https://github.com/checkpointsw/reputation-service-api
Leverage the Check Point’s threat intelligence to enrich your SIEM and SOAR solutions and to secure your business applications and websites by using simple RESTful APIs.
https://github.com/checkpointsw/reputation-service-api
reputation-service
Last synced: 4 months ago
JSON representation
Leverage the Check Point’s threat intelligence to enrich your SIEM and SOAR solutions and to secure your business applications and websites by using simple RESTful APIs.
- Host: GitHub
- URL: https://github.com/checkpointsw/reputation-service-api
- Owner: CheckPointSW
- Created: 2020-01-06T12:34:23.000Z (almost 6 years ago)
- Default Branch: master
- Last Pushed: 2025-07-13T14:05:47.000Z (6 months ago)
- Last Synced: 2025-07-13T14:38:34.024Z (6 months ago)
- Topics: reputation-service
- Language: Java
- Homepage: https://app.swaggerhub.com/apis-docs/Check-Point/reputation-service/
- Size: 2.36 MB
- Stars: 28
- Watchers: 7
- Forks: 7
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# Check Point Reputation Service API
- [What can you expect to get from the APIs](#what-can-you-expect-to-get-from-the-apis)
- [Getting Started with the Reputation Service API](#getting-started-with-the-reputation-service-api)
- [Get your API Key from us](#get-your-api-key)
- [Swagger - for easy API usage and reference](#swagger)
- [How to generate an authentication token?](#authentication)
- [The services APIs](#the-services-apis)
- [Response](#response)
- [Response Status Codes](#response-status-codes)
## **Overview**
Leverage **Check Point’s** threat intelligence to enrich your SIEM and SOAR solutions, and secure your business applications and websites using simple RESTful APIs.
**Check Point's Reputation Service API** offers the following capabilities:
- [**URL Reputation**](#url-reputation-service) - Returns the classification and associated risk of accessing a given **domain or URL**.
- [**File Reputation**](#file-reputation-service) - Returns the risk level of downloading a file based on its **hash (MD5/SHA1/SHA256)**.
- [**IP Reputation**](#ip-reputation-service) - Returns the classification and associated risk of accessing a resource hosted on a given **IP address**.
## What can you expect to get from the APIs
An important field from the response is the assessed risk of accessing the queried resource.
Each risk (0-100) is accompanied with the **Confidence** and the **Severity**, and our **Recommended Action**.
**Risk Threshold Guide**
| **Risk Range** | **Description** | **Confidence** | **Severity** | **Recommended Action** |
| -------------- | ------------------------------------------------------------------------------------ | --------------- | ------------- | ----------------------- |
| Risk=0 | Indications of a legit website. | High | N/A | Allow list |
| Risk=34 | The service couldn't classify the domain. not enough data for this resource. | Low/Medium/High | Low/Medium | N/A |
| Risk=50 | Anonymizers, hosting and parked websites, Unknown files. | Medium/High | Medium | N/A |
| Risk=64 | Browsing to the resource should be done with extra caution. | Low | High/Critical | Caution |
| Risk=80 | There are circumstantial evidences that ties the resource to malicious activity. | Medium | High/Critical | Block |
| Risk=100 | Known malicious resource by at least one trusted vendors. | High | High/Critical | Block |
Further context details like **Classification**, **Categories**, **Popularity** and more can be found in the full json [Response](#response).
Expect different fields corresponding to the service type you choose (URL / IP / FILE).
## Getting Started with the Reputation Service API
### Get your API Key
To get started with the APIs, please [contact us](mailto:TCAPI_SUPPORT@checkpoint.com).
We will provide you with a trial API key along with a daily quota. If you exceed your quota, the API will return a 429 (Too Many Requests) status code.
## Swagger
Check out our [Swagger UI](https://app.swaggerhub.com/apis-docs/Check-Point/reputation-service/) to easily explore and use the API.
## Authentication
### **Rep-Auth Service**
Authentication to the reputation service is aquired using a token generated by the **rep-auth** service.
* The token expires after one week, to renew the authentication - send a new token request.
* A token should look like this: `exp=1578566241~acl=/*~hmac=95add7c04faa2e7831b451fd45503e4a2ac0598c7e84a5ace7dd611d7b483e5f`
#### **How to generate a token**?
To generate a token, send an **HTTPS GET** request to the following endpoint:
* Include the Client-Key header with your trial API key in your request.
* If the header is missing or invalid, the server will respond with an **HTTP 401 Unauthorized** status code.
**How do I know that the token has expired?**
If your token has expired, the service will respond with an **HTTP 403 Forbidden** status code.
## The services APIs
### **URL Reputation Service**
#### Request
Send an **HTTPS POST** request to the following endpoint: https://rep.checkpoint.com/url-rep/service/v3.0/query?resource={url}
Request headers:
- "Client-Key": Your trial API key.
- "token": the token you have received from the rep-auth service.
Request body, use JSON format:
```js
{
"request": [{
"resource": "{url}"
}]
}
```
| **Parameter Name** | **Type** | **is Optional** | **Description** |
| ------------------ | -------- | --------------- | ------------------------------ |
| resource | String | No | the URL to query about |
#### **URL classifications**
| **Classification** | **Description** | **Severity** |
| ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ |
| Adware | A website that operates in legal gray areas by collecting users’ private data without clear consent, displaying unwanted or intrusive content (such as pop-up ads), or embedding sub-applications that initiate unsolicited downloads. Visit [Checkpoint's blog: "What is Adware?" for further education](https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-adware/) | Low |
| Volatile Website | A website that contains malicious software, for example: hacking websites. | Medium |
| Benign | A legit website, which don't serve any malicious purpose. | N/A |
| CnC Server | A C&C server is used by attackers to issue commands to, and receive data from, malware-infected devices (also known as bots or zombies). | Critical |
| Compromised Website | A Legit website that was hacked and now serves a malicious purpose. | High |
| Phishing | A website that attempt to obtain sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity, like a known company. Learn more at [Phishing Attacks. How does it work?](https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-phishing/) | High |
| Infecting Website | A website that may infect it’s visitors with malware. | High |
| Infecting URL | A URL that may infect it’s visitors with malware. | High |
| Web Hosting | A service that rents out server space to make websites accessible on the internet. | Medium |
| File Hosting | A service that rents out server space to make files accessible on the internet. | Medium |
| Parked | A website with no original content, often displaying ads. | Medium |
| Spam | The url is used for spam. | High |
| Cryptominer | The url is used for [cryptomining](https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/what-is-crypto-malware/). | High |
| Web Service | The URL is part of a platform (Email/Marketing platform for example). | High |
| Malicious | Malicious websites, which serve for malicious purposes. | High |
| Unclassified | The service couldn't classify the domain. there is not enough data about this resource. | N/A |
### **File Reputation Service**
#### Request
Send an **HTTPS POST** request to the following endpoint:
Request headers:
- "Client-Key": Your trial API key.
- "token": the token you have received from the rep-auth service.
request body, use JSON format:
```js
{
"request": [{
"resource": "{file-hash}"
}]
}
```
| **Parameter Name** | **Type** | **Is Optional** | **Description** |
| ------------------ | -------- | --------------- | ---------------------------------------- |
| resource | String | No | SHA256 / MD5 / SHA1 of the file to query |
### **File classifications**
| **Classification** | **Description** | **Severity** |
| ------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ |
| Unclassified | The service couldn't classify the hash. there is not enough data about this hash. | N/A |
| Adware | Adware is a form of software that downloads or displays unwanted ads when a user is online, collects marketing data and other information without the user's knowledge or redirects search requests to advertising websites. | Low |
| Riskware | Riskware are legitimate programs that can cause damage when exploited by malicious users – in order to delete, block, modify, or copy data, and disrupt the performance of computers or networks.| Medium |
| Malware | A malicious file that can harm computers or networks. | High |
| Benign | A legitimate file safe to run or process. | Medium |
| Unknown | The service has never seen this file before. | N/A |
| Spam | The file is used for spam. | High |
| Cryptominer | The file is used for cryptomining. | High |
| Phishing | File that attempt to obtain sensitive information such as usernames, passwords, and credit card details. | High |
### **IP Reputation Service**
#### Request
Send an **HTTPS POST** request to the following endpoint: https://rep.checkpoint.com/ip-rep/service/v3.0/query?resource={ip}
Request headers:
- "Client-Key": Your trial API key.
- "token": the token you have received from the rep-auth service.
request body, use JSON format:
```js
{
"request": [{
"resource": "{ip}"
}]
}
```
| **Parameter Name** | **Type** | **Is Optional** | **Description** |
| ------------------ | -------- | --------------- | --------------- |
| resource | String | No | The IP to query |
### **IP classifications**
| **Classification** | **Description** | **Severity** |
| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ |
| Unclassified | The service couldn't classify the IP. there is not enough data about this IP. | N/A |
| Adware | The IP's domains are operating in the gray areas of the law collecting private data on the users and display unwanted content. | Low |
| Volatile | The IP's domains contain malicious software, for example hacking websites. | Medium |
| Benign | A legit IP, which doesn't serve any malicious purpose. | N/A |
| CnC Server | A Command and Control server used for cummunicating with malware. | Critical |
| Compromised Server | A legit IP that was hacked and now serves a malicious purpose. | High |
| Phishing | The IP's domains attempt to obtain sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity like a known company. | High |
| Infection Source | The IP's domains may infect its visitors with malware. | High |
| Web Hosting | The IP's domains allow to rent server space to make websites accessible on the internet. | Medium |
| File Hosting | The IP's domains allow to renter server space to make files accessible on the internet. | Medium |
| Parked | The IP's domains permanently do not have content. it may contain advertising content on pages that have been registered but do not yet have original content. | Medium |
| Scanner | The IP is a known internet scanner. | Medium |
| Anonymiser | The IP is a known TOR anonymity internet. | Medium |
| Cryptominer | The IP's domains are used for cryptomining. | High |
| Spam | The IP's domains are used for spam. | High |
| Compromised Host | The IP belongs to a website which was hacked. | Medium |
## **Response**
Attribute Name
Type
Description
Inner Attribute
Inner Attribute Description
status
Object
Reflect the application status
code
label
message
code: 2001
label: SUCCESS
message: Succeeded to generate reputation
code: 2006
label: PARTIAL_SUCCESS
message: Some vendors are unavailable
resource
String
The URL from the request
reputation
Object
Reputation meta-data
classification
severity
The severity of the classification.
Possible values:
- N/A
- Low
- Medium
- High
- Critical
confidence
How much the service is confident with the reputation response.
Possible values:
- N/A
- Low
- Medium
- High
### **Response Status Codes**
| **HTTP Response Code** | **Description** |
| ---------------------- | ---------------------------------------------------------------------------------------------------------------------- |
| 200 | OK |
| 400 | Bad request - either the resource is not valid or the request parameter doesn't match the resource in the request body |
| 401 | Bad or missing "Client-Key" header |
| 403 | Bad or missing "token" header |