DIResearch API | Domain Intelligence Docs

Endpoints

GET /v1/diresearch

List Domain Intelligence research hosts by time window.

GET /v1/diresearch/{host}

Check one Domain Intelligence research host over the same time window.

Authentication

Use a client API key assigned to the diresearch API group. Keys are bearer secrets and should never be sent in URLs, logs, or screenshots.

Authorization: Bearer <api-key>

Use X-API-Key for clients that require header-key auth.

X-API-Key: <api-key>

Example request

curl --compressed \
  -H "Authorization: Bearer <api-key>" \
  "https://api.domainintelligence.uk/v1/diresearch?window_days=14&page=1&limit=100"

Query parameters

Name	Type	Default	Notes
`host`	string	none	Optional list filter. Lowercased and trimmed. A trailing dot is removed.
`window_days` or `windowDays`	integer	`14`	Positive integer, maximum `90`. Uses UTC midnight boundaries.
`start_at` or `startAt`	timestamp or date	none	Must be sent with `end_at`. Accepts RFC3339, RFC3339Nano, or `YYYY-MM-DD`.
`end_at` or `endAt`	timestamp or date	none	Must be after `start_at`. Custom periods are limited to 90 days.
`page`	integer	`1`	Positive page number.
`limit`	integer	`100`	Positive integer, maximum `5000`.

FeedRow schema

Field	Type	Notes
`feedType`	string	Export feed category: `c2`, `distribution`, or `unknown`.
`reviewStatus`	string	Host status, normally `allow` or `auto_allow`.
`host`	string	Domain or IP host.
`sources`	string array	Source labels observed for the host in the selected window. Values are `malwareSample`, `OSINT`, and `Manual`. A host can have more than one source.
`families`	string array	Normalized family names.
`seenAt`	timestamp	Latest activity timestamp used for ordering and window filters.
`firstSeen`	timestamp, optional	First available activity timestamp for the host.
`lastSeen`	timestamp, optional	Last available activity timestamp for the host.
`ports`	FeedPort array	Port-level sample groups when present.
`dnsStatus`	string, optional	Current DNS disposition.
`resolvedIps`	string array	Resolved IP addresses known for the host.
`country`	string, optional	Country from network enrichment data.
`asn`	integer, optional	ASN number when known.
`asOrg`	string, optional	ASN organization when known.
`infraType`	string, optional	Infrastructure type when known.
`DNSHits`	integer	30-day DNS block count.
`circlHits`	integer	Passive DNS total count.

Nested schemas

FeedPort {
  "port": 443,
  "families": [FeedPortFamily]
}

FeedPortFamily {
  "family": "loader",
  "samples": [FeedSample]
}

FeedSample {
  "sha256": "0123456789abcdef...",
  "firstSeen": "2026-06-18T13:12:10Z",
  "lastSeen": "2026-06-19T23:29:02Z"
}

Pagination schema

{
  "page": 1,
  "limit": 100,
  "prev_page": 0,
  "next_page": 2,
  "has_prev": false,
  "has_next": true,
  "total_rows": 417,
  "total_pages": 5,
  "start_row": 1,
  "end_row": 100,
  "approximate_total": false
}

Response examples

List response

{
  "rows": [
    {
      "feedType": "unknown",
      "reviewStatus": "allow",
      "host": "example-diresearch.test",
      "sources": ["malwareSample", "OSINT"],
      "families": ["loader"],
      "seenAt": "2026-06-19T23:29:02Z",
      "firstSeen": "2026-06-18T13:12:10Z",
      "lastSeen": "2026-06-19T23:29:02Z",
      "ports": [
        {
          "port": 443,
          "families": [
            {
              "family": "loader",
              "samples": [
                {
                  "sha256": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
                  "firstSeen": "2026-06-18T13:12:10Z",
                  "lastSeen": "2026-06-19T23:29:02Z"
                }
              ]
            }
          ]
        }
      ],
      "dnsStatus": "blocked",
      "resolvedIps": ["203.0.113.10"],
      "country": "US",
      "asn": 64500,
      "asOrg": "Example Network",
      "infraType": "hosting",
      "DNSHits": 52,
      "circlHits": 18
    }
  ],
  "pagination": {
    "page": 1,
    "limit": 100,
    "prev_page": 0,
    "next_page": 2,
    "has_prev": false,
    "has_next": true,
    "total_rows": 417,
    "total_pages": 5,
    "start_row": 1,
    "end_row": 100,
    "approximate_total": false
  },
  "filters": {
    "windowDays": 14,
    "startAt": "2026-06-06T00:00:00Z",
    "endAt": "2026-06-20T00:00:00Z",
    "page": 1,
    "limit": 100
  }
}

Host lookup response

{
  "host": "example-diresearch.test",
  "found": true,
  "row": {
    "feedType": "unknown",
    "reviewStatus": "allow",
    "host": "example-diresearch.test",
    "sources": ["Manual"],
    "families": ["loader"],
    "seenAt": "2026-06-19T23:29:02Z",
    "ports": [],
    "resolvedIps": [],
    "DNSHits": 0,
    "circlHits": 0
  },
  "filters": {
    "host": "example-diresearch.test",
    "windowDays": 14,
    "startAt": "2026-06-06T00:00:00Z",
    "endAt": "2026-06-20T00:00:00Z",
    "page": 1,
    "limit": 1
  }
}

Error responses

{
  "error": {
    "code": "validation_error",
    "message": "limit must be 5000 or less",
    "request_id": "optional-request-id"
  }
}

Status	Code	Meaning
`400`	`validation_error`	A query parameter or host value is invalid.
`401`	`missing_auth` or `bad_auth`	The API key is missing or invalid.
`403`	`forbidden`	The API key needs the `diresearch` group.
`404`	`not_found`	No host matched the selected window.
`405`	`method_not_allowed`	Use a listed HTTP method for the endpoint.
`500`	`internal_error`	The API failed to complete the request.