---
title: "Threat Check API Cases"
slug: "threatcheck-api-cases"
tags: ["Email Filtering", "SIEM Integration", "Threat Check API"]
updated: 2026-01-26T19:19:27Z
published: 2026-01-26T19:19:27Z
canonical: "help.silentpush.com/threatcheck-api-cases"
---

# Threat Check API Cases

The Threat Check API enables quick, reliable checks against Silent Push's Indicators of Future Attack (IOFA™) feeds. Integrate it into your workflows to gain actionable threat intelligence. Focused on our core use cases, **Insight** (visibility and analysis), **Defender** (protection and response), and **Reconnaissance** (proactive scouting), this guide shows simple ways to leverage the API. For all integrations, send a request with your user identifier key and an indicator, then parse the Boolean response to act accordingly.

## Prerequisites

To get started, ensure you have:

- An active Silent Push Enterprise subscription.
- A unique Access Key for authentication.
- Network access allowing outbound HTTPS requests to `https://api.threatcheck.silentpush.com/v1/`.

> [!NOTE]
> Your Access Key is masked by default for security.

![](https://cdn.document360.io/8e5460b3-9d96-4b01-8bb3-6591a4af3a8c/Images/Documentation/image(67).png)

### View Your Access Key

1. From your user icon in the Silent Push platform, select **Subscription**.
2. In the **Threat Check API** section, view or copy the provided access key.

## Implementation Basics

Follow these steps for any use case:

1. Copy your user identifier key from the **Subscription** page.
2. Use query parameters:
   - `t`: Set to `ip` (or other supported types like `domain`).
   - `d`: Set to `iofa` (data source).
   - `u`: Your user identifier key.
   - `q`: The target indicator (e.g., IP address).

   Example URL: `https://api.threatcheck.silentpush.com/v1/?t=ip&d=iofa&u=YOUR_KEY&q=192.168.1.10`
3. Check the `is_listed` field in the JSON:
   - `true`: Indicator is on an IOFA feed; take protective action.
   - `false`: Indicator is clean; proceed normally.
4. Based on the response, block, alert, or investigate.

### Example cURL Request

```plaintext
curl -X GET "https://api.threatcheck.silentpush.com/v1/?t=ip&d=iofa&u=12345&q=192.168.1.10"
```

### Example Response

```plaintext
{
  "query": "192.168.1.10",
  "is_listed": true,
  "listed_txt": "This IP is on the IOFA feed."
}
```
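
The request and response handling from the steps above, as an added Python example (not Silent Push's own code). The endpoint, query parameters and `is_listed` field are the ones shown on this page; the environment variable name `THREATCHECK_KEY` and the function names are assumptions.

```python
import json
import os
import urllib.parse
import urllib.request

API_BASE = "https://api.threatcheck.silentpush.com/v1/"  # endpoint from this page


def build_url(indicator, indicator_type="ip", key=None):
    """Build the lookup URL; urlencode() escapes the indicator and the key."""
    key = key or os.environ["THREATCHECK_KEY"]  # assumed variable name
    params = {"t": indicator_type, "d": "iofa", "u": key, "q": indicator}
    return API_BASE + "?" + urllib.parse.urlencode(params)


def redact(url):
    """Mask the u= value: the key travels in the query string, so raw URLs
    must not be written to logs or alert text."""
    parts = urllib.parse.urlsplit(url)
    query = [(k, "REDACTED" if k == "u" else v)
             for k, v in urllib.parse.parse_qsl(parts.query)]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))


def parse_verdict(body):
    """Return the Boolean is_listed value; raise ValueError on anything else."""
    data = json.loads(body)
    listed = data.get("is_listed") if isinstance(data, dict) else None
    if not isinstance(listed, bool):
        raise ValueError("response has no Boolean is_listed field")
    return listed


def check(indicator, indicator_type="ip", timeout=5):
    """Query the API. Network and parse errors propagate so the caller can
    decide how to treat an unknown verdict instead of assuming 'clean'."""
    url = build_url(indicator, indicator_type)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_verdict(resp.read().decode("utf-8"))
```

Indicators taken from logs or email headers are untrusted input; building the query with `urlencode()` keeps a crafted value from adding or overriding parameters.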

## Use Case: Gain Visibility and Analyze Threats

Use Threat Check for real-time insights into potential threats during log analysis or monitoring. For example, integrate with SIEM systems to enrich alerts with IOFA data.

### Step-by-Step Integration

- Configure a SIEM rule to extract indicators (e.g., IPs from firewall logs) and query the API.
- Send the request as described above.
- If `is_listed: true`, enrich the alert with details for deeper analysis, e.g., by correlating with other logs or triggering a dashboard update.
- If `false`, dismiss low-priority events to focus on real risks.

**Pro Tip:** Automate periodic scans of high-volume logs to enable proactive threat hunting and turn raw data into actionable insights.
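
A sketch of the enrichment step, added here as an example and not taken from Silent Push or any SIEM product. The log format, the internal ranges and the status labels are assumptions; `lookup` is any callable that performs the API request for one IP and returns the Boolean `is_listed` value.

```python
import ipaddress
import re

# Constructed firewall log lines (sample data, not from the page).
SAMPLE_LOGS = [
    "2026-01-26T10:00:01Z DENY src=203.0.113.7 dst=10.0.0.5 dport=443",
    "2026-01-26T10:00:02Z ALLOW src=192.168.1.10 dst=198.51.100.23 dport=53",
    "2026-01-26T10:00:03Z DENY src=203.0.113.7 dst=10.0.0.9 dport=22",
    "2026-01-26T10:00:04Z DENY src=999.1.1.1 dst=10.0.0.9 dport=22",
]
IP_RE = re.compile(r"\b(?:src|dst)=(\d{1,3}(?:\.\d{1,3}){3})\b")
# Ranges never sent to the external API (assumption: adjust to your network).
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def external_ips(lines):
    """Unique, valid, non-internal IPv4 addresses in first-seen order."""
    found = []
    for line in lines:
        for raw in IP_RE.findall(line):
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                continue  # malformed, e.g. 999.1.1.1
            if raw not in found and not any(ip in net for net in INTERNAL):
                found.append(raw)
    return found

def enrich(lines, lookup):
    """Label each line; lookup(ip) -> bool is called once per unique address."""
    verdicts = {}
    for ip in external_ips(lines):
        try:
            verdicts[ip] = lookup(ip)
        except Exception:
            verdicts[ip] = None  # lookup failed: unknown, not clean
    results = []
    for line in lines:
        seen = [verdicts[ip] for ip in IP_RE.findall(line) if ip in verdicts]
        if not seen:
            status = "not_checked"
        elif any(v is True for v in seen):
            status = "listed"
        elif any(v is None for v in seen):
            status = "unknown"
        else:
            status = "clean"
        results.append({"line": line, "iofa": status})
    return results
```

Deduplicating before the lookup keeps request volume down on noisy logs, and the separate `unknown` and `not_checked` labels keep an API outage or an internal-only event from being dismissed as clean.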

## Use Case: Protect and Respond to Threats

Deploy Threat Check in defensive workflows, such as email filtering, to block or quarantine risks before they impact your network.

### Step-by-Step Integration

- During inbound email processing, extract sender domains or IPs and query the API.
- Send the request with the indicator.
- If `is_listed: true`, route the email to quarantine, block it, or flag it for manual review.
- If `false`, allow delivery to maintain smooth operations.

**Pro Tip:** Combine with endpoint protection tools for layered defense—e.g., block traffic from listed IPs at the firewall level.
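
The sender-domain extraction and routing decision, as an added Python example that is not part of the original page or any mail gateway's API. The sample message, the function names and the choice to send unparseable senders and failed lookups to manual review are assumptions; `lookup` is any callable that queries the API with `t=domain` and returns the Boolean `is_listed` value.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed message (sample data, not from the page). The display name
# imitates a trusted address; only the real address part is checked.
SAMPLE_EMAIL = """\
From: "billing@trusted.example" <invoice@mail.bad-sender.example>
To: user@corp.example
Subject: Invoice

Please see attached.
"""


def sender_domain(raw_message):
    """Return the lower-cased domain of the single From address, or None."""
    msg = message_from_string(raw_message)
    addrs = getaddresses(msg.get_all("From", []))
    if len(addrs) != 1:
        return None  # missing or multiple senders: nothing reliable to check
    _display_name, addr = addrs[0]
    local, at, domain = addr.rpartition("@")
    if not (local and at and domain):
        return None
    return domain.lower().rstrip(".")


def route(raw_message, lookup):
    """Return 'quarantine', 'deliver' or 'review' for one inbound message."""
    domain = sender_domain(raw_message)
    if domain is None:
        return "review"
    try:
        listed = lookup(domain)
    except Exception:
        return "review"  # API unreachable: do not silently deliver
    return "quarantine" if listed else "deliver"
```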

## Use Case: Proactive Scouting and Investigation

Leverage Threat Check for reconnaissance in high-volume scenarios, such as DNS-based checks during network reconnaissance or threat intel gathering.

### Step-by-Step Integration

- Configure DNS resolvers or scripts to handle queries against IOFA feeds via the API.
- Batch indicators (e.g., from reconnaissance scans) and send requests.
- If `is_listed: true`, prioritize for investigation, e.g., map infrastructure or alert on emerging threats.
- If `false`, clear benign indicators to refine your scope.

This is ideal for SOC teams scouting ahead; use in scripts for automated domain/IP vetting during vulnerability assessments.

For DNS-based setups in high-volume environments, configure systems to minimize HTTP overhead while still parsing responses efficiently. Always test integrations in a staging environment to ensure seamless operation.

