Reputation

Review the basics of performing reputation checks with the IP Intel service

Use the /reputation endpoint to make an API call and return IP address details. You can create an API request to retrieve as few or as many details as you need for up to 100 IP addresses at a time.

API calls containing a single IP will return a 200 code and the results. When making an API call that includes multiple IPs, the response will be asynchronous and return a 202 instead of immediately returning the results. You will then need to poll for the results. For more information, visit our Asynchronous API response page.

Look up the reputation score of an IP

Retrieves the IP score (normalized by Pangea) for a specific IP or set of IPs. The score falls under one of these categories: benign, suspicious, malicious, or unknown. Based on it, you can determine the actions your application should take.

Use Case: Check the client IP of unauthenticated activities like file uploads, newsletter subscriptions, and account sign-ups.

POST /v2/reputation
curl -sSLX POST 'https://ip-intel.'"$PANGEA_DOMAIN"'/v2/reputation' \
-H 'Authorization: Bearer '"$PANGEA_INTEL_TOKEN" \
-H 'Content-Type: application/json' \
-d '{"ips":["93.231.182.110"]}'

Retrieve a detailed intelligence report for an IP

Returns a report containing provider-specific, detailed information related to the specified IP, in addition to the IP score.

POST /v2/reputation
curl -sSLX POST 'https://ip-intel.'"$PANGEA_DOMAIN"'/v2/reputation' \
-H 'Authorization: Bearer '"$PANGEA_INTEL_TOKEN" \
-H 'Content-Type: application/json' \
-d '{"provider":"crowdstrike","ips":["93.231.182.110"],"verbose":true,"raw":true}'

Tip: You can override the default provider by specifying another provider's name in the provider field when making an API request to the /reputation endpoint. This is helpful if your default provider returns a verdict of Unknown and you want a second opinion from another provider.

Understand and review results

The API response sent by IP Intel includes various fields and values; however, the ones listed below give you the most information about the disposition of an IP. To learn about more response fields, visit the IP Intel API Reference.

Based on the IP Intel API response, it’s evident that the IP you submitted is Malicious.

verdict

The normalized verdict category, as interpreted from the data returned by the third-party provider. There are four possible verdicts:

  • Benign - Confirmed as non-malicious

  • Suspicious - Associated with actions that are malicious

  • Malicious - Confirmed as malicious

  • Unknown - No data

score

The normalized score, as interpreted from the data returned by the third-party provider. Scores are associated with the verdict values listed above:

  • 0 = Benign

  • 1 - 99 = Suspicious

  • 100 = Malicious

  • -1 = Unknown

summary

A summary of the various categories associated with an IP address, which help illustrate why an IP received a particular verdict.

category

Indicates the category associated with the IP address (e.g. Adware, Malware). This field may return more than one category and may, at times, not be populated.

raw

Raw data returned by the provider you specified in the API request. You can investigate the raw data if it's meaningful to your use case or if you want to supply it to your users. You must set the raw field to true to receive this data.
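
The following added example (not Pangea's own code) shows one way an application could batch IPs within the 100-per-request limit and turn the score and verdict fields described above into a per-IP action. The function names, the action names, and the simplified result shape (a mapping of IP to its score and verdict) are assumptions; check the IP Intel API Reference for the actual response layout.

```python
import ipaddress

MAX_IPS = 100  # per-request limit stated on this page
SEVERITY = ["benign", "unknown", "suspicious", "malicious"]
# Hypothetical application policy; the action names are assumptions.
ACTIONS = {"benign": "allow", "unknown": "second_opinion",
           "suspicious": "challenge", "malicious": "block"}

def build_requests(ips, provider=None):
    """Validate, de-duplicate and split IPs into /reputation request bodies."""
    valid = []
    for ip in ips:
        try:
            canon = str(ipaddress.ip_address(ip.strip()))
        except ValueError:
            continue  # do not forward malformed client input
        if canon not in valid:
            valid.append(canon)
    bodies = []
    for i in range(0, len(valid), MAX_IPS):
        body = {"ips": valid[i:i + MAX_IPS]}
        if provider:
            body["provider"] = provider  # override the default provider
        bodies.append(body)
    return bodies

def verdict_for(score):
    """Score-to-verdict mapping from the table on this page."""
    if score == 0:
        return "benign"
    if score == 100:
        return "malicious"
    if isinstance(score, int) and 1 <= score <= 99:
        return "suspicious"
    return "unknown"  # -1, missing, or outside the documented range

def decide(results):
    """Map {ip: {"score": ..., "verdict": ...}} to one action per IP."""
    decisions = {}
    for ip, data in results.items():
        derived = verdict_for(data.get("score", -1))
        reported = str(data.get("verdict", "unknown")).lower()
        if reported not in SEVERITY:
            reported = "unknown"
        # If score and verdict disagree, act on the more severe one.
        decisions[ip] = ACTIONS[max(derived, reported, key=SEVERITY.index)]
    return decisions

# Constructed sample results (not real provider output).
SAMPLE = {"203.0.113.7": {"score": 100, "verdict": "malicious"},
          "198.51.100.4": {"score": -1, "verdict": "unknown"},
          "192.0.2.9": {"score": 0, "verdict": "Suspicious"}}
```

IPs that come back as `second_opinion` can be resubmitted through `build_requests` with a different `provider` value, as the tip above describes.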