# Malicious observable lookup

urlscan Pro - Look up how often an observable has been seen in malicious scan results,
along with first and last seen timestamps.

The type parameter selects what kind of observable to query:

- ip — Match scans by the IP address of the page server (e.g. 192.0.2.1).
- hostname — Match scans by the exact page hostname (e.g. www.example.com). Use this when you are interested in a specific host.
- domain — Match scans by the apex (registered) domain (e.g. example.com). This covers all subdomains under that domain, so a lookup for example.com will include scans for www.example.com, blog.example.com, etc. Use this for a broader view across an entire domain.
- url — Match scans by the exact page URL. The value must be URL-encoded (e.g. https%3A%2F%2Fexample.com%2F).

Endpoint: GET /api/v1/malicious/{type}/{value}
Version: 1.0.0
Security: apikeyAuth

## Path parameters:

  - `type` (string, required)
    The type of observable to look up.
    Enum: "ip", "hostname", "domain", "url"

  - `value` (string, required)
    The observable value. Format depends on type:
- ip: an IP address (e.g. 192.0.2.1)
- hostname: a fully qualified hostname (e.g. www.example.com)
- domain: an apex/registered domain (e.g. example.com)
- url: a URL-encoded URL (e.g. https%3A%2F%2Fexample.com%2Fpath)

## Response 200 fields (application/json):

  - `observable` (string)
    The observable that was looked up.

  - `type` (string)
    The type of observable.
    Enum: "ip", "hostname", "domain", "url"

  - `count` (integer)
    Number of times this observable has been seen in malicious scan results.

  - `firstSeen` (string,null)
    Timestamp when this observable was first seen in malicious scan results.

  - `lastSeen` (string,null)
    Timestamp when this observable was last seen in malicious scan results.