
Co-Occurrences for a Domain


This API method returns a list of co-occurrences for the specified domain. A co-occurrence is when two or more domains are accessed by the same users within a small window of time. Being a co-occurrence isn't necessarily a bad thing; legitimate sites co-occur with each other as a part of normal web activity. However, unusual or suspicious co-occurrences can provide additional information regarding attacks.

To determine co-occurrences for a domain, a small time window of traffic across all of our datacenters is taken. Then, we look at the sites that end users were visiting before and after the domain requested in the API call.

Sample query:

```text
curl -H "Authorization: Bearer %YourToken%" "https://investigate.api.umbrella.com/recommendations/name/malware.com.json"
```

### Parameter for input ###

| Field | Type | Description |
| --- | --- | --- |
| name | string | Domain name |

### Returned value for output if Success 200 ###

| Field | Type | Description |
| --- | --- | --- |
| pfs2 | array | Array of [domain name, scores] tuples. The values range between 0 and 1 and should not exceed 1. All co-occurrences of requests from client IPs are returned for the previous seven days whether the co-occurrence is suspicious or not. |
| found | boolean | Returns true if results are available. Nothing is returned if no results are available. |

**GET** https://investigate.api.umbrella.com/recommendations/name/name.json

REQUEST

```text
curl --include \
     --header "Authorization: Bearer %YourToken%" \
  https://investigate.api.umbrella.com/recommendations/name/{name}.json
```

RESPONSE *(HTTP 200, Content-Type: application/json)*

```json
{
  "pfs2": [
    [
      "download.example.com",
      0.9320288065469468
    ],
    [
      "query.example.com",
      0.06797119345305325
    ]
  ],
  "found": true
}
```
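
A client-side parser for the response documented above, as an added example (not code from the Umbrella documentation): it treats an empty body or a missing `found` as "no results" and rejects scores outside the documented 0 to 1 range. The function names, the allowlist and the `min_score` threshold are assumptions made for illustration.

```python
import json

# Constructed sample: the HTTP 200 response body shown on this page.
SAMPLE_BODY = """
{
  "pfs2": [
    ["download.example.com", 0.9320288065469468],
    ["query.example.com", 0.06797119345305325]
  ],
  "found": true
}
"""

def parse_cooccurrences(body):
    """Return [(domain, score), ...] sorted by score, highest first.

    An empty body or a missing/false "found" yields an empty list, because
    the page says nothing is returned when no results are available.
    """
    if not body or not body.strip():
        return []
    doc = json.loads(body)
    if not isinstance(doc, dict) or doc.get("found") is not True:
        return []
    pairs = []
    for entry in doc.get("pfs2", []):
        # Each entry must be a [domain name, score] tuple.
        if not (isinstance(entry, list) and len(entry) == 2):
            raise ValueError(f"malformed pfs2 entry: {entry!r}")
        domain, score = entry
        if (not isinstance(domain, str) or isinstance(score, bool)
                or not isinstance(score, (int, float))):
            raise ValueError(f"malformed pfs2 entry: {entry!r}")
        # Documented range is 0 to 1; anything else is a malformed response.
        if not 0 <= score <= 1:
            raise ValueError(f"score out of range for {domain}: {score}")
        pairs.append((domain.lower().rstrip("."), float(score)))
    return sorted(pairs, key=lambda p: p[1], reverse=True)

def triage(pairs, allowlist=frozenset(), min_score=0.5):
    """Keep co-occurring domains worth an analyst's look.

    allowlist and min_score are local assumptions, not API features: benign
    sites co-occur too, so known-good domains are dropped before review.
    """
    return [(d, s) for d, s in pairs if s >= min_score and d not in allowlist]
```
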