Endpoint scoring

The Silent Push API returns numerous data types that are based on categorical scores, to provide you with a clear picture of the reputational value of domains, IP addresses, DNS records and other associated data.

Domain related scores

age_score

  • Based on the age of the domain, as seen in DNS zone files.
  • A more recently created domain scores higher.

is_new_score

  • This score returns 100 if the domain has been created within the last 24 hours.
  • New domains represent a higher risk when observed in network traffic.

dga_probability_score

  • Indicates the likelihood that the domain name is the result of a Domain Generation Algorithm (DGA).

url_shortener_score

  • Returns 100 if the domain is a known URL shortener service. This is scored in addition to the isurlshortener flag.

listing_score

  • Indicates if the domain has been seen on any (or a selection of) highly trusted threat intelligence feeds.
  • Based on recency and the frequency of prior listings.

ns_reputation_score

  • A score for the name servers currently associated with this domain.
  • Name server reputation is based on the number of domains hosted on the name server vs. the number of those domains listed in threat intelligence feeds.

ns_entropy_score

  • An indication of how often a domain has changed name servers.
  • More frequent and/or recent changes point to a suspicious domain.

sp_risk_score

  • The Silent Push Risk Score provides an at-a-glance assessment of the risk associated with a given domain.
  • sp_risk_score is reduced to 0 if any of these flags is true: is_expired, is_parked, is_sinkholed. Otherwise, it is equal to the highest of the following scores:
    • ns_entropy_score
    • ns_reputation_score
    • is_new_score
    • age_score
    • listing_score

IPv4 related scores

asn_rank_score

  • A weighted measure of the type of feed where IPv4 addresses in this ASN have been listed (listings on malware feeds are counted with a higher weight than listings on phishing feeds, for example).
  • All ASNs with listings are ranked against each other.

asn_reputation_score

  • A measure of IPv4 addresses in a given ASN that have been listed on certain feeds (the score reflects volume rather than severity).
  • The ASN reputation score is calculated as a logarithmic ratio of listed vs. active IPv4 addresses in the ASN, where an active IPv4 address is any IP with a current A record in Silent Push Passive DNS.

asn_takedown_reputation_score

  • A measure of how long it takes for malicious URLs to be taken down by the ISP abuse desk.
  • Silent Push only counts URLs that have a minimum age of X days, and the aggregation is the number of items/URLs listed. The total count of items listed is then compared to the total number of IPs in the ASN using a specific formula. All ASNs with listings are ranked against each other.

ip_is_dsl_dynamic_score

  • This score returns 100 if the IPv4 address is part of dynamically allocated/residential IP space.
  • The ip_is_dsl_dynamic_score is scored in addition to the ip_is_dsl_dynamic flag.

listing_score

  • Shows if an IPv4 address has previously been seen on a selection of highly trusted threat intelligence feeds.
  • The score is graded based on recency and frequency of prior listings.

subnet_reputation_score

  • A measure of IPv4 addresses in a given subnet that have been listed on certain feeds.
  • The score reflects volume rather than severity.
  • The reputation score is calculated as a logarithmic ratio of listed vs. active IPv4 addresses in the subnet, where an active IPv4 address is any IP with a current A record in Silent Push Passive DNS.

ip_reputation_score

  • The number of A records resolving to this IPv4 address that have been listed on certain feeds.
  • The score reflects volume rather than severity.
  • The reputation score is calculated as a logarithmic ratio of listed names (A records) vs. all active A records resolving to this IPv4 address, where an active A record is any current A record in Silent Push Passive DNS.

sp_risk_score

  • The Silent Push Risk Score provides an at-a-glance assessment of the risk associated with this IPv4 address.
  • An IP's sp_risk_score is reduced to 0 if any of these flags is true: known_benign, known_sinkhole_ip. Otherwise, it is equal to the highest of the following scores:
    • ip_reputation
    • subnet_reputation
    • asn_reputation
    • asn_takedown_reputation
    • asn_rank
    • listing_score
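
Worked example (added here, not Silent Push code): recomputing sp_risk_score for a domain or an IPv4 address from the component scores and flags described above, and reporting which component or flag determined it, which helps when triaging why an indicator scored the way it did. It assumes each record is a flat dict keyed by the field names on this page, and that the short names in the IPv4 list (ip_reputation, asn_rank, ...) refer to the matching *_score fields; the sample records are constructed.

```python
# Added example: the "highest component, zeroed by flags" rule from this page.
# Assumption: records are flat dicts using the field names documented above.
DOMAIN_RULE = {
    "scores": ["ns_entropy_score", "ns_reputation_score", "is_new_score",
               "age_score", "listing_score"],
    "zero_flags": ["is_expired", "is_parked", "is_sinkholed"],
}
IP_RULE = {
    "scores": ["ip_reputation_score", "subnet_reputation_score",
               "asn_reputation_score", "asn_takedown_reputation_score",
               "asn_rank_score", "listing_score"],
    "zero_flags": ["known_benign", "known_sinkhole_ip"],
}

def explain_risk(record, rule):
    """Return (score, reason) for a record under the given rule."""
    raised = [f for f in rule["zero_flags"] if record.get(f) is True]
    if raised:
        # Any true flag overrides every component score.
        return 0, "zeroed by flag(s): " + ", ".join(raised)
    present = {k: record[k] for k in rule["scores"] if record.get(k) is not None}
    if not present:
        return None, "no component scores present"
    top = max(present.values())
    drivers = [k for k, v in present.items() if v == top]
    return top, "driven by: " + ", ".join(drivers)

# Constructed sample records (not real API output).
NEW_DOMAIN = {"age_score": 80, "is_new_score": 100, "listing_score": 0,
              "ns_entropy_score": 20, "ns_reputation_score": 35,
              "is_expired": False, "is_parked": False, "is_sinkholed": False}
# dga_probability_score is not one of the listed components, so it is ignored.
DGA_LOOKING = {"age_score": 10, "is_new_score": 0, "listing_score": 0,
               "ns_entropy_score": 5, "ns_reputation_score": 35,
               "dga_probability_score": 95}
PARKED_LISTED = {"age_score": 40, "listing_score": 90, "is_parked": True}
SINKHOLE_IP = {"ip_reputation_score": 88, "asn_rank_score": 60,
               "known_benign": False, "known_sinkhole_ip": True}
BUSY_IP = {"ip_reputation_score": 70, "subnet_reputation_score": 70,
           "asn_reputation_score": 30, "listing_score": 0}

if __name__ == "__main__":
    for name, rec, rule in [("new domain", NEW_DOMAIN, DOMAIN_RULE),
                            ("dga-looking", DGA_LOOKING, DOMAIN_RULE),
                            ("parked+listed", PARKED_LISTED, DOMAIN_RULE),
                            ("sinkhole ip", SINKHOLE_IP, IP_RULE),
                            ("busy ip", BUSY_IP, IP_RULE)]:
        print(name, explain_risk(rec, rule))
```

A score of 0 therefore does not mean every component is low: the parked domain above still has a listing_score of 90, so check the flags before dismissing an indicator.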