Threat Intelligence Lookup — IP & Domain Threat Brief

Incident triage latency grows when analysts manually chain IP reputation, Spamhaus, phishing, and DNSBL tools for every indicator. Aggregated briefs present correlated signals in one JSON or UI view — speeding decisions on block, monitor, or dismiss actions.

Aggregation does not replace human judgment. Conflicting signals — clean Spamhaus with high phishing score on typosquat — require contextual interpretation documented in escalation notes.

Domain path returns phishing object from hostname heuristics — riskScore, riskLevel, signals. dnsbl array shows DBL URIBL ZRD listing status. resolvedIp captures first IPv4 A record when present. ipThreat embeds malware IP checker output for that IPv4 including malwareListHits and infrastructure flags.

emailAuth summarizes SPF and DMARC presence from live DNS — authentication gaps compound distrust on already suspicious hostnames.

IP path merges handleReputation output — fraudScore, detections for DNSBL VPN proxy hosting botnet, blacklist list detail — with handleSpamhaus per-zone results. summary synthesizes fraud score and Spamhaus listed status in one sentence for ticket titles.

Use malware-ip-checker afterward when you need malwareListHits emphasis without fraud score noise.

Valid public domain labels route to domain brief even when input resembles hostnames without scheme. Bare IPv4 routes to IP brief. Invalid labels error before lookup. Clean host input strips URLs and paths before classification.

Subdomain typosquats like login-brand.example.com run domain path with full phishing heuristic analysis.

High phishing riskScore combined with DNSBL listing strongly suggests active campaign infrastructure. Medium phishing with clean DNSBL may indicate reconnaissance registration not yet used. Low phishing with DNSBL hit may reflect compromised legitimate site.

Document signal combinations in tickets rather than relying on summary alone.

When domain resolves to IPv4, ipThreat adds malware-oriented DNSBL and hosting context for hosting IP. CDN domains may show edge IP threat data unrelated to origin abuse.

Cross-check origin IP via origin-ip-finder when CDN obscures resolution when accurate ipThreat matters for takedown.

Each nested signal has a dedicated tool page with deeper SEO guidance and focused result fields. Threat intelligence lookup is the entry point — drill into ip-reputation-checker, spamhaus-lookup, phishing-domain-checker, or domain-blacklist-checker for remediation specifics.

API consumers may call individual actions when brief granularity suffices versus full merge payload size.

Paste indicators from phishing user reports into lookup before sandbox detonation. Blocklist concurrent requests during active campaigns by feeding lookup JSON into SOAR enrichment steps.

Archive brief JSON with ticket closure for metrics on indicator classes over time.

Threat intelligence on third-party indicators must align with organizational policy and law. This tool queries public DNS and data APIs — not intrusive port scanning. AUTHORIZED_PROBE disclaimer applies — investigate only indicators tied to legitimate security operations.

Do not use aggregated briefs for discriminatory profiling of users or automated punishment without review.

Threat actors rotate infrastructure quickly. Brief clean at T zero may list on DNSBL within hours post-campaign. Recheck at incident milestones and after public takedown actions.

Summaries compress state at query time — they are not continuous monitoring. Pair with SIEM correlation rules for persistence.