LEGIT User Guide

Everything you need to know about Legit - Lookup Explanation for Geniune IP Threats. It’s free for use over the web - Happy days right there

Figure 1, “Legit Features”

Simple to Use

In the search bar, type in your IP address of interest and hit enter or search. This will return information on the IP Address if found or no data found for the IP Address in question or an error. Errors are if you enter invalid addresses such as non-routable addresses such as, multicast addresses, or localhost.

Beside the search bar is a copy button that you can copy this URL and send this information to your colleague to see what you see about this IP Address.


Status Block

It will have whether the current address is blocked or not, which attacks has it seen, how many feeds have it as blocked, how many feeds were found, when it was first seen and when it was last seen as well as information on how many records are in this list.

GeoIP Block

This gives the GEO IP address information with a link to a possible area for this map.

IP Threat History

This is the feed history for when the IP Address in question appears.


This shows when the IP Address in question has been added and removed from the different feeds over time.

How to use Legit in an incident

In incidents, there are many times where you have a list of IP addresses, and you are determining if any of them are points of interest. With Legit, you can match these IP Addresses and see if there were similar types of attacks at that same time period from that IP Address, or conversely, it’s not in the list, and help you decide the other way.

This is another nugget of information to the SOC Analysts arsenal. The key for Legit is the ability to back a long time instead of the current status. Most APT can be found over 267 or more depending on the document you read, so having an up to six-year history could really help you out.