Check Threat Indicator
Check individual or batch indicators (IPs, domains, hashes, URLs) against the OrbGuard threat intelligence database for known threats.
Check Single Indicator
Query the OrbGuard threat intelligence database for a specific indicator of compromise. Supports domains, IP addresses, file hashes (MD5, SHA1, SHA256), and URLs.
GET /api/v1/intelligence/check
Check a single indicator against the threat intelligence database

| Parameter | Type | Required | Description |
|---|---|---|---|
| value | string | Required | The indicator value to check (e.g., a domain name, IP address, file hash, or URL) |
| type | string | Required | The indicator type. One of: domain, ip, hash, url |

URL Encoding
When checking URLs, make sure to URL-encode the value parameter. For example, https://example.com/path?q=1 should be encoded as https%3A%2F%2Fexample.com%2Fpath%3Fq%3D1.
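The encoding rule above matters most when the indicator itself contains `&` or `=`. The following is an added example, not OrbGuard's own client code: it builds the request URL with the standard library and compares it with plain string concatenation. `server_view` uses Python's `parse_qs` as a stand-in for a generic query-string parser (an assumption, not a statement about how OrbGuard parses requests), and the sample URL is constructed.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

BASE = "https://guard.orbai.world/api/v1/intelligence/check"
VALID_TYPES = {"domain", "ip", "hash", "url"}


def check_url(value, indicator_type):
    """Build the single-indicator request URL with both parameters percent-encoded."""
    if indicator_type not in VALID_TYPES:
        raise ValueError(f"type must be one of {sorted(VALID_TYPES)}")
    # urlencode escapes : / ? & = inside the value, so it stays one parameter
    return BASE + "?" + urlencode({"value": value, "type": indicator_type})


def naive_check_url(value, indicator_type):
    """String concatenation without encoding, kept only for comparison."""
    return f"{BASE}?value={value}&type={indicator_type}"


def server_view(url):
    """Parse the query string the way a generic server-side parser would (stand-in)."""
    return parse_qs(urlsplit(url).query)


if __name__ == "__main__":
    # Constructed sample: a URL indicator whose own query string contains "&type=".
    sample = "https://example.com/path?q=1&type=domain"
    print(server_view(naive_check_url(sample, "url")))  # value truncated, two type values
    print(server_view(check_url(sample, "url")))        # value intact, one type value
```

With the unencoded form, the looked-up value is no longer the URL that was observed, so a clean verdict says nothing about the original indicator.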

# Check a domain
curl -X GET "https://guard.orbai.world/api/v1/intelligence/check?value=suspicious-domain.com&type=domain" \
  -H "Authorization: Bearer YOUR_API_KEY"

# Check an IP address
curl -X GET "https://guard.orbai.world/api/v1/intelligence/check?value=198.51.100.23&type=ip" \
  -H "Authorization: Bearer YOUR_API_KEY"

# Check a file hash
curl -X GET "https://guard.orbai.world/api/v1/intelligence/check?value=e99a18c428cb38d5f260853678922e03&type=hash" \
  -H "Authorization: Bearer YOUR_API_KEY"

{
  "value": "suspicious-domain.com",
  "type": "domain",
  "is_malicious": true,
  "indicator": {
    "id": "ioc_7f8a9b2c3d4e",
    "value": "suspicious-domain.com",
    "type": "domain",
    "severity": "high",
    "confidence": 92,
    "description": "Domain associated with Pegasus C2 infrastructure. Used for initial payload delivery targeting iOS devices.",
    "tags": ["pegasus", "c2", "spyware", "ios"],
    "platforms": ["ios", "android"],
    "source_name": "orbguard-crawlers",
    "first_seen": "2025-08-14T06:30:00Z",
    "last_seen": "2026-02-07T18:45:00Z",
    "mitre_techniques": ["T1566.002", "T1071.001"],
    "cve_ids": ["CVE-2023-41064"],
    "report_count": 47
  }
}

{
  "value": "safe-domain.com",
  "type": "domain",
  "is_malicious": false,
  "indicator": null
}

{
  "success": false,
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "Invalid indicator type. Must be one of: domain, ip, hash, url"
  }
}

{
  "success": false,
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Invalid or missing API key"
  }
}

Batch Check Indicators
Check up to 100 indicators in a single request. This is significantly more efficient than making individual requests when you need to check multiple indicators at once.
POST /api/v1/intelligence/check/batch
Batch check up to 100 indicators against the threat intelligence database

| Parameter | Type | Required | Description |
|---|---|---|---|
| indicators | array | Required | Array of indicator objects to check. Each object must contain value (string) and type (string: domain/ip/hash/url). Maximum 100 items. |

Rate Limiting
Batch requests count as a single API call for rate limiting purposes, but the processing time increases with the number of indicators. For optimal performance, keep batches under 50 indicators.

curl -X POST https://guard.orbai.world/api/v1/intelligence/check/batch \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "indicators": [
      {"value": "suspicious-domain.com", "type": "domain"},
      {"value": "198.51.100.23", "type": "ip"},
      {"value": "e99a18c428cb38d5f260853678922e03", "type": "hash"},
      {"value": "https://phishing-site.example.com/login", "type": "url"}
    ]
  }'

{
  "results": [
    {
      "value": "suspicious-domain.com",
      "type": "domain",
      "is_malicious": true,
      "indicator": {
        "id": "ioc_7f8a9b2c3d4e",
        "value": "suspicious-domain.com",
        "type": "domain",
        "severity": "high",
        "confidence": 92,
        "description": "Domain associated with Pegasus C2 infrastructure.",
        "tags": ["pegasus", "c2", "spyware"],
        "platforms": ["ios", "android"],
        "source_name": "orbguard-crawlers",
        "first_seen": "2025-08-14T06:30:00Z",
        "last_seen": "2026-02-07T18:45:00Z",
        "mitre_techniques": ["T1566.002", "T1071.001"],
        "cve_ids": [],
        "report_count": 47
      }
    },
    {
      "value": "198.51.100.23",
      "type": "ip",
      "is_malicious": true,
      "indicator": {
        "id": "ioc_3a4b5c6d7e8f",
        "value": "198.51.100.23",
        "type": "ip",
        "severity": "critical",
        "confidence": 98,
        "description": "IP address hosting command-and-control server for Predator spyware.",
        "tags": ["predator", "c2", "cytrox"],
        "platforms": ["android"],
        "source_name": "partner-intel",
        "first_seen": "2025-03-01T12:00:00Z",
        "last_seen": "2026-02-06T09:30:00Z",
        "mitre_techniques": ["T1071.001", "T1573.002"],
        "cve_ids": ["CVE-2024-31497"],
        "report_count": 112
      }
    },
    {
      "value": "e99a18c428cb38d5f260853678922e03",
      "type": "hash",
      "is_malicious": false,
      "indicator": null
    },
    {
      "value": "https://phishing-site.example.com/login",
      "type": "url",
      "is_malicious": true,
      "indicator": {
        "id": "ioc_9f0e1d2c3b4a",
        "value": "https://phishing-site.example.com/login",
        "type": "url",
        "severity": "high",
        "confidence": 88,
        "description": "Credential harvesting page mimicking a banking login portal.",
        "tags": ["phishing", "credential-harvesting", "banking"],
        "platforms": [],
        "source_name": "community-feed",
        "first_seen": "2026-01-20T15:00:00Z",
        "last_seen": "2026-02-07T22:10:00Z",
        "mitre_techniques": ["T1566.002"],
        "cve_ids": [],
        "report_count": 23
      }
    }
  ]
}

{
  "success": false,
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "Too many indicators. Maximum batch size is 100."
  }
}

Indicator Types
The type field determines how OrbGuard processes the indicator. Use hash for MD5, SHA1, or SHA256 file hashes -- the system automatically detects the hash algorithm based on the string length.
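
The batch limits and the length-based hash detection described above can be enforced on the client before anything is sent. This is an added example, not OrbGuard's own code: it validates and de-duplicates indicators, splits them into request bodies under the recommended size, and filters a batch response using the `is_malicious` and `confidence` fields shown on this page. The function names, the 49-item default and the confidence threshold of 80 are assumptions chosen for illustration.

```python
import re

MAX_BATCH = 100   # hard limit stated for the batch endpoint
BATCH_SIZE = 49   # assumption: literal reading of "keep batches under 50"
VALID_TYPES = {"domain", "ip", "hash", "url"}
HASH_LENGTHS = {32: "MD5", 40: "SHA1", 64: "SHA256"}  # hex digits per algorithm


def hash_algorithm(value):
    """Algorithm implied by the hex-string length, or None if it is not a hash."""
    if not re.fullmatch(r"[0-9a-fA-F]+", value):
        return None
    return HASH_LENGTHS.get(len(value))


def build_batches(indicators, size=BATCH_SIZE):
    """Validate, de-duplicate and split (value, type) pairs into request bodies."""
    if not 1 <= size <= MAX_BATCH:
        raise ValueError(f"batch size must be 1..{MAX_BATCH}")
    clean, rejected, seen = [], [], set()
    for value, kind in indicators:
        value = value.strip()
        valid = kind in VALID_TYPES and bool(value)
        if valid and kind == "hash":
            valid = hash_algorithm(value) is not None
        if not valid:
            rejected.append((value, kind))  # caught locally instead of being sent
        elif (value, kind) not in seen:
            seen.add((value, kind))
            clean.append({"value": value, "type": kind})
    bodies = [{"indicators": clean[i:i + size]} for i in range(0, len(clean), size)]
    return bodies, rejected


def malicious_hits(response, min_confidence=80):
    """Malicious results at or above min_confidence, highest confidence first."""
    hits = [r for r in response.get("results", [])
            if r.get("is_malicious") and r.get("indicator")
            and r["indicator"].get("confidence", 0) >= min_confidence]
    return sorted(hits, key=lambda r: r["indicator"]["confidence"], reverse=True)


if __name__ == "__main__":
    # Constructed input: 120 domains, one duplicate, one truncated hash.
    iocs = [(f"host{i}.example.com", "domain") for i in range(120)]
    iocs += [("host0.example.com", "domain"), ("e99a18c428cb38d5", "hash")]
    bodies, rejected = build_batches(iocs)
    print([len(b["indicators"]) for b in bodies], rejected)
```

Each returned body is ready to be sent as the JSON payload of one batch request.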