Threat lookups
Overview
Devo is equipped with a series of lookups that you can use to identify potential threats, and find suspicious domains or IP addresses. Threat lookups let you know if you are under an attack or threat, track the attack sources and provide you as much information as possible to help you prevent any cyber attack.
You can use threat lookups to check an IP or domain status and get information related to them (for example, get their corresponding countries or abuse contact addresses to report problems).
Threat lookups cannot be managed from the Lookup management area. This area is exclusively for lookup tables created or uploaded by yourself. Threat lookups are managed by our team, so contact our customer support team if you have any problem.
Threat lookup types and fields
We have two main categories of threat lookups available: Threat Malware lookups and Threat Fraud lookups.
| Threat lookup type | Threat lookup sub-category | Description |
|---|---|---|
| Threat Malware lookups | Threat Malware by IP | The key field contains IP addresses. Use it to get information about IP addresses related to malware in your data table. |
| Threat Malware by Domain | The key field contains domains. Use it to get information about domains related to malware in your data table. | |
| Fraud Malware lookups | Threat Fraud by IP | The key field contains IP addresses. Use it to get information about IP addresses related to fraud activity in your data table. |
All three types of threat lookups contain the following fields that you can use to enrich your table data and analyze potential threats:
| Field name | Description | Data type | Example |
|---|---|---|---|
| abusecontact | Abuse email address | string | abuse@example.com |
| asn | Autonomous System Number | string | 1234 |
| category | Threat category identified by Devo | string | fraud |
| country | IP / domain country | string | EN |
| date | Date on which the information was got from the source | string | 03-15-2017 |
| description | Threat description | string | IP used by banjori C&C |
| detail | Threat details | string | Port open, HTTP 400 |
| domain | Domain name. This is the key field for domain threat lookups | string | example.com |
| eventdate | Date on which Devo receives the information | string | 2017-03-15 11:15:54.752 |
| firstseendate | Date on which the threat was first detected | string | 2014-02-12 07:45:00 |
| firstseentimestamp | Date on which the threat was first detected, in timestamp format | integer | 1489568011 |
| hash | Binary HASH | string | d131dd02c5e6eec4 |
| IP | IPv4 address. This is the key field for domain threat lookups | ip | 8.8.8.8 |
| lastseendate | Date on which the threat was last detected | string | 2015-01-26 17:32:00 |
| lastseentimestamp | Date on which the threat was last detected, in timestamp format | integer | 1489568011 |
| level | Threat danger level | string | Low |
| path | URL path | string | /index.html |
| query | URL query | string | field=vale&1=1 |
| sbl | Code in SBL reputation list | string | SBL2134 |
| source | Source of the information | string | VXVault |
| status | Resource status | string | online |
| threat | Type of threat | string | Ponny |
| threat_type | Threat type by source. This field is only available for malware threat lookups | string | phishing |
| timestamp | Timestamp that corresponds to the date on which Devo receives the information | integer | 1489568011 |
| url | URL | string | http://example.com/ |
Add threat lookups to a data table
Threat lookup fields can be included in data tables in the same way as uploaded and query lookups. See Add lookup values to your query for more information.
- Go to Data search and access the required data table.
- Select Create column from the query window toolbar.
- Give the new column a name and select all in the Operation area. Type threat in the search box to locate threat lookups and select the one you need.
- Select New argument and add the table column you want to use to correlate the data with the threat lookup, which may be a column containing IP addresses or domains depending on the threat lookup type selected. In this example, we have selected the threat field of the Threat Fraud by IP category, and added the srcIP column as argument.
- Click Create column when you're done. For easy identification, you can filter the column data to avoid null values.
You can build a graph diagram using the lookup column and the IP/domain column selected to get an explicit visualization of your results.
