# IoC Enrichment API (`crawland/ioc-enrichment-api`) Actor

Enrich URLs, domains, IPs, and hashes with threat intelligence, related references, malware associations, adversary links, attack techniques, targeted regions, and affected industries.

- **URL**: https://apify.com/crawland/ioc-enrichment-api.md
- **Developed by:** [Crawland](https://apify.com/crawland) (community)
- **Categories:** Automation, Developer tools, Other
- **Stats:** 1 total users, 0 monthly users, 0.0% runs succeeded, NaN bookmarks
- **User rating**: No ratings yet

## Pricing

from $0.70 / 1,000 ioc enrichments

This Actor is paid per event and usage. You are charged both the fixed price for specific events and for Apify platform usage.

Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event

## What's an Apify Actor?

Actors are software tools running on the Apify platform, for all kinds of web data extraction and automation use cases.
In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours,
and optionally produces a well-defined JSON output, datasets with results, or files in key-value store.
In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server.
Actors are written with capital "A".

## How to integrate an Actor?

If asked about integration, you help developers integrate Actors into their projects.
You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready.
The best way to integrate Actors is as follows.

In JavaScript/TypeScript projects, use the official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md):

```bash
npm install apify-client
```

In Python projects, use the official [Python client library](https://docs.apify.com/api/client/python.md):

```bash
pip install apify-client
```

In shell scripts, use the [Apify CLI](https://docs.apify.com/cli/docs.md):

```bash
# macOS / Linux
curl -fsSL https://apify.com/install-cli.sh | bash
# Windows
irm https://apify.com/install-cli.ps1 | iex
```

In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md).

If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md).

For usage examples, see the [API](#api) section below.

For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt).


# README

## IoC Enrichment API

Real-time OSINT enrichment for URLs, file hashes, IPv4 addresses, and domains — adversary attribution, malware families, and MITRE ATT&CK techniques in a single call.

### API Overview

IoC Enrichment API is a real-time threat intelligence service that goes beyond verdicts and answers the questions a "malicious / clean" score cannot:

- **Who** is using this indicator?
- **Which malware family** is it associated with?
- **Which MITRE ATT&CK techniques** apply?
- **Which industries and countries** are being targeted?

Send any of four indicator types — a URL, a file hash (MD5 / SHA-1 / SHA-256), an IPv4 address, or a domain — and get back the consolidated open-source intelligence (OSINT) context that has been associated with it.

### What you get on every request

- **`adversaries`** — named threat actors and campaigns that have used this indicator (e.g. *WannaCry Ransomware Group*, *APT-C-35 (DoNot)*).
- **`malware_families`** — malware family labels seen alongside this indicator (e.g. *Cobalt Strike*, *Redline*, *Emotet*, *Sality*).
- **`attack_ids`** — MITRE ATT&CK technique identifiers with their official titles (e.g. *T1071 — Application Layer Protocol*).
- **`tags`** — analyst-applied free-form labels accumulated across all referencing reports.
- **`targeted_countries`**, **`industries`** — victimology context derived from the source reports.
- **`references`** — links and citations to the public reports, vendor write-ups, and OSINT feeds that mention this indicator.
- **IP-only extras** — geolocation (`country_code`, `country_name`, `city`, `asn`, `latitude`, `longitude`).

### What can you do with this API?

- 🧠 Add *who* and *why* on top of an *is-it-bad* verdict
- 🎯 Pull MITRE ATT&CK technique IDs straight into your detection engineering workflow
- 🌍 Filter indicators by targeted industry and country (victimology)
- 🔎 Pivot from a single indicator to the malware families and references that mention it
- 🛡️ Attribute C2 infrastructure, phishing campaigns, and malware samples to known adversaries

### Response model

Every successful request returns:

```json
{
  "is_success": true,
  "response_code": 200,
  "message": "Success",
  "data": {
    "search_type": "hash",
    "pulse_detail": {
      "indicator": "44d88612fea8a8f36de82e1278abb02f",
      "type": "md5",
      "adversaries": ["..."],
      "malware_families": ["..."],
      "attack_ids": ["T1071 - Application Layer Protocol"],
      "tags": ["..."],
      "industries": ["..."],
      "targeted_countries": ["..."],
      "references": ["..."]
    }
  }
}
````

When an indicator can't be processed (e.g. a malformed value), the call still returns HTTP 200 with `is_success: false` and the underlying `response_code` in the body — inspect `is_success` rather than relying on the HTTP status alone.
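The check described above, as an added example that is not part of the Actor's own code: it treats `is_success`, not the HTTP status, as the success signal and splits `attack_ids` strings into technique ID and title. The function names, the failure body's `message` value and the sample bodies are constructed for illustration.

```python
import re

# Constructed sample bodies shaped like the response model above (not real API output).
OK_BODY = {
    "is_success": True,
    "response_code": 200,
    "message": "Success",
    "data": {
        "search_type": "hash",
        "pulse_detail": {
            "indicator": "44d88612fea8a8f36de82e1278abb02f",
            "type": "md5",
            "adversaries": [],
            "malware_families": ["Emotet"],
            "attack_ids": [
                "T1071 - Application Layer Protocol",
                "T1059.001 \u2014 PowerShell",          # em-dash separator, as in the prose
                "T1071 - Application Layer Protocol",  # duplicate across reports
                "persistence",                         # entry with no technique ID
            ],
            "references": ["https://example.com/report"],
        },
    },
}
# Assumed failure shape: the page only guarantees is_success and response_code.
FAILED_BODY = {"is_success": False, "response_code": 400, "message": "constructed error"}

# Technique or sub-technique ID, then an optional "-", en/em dash or ":" and a title.
TECHNIQUE_RE = re.compile(
    r"^\s*(T\d{4}(?:\.\d{3})?)\s*(?:[-\u2013\u2014:]\s*(.*\S))?\s*$", re.IGNORECASE
)
LIST_FIELDS = ("adversaries", "malware_families", "tags", "industries",
               "targeted_countries", "references")


class EnrichmentError(Exception):
    """Raised for transport failures and for HTTP 200 bodies with is_success false."""

    def __init__(self, code, message):
        super().__init__(f"enrichment failed ({code}): {message}")
        self.code = code


def parse_enrichment(http_status, body):
    """Return a normalised dict from one response, or raise EnrichmentError."""
    if http_status != 200:
        raise EnrichmentError(http_status, "transport-level failure")
    # HTTP 200 is not enough: the body carries the real outcome.
    if not isinstance(body, dict) or body.get("is_success") is not True:
        code = body.get("response_code") if isinstance(body, dict) else None
        msg = body.get("message") if isinstance(body, dict) else "body is not a JSON object"
        raise EnrichmentError(code, msg)
    data = body.get("data")
    detail = data.get("pulse_detail") if isinstance(data, dict) else None
    if not isinstance(detail, dict):
        raise EnrichmentError(body.get("response_code"), "missing data.pulse_detail")

    techniques, unparsed = {}, []
    for raw in detail.get("attack_ids") or []:
        match = TECHNIQUE_RE.match(str(raw))
        if match:
            # First title seen wins; duplicates across reports collapse to one key.
            techniques.setdefault(match.group(1).upper(), match.group(2) or "")
        else:
            unparsed.append(raw)  # keep for review instead of dropping silently

    result = {"indicator": detail.get("indicator"), "type": detail.get("type"),
              "techniques": techniques, "unparsed_attack_ids": unparsed}
    for field in LIST_FIELDS:
        # Absent or null list fields become empty lists so callers can iterate safely.
        result[field] = list(detail.get(field) or [])
    return result


if __name__ == "__main__":
    print(parse_enrichment(200, OK_BODY)["techniques"])
```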

### Use cases

#### GET /url

Enrich a URL — malware family associations, adversary attribution, MITRE ATT&CK techniques, references.
*Pro tip: pass the full URL including scheme. URL pulse coverage is sparser than hash / domain / IP — best combined with the other endpoints for the full picture.*

#### GET /hash

Enrich a file by MD5 / SHA-1 / SHA-256.
Returns named adversaries, malware family labels, MITRE ATT&CK techniques, targeted industries and countries, plus file metadata (size, type, ssdeep).

#### GET /ip

Enrich an IPv4 address with adversary attribution, malware family context, MITRE techniques, and geolocation (country, city, ASN, latitude / longitude).
*IPv6 is not currently supported.*

#### GET /domain

Enrich a domain — adversary attribution, malware families seen on this domain, MITRE techniques, targeted industries and countries, references to public reports.

### How is this different from IoC Lookup?

IoC Lookup answers *"is this dangerous?"* (reputation + vendor verdicts). IoC Enrichment answers *"who is behind it and what TTPs do they use?"* (adversary attribution, malware families, MITRE ATT&CK IDs). They are complementary — most SOC workflows use both.

### Need something custom or need support?

Looking for a different response format, a bulk lookup option, a custom integration, or help with setup? Send us a DM and we'll be happy to support you and help you find the best setup for your use case.

# Actor input Schema

## `endpoint` (type: `string`):

Which kind of indicator to enrich. Maps to the path in Standby mode (/url, /hash, /ip, /domain).

## `query` (type: `string`):

The indicator value to enrich.

## Actor input object example

```json
{
  "endpoint": "hash",
  "query": "44d88612fea8a8f36de82e1278abb02f"
}
```
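In the published schema `endpoint` is optional and defaults to `hash`, so a URL, IP or domain sent without it runs under the hash default. The following added example (not the Actor's own code) picks the endpoint from the indicator's shape and rejects values the README says are unsupported; `build_actor_input`, `build_batch`, the domain pattern and the lowercase normalisation are assumptions of this sketch.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hex lengths of the hash types the README lists: MD5, SHA-1, SHA-256.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Conservative hostname pattern (assumption): dot-separated labels, alphabetic-leading TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
    r"[a-z][a-z0-9-]{0,61}[a-z0-9]$",
    re.IGNORECASE,
)


def build_actor_input(value):
    """Map one indicator to an Actor input object, or raise ValueError."""
    v = value.strip()
    if not v:
        raise ValueError("empty indicator")

    # URLs must be passed in full, including the scheme.
    if "://" in v:
        parts = urlsplit(v)
        if not parts.scheme or not parts.hostname:
            raise ValueError("URL needs a scheme and a host")
        return {"endpoint": "url", "query": v}

    # Pure hex strings are hashes only at the three supported lengths.
    if HEX_RE.match(v):
        if len(v) not in HASH_LENGTHS:
            raise ValueError("hex string is not MD5, SHA-1 or SHA-256 length")
        return {"endpoint": "hash", "query": v.lower()}

    try:
        ip = ipaddress.ip_address(v)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.version != 4:
            raise ValueError("IPv6 is not currently supported")
        return {"endpoint": "ip", "query": str(ip)}

    if DOMAIN_RE.match(v):
        return {"endpoint": "domain", "query": v.lower()}
    raise ValueError("not a URL, hash, IPv4 address or domain")


def build_batch(values):
    """Split raw indicators into ready-to-send inputs and rejected (value, reason) pairs."""
    inputs, rejected = [], []
    for value in values:
        try:
            inputs.append(build_actor_input(value))
        except ValueError as exc:
            rejected.append((value, str(exc)))
    return inputs, rejected


if __name__ == "__main__":
    # Constructed sample indicators (documentation ranges and example domains).
    sample = ["44d88612fea8a8f36de82e1278abb02f", "192.0.2.10", "2001:db8::1",
              "Example.COM", "https://example.com/a?b=1", "deadbeef"]
    ready, bad = build_batch(sample)
    for item in ready:
        print(item)
    for value, reason in bad:
        print("rejected:", value, "-", reason)
```

Rejecting malformed values before the call also avoids spending a paid enrichment event on input that would only come back with `is_success: false`.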

# API

You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup.

## JavaScript example

```javascript
import { ApifyClient } from 'apify-client';

// Initialize the ApifyClient with your Apify API token
// Replace the '<YOUR_API_TOKEN>' with your token
const client = new ApifyClient({
    token: '<YOUR_API_TOKEN>',
});

// Prepare Actor input
const input = {
    "query": "44d88612fea8a8f36de82e1278abb02f"
};

// Run the Actor and wait for it to finish
const run = await client.actor("crawland/ioc-enrichment-api").call(input);

// Fetch and print Actor results from the run's dataset (if any)
console.log('Results from dataset');
console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`);
const { items } = await client.dataset(run.defaultDatasetId).listItems();
items.forEach((item) => {
    console.dir(item);
});

// 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs

```

## Python example

```python
from apify_client import ApifyClient

# Initialize the ApifyClient with your Apify API token
# Replace '<YOUR_API_TOKEN>' with your token.
client = ApifyClient("<YOUR_API_TOKEN>")

# Prepare the Actor input
run_input = { "query": "44d88612fea8a8f36de82e1278abb02f" }

# Run the Actor and wait for it to finish
run = client.actor("crawland/ioc-enrichment-api").call(run_input=run_input)

# Fetch and print Actor results from the run's dataset (if there are any)
print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"])
for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item)

# 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start

```

## CLI example

```bash
echo '{
  "query": "44d88612fea8a8f36de82e1278abb02f"
}' |
apify call crawland/ioc-enrichment-api --silent --output-dataset

```

## MCP server setup

```json
{
    "mcpServers": {
        "apify": {
            "command": "npx",
            "args": [
                "mcp-remote",
                "https://mcp.apify.com/?tools=crawland/ioc-enrichment-api",
                "--header",
                "Authorization: Bearer <YOUR_API_TOKEN>"
            ]
        }
    }
}

```

## OpenAPI specification

```json
{
    "openapi": "3.0.1",
    "info": {
        "title": "IoC Enrichment API",
        "description": "Enrich URLs, domains, IPs, and hashes with threat intelligence, related references, malware associations, adversary links, attack techniques, targeted regions, and affected industries.",
        "version": "0.1",
        "x-build-id": "89gJP8oBvR41Yb9BO"
    },
    "servers": [
        {
            "url": "https://api.apify.com/v2"
        }
    ],
    "paths": {
        "/acts/crawland~ioc-enrichment-api/run-sync-get-dataset-items": {
            "post": {
                "operationId": "run-sync-get-dataset-items-crawland-ioc-enrichment-api",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        },
        "/acts/crawland~ioc-enrichment-api/runs": {
            "post": {
                "operationId": "runs-sync-crawland-ioc-enrichment-api",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor and returns information about the initiated run in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/runsResponseSchema"
                                }
                            }
                        }
                    }
                }
            }
        },
        "/acts/crawland~ioc-enrichment-api/run-sync": {
            "post": {
                "operationId": "run-sync-crawland-ioc-enrichment-api",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        }
    },
    "components": {
        "schemas": {
            "inputSchema": {
                "type": "object",
                "required": [
                    "query"
                ],
                "properties": {
                    "endpoint": {
                        "title": "Indicator type",
                        "enum": [
                            "url",
                            "hash",
                            "ip",
                            "domain"
                        ],
                        "type": "string",
                        "description": "Which kind of indicator to enrich. Maps to the path in Standby mode (/url, /hash, /ip, /domain).",
                        "default": "hash"
                    },
                    "query": {
                        "title": "Query",
                        "type": "string",
                        "description": "The indicator value to enrich."
                    }
                }
            },
            "runsResponseSchema": {
                "type": "object",
                "properties": {
                    "data": {
                        "type": "object",
                        "properties": {
                            "id": {
                                "type": "string"
                            },
                            "actId": {
                                "type": "string"
                            },
                            "userId": {
                                "type": "string"
                            },
                            "startedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "finishedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "status": {
                                "type": "string",
                                "example": "READY"
                            },
                            "meta": {
                                "type": "object",
                                "properties": {
                                    "origin": {
                                        "type": "string",
                                        "example": "API"
                                    },
                                    "userAgent": {
                                        "type": "string"
                                    }
                                }
                            },
                            "stats": {
                                "type": "object",
                                "properties": {
                                    "inputBodyLen": {
                                        "type": "integer",
                                        "example": 2000
                                    },
                                    "rebootCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "restartCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "resurrectCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "computeUnits": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "options": {
                                "type": "object",
                                "properties": {
                                    "build": {
                                        "type": "string",
                                        "example": "latest"
                                    },
                                    "timeoutSecs": {
                                        "type": "integer",
                                        "example": 300
                                    },
                                    "memoryMbytes": {
                                        "type": "integer",
                                        "example": 1024
                                    },
                                    "diskMbytes": {
                                        "type": "integer",
                                        "example": 2048
                                    }
                                }
                            },
                            "buildId": {
                                "type": "string"
                            },
                            "defaultKeyValueStoreId": {
                                "type": "string"
                            },
                            "defaultDatasetId": {
                                "type": "string"
                            },
                            "defaultRequestQueueId": {
                                "type": "string"
                            },
                            "buildNumber": {
                                "type": "string",
                                "example": "1.0.0"
                            },
                            "containerUrl": {
                                "type": "string"
                            },
                            "usage": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "integer",
                                        "example": 1
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "usageTotalUsd": {
                                "type": "number",
                                "example": 0.00005
                            },
                            "usageUsd": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "number",
                                        "example": 0.00005
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
```
