LEGIT User Guide

Everything you need to know about Legit - Lookup Explanation for Genuine IP Threats. It’s free to use over the web. - Happy days right there

Figure 1, “Legit Features”

Simple to Use

In the search bar, type in your IP address of interest and hit enter or search. This will return information on the IP Address if found or no data is found for the IP Address in question or an error. Errors are if you enter invalid addresses such as non-routable addresses such as, multicast addresses, or localhost.

Beside the search bar is a copy button to copy this URL and send this information to your colleague to see what you see about this IP Address.


Status Block

It will have whether the current address is blocked or not, which attacks it had seen, how many feeds have it as blocked, how many feeds were found, when it was first seen and when it was last seen, as well as information on how many records are in this list.

GeoIP Block

This gives the GEO IP address information with a link to a possible area for this map.

IP Threat History

This is the feed history for when the IP Address in question appears.


This shows when the IP address has been added and removed from the different feeds over time.

How to use Legit in an incident

In incidents, there are many times where you have a list of IP addresses, and you are determining if any of them are points of interest. With Legit, you can match these IP Addresses and see if there were similar types of attacks at that same time period from that IP Address, or conversely, it’s not in the list, and help you decide the other way.

This is another nugget of information to the SOC Analysts' arsenal. The key to Legit is the ability to look back a long time instead of only the current status. Most APT are found in logs over 267 days ago, so having an up to eight-year history could help.