Get a Domain Reputation

Endpoint URL: https://sage.cybereason.com/rest/classification_v1/domain_batch
Endpoint URI: classification_v1/domain_batch

Action: POST

Returns details on domain reputations based on the Cybereason threat intelligence service.

Request Headers

You must add a Content-Type: application/json header to the request.

Note

If you are using cURL, add the authorization cookie details or the path to the file with cookie details with every request.


Request Body

Input: JSON

{
    "requestData": [
        {
            "requestKey": {
                "domain": "<domain name>"
            }
        }
    ]
}

Request Parameters

URL/URI parameters: none

Request Body Parameters: The request contains the following fields/parameters. Required parameters are marked in bold.

| Parameter | Type | Description |
|---|---|---|
| requestData | Array | An object that holds the list of items about which to return domain reputation data. |
| requestKey | Array | An object containing the domain value on which you want to view threat intelligence data. You must add an md5 or sha1 field in this object. |
| domain | String | The full domain name of the domain on which you want to return reputation information. |


Response Status Code

This request can return the following status codes:

  • 200: Success OK or an error message saying why


Response Success Schema

The response contains the following fields:

| Field | Type | Description |
|---|---|---|
| classificationResponses | Array | An object containing details on the domain reputation. |
| requestKey | Array | An array containing domain names |
| domain | String | The domain name for which you are requesting reputation information. |
| ttl | Integer | Timestamp representing time the data is live. |
| aggregatedClassification | Array | An object containing the classification details on the domain requested. |
| maliciousClassification | Array | An object containing malicious classification details on the domain requested. |
| type | Enum | The malicious classification type for the domain. Possible values include: ransomware, maltool, unwanted, malware, whitelist, indifferent, unknown, no_type_found, blacklist |
| classificationScore | Integer | The internal numerical value used by Cybereason threat intelligence service to evaluate the malicious nature of an indicator. A score of -1 indicates a suspicious or malicious classification. |
| typeScore | Integer | The internal numerical value used by the Cybereason threat intelligence service for the type assigned to the file. |
| source | String | The source of the threat intelligence classification. |
| link | String | The link to the source of the threat intelligence that provides the reputation for this domain. |
| firstSeen | Integer | A timestamp (in epoch) when the domain was first seen by the Cybereason platform. |
| allowFurtherClassification | Boolean | Indicates whether additional classification for the domain is possible. |
| cpId | Integer | A unique numerical ID created for the classification. |
| cpType | Enum | The type of classification, based on the decision of classification. Possible values include: TOKEN, SAGE_API, SAGE_GLOBAL, CUSTOMER_CLASSIFICATION, AV_REPORTED |
| lastUploadTimestamp | Integer | A timestamp (in epoch) when the information was last updated on the Threat Intel Server. |


Response Failure Schema

None


Important Response Fields

Important information is found in these fields:

  • classificationResponses object: An object containing details on all the domains you added in the request body.

  • domain: The domain name.

  • type: The classification for the domain.

  • source: The source used to make the classification.

  • link: The link to learn more about the domain classification.


Example: Get the reputation for a domain

Request

curl --request POST \
    --url https://sage.cybereason.com/rest/classification_v1/domain_batch \
    --header 'Content-Type:application/json' \
    --data '{
        "requestData": [
            {
                "requestKey": {
                    "domain": "www.cybereason.com"
                }
            }
        ]
    }'

Response

{
    "classificationResponses": [
        {
            "requestKey": {
                "domain": "www.cybereason.com"
            },
            "ttl": 52388991,
            "aggregatedResult": {
                "maliciousClassification": {
                    "type": "indifferent",
                    "classificationScore": -1,
                    "typeScore": -1,
                    "source": "VirusTotal"
                },
                "link": "https://www.virustotal.com/en/domain/www.cybereason.com/information",
                "firstSeen": 1481719121821
            },
            "allowFurtherClassification": true,
            "cpId": 2,
            "cpType": "VIRUS_TOTAL"
        }
    ]
}
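
The following is an added example, not Cybereason's own code: a small Python client that builds the batch request body for several domains and flattens the response into the fields listed under Important Response Fields. The function names, the `ALERT_TYPES` policy set, the `Cookie` header used for the authorization cookie, and the `SAMPLE` data are assumptions made for illustration.

```python
import json
import urllib.request

URL = "https://sage.cybereason.com/rest/classification_v1/domain_batch"
# Assumption: which documented "type" values raise an alert is a local policy choice.
ALERT_TYPES = {"ransomware", "maltool", "unwanted", "malware", "blacklist"}

# Constructed sample: the page's response shape plus two constructed edge cases.
SAMPLE = {"classificationResponses": [
    {"requestKey": {"domain": "www.cybereason.com"},
     "aggregatedResult": {
         "maliciousClassification": {"type": "indifferent", "classificationScore": -1,
                                     "source": "VirusTotal"},
         "link": "https://www.virustotal.com/en/domain/www.cybereason.com/information"}},
    {"requestKey": {"domain": "bad.example"},
     "aggregatedClassification": {"maliciousClassification": {"type": "malware"}}},
    {"requestKey": {"domain": "empty.example"}}]}


def build_body(domains):
    """One requestKey object per unique domain (lower-cased, trailing dot removed)."""
    names = dict.fromkeys(d.strip().rstrip(".").lower() for d in domains)
    return {"requestData": [{"requestKey": {"domain": n}} for n in names if n]}


def parse_response(payload):
    """Flatten classificationResponses into one summary row per domain."""
    if not isinstance(payload, dict):  # a 200 reply may carry an error message instead
        return []
    rows = []
    for item in payload.get("classificationResponses") or []:
        # Schema table says aggregatedClassification, sample says aggregatedResult; accept both.
        agg = item.get("aggregatedResult") or item.get("aggregatedClassification") or {}
        mal = agg.get("maliciousClassification") or {}
        # Alert on type, not score: the page's sample pairs score -1 with "indifferent".
        ctype = mal.get("type", "unknown")
        rows.append({"domain": (item.get("requestKey") or {}).get("domain"),
                     "type": ctype, "source": mal.get("source"),
                     "link": agg.get("link"), "alert": ctype in ALERT_TYPES})
    return rows


def query(domains, cookie):
    """POST the batch. Assumption: the authorization cookie goes in a Cookie header."""
    req = urllib.request.Request(
        URL, data=json.dumps(build_body(domains)).encode(), method="POST",
        headers={"Content-Type": "application/json", "Cookie": cookie})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_response(json.load(resp))
```

`parse_response(SAMPLE)` runs offline; `query()` is the only function that touches the network.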