                                  |
| data                 | attributes         | object    | Attributes of the get indicator response.                                                                            |
| attributes           | data               | object    | An indicator of compromise with extended context from your environment.                                              |
| data                 | additional_data    | object    | Additional domain-specific context from threat intelligence sources.                                                 |
| data                 | as_cidr_block      | string    | Autonomous system CIDR block.                                                                                        |
| data                 | as_geo             | object    | Geographic location information for an IP indicator.                                                                 |
| as_geo               | city               | string    | City name.                                                                                                           |
| as_geo               | country_code       | string    | ISO country code.                                                                                                    |
| as_geo               | country_name       | string    | Full country name.                                                                                                   |
| data                 | as_number          | string    | Autonomous system number.                                                                                            |
| data                 | as_organization    | string    | Autonomous system organization name.                                                                                 |
| data                 | as_type            | string    | Autonomous system type.                                                                                              |
| data                 | benign_sources     | [object]  | Threat intelligence sources that flagged this indicator as benign.                                                   |
| benign_sources       | name               | string    | Name of the threat intelligence source.                                                                              |
| data                 | categories         | [string]  | Threat categories associated with the indicator.                                                                     |
| data                 | critical_assets    | [string]  | Critical assets associated with this indicator.                                                                      |
| data                 | first_seen         | date-time | Timestamp when the indicator was first seen.                                                                         |
| data                 | hosts              | [string]  | Hosts associated with this indicator.                                                                                |
| data                 | id                 | string    | Unique identifier for the indicator.                                                                                 |
| data                 | indicator          | string    | The indicator value (for example, an IP address or domain).                                                          |
| data                 | indicator_type     | string    | Type of indicator (for example, IP address or domain).                                                               |
| data                 | last_seen          | date-time | Timestamp when the indicator was last seen.                                                                          |
| data                 | log_matches        | int64     | Number of logs that matched this indicator.                                                                          |
| data                 | log_sources        | [string]  | Log sources where this indicator was observed.                                                                       |
| data                 | m_as_type          | enum      | Effect of a scoring factor on the indicator's threat score. Allowed enum values: `RAISE_SCORE,LOWER_SCORE,NO_EFFECT` |
| data                 | m_persistence      | enum      | Effect of a scoring factor on the indicator's threat score. Allowed enum values: `RAISE_SCORE,LOWER_SCORE,NO_EFFECT` |
| data                 | m_signal           | enum      | Effect of a scoring factor on the indicator's threat score. Allowed enum values: `RAISE_SCORE,LOWER_SCORE,NO_EFFECT` |
| data                 | m_sources          | enum      | Effect of a scoring factor on the indicator's threat score. Allowed enum values: `RAISE_SCORE,LOWER_SCORE,NO_EFFECT` |
| data                 | malicious_sources  | [object]  | Threat intelligence sources that flagged this indicator as malicious.                                                |
| malicious_sources    | name               | string    | Name of the threat intelligence source.                                                                              |
| data                 | max_trust_score    | enum      | Effect of a scoring factor on the indicator's threat score. Allowed enum values: `RAISE_SCORE,LOWER_SCORE,NO_EFFECT` |
| data                 | score              | double    | Threat score for the indicator (0-100).                                                                              |
| data                 | services           | [string]  | Services where this indicator was observed.                                                                          |
| data                 | signal_matches     | int64     | Number of security signals that matched this indicator.                                                              |
| data                 | signal_severity    | [object]  | Breakdown of security signals by severity.                                                                           |
| signal_severity      | count              | int64     | Number of signals at this severity level.                                                                            |
| signal_severity      | severity           | string    | Severity level (for example, critical, high, medium, low, info).                                                     |
| data                 | signal_tier        | int64     | Signal tier level.                                                                                                   |
| data                 | suspicious_sources | [object]  | Threat intelligence sources that flagged this indicator as suspicious.                                               |
| suspicious_sources   | name               | string    | Name of the threat intelligence source.                                                                              |
| data                 | tags               | [string]  | Tags associated with the indicator.                                                                                  |
| data                 | triage_history     | [object]  | Full triage history timeline. Returned only when `include_triage_history` is true.                                   |
| triage_history       | triage_state       | enum      | Current triage state of the indicator. Allowed enum values: `not_reviewed,reviewed`                                  |
| triage_history       | triaged_at         | date-time | Timestamp when this triage action occurred.                                                                          |
| triage_history       | triaged_by         | string    | UUID of the user who performed this triage action.                                                                   |
| data                 | triage_state       | enum      | Current triage state of the indicator. Allowed enum values: `not_reviewed,reviewed`                                  |
| data                 | triaged_at         | date-time | Timestamp when the indicator was last triaged.                                                                       |
| data                 | triaged_by         | string    | UUID of the user who last triaged the indicator.                                                                     |
| data                 | users              | object    | Users associated with this indicator, grouped by category.                                                           |
| additionalProperties | <any-key>          | [string]  | List of user identifiers in this category.                                                                           |
| data                 | id                 | string    | Unique identifier for the response.                                                                                  |
| data                 | type               | string    | Response type identifier.                                                                                            |

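As an added example (not part of the Datadog documentation or its client libraries), the following Python builds the query string under the rules in the Query Strings table and flattens the response model above into the fields an analyst triages on. The sample response, the feed names and the escalation rule are constructed assumptions for illustration.

```python
from typing import Any, Dict, Optional
from urllib.parse import urlencode

# Scoring-factor fields of the response model; each is RAISE_SCORE, LOWER_SCORE or NO_EFFECT.
FACTOR_FIELDS = ("m_as_type", "m_persistence", "m_signal", "m_sources", "max_trust_score")

# Constructed sample shaped like the "Example" response (203.0.113.7 is a TEST-NET-3 address).
SAMPLE_RESPONSE: Dict[str, Any] = {
    "data": {
        "attributes": {
            "data": {
                "id": "ioc-1",
                "indicator": "203.0.113.7",
                "indicator_type": "ip_address",
                "score": 82.5,
                "m_as_type": "RAISE_SCORE",
                "m_persistence": "RAISE_SCORE",
                "m_signal": "NO_EFFECT",
                "m_sources": "RAISE_SCORE",
                "max_trust_score": "LOWER_SCORE",
                "malicious_sources": [{"name": "feed-a"}, {"name": "feed-b"}],
                "benign_sources": [],
                "signal_severity": [{"severity": "high", "count": 2}, {"severity": "medium", "count": 1}],
                "critical_assets": ["web-01"],
                "triage_state": "not_reviewed",
            }
        },
    }
}


def build_query(indicator: str, ocsf: Optional[bool] = None, include_triage_history: bool = False,
                limit: Optional[int] = None, offset: Optional[int] = None) -> str:
    """Build the endpoint's query string. Pagination parameters are only sent with
    include_triage_history=true, the only case in which the API applies them."""
    params: Dict[str, str] = {"indicator": indicator}
    if ocsf is not None:
        params["ocsf"] = "true" if ocsf else "false"
    if include_triage_history:
        params["include_triage_history"] = "true"
        if limit is not None:
            params["triage_history_limit"] = str(limit)
        if offset is not None:
            params["triage_history_offset"] = str(offset)
    return urlencode(params)


def summarize(response: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten data.attributes.data into the fields an analyst triages on."""
    d = response["data"]["attributes"]["data"]
    return {
        "indicator": d["indicator"],
        "score": float(d.get("score", 0.0)),
        "raised_by": [f for f in FACTOR_FIELDS if d.get(f) == "RAISE_SCORE"],
        "lowered_by": [f for f in FACTOR_FIELDS if d.get(f) == "LOWER_SCORE"],
        "malicious_sources": [s["name"] for s in d.get("malicious_sources", [])],
        "signals_by_severity": {s["severity"]: s["count"] for s in d.get("signal_severity", [])},
        "critical_assets": list(d.get("critical_assets", [])),
        "needs_review": d.get("triage_state") == "not_reviewed",
    }


def should_escalate(summary: Dict[str, Any], min_score: float = 70.0) -> bool:
    """Local triage rule (an assumption of this example, not a Datadog rule): escalate an unreviewed
    indicator that scores high, has a malicious source, and touches a critical asset or a severe signal."""
    sev = summary["signals_by_severity"]
    severe = sev.get("critical", 0) + sev.get("high", 0) > 0
    return bool(summary["needs_review"] and summary["score"] >= min_score
                and summary["malicious_sources"] and (summary["critical_assets"] or severe))
```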
{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "data": {
        "additional_data": {},
        "as_cidr_block": "string",
        "as_geo": {
          "city": "string",
          "country_code": "string",
          "country_name": "string"
        },
        "as_number": "string",
        "as_organization": "string",
        "as_type": "string",
        "benign_sources": [
          {
            "name": "string"
          }
        ],
        "categories": [],
        "critical_assets": [],
        "first_seen": "2019-09-19T10:00:00.000Z",
        "hosts": [],
        "id": "string",
        "indicator": "string",
        "indicator_type": "string",
        "last_seen": "2019-09-19T10:00:00.000Z",
        "log_matches": "integer",
        "log_sources": [],
        "m_as_type": "string",
        "m_persistence": "string",
        "m_signal": "string",
        "m_sources": "string",
        "malicious_sources": [
          {
            "name": "string"
          }
        ],
        "max_trust_score": "string",
        "score": "number",
        "services": [],
        "signal_matches": "integer",
        "signal_severity": [
          {
            "count": "integer",
            "severity": "string"
          }
        ],
        "signal_tier": "integer",
        "suspicious_sources": [
          {
            "name": "string"
          }
        ],
        "tags": [],
        "triage_history": [
          {
            "triage_state": "not_reviewed",
            "triaged_at": "2019-09-19T10:00:00.000Z",
            "triaged_by": "string"
          }
        ],
        "triage_state": "not_reviewed",
        "triaged_at": "2019-09-19T10:00:00.000Z",
        "triaged_by": "string",
        "users": {
          "<any-key>": []
        }
      }
    },
    "id": "string",
    "type": "string"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

##### Curl

```shell
# Required query arguments
export indicator="CHANGE_ME"
# Curl command
curl -X GET "https://api.datadoghq.com/api/v2/security/siem/ioc-explorer/indicator?indicator=${indicator}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```
##### Python

```python
"""
Get an indicator of compromise returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
configuration.unstable_operations["get_indicator_of_compromise"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_indicator_of_compromise(
        indicator="masscan/1.3 (https://github.com/robertdavidgraham/masscan)",
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=python), then save the example to `example.py` and run the following command:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
##### Ruby

```ruby
# Get an indicator of compromise returns "OK" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.get_indicator_of_compromise".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.get_indicator_of_compromise("masscan/1.3 (https://github.com/robertdavidgraham/masscan)")
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=ruby), then save the example to `example.rb` and run the following command:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
##### Go

```go
// Get an indicator of compromise returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.GetIndicatorOfCompromise", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetIndicatorOfCompromise(ctx, "masscan/1.3 (https://github.com/robertdavidgraham/masscan)")

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetIndicatorOfCompromise`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetIndicatorOfCompromise`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=go), then save the example to `main.go` and run the following command:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
##### Java

```java
// Get an indicator of compromise returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.GetIoCIndicatorResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.getIndicatorOfCompromise", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      GetIoCIndicatorResponse result =
          apiInstance.getIndicatorOfCompromise(
              "masscan/1.3 (https://github.com/robertdavidgraham/masscan)");
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#getIndicatorOfCompromise");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=java), then save the example to `Example.java` and run the following command:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
##### Rust

```rust
// Get an indicator of compromise returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.GetIndicatorOfCompromise", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_indicator_of_compromise(
            "masscan/1.3 (https://github.com/robertdavidgraham/masscan)".to_string(),
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=rust), then save the example to `src/main.rs` and run the following command:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
##### TypeScript

```typescript
/**
 * Get an indicator of compromise returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.getIndicatorOfCompromise"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiGetIndicatorOfCompromiseRequest = {
  indicator: "masscan/1.3 (https://github.com/robertdavidgraham/masscan)",
};

apiInstance
  .getIndicatorOfCompromise(params)
  .then((data: v2.GetIoCIndicatorResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=typescript), then save the example to `example.ts` and run the following command:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}
