Network Intelligence APIs

The Stairwell Network Intelligence APIs provide programmatic access to the same deep infrastructure context used by Stairwell's internal analysis engines. These endpoints allow security teams to enrich indicators, pivot across network infrastructure, and normalize messy data—all without leaving their existing workflows.

Use these APIs to answer critical questions during an investigation: Who owns this IP? What other domains are hosted here? Is this a legitimate cloud service or a bulletproof host?


Core Capabilities

The Network Intelligence suite is organized into four primary categories:

1. ASN Intelligence

Understand the ownership and registration details of Autonomous Systems.

  • GetASNWhois: Retrieve detailed WHOIS records for a specific ASN to identify the organization responsible for the network.

2. IP Intelligence

Gain immediate context on IP addresses, including cloud provider attribution and infrastructure relationships.

  • Enrichment: Retrieve WHOIS data and metadata for specific IP addresses.
  • LookupCloudProvider: Automatically identify whether an IP belongs to a known cloud provider (e.g., AWS, GCP, Azure) and retrieve the associated IP ranges.
  • Infrastructure Mapping: Determine which hostnames are currently resolving to a specific IP address using GetHostnamesResolvingToIP.

3. Hostname Intelligence

Pivot from domains to infrastructure to uncover related threats.

  • Resolution Data: Retrieve current and historical resolution data to see which IPs a hostname resolves to.
  • Batch Operations: Perform bulk lookups for hostname resolutions to enrich large sets of indicators efficiently.

4. Utilities & Normalization

Standardize your data to ensure consistent correlation and storage.

  • CanonicalizeURL: Convert URLs and hostnames into a consistent, comparable format by removing fragments, sorting parameters, and normalizing encoding.
  • eTLD+1 Computation: Automatically parse domains to determine their effective Top-Level Domain plus one (e.g., converting mail.google.co.uk to google.co.uk), essential for grouping related subdomains.

Common Use Cases

  • Automated Enrichment: Cloud provider lookups can be integrated into SOAR playbooks to automatically deprioritize alerts that originate from your own authorized infrastructure or from known benign cloud ranges.
  • Infrastructure Pivoting: Use GetHostnamesResolvingToIP to find all other domains hosted on a suspicious IP, potentially uncovering a wider attacker campaign.
  • Data Hygiene: Use Canonicalize endpoints to ensure that your threat intelligence platform (TIP) doesn't store http://example.com and example.com as two separate entities.
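
The canonicalization and eTLD+1 behaviour described under Utilities & Normalization, and the Data Hygiene use case above, as an added Python example that is not Stairwell's code and does not call its API. The public-suffix table and the sample indicators are constructed for illustration, and a bare hostname is assumed to be an http URL.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode, quote, unquote
from collections import defaultdict

# Constructed subset of the Public Suffix List, used only for this example; the real
# list (publicsuffix.org) has thousands of rules and should be loaded from disk.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "io", "github.io"}
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample indicators, not real threat data.
SAMPLE_INDICATORS = [
    "http://example.com",
    "example.com",
    "HTTP://Example.COM:80/?b=2&a=1#frag",
    "https://mail.google.co.uk/inbox",
    "https://docs.google.co.uk/a%20b",
]


def canonicalize_url(raw):
    """Canonical form: lowercase scheme and host, default port dropped, percent-encoding
    re-applied consistently, query parameters sorted, fragment removed, empty path -> '/'."""
    raw = raw.strip()
    if "://" not in raw:                 # bare hostname: assume http (policy choice)
        raw = "http://" + raw
    parts = urlsplit(raw)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")   # .hostname is already lowercased
    port = parts.port
    netloc = host if port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{port}"
    path = quote(unquote(parts.path), safe="/") or "/"
    query = urlencode(sorted(parse_qsl(parts.query, keep_blank_values=True)))
    return urlunsplit((scheme, netloc, path, query, ""))   # "" drops the fragment


def etld_plus_one(hostname):
    """Registrable domain via longest public-suffix match. Returns None when the host
    is itself a public suffix or its suffix is not in the table."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # shortest prefix first = longest suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def group_indicators(urls):
    """Deduplicate URLs by canonical form and bucket them by registrable domain."""
    groups = defaultdict(set)
    for u in urls:
        canon = canonicalize_url(u)
        host = urlsplit(canon).hostname or ""
        groups[etld_plus_one(host) or host].add(canon)
    return {domain: sorted(found) for domain, found in groups.items()}
```

With the sample above, `http://example.com` and `example.com` collapse to a single `http://example.com/` entry, and the two google.co.uk hosts land in one `google.co.uk` bucket.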