API results for IP address

The table below contains possible sections available for an IP address investigation in JSON format.

Certain objects can be assigned to the suspicious status. Suspicious is the internal name that is only used to identify objects with a threat score between 50 and 74, and it means not trusted.

For reserved IP addresses, only LicenseInfo, Zone, IpGeneralInfo, and IpWHOIS sections are provided.

200 OK response parameters

Section in API	Section in web interface	Description
LicenseInfo	—	Information on the license used. `AccessType`—License type ("`Commercial`" or "`Trial`"). `DayRequests`—Number of requests performed in the current day (for a commercial license). `DayQuota`—Daily limit of requests (for a commercial license). `TokenExpirationDate`—Date when an API token expires. If there is no API token requested, the `null` value is returned.
Zone	On the Threat Lookup results page, the panel with the requested object and its status appears in a certain color, depending on the zone of the investigated object.	Color of the zone that an IP address belongs to.
RelatedObjects	Files related to IP address	Information about the presence of malicious objects associated with the indicator. `HasRedZone`—Shows whether there are malicious objects (`zone=red`) related to the indicator: `true`—there are related malicious objects; `false`—no related malicious objects.
IpGeneralInfo	Overview	General information about the requested IP address. `HitsCount`—Hits number (popularity) of the requested IP address. `FirstSeen`—Date and time when the requested IP address appeared in Kaspersky expert systems statistics for the first time, according to your computer local time zone. `ThreatScore`—Probability of the requested IP address to appear dangerous (0 to 100). `Ip`—Requested IP address. `CountryCode`—Two-letter country code (ISO 3166-1 alpha-2 standard) of a country to which the IP address belongs. For reserved and not defined IP addresses, the NULL value is exported. `Status`—Status of the IP address (Known if the country is detected, Reserved for reserved special-purpose IP addresses (see RFC 6890), and NoInfo for IP addresses that do not belong to any country and are not reserved). `Categories`—Category of the requested IP address. `CategoriesWithZone`—Categories of the requested IP address and zones that the category belongs to. `HasApt`—Shows whether the requested IP address is related to an advanced persistent threat (APT) attack. `RelatedAptReports`—Array of objects that describe APT Intelligence reports, Crimeware Threat Intelligence reports, and Industrial reports, to which the requested IP address is related. Each object contains a report's ID, type, and title. The report ID can be used as an argument (`publication_id`) for the get_one endpoint, which is used to obtain specific information for a report. If the requested IP address is not related to reports, an empty array is returned.
FilesDownloadedFromIp	—	Information that is provided about files that were downloaded from the requested IP address and domains that resolve to the requested IP address, and MD5 hashes of files that accessed the requested IP address. `Zone`—Color of the zone that a file belongs to. `DownloadHitsCount`—Number of times that a file was downloaded from the requested IP address as detected by Kaspersky expert systems. `Md5`—MD5 hash of the downloaded file. `LastSeen`—Date and time that the file was last downloaded from the requested IP address, according to your computer local time zone. `FirstSeen`—Date and time the file was first downloaded from the requested IP address, according to your computer local time zone. `DetectionName`—Name of the detected object. `Url`—Web addresses used to download the file.
HostedUrls	Hosted URLs	Information about web addresses of the domain that resolves to the requested IP address. `Zone`—Color of the zone that a web address belongs to. `UrlHitsCount`—Number of web address detections by Kaspersky expert systems. `Url`—Detected web address (including web addresses that contain the requested IP address). `IsUrlTruncated`—Shows whether private data was filtered in the displayed web address. `FirstSeen`—Date and time when the web address was first detected, according to your computer local time zone. `LastSeen`—Date and time when the web address was last detected, according to your computer local time zone.
FeedMasks	URL masks	Information about the web address covered by the mask. `Zone`—Zone of the web address covered by the corresponding mask (`Red`, `Orange`, or `Yellow`). `Status`—Danger level of the web address covered by the corresponding mask (`Dangerous`, `Not trusted`, or `Adware and other`). `NormalizedMask`—Normalized mask of the web address. `FeedNames`—Threat Data Feeds that contain the mask of the web address (Malicious URL Data Feed, Phishing URL Data Feed, Botnet CC URL Data Feed, APT URL Data Feed, or APT IP Data Feed). `MaskType`—Type of the mask.
IpWhoIs	WHOIS	WHOIS information about the requested IP address. `Type` `Status`—Status of the IP address (`Known` if the country is detected, `Reserved` for reserved special-purpose IP addresses (see RFC 6890), and `NoInfo` for IP addresses that do not belong to any country and are not reserved). `Asn`—Autonomous system number, including: `Origin` `Description` `Net`—Information about the network that the requested IP address belongs to, including: `RangeStart` `RangeEnd` `Created` `Changed` `Name` `Description` `Contacts`—Contact information for the owner of the requested IP address, including: `Address` `OrganizationId` `Name` `ContactRole` `ContactType` `Fax` `Phone` `Email`
IpDnsResolutions	DNS resolutions for IP address	Information about the requested IP address. `Zone`—Color of the zone that a domain (resolved to the requested IP address) belongs to. `Domain`—Domain that resolves to the requested IP address. `FirstSeen`—Date and time when the domain first resolved to the requested IP address, according to your computer local time zone. `LastSeen`—Date and time when the domain last resolved to the requested IP address, according to your computer local time zone. `HitsCount`—Number of times that the domain resolved to the requested IP address. `DailyPeak`—Maximum number of domain resolutions to the requested IP address per day. `PeakDate`—Date of maximum number of domain resolutions to the requested IP address. `Categories`—Categories of the requested IP address.
IPSpamInfo	Spam attacks	Information about spam attacks associated with the requested IP address. `spam_attacks`—Number of spam attacks. `spam_ratio`—Ratio of spam generated by the requested IP address to the rest of the content. `last_attack_date`—Date of the latest spam attack. `spam_attack_types`—Array of attack types.
IPPhishingInfo	Phishing attacks	Information about phishing attacks associated with the requested IP address. `phishing_attacks`—Number of phishing attacks. `last_attack_date`—Date of the latest phishing attack. `regions`—Top 10 regions affected by the phishing attack. `phish_kit`—Name of a phishing kit (a set of materials and tools) used during the phishing attack. `stolen_data_type`—Type of data stolen during phishing attack, for example, user names, passwords. `attacked_industry`—Target industry of a phishing attack. `attacked_organization`—Target organization of a phishing attack.
`DataFeeds`	Data Feeds	List of Threat Data Feeds that contain information about the requested IP address. If the requested IP address is not mentioned in Threat Data Feeds, this section is not returned.

Page top