About the IP Address View in Investigate

The Investigate IP address view includes a collection of data about an IP address: summary of key details, DNS resolution, Autonomous Systems (AS), associated samples, and recent detections. Investigate displays the IP Address view when you use the Smart Search and provide an IP address, or when you link to an IP address from the Domain View. When you search for an IP address, specify the entire IP address. We currently do not support the option to search for a subnet, for example, a /24 network.

Note: The Investigate API /search endpoint accepts an IP subnet.

Table of Contents


The IP Address summary provides the key details about an IP address: location, network, threats, security categories, links to integrated threat information, and an aggregate of malicious domains hosted on the IP grouped by security category.


Note: Watch for unexpected results when an IP address belongs to a content delivery network, or CDN. A malicious domain could potentially be hosted on any number of edge servers, depending on the requester's geographic location, load balancing at the CDN and the proxy cache time. As a result, searching for a single IP address belonging to a CDN may show that there are 0 malicious domains for that IP address because the content was being served on other, related IPs belonging to the CDN.

DNS Resolution

The DNS Resolution tab displays the list of domains associated with the IP address. The DNS Resolution view lists the domain name, type of record, and first seen and last seen dates.


Autonomous Systems

The Autonomous Systems (AS) tab lists the IP prefix, ASN of the IP address, and Network Owner Description. For more information about an ASN, click the link to the ASN.


Associated Samples

When you search for an IP, a domain, or URL, Umbrella Investigate lists any checksum samples associated with the destination. A sample is a type of file, or file-like object created by a process running in memory. Cisco Secure Malware Analytics receives and analyzes submitted file samples and integrates the checksums with Umbrella Investigate. Associated samples are additional file samples known to be related to the main sample.

Cisco Secure Malware Analytics retains checksum samples for one year. You may find that Umbrella Investigate previously listed a sample related to a destination. If Cisco Secure Malware Analytics no longer contains the sample associated with the destination, Investigate does not display the sample in the list of associated samples.

Note: Part of the functionality described for the Associated Samples feature of Investigate is only available for customers of both Cisco Secure Malware Analytics and Umbrella Investigate. For more information, contact [email protected].


The Associated Sample tab lists up to 10 results per page and includes the following information:

  • Threat Score—The score given to a particular sample based on the analysis performed by Cisco Secure Malware Analytics. A Threat Score is a measure of the amount of system weakening, obfuscation, persistence, modification, data exfiltration, and other behaviors which may be a threat to the host system’s integrity. It is intended as an overall threat indicator that can be used as a guide to the likelihood that a submission is malicious. The Threat Score is not an authoritative classification of good and bad software.
  • SHA-256 Signature—The SHA-256 checksum of the associated sample. You can use the checksum to pivot to the specific information about the sample.
  • AV Result—Antivirus results according to ClamAV. A sample can have more than one signature if it is possibly detected under more than one family of malware. A sample may also have no signatures associated.
  • File Type—The type of file associated with the checksum.
  • First Seen—The date when the sample was first seen by Umbrella.

Recent Detections


About the Sample View in Investigate < About the IP Address View in Investigate > About WHOIS Record Information