
Security Information for a Domain

The security information method returns multiple scores and security features, each of which supplies a data point for assessing the reputation or security risk of a site. No single feature is conclusive; read them in conjunction with one another as part of your research.

Sample query:

curl -H "Authorization: Bearer %YourToken%" "https://investigate.api.umbrella.com/security/name/example.com"

Input Parameters

Field | Type | Description
--- | --- | ---
name | string | domain name

Returned values on success (HTTP 200)

Field | Type | Description
--- | --- | ---
dga_score | float | Domain Generation Algorithm score: the likelihood that the domain name was generated by an algorithm rather than chosen by a human. It targets names created with an automated randomization strategy, a common evasion technique in malware kits and botnets. Ranges from -100 (suspicious) to 0 (benign).
perplexity | float | A second score for the likelihood that the name is algorithmically generated, on a scale from 0 to 100. Use it together with dga_score.
entropy | float | The number of bits required to encode the domain name, expressed as a score. Use it together with dga_score and perplexity.
securerank2 | float | Suspiciousness rank for a domain, based on the lookup behavior of the client IPs that query it. SecureRank is designed to identify hostnames requested by known-infected clients but never by clean clients, on the assumption that such domains are more likely to be malicious. Ranges from -100 (suspicious) to 100 (benign).
pagerank | float | Popularity according to Google's PageRank algorithm.
asn_score | float | ASN reputation score. Ranges from -100 (very suspicious) to 0.
prefix_score | float | Ranks the domain by the reputation of the IP prefixes it resolves to (an IP prefix here is the first three octets of an IPv4 address, i.e. a /24). Ranges from -100 (very suspicious) to 0.
rip_score | float | Ranks the domain by the reputation of the individual IP addresses it resolves to. Ranges from -100 (very suspicious) to 0.
fastflux | n/a | Deprecated on this endpoint. Use the ff_candidate feature in the DNS RR History endpoint instead.
popularity | float | The number of unique client IPs querying this domain, relative to all requests to all domains: a score of how many distinct client IPs go to this domain compared to others.
geodiversity | array | Per-country breakdown of client queries for the domain, as [country_code, ratio] pairs. Ratios are not normalized and fall between 0 and 1.
geodiversity_normalized | array | Per-country breakdown of client queries for the domain, as [country_code, ratio] pairs, normalized to a ratio between 0 and 1.
tld_geodiversity | array | TLD country-code geodiversity as a percentage of the clients visiting the domain. Populated mostly for domains with a ccTLD. Normalized ratio between 0 and 1.
geoscore | float | How far apart the different physical locations serving this name are from each other.
ks_test | float | Kolmogorov–Smirnov test on geodiversity. 0 means the client traffic matches what is expected for this TLD.
attack | string | The name of any known attack associated with this domain. Blank if no known threat is associated with the domain.
threat_type | string | The type of the known attack, such as botnet or APT. Blank if no known threat is associated with the domain.
found | boolean | true if security information is available for this domain.

GET https://investigate.api.umbrella.com/security/name/example.com

REQUEST

curl --include \
     --header "Authorization: Bearer %YourToken%" \
     https://investigate.api.umbrella.com/security/name/example.com

RESPONSE (HTTP 200, Content-Type: application/json)

{
  "dga_score": 38.301771886101335,
  "perplexity": 0.4540313302593146,
  "entropy": 2.5216406363433186,
  "securerank2": -1.3135141095601992,
  "pagerank": 0.0262532,
  "asn_score": -29.75810625887133,
  "prefix_score": -64.9070502788884,
  "rip_score": -75.64720536038982,
  "popularity": 25.335450495507196,
  "fastflux": false,
  "geodiversity": [
    ["UA", 0.24074075],
    ["IN", 0.018518519]
  ],
  "geodiversity_normalized": [
    ["AP", 0.3761535390278368],
    ["US", 0.0005015965168831449]
  ],
  "tld_geodiversity": [],
  "geoscore": 0,
  "ks_test": 0,
  "attack": "",
  "threat_type": "",
  "found": true
}
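As an added example (not Cisco's code, nor anything from the Investigate documentation), the script below fetches the security information for a domain with only the Python standard library and then applies the advice above: it reads the features together and reports which ones fired rather than treating any one as conclusive. The thresholds, the verdict labels and the UMBRELLA_INVESTIGATE_TOKEN environment variable are assumptions. The sample input is the example.com response reproduced above; note that its dga_score of 38.3 lies outside the documented -100 to 0 range, so the DGA branch does not fire on it. The domain is percent-encoded before it is placed in the URL path, which matters when names are taken from logs or user input rather than typed by an analyst.

```python
"""Triage helper for the Investigate security-information response.

Added example (not Cisco's code). The thresholds are illustrative assumptions,
not values documented by the API; tune them against your own data.
"""
import json
import os
import urllib.parse
import urllib.request
from typing import Optional

API_BASE = "https://investigate.api.umbrella.com"

# Illustrative thresholds (assumptions, not documented by Umbrella).
DGA_SUSPICIOUS = -50.0         # dga_score: -100 (suspicious) .. 0 (benign)
INFRA_SUSPICIOUS = -50.0       # asn/prefix/rip scores: -100 (suspicious) .. 0
SECURERANK_SUSPICIOUS = -10.0  # securerank2: -100 (suspicious) .. 100 (benign)


def fetch_security_info(domain: str, token: Optional[str] = None) -> dict:
    """GET /security/name/{domain}. The name is percent-encoded so that a
    domain taken from logs or user input cannot smuggle extra path segments
    or a query string into the request URL. The token comes from the
    environment (UMBRELLA_INVESTIGATE_TOKEN is an assumed variable name)."""
    token = token or os.environ["UMBRELLA_INVESTIGATE_TOKEN"]
    url = f"{API_BASE}/security/name/{urllib.parse.quote(domain, safe='')}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def triage(info: dict) -> dict:
    """Turn the individual features into a verdict plus the reasons behind it.
    No single feature is treated as conclusive; the reasons list shows which
    signals fired so an analyst can weigh them together."""
    if not info.get("found"):
        return {"verdict": "unknown", "reasons": ["no security data for this domain"]}

    reasons = []
    known_threat = bool(info.get("attack") or info.get("threat_type"))

    # Known-threat labels are the strongest signal; both fields are blank
    # when no threat is associated with the domain.
    if known_threat:
        reasons.append(
            f"known threat: {info.get('attack') or '?'} "
            f"(type: {info.get('threat_type') or '?'})"
        )

    # Lexical signals: dga_score is read together with perplexity and entropy.
    dga = info.get("dga_score")
    if dga is not None and dga <= DGA_SUSPICIOUS:
        reasons.append(
            f"dga_score {dga:.1f} (perplexity {info.get('perplexity')}, "
            f"entropy {info.get('entropy')})"
        )

    # Hosting reputation: ASN, /24 prefix and the individual resolved IPs.
    for key in ("asn_score", "prefix_score", "rip_score"):
        val = info.get(key)
        if val is not None and val <= INFRA_SUSPICIOUS:
            reasons.append(f"{key} {val:.1f}")

    # Client-behaviour signal: requested by infected clients, not by clean ones.
    sr = info.get("securerank2")
    if sr is not None and sr <= SECURERANK_SUSPICIOUS:
        reasons.append(f"securerank2 {sr:.1f}")

    # "fastflux" is deprecated on this endpoint, so it is deliberately ignored;
    # use ff_candidate from the DNS RR History endpoint instead.

    if known_threat:
        verdict = "known_threat"
    elif reasons:
        verdict = "review"
    else:
        verdict = "no_strong_signals"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample: the example.com response shown on this page, minus the
# geodiversity arrays, which triage() does not use.
SAMPLE_INFO = {
    "dga_score": 38.301771886101335, "perplexity": 0.4540313302593146,
    "entropy": 2.5216406363433186, "securerank2": -1.3135141095601992,
    "pagerank": 0.0262532, "asn_score": -29.75810625887133,
    "prefix_score": -64.9070502788884, "rip_score": -75.64720536038982,
    "popularity": 25.335450495507196, "fastflux": False,
    "geoscore": 0, "ks_test": 0, "attack": "", "threat_type": "", "found": True,
}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_INFO), indent=2))
```

Run the file directly to print the verdict for the constructed sample (the poor prefix_score and rip_score push it to "review" while the ASN score and securerank2 stay above the cut-offs); call fetch_security_info("example.com") with a real token to triage a live domain. Because the deprecated fastflux field is ignored, pair this with the ff_candidate feature from the DNS RR History endpoint if fast-flux detection matters for your case.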
    

Risk Score for a Domain

The Umbrella Investigate Risk Score is based on an analysis of the lexical characteristics of the domain name and patterns in queries and requests to the domain. It is scaled from 0 to 100, with 100 being the highest risk and 0 being no risk at all. Periodically Umbrella updates this score based on additional inputs. A domain blocked by Umbrella receives a score of 100.

For more details about the risk score and the sub scores, refer to Domain Summary.

Sample query:

curl -H "Authorization: Bearer %YourToken%" "https://investigate.api.umbrella.com/domains/risk-score/[domain_name]"

Input Parameters

Field | Type | Description
--- | --- | ---
domain_name | string | domain name

Returned Value

Field | Type | Description
--- | --- | ---
risk_score | integer | The risk score for the domain, from 0 (no risk) to 100 (highest risk).
indicators | array | Array of {indicator, normalized_score, score} objects. Each element is a behavioral or lexical feature that contributes to the calculation of the risk score. normalized_score ranges between 0 and 100; score is the raw outcome of the statistical algorithm and is not bounded the same way (in the sample below it exceeds 100 for the popularity indicators and is a boolean for Umbrella Block Status).

Sample Response

{
  "indicators": [
    {"indicator": "Geo Popularity Score", "normalized_score": 2, "score": -3.610878169999999},
    {"indicator": "Keyword Score", "normalized_score": 3, "score": 0.03586190445512534},
    {"indicator": "Lexical", "normalized_score": 52, "score": 0.525},
    {"indicator": "Popularity 1 Day", "normalized_score": 100, "score": 113.14},
    {"indicator": "Popularity 30 Day", "normalized_score": 100, "score": 112.01},
    {"indicator": "Popularity 7 Day", "normalized_score": 100, "score": 112.86},
    {"indicator": "Popularity 90 Day", "normalized_score": 100, "score": 111.4},
    {"indicator": "TLD Rank Score", "normalized_score": 1, "score": 0.010000315765229171},
    {"indicator": "Umbrella Block Status", "normalized_score": 0, "score": false}
  ],
  "risk_score": 4
}
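As an added example (not Cisco's code), the following validates and summarises a risk-score response before it is stored or displayed: it enforces the documented shape of each indicator (a name, a normalized_score in 0..100 and a raw score), separates the boolean Umbrella Block Status indicator from the numeric ones, ranks the numeric contributors, and checks the rule stated above that a domain blocked by Umbrella carries a risk score of 100. The field names and the indicator name "Umbrella Block Status" come from the sample response above; the top_n default and the warning texts are assumptions.

```python
"""Validate and summarise an Investigate risk-score response.

Added example (not Cisco's code). Field names follow the documented response;
the warning strings and the top_n default are assumptions.
"""
from typing import Any, Dict, List, Tuple

BLOCK_INDICATOR = "Umbrella Block Status"


def validate_indicator(entry: Dict[str, Any]) -> Tuple[str, int, Any]:
    """Return (indicator, normalized_score, score), rejecting entries that do
    not match the documented shape so malformed data never reaches a report."""
    name = entry["indicator"]
    norm = entry["normalized_score"]
    score = entry["score"]
    if not isinstance(name, str) or not name:
        raise ValueError("indicator name must be a non-empty string")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(norm, bool) or not isinstance(norm, int) or not 0 <= norm <= 100:
        raise ValueError(f"{name}: normalized_score {norm!r} outside 0..100")
    return name, norm, score


def summarize(resp: Dict[str, Any], top_n: int = 3) -> Dict[str, Any]:
    """Produce the overall score, the block status, the strongest numeric
    contributors and any consistency warnings for the response."""
    risk = resp["risk_score"]
    if isinstance(risk, bool) or not isinstance(risk, int) or not 0 <= risk <= 100:
        raise ValueError(f"risk_score {risk!r} outside 0..100")

    blocked = None
    numeric: List[Tuple[str, int, float]] = []
    for entry in resp["indicators"]:
        name, norm, score = validate_indicator(entry)
        if name == BLOCK_INDICATOR:
            blocked = bool(score)  # the raw score is a boolean for this indicator
        else:
            numeric.append((name, norm, float(score)))

    # Rank by normalized score and break ties on the raw score: the raw value
    # can exceed 100 (popularity 113.14 in the sample) while normalized is capped.
    numeric.sort(key=lambda t: (t[1], t[2]), reverse=True)

    warnings = []
    if blocked is None:
        warnings.append(f"{BLOCK_INDICATOR} indicator missing from response")
    elif blocked and risk != 100:
        warnings.append("domain is blocked by Umbrella but risk_score is not 100")

    return {
        "risk_score": risk,
        "blocked": blocked,
        "top_contributors": [name for name, _, _ in numeric[:top_n]],
        "warnings": warnings,
    }


# Constructed sample: the response shown on this page.
SAMPLE_RISK = {
    "indicators": [
        {"indicator": "Geo Popularity Score", "normalized_score": 2, "score": -3.610878169999999},
        {"indicator": "Keyword Score", "normalized_score": 3, "score": 0.03586190445512534},
        {"indicator": "Lexical", "normalized_score": 52, "score": 0.525},
        {"indicator": "Popularity 1 Day", "normalized_score": 100, "score": 113.14},
        {"indicator": "Popularity 30 Day", "normalized_score": 100, "score": 112.01},
        {"indicator": "Popularity 7 Day", "normalized_score": 100, "score": 112.86},
        {"indicator": "Popularity 90 Day", "normalized_score": 100, "score": 111.4},
        {"indicator": "TLD Rank Score", "normalized_score": 1, "score": 0.010000315765229171},
        {"indicator": "Umbrella Block Status", "normalized_score": 0, "score": False},
    ],
    "risk_score": 4,
}

if __name__ == "__main__":
    print(summarize(SAMPLE_RISK))
```

On the sample, the four popularity indicators all normalize to 100 and dominate the contributor list even though the overall risk score is only 4, which is the point of keeping the raw score alongside the normalized one: the indicators show why a popular, unblocked domain scores low, and a blocked domain whose score is not 100 is surfaced as a warning rather than silently ingested.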
