Detection Playbooks

Hands-On Detection Engineering

Production-ready detection rules, step-by-step integration guides, and incident response playbooks—many wired to the public REST API at https://api.ismalicious.com.

Threat intelligence API

Endpoints used in these playbooks

Guides reference the same contract as our OpenAPI documentation. Try live calls in the API Playground, or read Bulk API and blocklist data product pages for context.

  • GET https://api.ismalicious.com/check

    Full threat analysis (query + optional enrichment level)

  • GET https://api.ismalicious.com/check/reputation

    Aggregated reputation counts (lighter than full /check)

  • GET https://api.ismalicious.com/bulk/check

    Plan limits and usage for batch lookups

  • POST https://api.ismalicious.com/bulk/check

    Batch domains, IPs, and URLs in one JSON request

  • GET https://api.ismalicious.com/blocklist/stats

    Entry counts and last-updated times (no auth)

  • GET https://api.ismalicious.com/blocklist/download/blocklist-ips-critical.txt

    Plain-text blocklists (plan-gated full vs sample)

Lightweight Reputation Checks vs Full Threat Analysis

Beginner | 15 min | 3 min | Mar 20, 2026

A clear decision tree for API calls: faster reputation polling for high-volume paths, full /check for triage, and narrow endpoints for geo or WHOIS-only questions.

Tags: isMalicious API, curl, Python
Author: Jean-Vincent QUILICHINI

Automating Malicious IP and Domain Blocklist Downloads

Beginner | 30 min | 3 min | Mar 18, 2026

A scheduled job that downloads the correct blocklist file for your plan, detects changes, and feeds only deltas into downstream controls, aligned with the public HTTP API.

Tags: isMalicious API, curl, bash, cron
Author: Jean-Vincent QUILICHINI

Bulk IOC Triage with the isMalicious Batch API

Beginner | 25 min | 3 min | Mar 15, 2026

A repeatable batch pipeline that classifies hundreds of IOCs per run with per-entity malicious flags, confidence, source counts, and categories, without hammering single-entity endpoints.

Tags: isMalicious API, curl, Python, CSV
Author: Jean-Vincent QUILICHINI

Phishing Domain Detection with Typosquatting Analysis

Intermediate | 60 min | 4 min | Mar 8, 2026

An automated daily scan that detects typosquatting domains targeting your brand, with live reputation checking and alerting when a suspicious domain becomes active.

Tags: Python, isMalicious API, dnstwist, Wazuh
Author: Jean-Vincent QUILICHINI

Blocking Malicious IPs with Firewall Automation

Beginner | 20 min | 4 min | Mar 5, 2026

A cron-driven pipeline that automatically blocks malicious IPs at the network edge, updated every 6 hours from live threat intelligence.

Tags: isMalicious API, Python, iptables, pfSense, AWS
Author: Jean-Vincent QUILICHINI

Enriching SIEM Alerts with isMalicious Threat Intel

Beginner | 30 min | 3 min | Mar 1, 2026

Every SIEM alert automatically enriched with threat reputation, category, and confidence score, cutting triage time by up to 60%.

Tags: Splunk, Elastic SIEM, isMalicious API, Python
Author: Jean-Vincent QUILICHINI

Detecting C2 Beacons with YARA Rules

Intermediate | 45 min | 6 min | Feb 17, 2026

A set of production-ready YARA rules that detect Cobalt Strike, Sliver, and Metasploit C2 beacons, integrated into your SIEM pipeline.

Tags: YARA, Splunk, Elastic, isMalicious API
Author: Jean-Vincent QUILICHINI

Frequently asked questions

Quick answers about playbooks and the isMalicious API.

What are isMalicious playbooks?

Step-by-step guides for security teams: detection rules (YARA, SIEM), incident response workflows, and integrations that call the public threat intelligence API at https://api.ismalicious.com. Each playbook includes copy-paste examples you can adapt.

How do I authenticate API calls in these guides?

Use the X-API-KEY header with a Base64-encoded string of your apiKey:apiSecret from the dashboard (Account → API). The same pattern is used across /check, /bulk/check, and blocklist downloads.

Where is the official API reference?

Interactive documentation and OpenAPI are at ismalicious.com/api-docs. You can also try requests in the API Playground at ismalicious.com/api/playground.

Do playbooks replace the web report or dashboard?

No. The dashboard and one-off reports are for analysts; playbooks show how to automate the same intelligence in your SIEM, firewalls, or scripts using the REST API.

Which API endpoints do the playbooks use?

Guides reference documented endpoints such as GET /check, GET /check/reputation, POST /bulk/check, GET /blocklist/stats, and GET /blocklist/download/(unknown). Exact URLs and parameters match the OpenAPI spec.

Are rate limits and plan tiers documented?

Yes. API access and monthly quotas depend on your subscription; the OpenAPI description summarizes burst and monthly limits. Use GET https://api.ismalicious.com/bulk/check to read your current bulk batch limits.
