
Providers

A "provider" is a third-party company that has partnered with Pangea to deliver its security capabilities, technology, or data through a new or enhanced Pangea service.

Supported data providers and use cases

Each provider cultivates data from different sources that yield different information. Some provider data sets and results may be more appropriate for your use case than others. Review each provider description carefully and pick one that best suits your requirements.

This section lists Pangea's supported providers, the endpoints associated with each provider, and the partner technologies used in those endpoints, and gives example use cases for these partner-powered Pangea services.

Provider | Endpoint | Partner documentation | Example use case
ReversingLabs

file-intel/v2/reputation

ReversingLabs File reputation service


This endpoint is powered by the ReversingLabs TitaniumCloud Reputation Service, which is a data set comprised of up-to-date threat classification and rich context on tens of billions of goodware and malware files. This provider is used to determine if a given file hash is known by ReversingLabs to be malicious. When using this provider, hashes for newly created files are not likely to be found in the data set.

  • Determine whether files you receive are known malware and reject them.

  • Determine whether files you receive are known safe and accept them.

  • Determine whether files you receive are suspicious - and decide whether and how to handle the risk.

ReversingLabs

file-scan/v1/scan

ReversingLabs Cloud Deep Scan


This endpoint is powered by the ReversingLabs Cloud Deep Scan technology. The scan uses unique ReversingLabs File Decomposition technology to extract detailed metadata, add global reputation context and classify threats. This endpoint is used to determine the likelihood that a file is malicious. Malware scanning can find previously known threats as well as some brand-new ones. When using this endpoint, files are uploaded and scanned by ReversingLabs. Results include a verdict and risk score that allow a user to decide if the uploaded file is malicious.

  • Determine whether a file you have received is considered malware. If a file has an unknown reputation, you can use File Scan service to determine malware risk and reject based on results.

DomainTools

domain-intel/v2/reputation

Domain Risk Score


This endpoint is powered by DomainTools Domain Risk Score. Drawing upon data points from more than 390 million current Internet domains, DomainTools Risk Score predicts how likely a domain is to be malicious, often before it is weaponized. The score comes from two distinct algorithms: Proximity and Threat Profile. Proximity evaluates the likelihood a domain may be part of an attack by analyzing how closely connected it is to other known-bad domains. Threat Profile leverages machine learning to model how closely a domain’s intrinsic properties resemble others used for spam, phishing, or malware. This endpoint is used to determine the likelihood that a domain is malicious. When using this endpoint, a Domain Risk Score is returned for all domains.

  • Reject creation of new user accounts from domains known to be malicious, or associated with spam.

  • Prevent users from posting content that links to a malicious domain.

  • Restrict sending/receiving emails from domains known to be malicious or of high risk.

CrowdStrike

file-scan/v1/scan

CrowdStrike File Analyzer SDK


This endpoint is powered by the CrowdStrike File Analyzer SDK. CrowdStrike’s File Analyzer SDK delivers in-depth context and rich data to inform. It leverages machine learning that is trained using tens of millions of files sourced from the CrowdStrike ecosystem. Its unique multi-threaded architecture and concise verdict values enable quick scan times and valuable outcomes. This endpoint is used to determine the likelihood that a file is malicious. When using this endpoint, files are first hashed and run against the Pangea File Intel/reputation endpoint with CrowdStrike as a provider. If the file is not known in the CrowdStrike dataset, the file is then scanned with the CrowdStrike File Analyzer.

  • Determine whether a file you have received is considered malware. If a file has an unknown reputation, you can use File Scan service to determine malware risk and reject based on results.

CrowdStrike

file-intel/v2/reputation

Falcon Intelligence


This endpoint is powered by CrowdStrike's Falcon Intelligence. Falcon Intelligence allows you to expand your defenses with real-time access to global indicators of compromise (IOC) delivered by CrowdStrike. Falcon Intelligence leverages data from endpoint protection. It takes context from antivirus, endpoint detection, and response alerts to reveal the "who, why, and how" behind endpoint attacks. This endpoint is used to determine if a file is associated with malware detected on an endpoint and therefore likely to also be malicious. When using this endpoint, if the given file is not associated with malware metadata detected by CrowdStrike, it will not appear in the data set.

  • Determine if uploaded files are known malware and reject them.

CrowdStrike

domain-intel/v2/reputation

Falcon Intelligence


This endpoint is powered by CrowdStrike's Falcon Intelligence. Falcon Intelligence allows you to expand your defenses with real-time access to global IOCs delivered by CrowdStrike. Falcon Intelligence leverages data from endpoint protection. It takes context from antivirus, endpoint detection, and response alerts revealing the "who, why, and how" behind endpoint attacks. This endpoint is used to determine if a domain is associated with malware detected on an endpoint and therefore likely to also be malicious. When using this endpoint, if the given domain is not associated with malware metadata detected by CrowdStrike, it will not appear in the data set.

  • Reject creation of new user accounts from domains known to be malicious, or associated with spam.

  • Prevent users from posting content that links to a malicious domain.

  • Restrict sending/receiving emails from domains known to be malicious or of high risk.

CrowdStrike

url-intel/v2/reputation

Falcon Intelligence


This endpoint is powered by CrowdStrike's Falcon Intelligence. Falcon Intelligence allows you to expand your defenses with real-time access to global IOCs delivered by CrowdStrike. Falcon Intelligence leverages data from endpoint protection. It takes context from antivirus, endpoint detection, and response alerts revealing the "who, why, and how" behind endpoint attacks. This endpoint is used to determine if a URL is associated with malware detected on an endpoint and therefore likely to also be malicious. When using this endpoint, if the given URL is not associated with malware metadata detected by CrowdStrike, it will not appear in the data set.

  • Detecting and redacting malicious URLs in text (forum posts, blogs, chat sessions, and so on).

  • Protect against transition to malicious sites or files.
CrowdStrike

ip-intel/v2/reputation

Falcon Intelligence


This endpoint is powered by CrowdStrike's Falcon Intelligence. Falcon Intelligence allows you to expand your defenses with real-time access to global IOCs delivered by CrowdStrike. Falcon Intelligence leverages data from endpoint protection. It takes context from antivirus, endpoint detection, and response alerts revealing the "who, why, and how" behind endpoint attacks. This endpoint is used to determine if an IP is associated with malware detected on an endpoint and therefore likely to also be malicious. When using this endpoint, if the given IP is not associated with malware metadata detected by CrowdStrike, it will not appear in the data set.

  • Reject connections from known malicious IPs.
  • Require additional authentication (MFA) for access from suspicious IPs.

Digital Element

ip-intel/v2/geolocate

NetAcuity


This endpoint is powered by Digital Element's NetAcuity dataset. The dataset's global accuracy is more than 99.9 percent at the country level and 97+ percent at a city level. NetAcuity provides coverage for 99.9999 percent of the internet and collects billions of points of view daily. This endpoint is used to determine the location of an IP address. When using this endpoint, reserved/private IPs will not return a location.

  • Validating user location and preventing "impossible travel" attacks.

  • Localize content and enhance analytics.
  • Detect and customize content for mobile users (ISP).
  • Target online advertising based on region.
  • Manage location-restricted digital rights.
Digital Element

ip-intel/v2/domain

Carrier Data


This endpoint is powered by Digital Element's Carrier Data Insights. IP ranges are allocated by the Regional Internet Registries. These ranges can then be suballocated to businesses or individuals. Digital Element examines all the allocation records for an IP range to find the parent owner for the IP range. This endpoint is used to determine the domain that owns a given IP address. When using this endpoint, reserved/private IPs will not be found in the data set.

  • Reject creation of new user accounts from domains known to be malicious, or associated with spam.

  • Prevent users from posting content that links to a malicious domain.

  • Restrict sending/receiving emails to/from domains known to be malicious or of high risk.

Digital Element

ip-intel/v2/vpn
ip-intel/v2/proxy

VPN and Proxy


These endpoints are powered by Digital Element's Proxy and VPN Detection. Proxy detection enables you to identify non-human traffic, control the distribution of online content, prevent online fraud, comply with legal/embargo restrictions, and more with the world’s most comprehensive and up-to-date proxy database. The VPN Proxy database provides additional insights about proxy hosts, helping clients address the problem of malicious IP masking and enabling them to have greater control over their online channels. These endpoints/providers are used to determine if an IP address is the source of VPN or Proxy traffic. When using either of these endpoints, a True or False response will be returned.

  • Detect and reject connections originating from a VPN, including the onion router (TOR) traffic.

  • Detect and reject connections originating from a proxy.
Team Cymru

ip-intel/v2/reputation

Team Cymru


This endpoint is powered by Team Cymru's IP Reputation and Bot detection dataset. This information is gathered through a number of methods, including malware analysis, observation of command and control (C&C) botnets that Team Cymru has uniquely decoded, and monitoring of dark IP space (darknets). Every IP in the feed receives an individual reputation score using several different categories of patterns observed over the past 30 days. This endpoint is used to determine if an IP is a bot, controller, or is otherwise associated with botnet traffic. When using this endpoint, only IPs that are known to be associated with botnets will return results other than unknown.

  • Reject known bots from connecting to or accessing services.
  • Block bot IPs from accessing streaming content or contributing towards viewership numbers.

SpyCloud

user-intel/v2/user/breached

Consumer ATO Prevention


This endpoint is powered by SpyCloud's consumer ATO Prevention API. SpyCloud researchers collect an estimated 12+ billion new breach assets per month, enabling you to determine when your customers’ data appears on the criminal underground, allowing your organization to act swiftly to lock bad actors out of compromised accounts. This endpoint is used to determine if an email, phone number, username, or IP Address has been in a breach. When using this endpoint, filtering can be used to only search for data that has been breached within a certain time range, such as since a user has last logged into an application.

  • Determine if a username, email, or phone was recently in a breach and force MFA or password changes.

  • Determine if a newly registering user was in a breach and restrict usage of already known breached passwords.

SpyCloud

user-intel/v2/password/breached

NIST Password Screening


This endpoint is powered by SpyCloud's NIST Password Screening API. Using this service, SpyCloud is able to protect against exact employee credentials exposed in third-party breaches; "fuzzy" credential matches, meaning a compromised password that has been reused with trivial changes; and any password that has appeared in the SpyCloud breach database, regardless of username. This service uses a process called k-anonymity to allow password hashes to be sent for analysis while still being secure. This endpoint is used to determine if a password hash was detected in a breach. When using this endpoint, the full password hash is not sent to the endpoint. Instead, only a prefix of the hash is sent, and the results must be matched to the exact hash, which protects anonymity.

  • Determine if a password is compliant and restrict usage of already breached or common passwords.

  • Determine if a password was in a breach and force MFA or password changes.

WhoisXML API

domain-intel/v2/whois

WhoisXML API

This endpoint is powered by the WhoisXML API provider. This endpoint allows a user to query the WhoisXML API dataset for data on a given domain, including domain name, registration date, expiration date, status (e.g., active, suspended, deleted), registrar, registrant information (e.g., name, address, email address), name servers, and updated date. In addition to this basic information, the WhoisXML API provider also returns a number of other data points, such as domain age, NS records, and WHOIS server. This endpoint is used to look up WHOIS information for a given domain. When using this endpoint, if a domain is not registered, it will return with a response showing that the domain is currently Available. Domains can still be registered through third-party companies for security, and will not always have accurate WHOIS information.

  • Determine if a domain has been recently created or has other suspicious registration issues.

  • Determine if the registrar of a domain is one you trust, or is one you find suspicious.
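
The prefix-then-exact-match flow described for the SpyCloud NIST Password Screening endpoint, as an added example that is not Pangea's or SpyCloud's code. SHA-256, the five-character prefix, and the in-memory `ConstructedBreachService` are assumptions standing in for the real service.

```python
import hashlib
import hmac

PREFIX_LEN = 5  # assumption: hex characters of the hash disclosed per lookup


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class ConstructedBreachService:
    """In-memory stand-in for a breach database (constructed sample data)."""

    def __init__(self, breached_passwords):
        self._hashes = {sha256_hex(p) for p in breached_passwords}
        self.seen_queries = []  # everything the "service" ever learns

    def lookup(self, hash_prefix: str):
        self.seen_queries.append(hash_prefix)
        return sorted(h for h in self._hashes if h.startswith(hash_prefix))


def is_breached(password, service, prefix_len=PREFIX_LEN):
    """Send only a hash prefix, then match the full hash on the client."""
    full_hash = sha256_hex(password)
    candidates = service.lookup(full_hash[:prefix_len])
    # A non-empty candidate list is not a verdict: many unrelated passwords
    # share a prefix. Only an exact full-hash match means "breached".
    return any(hmac.compare_digest(full_hash, c) for c in candidates)


def find_prefix_neighbour(password, prefix_len):
    """Construct a different string whose hash shares the first prefix_len chars."""
    target = sha256_hex(password)[:prefix_len]
    n = 0
    while not sha256_hex(f"candidate-{n}").startswith(target):
        n += 1
    return f"candidate-{n}"


if __name__ == "__main__":
    clean = "correct horse battery staple"
    neighbour = find_prefix_neighbour(clean, 2)  # short prefix keeps the search fast
    svc = ConstructedBreachService(["password123", neighbour])
    print(is_breached("password123", svc))        # exact hash is in the set
    print(is_breached(clean, svc, prefix_len=2))  # prefix collides, hash differs
    print(svc.seen_queries)                       # prefixes only
```

A shorter prefix hides the queried hash among more candidates but returns more data per lookup; the exact comparison always stays on the caller's side.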
