API Documentation
Comprehensive guides and API references for integrating AntiBait's email threat detection into your applications.
IOC Threat Graph
PremiumBuild relationship graphs for threat actor mapping and infrastructure visualization. Returns nodes and edges ready for graph visualization libraries.
API Endpoint
GET/api/iocs/graphQuery Parameters
iocValue: string (required)
// The IOC value to center the graph on
iocType?: string
// Filter by specific IOC type
depth?: number (default: 2, max: 3)
// Graph traversal depthResponse
{
"success": true,
"data": {
"nodes": [...],
"edges": [...]
},
"metadata": {
"totalNodes": number,
"totalEdges": number,
"depth": number
}
}Example Request
Request
GET /api/iocs/[email protected]&iocType=email&depth=2
Authorization: Bearer YOUR_API_KEYResponse
{
"success": true,
"data": {
"nodes": [
{
"id": "email:[email protected]",
"type": "email",
"value": "[email protected]",
"isMalicious": true,
"threatScore": 95,
"occurrenceCount": 47,
"firstSeen": "2025-10-15T08:20:00Z",
"lastSeen": "2025-11-03T10:30:00Z"
},
{
"id": "domain:evil.com",
"type": "domain",
"value": "evil.com",
"isMalicious": true,
"threatScore": 92,
"occurrenceCount": 52,
"firstSeen": "2025-10-15T08:20:00Z",
"lastSeen": "2025-11-03T10:30:00Z"
},
{
"id": "ip:203.0.113.1",
"type": "ip",
"value": "203.0.113.1",
"isMalicious": true,
"threatScore": 88,
"occurrenceCount": 38,
"firstSeen": "2025-10-20T12:00:00Z",
"lastSeen": "2025-11-02T18:45:00Z"
},
{
"id": "url:https://evil.com/phishing",
"type": "url",
"value": "https://evil.com/phishing",
"isMalicious": true,
"threatScore": 90,
"occurrenceCount": 31,
"firstSeen": "2025-10-18T14:30:00Z",
"lastSeen": "2025-11-01T16:20:00Z"
}
],
"edges": [
{
"id": "email:[email protected]_uses_domain-domain:evil.com",
"source": "email:[email protected]",
"target": "domain:evil.com",
"relationshipType": "email_uses_domain"
},
{
"id": "email:[email protected]_from_ip-ip:203.0.113.1",
"source": "email:[email protected]",
"target": "ip:203.0.113.1",
"relationshipType": "sent_from_ip"
},
{
"id": "url:https://evil.com/phishing-url_contains_domain-domain:evil.com",
"source": "url:https://evil.com/phishing",
"target": "domain:evil.com",
"relationshipType": "url_contains_domain"
}
]
},
"metadata": {
"totalNodes": 4,
"totalEdges": 3,
"depth": 2
}
}Node Structure
idstringUnique node identifier in format "type:value"
typestringIOC type (email, domain, ip, url, etc.)
valuestringThe actual IOC value
isMaliciousbooleanWhether the IOC is marked as malicious
threatScorenumberThreat score (0-100)
occurrenceCountnumberNumber of times this IOC has been observed
firstSeendatetimeTimestamp when IOC was first observed
lastSeendatetimeTimestamp when IOC was last observed
Edge Structure
idstringUnique edge identifier
sourcestringSource node ID (in format "type:value")
targetstringTarget node ID (in format "type:value")
relationshipTypestringType of relationship (e.g., "email_uses_domain", "sent_from_ip", "url_contains_domain")
Compatible Visualization Libraries
D3.js
Force-directed graphs and custom visualizations
Cytoscape.js
Network analysis and visualization
vis.js
Interactive network graphs
Sigma.js
Large-scale graph rendering
Use Cases
Visualize connections between attacker infrastructure and identify threat actor networks
Map malicious infrastructure to understand attack patterns and shared resources
Trace relationships during security incidents to discover related IOCs
Identify and block entire malicious infrastructure networks before they attack
This endpoint requires a valid API key. Include your API key in the Authorization header as a Bearer token.
Graph depth is limited to 3 levels to prevent excessive queries. For highly connected IOCs, start with depth=1 or depth=2 and expand selectively.
Need help integrating our API? Our support team is here to assist you.