Skip to main content
GET
/
api
/
indicator.php
Get by Value
curl "https://pulsedive.com/api/indicator.php?indicator=pulsedive.com"
{
  "qid": 123,
  "iid": 123,
  "indicator": "<string>",
  "type": "domain",
  "risk": "unknown",
  "risk_recommended": "unknown",
  "manualrisk": 0,
  "retired": 0,
  "stamp_added": "2025-05-19 14:23:45",
  "stamp_updated": "2025-05-19 14:23:45",
  "stamp_seen": "2025-05-19 14:23:45",
  "stamp_probed": "2025-05-19 14:23:45",
  "stamp_retired": "2025-05-19 14:23:45",
  "recent": 0,
  "submissions": 123,
  "umbrella_rank": 11032,
  "umbrella_domain": "<string>",
  "riskfactors": [
    {
      "rfid": 123,
      "description": "found in threat feeds",
      "risk": "unknown"
    }
  ],
  "redirects": {
    "from": [
      {
        "id": "<string>",
        "indicator": "<string>"
      }
    ],
    "to": [
      {
        "iid": 123,
        "indicator": "<string>"
      }
    ]
  },
  "threats": [
    {
      "tid": 123,
      "name": "Zeus",
      "category": "malware",
      "risk": "unknown",
      "stamp_linked": "2025-05-19 14:23:45"
    }
  ],
  "feeds": [
    {
      "fid": 123,
      "name": "Zeus Bad Domains",
      "category": "malware",
      "organization": "abuse.ch",
      "pricing": "free",
      "stamp_linked": "2025-05-19 14:23:45"
    }
  ],
  "comments": [
    {
      "cid": 123,
      "username": "sherd",
      "title": "Founder",
      "comment": "Have you seen our Pro tier? 😎",
      "stamp_added": "2025-05-19 14:23:45",
      "stamp_updated": "2025-05-19 14:23:45",
      "uid": 123
    }
  ],
  "attributes": {
    "port": [
      [
        "443",
        "80"
      ]
    ],
    "protocol": [
      [
        "HTTP",
        "HTTPS"
      ]
    ],
    "technology": [
      [
        "Apache",
        "jQuery"
      ]
    ]
  },
  "properties": {
    "geo": {
      "countrycode": "US",
      "region": "CA",
      "country": "United States of America",
      "address": "221 Lombard Street",
      "zip": "94102",
      "city": "San Francisco",
      "org": "Pulsedive"
    },
    "whois": {
      "++abuse": "abuse-complaints@squarespace.com",
      "++email": [
        "username1@organization1.org"
      ],
      "++expires": "2025-05-19 14:23:45",
      "++gdpr": "0",
      "++phone": [
        "+1.646-693-5324"
      ],
      "++privacy": "0",
      "++registered": "2025-05-19 14:23:45",
      "++registrant": [
        "Zero Cool",
        "Titan Digital"
      ],
      "++registrar": "Squarespace Domains II LLC",
      "++updated": "2025-05-19 14:23:45",
      "registrant organization": "Titan Digital",
      "name server": [
        "ns1.example.com",
        "ns2.example.com"
      ]
    },
    "http": {
      "++code": "200",
      "++status": "OK",
      "++content-type": "text/html",
      "++base": "https://pulsedive.com/",
      "++target": "http://pulsedive.com/",
      "++redirect": "https://pulsedive.com/",
      "Content-Type": "application/json",
      "Set-Cookie": [
        "sessionid=abc123; Path=/; Secure",
        "userid=42; Path=/; HttpOnly"
      ]
    },
    "ssl": {
      "subject": "/CN=pulsedive.com",
      "domain": [
        [
          "pulsedive.com",
          "www.pulsedive.com"
        ]
      ],
      "version": "v3",
      "org": [
        "WE1",
        "R11"
      ],
      "ip": [
        "162.159.36.1",
        "2606:4700:4700::1001"
      ],
      "issuer": [
        "/C=US/O=Google Trust Services/CN=WE1",
        "/C=US/O=Let's Encrypt/CN=R11"
      ],
      "expires": "2025-05-19 14:23:45",
      "fingerprint": "c47649d46db4cf725334942920ccb076b331a5a60dc3f58608bbf72512d222cd",
      "valid": "2025-05-19 14:23:45",
      "email": "username@pulsedive.com"
    },
    "dns": {
      "a": "142.250.190.14",
      "aaaa": "2607:f8b0:4004:c1b::8e",
      "mx": "alt3.aspmx.l.google.com",
      "ns": [
        "ns1.digitalocean.com",
        "ns2.digitalocean.com",
        "ns3.digitalocean.com"
      ],
      "txt": [
        "v=spf1 include:_spf.google.com ~all",
        "google-site-verification=abc123"
      ]
    },
    "meta": {
      "++title": "Threat Intelligence - Pulsedive",
      "Content-Type": "text/html; charset=UTF-8",
      "og:image": [
        "https://example.com/image1.jpg",
        "https://example.com/image2.jpg"
      ]
    },
    "banners": {
      "22": "SSH-2.0-OpenSSH_7.4\n",
      "143": [
        "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] Dovecot ready.\n",
        "* PREAUTH [CAPABILITY IMAP4rev1 SASL-IR] Logged in as user\n"
      ]
    },
    "cookies": {
      "_ga": "GA1.1.1991921685.1744247816",
      "_ga_g550td8bzn": "GS1.1.1744247869.1.0.1744247869.0.0.0",
      "token": [
        "abc",
        "def"
      ]
    },
    "dom": {
      "screenshot": "https://sandbox.pulsedive.com/screenshots/4179fbe377b84604ba4eaee47f5de9d2.jpeg"
    }
  }
}

Query Parameters

key
string

Your Pulsedive API key.

API key authentication is optional. However, requests without a key have stricter rate limits. We recommend including an API key for better performance and reliability.

indicator
string
required

Value of the indicator to retrieve. May be:

  • a domain name (e.g., microsoft.com)
  • an IP address (e.g., 8.8.8.8)
  • a URL (e.g., https://pulsedive.com/explore)
historical
enum<integer>
default:0

Indicates whether to return indicator properties as they appeared in previous scans. Use to analyze trends or audit historical threat activity.

For historical data, set to 1. For recent data, set to 0.

Available options:
0,
1
schema
enum<integer>
default:0

Indicates whether to return attributes associated with the indicator type you are querying.

To return associated attributes, set to 1. To return default data, set to 0.

Available options:
0,
1
pretty
enum<integer>
default:0

Indicates whether to format returned JSON results.

For pretty-printed output, set to 1. For compact output, set to 0.

Available options:
0,
1

Response

Successful request. Returns indicator information in JSON format.

qid
integer | null

Unique identifier of an associated previous submission request, if available.

iid
integer

Unique identifier of the indicator.

indicator
string

Value of the indicator.

type
enum<string>

Type of indicator.

Available options:
domain,
ip,
url
risk
enum<string>

Final risk score for the indicator.

If the risk score has been manually adjusted, this value may differ from the recommended risk score. In this case, manualrisk is set to 1.

Available options:
unknown,
very low,
low,
medium,
high,
critical
risk_recommended
enum<string>

Recommended risk level based on Pulsedive automated risk scoring.

Available options:
unknown,
very low,
low,
medium,
high,
critical
manualrisk
enum<integer>

Indicates whether the risk score has been manually adjusted.

When set to 1, the risk score has been manually adjusted. When set to 0, the risk score reflects Pulsedive's automated assessment.

Available options:
0,
1
retired
enum<integer> | null

Indicates whether this indicator is inactive or obsolete.

An indicator is automatically retired if, in the past three months, it has not been:

  • Reported using the Seen button in the Pulsedive UI
  • Observed in any source feeds
  • Submitted through the Analyze section of the Pulsedive UI

Pulsedive research can also retire indicators manually.

When set to 1, this indicator is retired. When set to 0, this indicator is active.

Available options:
0,
1
stamp_added
string<sql-date-time> | null

Timestamp when the indicator was first added to Pulsedive. 24-hour format, UTC time zone.

Pattern: ^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$
Example:

"2025-05-19 14:23:45"

stamp_updated
string<sql-date-time> | null

Timestamp when the indicator record was last updated in Pulsedive. 24-hour format, UTC time zone.

Pattern: ^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$
Example:

"2025-05-19 14:23:45"

stamp_seen
string<sql-date-time> | null

Timestamp when the indicator was last reported or seen in feeds or user submissions in Pulsedive. 24-hour format, UTC time zone.

Pattern: ^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$
Example:

"2025-05-19 14:23:45"

stamp_probed
string<sql-date-time> | null

Timestamp when the indicator was last actively scanned (probed) by Pulsedive. 24-hour format, UTC time zone.

Pattern: ^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$
Example:

"2025-05-19 14:23:45"

stamp_retired
string<sql-date-time> | null

Timestamp when the indicator was retired in Pulsedive, if applicable. 24-hour format, UTC time zone.

Pattern: ^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$
Example:

"2025-05-19 14:23:45"

recent
enum<integer>

Indicates whether this indicator has had recent activity. Deprecated and non-functional.

When set to 1, the indicator has had recent activity. When set to 0, the indicator has not had recent activity.

Available options:
0,
1
submissions
integer

Number of times the indicator has been submitted by any user.

umbrella_rank
integer

Rank of the indicator on Cisco Umbrella's top one million domains list. This list reflects the most frequently queried domains, based on passive DNS data across Cisco's global Umbrella network.

Example:

11032

umbrella_domain
string

Canonical (base) domain as recognized by Cisco Umbrella. Populated when umbrella_rank is present.

riskfactors
object[]

List of risk factors influencing this indicator's score.

redirects
object

Redirect relationships involving this indicator.

threats
object[]

Known threats associated with this indicator.

feeds
object[]

Threat intelligence feeds that reference this indicator.

comments
object[]

Comments submitted by Pulsedive contributors for this indicator.

attributes
object

Technical metadata observed for this indicator.

properties
object

Detailed sub-properties for this indicator, grouped by type or data source.