ThreatCheck API Cases

The ThreatCheck API enables quick, reliable checks against Silent Push's Indicators of Future Attack (IOFA™) feeds. Integrate it into your workflows to gain actionable threat intelligence. Focused on our core use cases, Insight (visibility and analysis), Defender (protection and response), and Reconnaissance (proactive scouting), this guide shows simple ways to leverage the API. For all integrations, send a request with your user identifier key and an indicator, then parse the Boolean response to act accordingly.

Prerequisites

To get started, ensure you have:

  • An active Silent Push Enterprise subscription.

  • A unique Access Key for authentication.

  • Network access allowing outbound HTTPS requests to https://api.threatcheck.silentpush.com/v1/.

Note

Your Access Key is masked by default for security.

View Your Access Key

  1. From your user icon in the Silent Push platform, select Subscription.

  2. In the ThreatCheck API section, view or copy the provided access key.

Implementation Basics

Follow these steps for any use case:

  1. Copy your user identifier key from the Subscription page.

  2. Use query parameters:

    • t: Set to ip (or other supported types like domain).

    • d: Set to iofa (data source).

    • u: Your user identifier key.

    • q: The target indicator (e.g., IP address).

     Example URL: https://api.threatcheck.silentpush.com/v1/?t=ip&d=iofa&u=YOUR_KEY&q=192.168.1.10

  3. Check the is_listed field in the JSON:

    • true: Indicator is on an IOFA feed—take protective action.

    • false: Indicator is clean—proceed normally.

  4. Based on the response, block, alert, or investigate.

Example cURL Request

curl -X GET "https://api.threatcheck.silentpush.com/v1/?t=ip&d=iofa&u=12345&q=192.168.1.10"

Example Response

{
  "query": "192.168.1.10",
  "is_listed": true,
  "listed_txt": "This IP is on the IOFA feed."
}
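
The steps above as a small Python client, added here as an example and not Silent Push's own code. It goes one step beyond the page by returning a third verdict, "unknown", when the request fails or the reply lacks a Boolean is_listed, so an outage is never read as a false result. The function names, the "unknown" verdict and the IP/domain type detection are assumptions of this example; the endpoint, query parameters and is_listed field are taken from this page.

```python
import ipaddress
import json
import urllib.parse
import urllib.request

BASE_URL = "https://api.threatcheck.silentpush.com/v1/"  # endpoint from this page

def indicator_type(indicator):
    """Pick the t parameter: 'ip' if the value parses as an IP, else 'domain'."""
    try:
        ipaddress.ip_address(indicator)
        return "ip"
    except ValueError:
        return "domain"

def build_url(indicator, key):
    """Build the query URL; urlencode escapes the indicator, which is untrusted log data."""
    params = {"t": indicator_type(indicator), "d": "iofa", "u": key, "q": indicator}
    return BASE_URL + "?" + urllib.parse.urlencode(params)

def parse_verdict(body):
    """Map a response body to 'listed', 'not_listed' or 'unknown'.

    Only a JSON Boolean is_listed counts; an error page, a truncated reply or a
    string such as "false" yields 'unknown' (a verdict name assumed by this example).
    """
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return "unknown"
    if not isinstance(doc, dict) or not isinstance(doc.get("is_listed"), bool):
        return "unknown"
    return "listed" if doc["is_listed"] else "not_listed"

def http_get(url, timeout=5):
    # The key travels in the query string, so keep this URL out of application logs.
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")

def check(indicator, key, fetch=http_get):
    """Query ThreatCheck; network and HTTP failures yield 'unknown', not 'not_listed'."""
    try:
        return parse_verdict(fetch(build_url(indicator, key)))
    except OSError:  # urllib's URLError/HTTPError and socket timeouts are OSError subclasses
        return "unknown"
```

Pass a different `fetch` callable to test the decision logic without network access, and route "unknown" results to retry or manual review rather than to the allow path.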

Use Case: Gain Visibility and Analyze Threats

Use ThreatCheck for real-time insights into potential threats during log analysis or monitoring. For example, integrate with SIEM systems to enrich alerts with IOFA data.

Step-by-Step Integration

  • Configure a SIEM rule to extract indicators (e.g., IPs from firewall logs) and query the API.

  • Send the request as described above.

  • If is_listed: true, enrich the alert with details for deeper analysis—e.g., correlate with other logs or trigger a dashboard update.

  • If false, dismiss low-priority events to focus on real risks.

Pro Tip: Automate periodic scans of high-volume logs for proactive threat hunting, turning raw data into actionable insights.

Use Case: Protect and Respond to Threats

Deploy ThreatCheck in defensive workflows, such as email filtering, to block or quarantine risks before they impact your network.

Step-by-Step Integration

  • During inbound email processing, extract sender domains or IPs and query the API.

  • Send the request with the indicator.

  • If is_listed: true, route the email to quarantine, block it, or flag it for manual review.

  • If false, allow delivery to maintain smooth operations.

Pro Tip: Combine with endpoint protection tools for layered defense—e.g., block traffic from listed IPs at the firewall level.

Use Case: Proactive Scouting and Investigation

Leverage ThreatCheck for reconnaissance in high-volume scenarios, such as DNS-based checks during network reconnaissance or threat intel gathering.

Step-by-Step Integration

  • Configure DNS resolvers or scripts to handle queries against IOFA feeds via the API.

  • Batch indicators (e.g., from reconnaissance scans) and send requests.

  • If is_listed: true, prioritize for investigation—e.g., map infrastructure or alert on emerging threats.

  • If false, clear benign indicators to refine your scope.

This is ideal for SOC teams scouting ahead; use it in scripts for automated domain/IP vetting during vulnerability assessments.

For DNS-based setups in high-volume environments, configure systems to minimize HTTP overhead while still parsing responses efficiently. Always test integrations in a staging environment to ensure seamless operation.