IPv4 enrichment categories
    • 13 May 2024

    Enriching an IPv4 address helps security teams understand the origin, function and risk level of the observable.

    Enriched data is spread out across 18 categories and sub-categories, including:

    • Basic information
      • IP Information
      • DNS Records
      • Associated Certificates
      • Geographic
    • Enriched Attributes
      • Curated Feed History
      • ASN Information
      • Subnet Information
    • Custom Attributes
      • Organizational Asset Indicators
    • Scan Data
      • Certificates
      • JARM
      • Favicon
      • HTML
      • Header
    • Live Threat Feeds

    Tip!

    Click Lookup PADNS, where it is available, to pivot through enriched data elements.

    Basic information

    IP information

    • Date: -
    • User Tags: User-added observable tags
    • ASN: The AS number, as allocated by IANA
    • AS Name: The name of the AS
    • Subnet: The IP's subnet
    • IP Density: The number of domains pointing to an IP address
    • IP PTR: A PTR record pointing to an IP address

    DNS records

    This category contains a list of the most recent DNS records found, with an option to pivot through passive DNS data for each record type. The total number of records is displayed at the bottom of the table.

    Associated certificate

    Click Search to run a query that returns a list of all certificates associated with the IP address.

    Geo

    Geographic data is collected across 4 elements:

    1. Continent
    2. Country
    3. Country code
    4. Is European Union

    Enriched attributes

    Curated feed history

    An observable's Curated Feed History is a Silent Push-calculated score that takes into account the frequency and recency of an observable within certain trusted threat feeds.

    • Curated Feeds History Score: A score based on the frequency and recency of an observable's presence within trusted feeds.
    • First Seen: A timestamp of the first time an observable appears in the feed.
    • First Seen Ago: -
    • Listed Recent: The most recent date on which this domain or IP has been listed on at least one of the curated feeds.
    • Listed Recent Ago: -
    • Listed Span: The number of days between the First Seen date and the most recent date on which this domain or IP has been listed on at least one curated feed.
    • Listed All: The number of days on which this domain or IP has been listed on at least one of the curated feeds. Click the drop-down arrow to choose a window of between 7 and 365 days.
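    The Listed Span and Listed All elements are easy to confuse: the first is the distance between the earliest and latest listing dates, the second counts distinct listing days inside a chosen window. The following Python is an added illustration, not Silent Push code, and works over constructed feed listing records; the assumption that Listed All is counted over a window of N days ending at a reference date (mirroring the 7-365 day drop-down) is mine, since the page does not spell out the exact rule.

```python
from datetime import date, timedelta

# Constructed sample records for one observable: (feed name, listing date).
# These are made-up values, not real Silent Push feed data.
LISTINGS = [
    ("feed-a", date(2024, 4, 1)),
    ("feed-b", date(2024, 4, 1)),   # second feed on the same day counts once
    ("feed-a", date(2024, 4, 3)),
    ("feed-c", date(2024, 4, 20)),
    ("feed-a", date(2024, 5, 10)),
]

# Constructed reference date ("today" for the *Ago elements).
AS_OF = date(2024, 5, 13)


def feed_history(listings, as_of, window_days=30):
    """Derive the Curated Feed History elements from raw listing records.

    Assumption: Listed All is the number of distinct listing days within the
    `window_days` ending at `as_of` (hypothetical reading of the drop-down).
    Returns None when the observable has never been listed.
    """
    if not listings:
        return None

    # A day on which the observable appears on *at least one* feed counts once.
    days = {listed_on for _, listed_on in listings}

    first_seen = min(days)
    listed_recent = max(days)
    listed_span = (listed_recent - first_seen).days

    window_start = as_of - timedelta(days=window_days)
    listed_all = sum(1 for d in days if window_start < d <= as_of)

    return {
        "first_seen": first_seen,
        "first_seen_ago": (as_of - first_seen).days,
        "listed_recent": listed_recent,
        "listed_recent_ago": (as_of - listed_recent).days,
        "listed_span": listed_span,
        "listed_all": listed_all,
    }


if __name__ == "__main__":
    for window in (30, 365):
        result = feed_history(LISTINGS, AS_OF, window_days=window)
        print(f"window={window}d:", result)
```

    With the sample above, Listed Span stays at 39 days regardless of the window, while Listed All is 2 for a 30-day window and 4 for a 365-day window; that difference is what lets an analyst tell a persistently listed observable from one that was listed briefly a long time ago.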

    ASN information

    • ASN: A score that includes recency, frequency, and the number of NS changes.
    • AS Name: The name of the AS.
    • AS Rank: A ranking of ASNs associated with threats listed on feeds, calculated using a weighted formula based on the type of threat observed.
    • ASN Takedown Reputation: A reputation score based on the time it takes for the ASN owner to react to takedown requests related to malicious URLs; a higher reputation score indicates the ASN owner is slow to react to takedown requests. Scores are based on the following variables: IPs in ASN, IPs with URL listed, number of URLs listed and listing max age.
    • ASN Allocation Age: The age of an AS number in days.
    • ASN Allocation Date: The date an AS number was assigned by IANA.
    • ASN Reputation: The ratio of blacklisted IPs to the total number of IPs that have been observed as being active within an ASN in the last 30 days. Scores are based on the following variables: IPs in ASN, Active IPs, IPs Listed.

    Subnet information

    • Subnet: The IP's subnet.
    • Subnet Reputation: The ratio of blacklisted IPs to the total number of IPs that have been observed as being active within a particular subnet in the last 30 days. Scores are calculated based on the following variables: IPs in Subnet, Active IPs and IPs Listed.
    • Subnet Allocation Age: The number of days since the subnet was allocated to the AS.
    • Subnet Allocation Date: The date the subnet was allocated to the AS.

    Custom attributes

    Organizational asset indicators

    Organizational Asset Indicators are a set of customer-specific scores used to tailor feed items according to a client's business assets or supply chain assets.

    • IP Geo: A score expressing the IP's presence in an organization's designated area of operation.
    • IP Range: How an IP address matches up to an IP range.

    List of live threat feeds

    This section contains a list of live threat feeds that the IP address currently features in.

    Scan data

    Certificates

    Click the Show all associated certificates button to scan for a list of associated domain certificates.

    Categories:

    • Domain
    • Domains
    • SHA1
    • Valid From
    • Valid Until
    • Issuer Common Name
    • Issuer Organization
    • Scan Date

    JARM

    Elements:

    • JARM - Click the Find Matches button to pivot through matching data.
    • Scan Date

    Favicon

    Elements:

    • Favicon md5
    • Favicon murmur3
    • Favicon2 md5
    • Favicon2 murmur3
    • Favicon2 path
    • Scan date

    HTML

    Elements:

    • Body ssdeep
    • Body murmur3
    • Title
    • Scan date

    Header

    Elements:

    • Response
    • Server
    • Expires
    • Content Length
    • Content Type
    • Cache Control
    • IP
    • Location
    • Scan Date
