Retrieve IP Address Reputations

Endpoint URL: https://sage.cybereason.com/rest/download_v1/ip_reputation
Endpoint URI: download_v1/ip_reputation

Action: POST

Returns a list of all IP address reputations used by the Cybereason threat intelligence service.

This API is a legacy API and has been deprecated. For the most up-to-date IP address reputation information, use the API to check a specific IP addresses. For details on this API, see Get an IP Address Reputation.

Request Headers

You must add an Content-Type:application/json header with the request.

Note

If you are using cURL, add the authorization cookie details or the path to the file with cookie details with every request.


Request Body

{}

Because this request uses a POST method, you must add a request body. Add only open and closed brackets without parameters between the brackets.


Request Parameters

URL/URI parameters: none

Request Body Parameters: none


Response Status Code

This request can return the following status codes:

  • 200: Success OK or an error message saying why


Response Success Schema

The response contains the following fields:

Field

Type

Description

ttl

Integer

Timestamp representing time the data is live.

ipReputationResponseList

Array

An object containing details on the IP address reputations.

requestKey

String

The specific IP address on which you want data.

ipAddress

String

The numerical IP address.

addressType

Enum

The format for the IP address. Possible values include:

  • Ipv4

  • Ipv6

aggregatedResult

Array

An object containing the details on the IP address reputation.

reputationSource

String

The source for the reputation classification.

reputationScore

Enum

The reputation score assigned to the IP address. Possible values include:

  • Malicious: Known to be malicious

  • Suspicious: High likelihood to be malicious but not completely sure

  • Good: Reputable reputation

  • Indifferent: Not known to be good or bad

  • Unknown: Not known to any reputation sources


Response Failure Schema

None


Important Response Fields

Important information is found in these fields:

  • ipReputationResponseList object: This object contains details on all the IP addresses you entered in the request. Ensure that each of the IP addresses has a separate entry in this object.

  • ipAddress: The specific IP address about which you requested threat intelligence.

  • addressType: The IP version (either version 4 or version 6) for the requested IP address.

  • reputationSource: The source used to assign a reputation to this IP address.

  • reputationScore: The classification assigned to this IP address.


Example: Retrieve a list of IP address reputations

Request

curl --request POST \
    --url https://sage.cybereason.com/rest/download_v1/ip_reputation \
    --header 'Content-Type:application/json' \
    --data '{}'

Response

Note

This is a partial response, shortened to show the key fields. Your actual response will be much longer and contain all product classifications.

{
    "requestKey": null,
    "ttl": 0,
    "ipReputationResponseList": [
        {
            "requestKey": {
                "ipAddress": "176.123.26.4",
                "addressType": "Ipv4"
            },
            "ttl": 86400000,
            "aggregatedResult": {
                "reputationSource": "TOR blocklist",
                "reputationScore": "Malicious"
            }
        },
        {
            "requestKey": {
                "ipAddress": "5.196.66.241",
                "addressType": "Ipv4"
            },
            "ttl": 86400000,
            "aggregatedResult": {
                "reputationSource": "TOR blocklist",
                "reputationScore": "Malicious"
            }
        }
    ]
}