Query large numbers of domains quickly to find out whether they’re scored as malicious and require further investigation.

The Investigate API can be accessed via an access token, and the access token can be generated via the Umbrella console.

Developers and customers can use and query Umbrella data via the Investigate API. Here are a few of the standard categories:

Categorization (shows the status and classification of the domain): This category is often used by developers and customers as the primary classifier to determine whether a domain/IP address is good, bad, or unknown.

Scoring: Several scores help rate the potential risk of the domain/IP address. For example:

    SecureRank2: This score is designed to identify domains that are requested by known infected clients but never requested by clean clients—assuming that these domains are more likely to be bad. Scores range from –100 (suspicious) to +100 (benign).

    RIP Score: This IP reputation score is designed to rate an IP address based on the amount of malicious activity hosted at that address. Scores range from –100 (very suspicious) to 0.

WHOIS record data: This category includes the email address used to register the domain, the associated name server, historical information, and so on. It can be used to find out more about the history of the domain and the registrant, including whether the email address was used to register other malicious domains.

Cooccurrences: This category depicts other domains that were queried right before or after a given domain and are likely related. The Investigate API is often used to uncover other domains that may be related to the same attack but are hosted on completely separate networks.

Passive DNS: This category depicts the history of domain-to-IP address mappings. This information is used to see if anything suspicious happened with the domain or IP address. For example, you might find that the IP address is continually changing or find that the IP address has more domains than previously declared.

Malware file data: Information is gathered in the form of malware file analysis and threat intelligence from Cisco AMP Threat Grid. This kind of information is used to find out if there are any specific malware files associated with a domain and also to query file hashes to see if they’re malicious.
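The bulk lookup and the two scores described above, as an added example that is not from the page or from Cisco. It builds the bearer-token request for a batch categorization lookup, sorts the response into malicious / unknown / benign buckets so only the first two go to an analyst, and flags a domain or IP from its SecureRank2 and RIP scores. The endpoint path, the Bearer header, the status values (-1 malicious, 0 unknown, 1 benign) and the response layout are taken from the public Investigate API documentation as the author of this example understands it and should be treated as assumptions; the score thresholds are arbitrary example cut-offs, and the sample response is constructed.

```python
"""Bulk triage of domains with the Umbrella Investigate API.

Added example; not from the page or from Cisco. Endpoint path, header
format, status values and response layout follow the public Investigate
API docs as understood here (assumptions; check current documentation).
"""
import json
import urllib.request

INVESTIGATE_BASE = "https://investigate.api.umbrella.com"  # assumed base URL

# Categorization status values (assumed from the docs): -1 malicious, 0 unknown, 1 benign
STATUS_LABEL = {-1: "malicious", 0: "unknown", 1: "benign"}


def build_categorization_request(token, domains):
    """Return (url, headers, body) for one bulk categorization lookup.

    The API takes a JSON array of domains in a POST body, so a large list is
    scored in a single round trip instead of one GET per domain.
    """
    url = f"{INVESTIGATE_BASE}/domains/categorization?showLabels"
    headers = {
        "Authorization": f"Bearer {token}",  # token generated in the Umbrella console
        "Content-Type": "application/json",
    }
    body = json.dumps(sorted(set(domains)))  # dedupe so each domain costs one lookup
    return url, headers, body


def query_categorization(token, domains):
    """Send the bulk request and return the parsed JSON (network call; not run offline)."""
    url, headers, body = build_categorization_request(token, domains)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def triage_categorization(response):
    """Split a categorization response into malicious / unknown / benign buckets.

    'unknown' is not a clean bill of health, only an absence of classification,
    so both 'malicious' and 'unknown' are handed to an analyst.
    """
    buckets = {"malicious": [], "unknown": [], "benign": []}
    for domain, info in response.items():
        label = STATUS_LABEL.get(info.get("status"), "unknown")
        buckets[label].append(domain)
    for names in buckets.values():
        names.sort()
    return buckets


def score_flags(securerank2, rip_score, sr_threshold=-50, rip_threshold=-50):
    """Flag a domain/IP from the two scores described on the page.

    SecureRank2 runs from -100 (suspicious) to +100 (benign); the RIP score
    from -100 (very suspicious) to 0. Thresholds here are arbitrary example
    cut-offs, not values Cisco recommends. None means the score was absent.
    """
    flags = []
    if securerank2 is not None and securerank2 <= sr_threshold:
        flags.append("low_securerank2")
    if rip_score is not None and rip_score <= rip_threshold:
        flags.append("low_rip_score")
    return flags


# Constructed sample response in the documented shape (not real API output).
SAMPLE_RESPONSE = {
    "benign.example": {"status": 1, "security_categories": [], "content_categories": ["Business Services"]},
    "bad.example": {"status": -1, "security_categories": ["Malware"], "content_categories": []},
    "new.example": {"status": 0, "security_categories": [], "content_categories": []},
}

if __name__ == "__main__":
    url, headers, body = build_categorization_request("<TOKEN>", ["bad.example", "benign.example", "bad.example"])
    print(url, body)
    print(triage_categorization(SAMPLE_RESPONSE))
    print(score_flags(-80, -20))
```

To run it against the live service, replace the placeholder token with one generated in the Umbrella console and call query_categorization; the triage and scoring helpers work on the parsed JSON the same way they work on the constructed sample.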
Now let’s look at a couple of examples of the Investigate API. If you query the domain at