Endpoint: /search-by-ip
Required Permissions: search-by-ip
The IP/CIDR Search endpoint lets you look up compromises (infostealer logs and the credentials captured in them) associated with specific IP addresses or CIDR ranges. It is the endpoint to use for spotting compromised hosts inside your own network infrastructure or for investigating an incident that starts from a known IP. Typical uses:
Monitor corporate network compromises
Investigate security incidents
Track compromises across IP ranges
Identify affected infrastructure
Analyze remote work exposure
JSON
{
"ips": [
"67.181.31.229",
"187.156.204.104"
],
"sort_by": "date_compromised",
"sort_direction": "desc",
"filter_credentials": true,
"start_date": "2024-01-01T00:00:00Z",
"end_date": "2024-12-31T23:59:59Z"
}
JSON
{
"cidr": "45.166.26.62/28",
"sort_by": "date_compromised",
"sort_direction": "desc",
"filter_credentials": true,
"start_date": "2024-01-01T00:00:00Z",
"end_date": "2024-12-31T23:59:59Z"
}
Parameter | Type | Description | Constraints
ips | array[string] | List of IP addresses to search | 1-50 addresses, IPv4 or IPv6
cidr | string | CIDR range to search | Valid CIDR with prefix length /21 to /32
Parameter | Type | Default | Description
sort_by | string | "date_compromised" | Sort results by "date_compromised" or "date_uploaded"
sort_direction | string | "desc" | Sort direction: "asc" or "desc"
filter_credentials | boolean | true | Return only the credentials that matched the search
start_date | datetime | null | Only return results dated after this timestamp (ISO 8601, as in the examples)
end_date | datetime | null | Only return results dated before this timestamp (ISO 8601, as in the examples)
JSON
{
"data": [
{
"stealer": "string",
"date_compromised": "2024-02-27T10:53:48.989Z",
"date_uploaded": "2024-02-27T10:53:48.989Z",
"stealer_family": "string",
"ip": "string",
"computer_name": "string",
"operating_system": "string",
"credentials": [
{
"url": "string",
"domain": "string",
"username": "string",
"password": "string",
"type": "employee"
}
]
}
],
"nextCursor": "base64_encoded_cursor"
}
Use IPv4/IPv6 format only
Validate IP addresses before sending
Remove duplicates
Consider private vs public IPs
Use appropriate subnet sizes (/21-/32)
Consider network boundaries
Split large ranges into smaller chunks
Monitor response times for large ranges
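The two lists above (IP hygiene and CIDR sizing) are easy to get wrong by hand, so here is an added example, not code from the original page or the API vendor, that turns them into a request builder: it validates and canonicalises each address, drops duplicates and non-global addresses, batches IP lists into groups of 50, masks stray host bits off a CIDR (the page's own `45.166.26.62/28` becomes `45.166.26.48/28`), and splits ranges wider than /21 into /21 subnets. The rule that a body carries either `ips` or `cidr` but not both is an assumption taken from the two request examples, not something the page states; the 50-address and /21-/32 limits are from the parameter table.

```python
import ipaddress
from typing import Iterable

# Limits taken from the parameter table above.
MAX_IPS_PER_REQUEST = 50
MIN_PREFIX, MAX_PREFIX = 21, 32


def normalize_ips(raw_ips: Iterable[str], allow_private: bool = False) -> list[str]:
    """Validate each address, canonicalise it, drop duplicates, and (by default)
    drop non-global addresses (RFC 1918, loopback, link-local, ...), which never
    appear as a victim's public IP in stealer logs.  Invalid input raises rather
    than being silently skipped, so a typo in an asset list is caught early."""
    seen, out = set(), []
    for raw in raw_ips:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            raise ValueError(f"not a valid IPv4/IPv6 address: {raw!r}") from None
        if not allow_private and not addr.is_global:
            continue
        canon = str(addr)  # canonical text form, e.g. 2606:4700:0:0::1111 -> 2606:4700::1111
        if canon not in seen:
            seen.add(canon)
            out.append(canon)
    return out


def chunk_ips(ips: list[str], size: int = MAX_IPS_PER_REQUEST) -> list[list[str]]:
    """Split a long list into batches the API accepts (400 'Too many IPs' otherwise)."""
    return [ips[i:i + size] for i in range(0, len(ips), size)]


def split_cidr(cidr: str, target_prefix: int = MIN_PREFIX) -> list[str]:
    """Return one or more CIDRs inside the accepted /21-/32 window.
    Host bits are masked off (45.166.26.62/28 -> 45.166.26.48/28); ranges wider
    than the target prefix are split into equal subnets so each request stays small."""
    if not MIN_PREFIX <= target_prefix <= MAX_PREFIX:
        raise ValueError("target prefix must be between /21 and /32")
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen > MAX_PREFIX:
        raise ValueError(f"{net} is narrower than /{MAX_PREFIX}")  # e.g. an IPv6 /64
    if net.prefixlen >= target_prefix:
        return [str(net)]
    return [str(sub) for sub in net.subnets(new_prefix=target_prefix)]


def build_requests(ips=None, cidr=None, **filters) -> list[dict]:
    """Build every request body needed to cover the input.
    Assumption (not stated on the page): a body carries either `ips` or `cidr`,
    mirroring the two request examples above."""
    if (ips is None) == (cidr is None):
        raise ValueError("pass exactly one of ips or cidr")
    base = {"sort_by": "date_compromised", "sort_direction": "desc", **filters}
    if ips is not None:
        return [{**base, "ips": batch} for batch in chunk_ips(normalize_ips(ips))]
    return [{**base, "cidr": sub} for sub in split_cidr(cidr)]


if __name__ == "__main__":
    # A /19 becomes four /21 requests; host bits in the input are masked off.
    for body in build_requests(cidr="45.166.26.0/19", filter_credentials=True):
        print(body)
```

Splitting at /21 is the coarsest size the API accepts; if large ranges still hit 408 timeouts, lower `target_prefix` toward /24 so each request covers fewer addresses.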
Python
# `api` is the page's assumed async HTTP client wrapper (not defined here); it is
# expected to POST a JSON body and return the parsed response.
async def search_ips(ips):
    # ips: 1-50 validated, de-duplicated IPv4/IPv6 address strings
    return await api.post('/search-by-ip', {
        'ips': ips,
        'sort_by': 'date_compromised',
        'sort_direction': 'desc'
    })
Python
async def search_cidr(cidr_range):
    # cidr_range: a single CIDR with prefix length /21 to /32
    return await api.post('/search-by-ip', {
        'cidr': cidr_range,
        'filter_credentials': True
    })
Python
async def get_all_results(ips=None, cidr=None):
    # Follow nextCursor until the API returns none. The cursor is only added to the
    # body once we have one, so the first request does not send "cursor": null.
    # The request examples above use either `ips` or `cidr`, so exactly one is required.
    if (ips is None) == (cidr is None):
        raise ValueError('pass exactly one of ips or cidr')
    cursor = None
    results = []
    while True:
        payload = {'ips': ips} if ips is not None else {'cidr': cidr}
        if cursor:
            payload['cursor'] = cursor
        # `api.post` is assumed to return an object exposing `data` and `nextCursor`
        response = await api.post('/search-by-ip', payload)
        results.extend(response.data)
        if not response.nextCursor:
            break
        cursor = response.nextCursor
    return results
Status | Cause | Solution
400 | Invalid IP format | Validate each address as IPv4/IPv6 before sending
400 | Invalid CIDR range | Check the CIDR notation and that the prefix length is /21 to /32
400 | Too many IPs | Reduce the batch size to 50 IPs or fewer
408 | Request timeout | Reduce the CIDR range size (split it into smaller subnets)
Validate IP format
Check CIDR range boundaries
Sanitize inputs
Validate network ownership
Monitor sensitive IP ranges
Track changes over time
Alert on critical infrastructure
Document searched ranges
Encrypt sensitive data
Implement access controls
Log search patterns
Set retention policies
Start with smaller ranges
Split large ranges
Cache frequent searches
Monitor timeouts
Group related IPs
Implement rate limiting
Use pagination
Handle partial results
Monitor key IP ranges
Track compromise patterns
Alert on new findings
Monitor search volumes
Group related compromises
Track temporal patterns
Identify attack patterns
Monitor credential exposure
Forward results to SIEM
Correlate with other data
Create alerts
Track incidents
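The monitoring, analysis and SIEM-integration lists above all hinge on the same post-processing step: flatten each host record into one event per credential, decide whether a finding is new since the last run, never forward cleartext passwords, and raise severity for hosts inside ranges you care about. The following is an added example of that step, not code from the original page or the API vendor. The response data is constructed in the documented shape for illustration, the `CRITICAL_RANGES` list and the severity labels are assumptions, and the watermark is kept on `date_uploaded` because that is the field that advances when the vendor ingests a new log (a compromise dated months ago can still be uploaded today).

```python
import hashlib
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample response in the documented shape; not real data.
SAMPLE_RESPONSE = {
    "data": [
        {
            "stealer": "stealer-a", "stealer_family": "family-a",
            "date_compromised": "2024-02-27T10:53:48.989Z",
            "date_uploaded": "2024-02-27T10:53:48.989Z",
            "ip": "45.166.26.50", "computer_name": "WS-01", "operating_system": "Windows 10",
            "credentials": [
                {"url": "https://vpn.example.com/login", "domain": "example.com",
                 "username": "jdoe", "password": "hunter2", "type": "employee"},
                {"url": "https://mail.example.com/", "domain": "example.com",
                 "username": "jdoe", "password": "hunter2", "type": "employee"},
            ],
        },
        {
            "stealer": "stealer-b", "stealer_family": "family-b",
            "date_compromised": "2023-11-02T08:00:00.000Z",
            "date_uploaded": "2023-11-03T12:00:00.000Z",
            "ip": "67.181.31.229", "computer_name": "LAPTOP-7", "operating_system": "Windows 11",
            "credentials": [
                {"url": "https://portal.example.org/", "domain": "example.org",
                 "username": "asmith", "password": "Winter2023!", "type": "employee"},
            ],
        },
    ],
    "nextCursor": None,
}

# Assumed: ranges whose hosts warrant a high-severity alert (e.g. VPN/egress space).
CRITICAL_RANGES = [ipaddress.ip_network("45.166.26.48/28")]


def parse_ts(s: str) -> datetime:
    # API timestamps end in "Z"; datetime.fromisoformat only accepts that from 3.11 on.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def finding_id(rec: dict, cred: dict) -> str:
    """Stable id for one (host, credential) finding so repeated runs do not re-alert."""
    raw = "|".join([rec["ip"], rec["date_compromised"], cred["url"], cred["username"]])
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def redact(password: str) -> str:
    """Never ship cleartext passwords to the SIEM; a hash prefix still lets analysts
    correlate password reuse across findings."""
    return "sha256:" + hashlib.sha256(password.encode()).hexdigest()[:12]


def severity_for(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return "high" if any(addr in net for net in CRITICAL_RANGES) else "medium"


def to_siem_events(response: dict, watermark: datetime, seen: set) -> tuple:
    """Flatten host records into one event per credential, flag findings uploaded
    after `watermark` and not already in `seen`, and return (events, new_watermark)."""
    events, new_watermark = [], watermark
    for rec in response["data"]:
        uploaded = parse_ts(rec["date_uploaded"])
        new_watermark = max(new_watermark, uploaded)
        for cred in rec["credentials"]:
            fid = finding_id(rec, cred)
            is_new = uploaded > watermark and fid not in seen
            seen.add(fid)
            events.append({
                "finding_id": fid, "is_new": is_new, "severity": severity_for(rec["ip"]),
                "ip": rec["ip"], "computer_name": rec["computer_name"],
                "operating_system": rec["operating_system"], "stealer_family": rec["stealer_family"],
                "date_compromised": rec["date_compromised"], "date_uploaded": rec["date_uploaded"],
                "url": cred["url"], "domain": cred["domain"], "username": cred["username"],
                "password": redact(cred["password"]), "credential_type": cred["type"],
            })
    return events, new_watermark


def to_ndjson(events: list) -> str:
    """Newline-delimited JSON, the shape most SIEM HTTP collectors accept."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


if __name__ == "__main__":
    last_run = datetime(2024, 1, 1, tzinfo=timezone.utc)
    events, watermark = to_siem_events(SAMPLE_RESPONSE, last_run, set())
    print(to_ndjson([e for e in events if e["is_new"]]))
    print("next watermark:", watermark.isoformat())
```

Persist both the watermark and the `seen` set between scheduled runs; the watermark alone is not enough because a page of results can contain several uploads with the same `date_uploaded`.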
Schedule regular scans
Automate responses
Update IP inventories
Generate reports
Document searches
Track sensitive assets
Maintain audit logs
Report on findings