Threat Detection

Arxignis provides comprehensive threat detection capabilities that identify and analyze security threats in real-time using threat intelligence data and IP analysis.

Overview

Our threat detection system provides:

IP-based threat analysis - Real-time threat scoring for IP addresses
Threat intelligence integration - Access to comprehensive threat databases
Geographic context - Country and ASN information for threat context
Caching and performance - Optimized for high-throughput analysis

API Endpoint

Threat Analysis by IP

Analyze an IP address for threat intelligence and risk assessment.

GET /v1/threat?ip=57.141.0.51

Parameters:

ip (query, required): IP address to analyze (IPv4 or IPv6)

Example Request:

curl -H "Authorization: Bearer YOUR_API_KEY" \
  "https://api.arxignis.com/v1/threat?ip=57.141.0.51"

Response Format

Successful Analysis

{
  "schema_version": "1.0",
  "tenant_id": "public",
  "ip": "57.141.0.51",
  "intel": {
    "score": 85,
    "confidence": 0.85,
    "score_version": "2025-09-01",
    "categories": ["malware", "botnet", "suspicious"],
    "tags": ["default"],
    "first_seen": "2024-01-15T10:30:00Z",
    "last_seen": "2024-12-01T14:22:00Z",
    "source_count": 3,
    "reason_code": "MALWARE_DETECTED",
    "reason_summary": "IP associated with malware distribution",
    "rule_id": "malware_rule_001"
  },
  "context": {
    "asn": 64500,
    "org": "Example ISP",
    "ip_version": 4,
    "geo": {
      "country": "US"
    }
  },
  "advice": "block",
  "ttls": 3600,
  "generated_at": "2024-12-01T15:30:00Z"
}

No Threat Data Found

{
  "schema_version": "1.0",
  "tenant_id": "public",
  "ip": "8.8.8.8",
  "intel": {
    "score": 0,
    "confidence": 0.0,
    "score_version": "2025-09-01",
    "categories": [],
    "tags": [],
    "first_seen": "",
    "last_seen": "",
    "source_count": 0,
    "reason_code": "NO_DATA",
    "reason_summary": "No threat data available",
    "rule_id": "none"
  },
  "context": {
    "asn": 15169,
    "org": "Google LLC",
    "ip_version": 4,
    "geo": {
      "country": "US"
    }
  },
  "advice": "allow",
  "ttls": 60,
  "generated_at": "2024-12-01T15:30:00Z"
}

Response Fields

Intel Section

Field	Type	Description
`score`	integer	Threat score (0-100)
`confidence`	float	Confidence level (0.0-1.0)
`score_version`	string	Version of scoring algorithm
`categories`	array	Threat categories (malware, botnet, etc.)
`tags`	array	Additional threat tags
`first_seen`	string	First time this IP was seen (RFC3339)
`last_seen`	string	Last time this IP was seen (RFC3339)
`source_count`	integer	Number of threat intelligence sources
`reason_code`	string	Machine-readable reason code
`reason_summary`	string	Human-readable reason description
`rule_id`	string	ID of the rule that triggered the detection

Context Section

Field	Type	Description
`asn`	integer	Autonomous System Number
`org`	string	Organization name
`ip_version`	integer	IP version (4 or 6)
`geo.country`	string	Country code (ISO 3166-1 alpha-2)

Action Fields

Field	Type	Description
`advice`	string	Recommended action: "allow", "block", "challenge"
`ttls`	integer	Time to live in seconds
`generated_at`	string	Response generation timestamp (RFC3339)

Threat Categories

Common threat categories returned in the categories field:

malware - Malware distribution or command & control
botnet - Botnet participation
suspicious - Suspicious activity patterns
phishing - Phishing infrastructure
spam - Spam source
scanner - Port scanning activity
proxy - Open proxy or VPN
tor - Tor exit node

Response Actions

Allow

{
  "advice": "allow",
  "ttls": 60
}

No action required, allow the request to proceed.

Block

{
  "advice": "block",
  "ttls": 3600
}

Block the IP address for the specified TTL period.

Challenge

{
  "advice": "challenge",
  "ttls": 300
}

Present a challenge (CAPTCHA) to verify the request.

Error Responses

400 Bad Request - Missing IP

{
  "success": false,
  "error": "Missing IP address parameter",
  "details": {
    "required_param": "ip",
    "example": "/v1/threat?ip=192.168.1.1"
  }
}

400 Bad Request - Invalid IP Format

{
  "success": false,
  "error": "Invalid IP address format",
  "details": {
    "ip": "invalid-ip",
    "parse_error": "invalid IP address format"
  }
}

405 Method Not Allowed

{
  "success": false,
  "error": "Method not allowed",
  "details": {
    "method": "POST",
    "allowed_methods": ["GET"]
  }
}

Performance Considerations

Response time: Typically < 100ms for cached results
Rate limiting: Subject to API rate limits
Caching: Results are cached to improve performance
Memory optimization: Uses in-memory cache for frequent lookups

Best Practices

Cache responses - Threat data doesn't change frequently - 5-10 minutes
Handle errors gracefully - Default to allow on API errors
Monitor performance - Track response times and cache hit rates
Use appropriate TTLs - Respect the ttls field for caching
Log decisions - Record threat analysis results for auditing

Overview​

API Endpoint​

Threat Analysis by IP​

Response Format​

Successful Analysis​

No Threat Data Found​

Response Fields​

Intel Section​

Context Section​

Action Fields​

Threat Categories​

Response Actions​

Allow​

Block​

Challenge​

Error Responses​

400 Bad Request - Missing IP​

400 Bad Request - Invalid IP Format​

405 Method Not Allowed​

Performance Considerations​

Best Practices​