{"_id":"581a1c4d9d2fee0f005a2f5b","__v":0,"version":{"_id":"5615790d0f5ed00d00483dd4","__v":6,"project":"5615790c0f5ed00d00483dd1","createdAt":"2015-10-07T19:57:01.307Z","releaseDate":"2015-10-07T19:57:01.307Z","categories":["5615790d0f5ed00d00483dd5","56157b2af432910d0000f9fe","56157cfb0f5ed00d00483ddb","562684d95db46b1700fd4f48","573b7ea9ef164e2900a2b8ff","582e285d8373c20f00810608"],"is_deprecated":false,"is_hidden":false,"is_beta":false,"is_stable":true,"codename":"","version_clean":"1.0.0","version":"1.0"},"category":{"_id":"5615790d0f5ed00d00483dd5","__v":19,"pages":["5615790e0f5ed00d00483dd7","561d48e46386060d00e06003","561d48fe31d9630d001eb5bd","561d49b657165b0d00aa5d8b","561d4a879463520d00cd11e2","561d67f48ca8b90d00210234","561d6a0bf0cff80d00ca22c3","561d6c5b071cd60d000d3221","562f9c2543c5570d001fe6bd","56311c99eae7ef0d00270e3d","56311d6702aff217007dba23","56311f96f1c0580d00fac719","563120b7242cda1900198b79","5631229bf1c0580d00fac721","563131559ead230d00a188f6","563134a324014b0d00bd9a4f","5631392082d96a0d00b0fb1d","56313c584b36120d00fdebfb","5642658ef424a10d00118360"],"project":"5615790c0f5ed00d00483dd1","version":"5615790d0f5ed00d00483dd4","sync":{"url":"","isSync":false},"reference":false,"createdAt":"2015-10-07T19:57:01.871Z","from_sync":false,"order":0,"slug":"opendns-investigate-rest-api","title":"Umbrella Investigate REST API"},"project":"5615790c0f5ed00d00483dd1","user":"560b40145148ba0d009bd0b5","parentDoc":null,"updates":[],"next":{"pages":[],"description":""},"createdAt":"2016-11-02T17:03:09.287Z","link_external":false,"link_url":"","githubsync":"","sync_unique":"","hidden":false,"api":{"results":{"codes":[]},"settings":"","auth":"required","params":[],"url":""},"isReference":false,"order":17,"body":"The latest_domains endpoint shows whether the IP address you’ve entered as input has any known malicious domains associated with it.\n\nThe domains that appear when using this endpoint are those that currently exist in the Umbrella block list.\n\nThis endpoint will return an array with a single domain name for each domain associated with the IP, along with an id number that can be ignored.\n\nIf more than one domain is associated with the IP, more than one array is returned. If no domains are associated with the IP, the array is blank. The input must be formatted as a full IPv4 IP address.\n\nSample query:\n[block:code]\n{\n  \"codes\": [\n    {\n      \"code\": \"curl -H \\\"Authorization: Bearer %YourToken%\\\" \\\"https://investigate.api.umbrella.com/ips/218.23.28.135/latest_domains\\\"\",\n      \"language\": \"text\"\n    }\n  ]\n}\n[/block]\n### Parameter for input ###\n[block:parameters]\n{\n  \"data\": {\n    \"h-0\": \"Field\",\n    \"h-1\": \"Type\",\n    \"h-2\": \"Description\",\n    \"0-2\": \"IP Address to check for malicious domains\",\n    \"0-0\": \"ip\",\n    \"0-1\": \"string\"\n  },\n  \"cols\": 3,\n  \"rows\": 1\n}\n[/block]\n### Returned value for output if Success 200 ###\n[block:parameters]\n{\n  \"data\": {\n    \"h-0\": \"Field\",\n    \"h-1\": \"Type\",\n    \"h-2\": \"Description\",\n    \"0-0\": \"id\",\n    \"0-1\": \"integer\",\n    \"0-2\": \"id for domain, this should be ignored\",\n    \"1-0\": \"name\",\n    \"1-1\": \"string\",\n    \"1-2\": \"The block list domain associated with the IP\"\n  },\n  \"cols\": 3,\n  \"rows\": 2\n}\n[/block]\n\n[block:html]\n{\n  \"html\": \"<div class=\\\"api-code-block\\\">\\n  <div class=\\\"api-code-block__header\\\">\\n    <span class=\\\"api-code-block__header__label\\\">GET</span> https://investigate.api.umbrella.com/ips/ip/latest_domains\\n  </div>\\n  <div class=\\\"api-code-block__section\\\">\\n    <div class=\\\"api-code-block__section__header\\\">REQUEST</div>\\n    <pre>curl --include \\\\\\n     --header \\\"Authorization: Bearer %YourToken%\\\" \\\\\\nhttps://investigate.api.umbrella.com/ips/{ip}/latest_domains\\n    </pre>\\n  </div>\\n  <div class=\\\"api-code-block__section\\\">\\n    <div class=\\\"api-code-block__section__header\\\">RESPONSE <em>(HTTP 200, Content-Type: application/json)</em>\\n    </div>\\n    <pre>\\n[\\n  {\\n    \\\"id\\\": 22842894,\\n    \\\"name\\\": \\\"www.cxhyly.com\\\"\\n  },\\n  {\\n    \\\"id\\\": 22958747,\\n    \\\"name\\\": \\\"cxhyly.com\\\"\\n  }\\n]\\n    </pre>\\n  </div>\\n</div>\"\n}\n[/block]\n---\n[WHOIS Information for a Domain](https://docs.umbrella.com/developer/investigate-api/whois-information-for-a-domain-1/) < **Latest Malicious Domains for an IP** > [Threat Grid Integration (Cisco AMP Threat Grid)](https://docs.umbrella.com/developer/investigate-api/threat-grid-integration-cisco-amp-threat-grid/)","excerpt":"","slug":"latest-malicious-domains-for-an-ip-1","type":"basic","title":"Latest Malicious Domains for an IP"}

Latest Malicious Domains for an IP


The latest_domains endpoint shows whether the IP address you’ve entered as input has any known malicious domains associated with it. The domains that appear when using this endpoint are those that currently exist in the Umbrella block list. This endpoint will return an array with a single domain name for each domain associated with the IP, along with an id number that can be ignored. If more than one domain is associated with the IP, more than one array is returned. If no domains are associated with the IP, the array is blank. The input must be formatted as a full IPv4 IP address. Sample query: [block:code] { "codes": [ { "code": "curl -H \"Authorization: Bearer %YourToken%\" \"https://investigate.api.umbrella.com/ips/218.23.28.135/latest_domains\"", "language": "text" } ] } [/block] ### Parameter for input ### [block:parameters] { "data": { "h-0": "Field", "h-1": "Type", "h-2": "Description", "0-2": "IP Address to check for malicious domains", "0-0": "ip", "0-1": "string" }, "cols": 3, "rows": 1 } [/block] ### Returned value for output if Success 200 ### [block:parameters] { "data": { "h-0": "Field", "h-1": "Type", "h-2": "Description", "0-0": "id", "0-1": "integer", "0-2": "id for domain, this should be ignored", "1-0": "name", "1-1": "string", "1-2": "The block list domain associated with the IP" }, "cols": 3, "rows": 2 } [/block] [block:html] { "html": "<div class=\"api-code-block\">\n <div class=\"api-code-block__header\">\n <span class=\"api-code-block__header__label\">GET</span> https://investigate.api.umbrella.com/ips/ip/latest_domains\n </div>\n <div class=\"api-code-block__section\">\n <div class=\"api-code-block__section__header\">REQUEST</div>\n <pre>curl --include \\\n --header \"Authorization: Bearer %YourToken%\" \\\nhttps://investigate.api.umbrella.com/ips/{ip}/latest_domains\n </pre>\n </div>\n <div class=\"api-code-block__section\">\n <div class=\"api-code-block__section__header\">RESPONSE <em>(HTTP 200, Content-Type: application/json)</em>\n </div>\n <pre>\n[\n {\n \"id\": 22842894,\n \"name\": \"www.cxhyly.com\"\n },\n {\n \"id\": 22958747,\n \"name\": \"cxhyly.com\"\n }\n]\n </pre>\n </div>\n</div>" } [/block] --- [WHOIS Information for a Domain](https://docs.umbrella.com/developer/investigate-api/whois-information-for-a-domain-1/) < **Latest Malicious Domains for an IP** > [Threat Grid Integration (Cisco AMP Threat Grid)](https://docs.umbrella.com/developer/investigate-api/threat-grid-integration-cisco-amp-threat-grid/)