The security information API method contains multiple scores or security features, each of which can be used to determine relevant datapoints to build insight on the reputation or security risk posed by the site. No one security information feature is conclusive, instead these features should be looked at in conjunction with one another as part of your security research.
Sample query:
curl -H "Authorization: Bearer %YourToken%" "https://investigate.api.umbrella.com/security/name/example.com"name
string
domain name
dga_score
float
Domain Generation Algorithm. This score is generated based on the likeliness of the domain name being generated by an algorithm rather than a human. This algorithm is designed to identify domains which have been created using an automated randomization strategy, which is a common evasion technique in malware kits or botnets. This score ranges from -100 (suspicious) to 0 (benign).
perplexity
float
A second score on the likeliness of the name to be algorithmically generated, on a scale from 0 to 100. This score is to be used in conjunction with DGA.
entropy
float
The number of bits required to encode the domain name, as a score. This score is to be used in conjunction with DGA and Perplexity.
securerank2
float
Suspicious rank for a domain that reviews based on the lookup behavior of client IP for the domain. Securerank is designed to identify hostnames requested by known infected clients but never requested by clean clients, assuming these domains are more likely to be bad. Scores returned range from -100 (suspicious) to 100 (benign).
pagerank
float
Popularity according to Google's pagerank algorithm
asn_score
float
ASN reputation score, ranges from -100 to 0 with -100 being very suspicious.
prefix_score
float
Prefix ranks domains given their IP prefixes (an IP prefix is the first three octets in an IP address) and the reputation score of these prefixes. Ranges from -100 to 0, -100 being very suspicious.
rip_score
float
RIP ranks domains given their IP addresses and the reputation score of these IP addresses. Ranges from -100 to 0, -100 being very suspicious.
fastflux
n/a
Note: This property in this endpoint is now deprecated. Please use the ff_candidate feature in the DNS RR History endpoint instead.
popularity
float
The number of unique client IPs visiting this site, relative to the all requests to all sites. A score of how many different client/unique IPs go to this domain compared to others.
geodiversity
array
A score representing the number of queries from clients visiting the domain, broken down by country. Score is a non-normalized ratio between 0 and 1.
geodiversity_normalized
array
A score representing the amount of queries for clients visiting the domain, broken down by country. Score is a normalized ratio between 0 and 1.
tld_geodiversity
array
A score that represents the TLD country code geodiversity as a percentage of clients visiting the domain. Occurs most often with domains that have a ccTLD. Score is normalized ratio between 0 and 1.
geoscore
float
A score that represents how far the different physical locations serving this name are from each other.
ks_test
float
Kolmogorov–Smirnov test on geodiversity. 0 means that the client traffic matches what is expected for this TLD.
attack
string
The name of any known attacks associated with this domain. Returns blank if no known threat associated with domain.
threat_type
string
The type of the known attack, such as botnet or APT. Returns blank if no known threat associated with domain.
found
boolean
Returns true if results available. Returns blank if no known threat associated with domain.
curl --include \
--header "Authorization: Bearer %YourToken%" \
https://investigate.api.umbrella.com/security/name/example.com
{
"dga_score": 38.301771886101335,
"perplexity": 0.4540313302593146,
"entropy": 2.5216406363433186,
"securerank2": -1.3135141095601992,
"pagerank": 0.0262532,
"asn_score": -29.75810625887133,
"prefix_score": -64.9070502788884,
"rip_score": -75.64720536038982,
"popularity": 25.335450495507196,
"fastflux": false,
"geodiversity": [
[
"UA",
0.24074075
],
[
"IN",
0.018518519
]
],
"geodiversity_normalized": [
[
"AP",
0.3761535390278368
],
[
"US",
0.0005015965168831449
]
],
"tld_geodiversity": [],
"geoscore": 0,
"ks_test": 0,
"attack: "",
"threat_type: "",
"found": true
}
Risk Score for a Domain
The Umbrella Investigate Risk Score is based on an analysis of the lexical characteristics of the domain name and patterns in queries and requests to the domain. It is scaled from 0 to 100, with 100 being the highest risk and 0 being no risk at all. Periodically Umbrella updates this score based on additional inputs.
The notification is a computation that produces a likelihood score indicating the likelihood that a site is benign or malicious: -100 suggesting that it is highly likely that a site is malicious and +100 suggesting that it is highly likely that a site is benign. A site is deemed "suspicious" whenever the score is negative and indicates that you need to investigate the domain further. You may, in the end, consider blocking it depending on the results of your investigation.
Sample query:
curl -H "Authorization: Bearer %YourToken%" " https://investigate.api.umbrella.com/domains/risk-score/[domain_name]"domain_name
string
domain name
risk_score
integer
risk score
{"risk_score":38}Related Domains for a Domain < Security Information for a Domain > Domain Tagging Dates for a Domain