Threat Lookup

The zone's Threats page is an investigation tool for your zone's security layer. It surfaces active security decisions, scenario hits, and IP reputation over a rolling 24-hour window, so you can understand exactly why a given IP is -- or isn't -- being blocked, and act on it.

The Threats page: look up the current security decision for an IP.

Overview

Threat Lookup answers a single, common question: what does smoxy currently think about this IP address, and why? Rather than guessing from access logs, you enter an IP and get the active decision, the data behind it, and the recent security events that led there -- all in one place.

It is an observability and investigation tool. It does not change how traffic is handled on its own; it shows you the current state and lets you take direct action when you decide to.


Looking Up an IP

Enter an IP address and look it up. smoxy returns everything it knows about that address for this zone:

| Section | What it shows |
| --- | --- |
| Threat score | A 0–100 gauge summarizing how risky the IP is currently considered |
| Current decision | The active action, its source, score, and remaining time-to-live |
| Network info | Where the IP is and who it belongs to |
| Scenario timeline | The security-scenario events recorded for this IP in the last 24 hours |

If there is no active decision for the IP, the lookup still shows its network info and any recent scenario activity -- useful for confirming that an address is not currently being acted on.


Threat Score

The threat score is a 0–100 gauge that summarizes the IP's current risk level for this zone. Higher scores indicate riskier behavior. The score reflects recent scenario activity and reputation data within the rolling 24-hour window, so it rises as malicious behavior accumulates and decays as the IP goes quiet.


Current Decision

When an IP is actively being blocked or challenged, the lookup shows the decision in effect:

| Field | Description |
| --- | --- |
| Source | Where the decision comes from (see below) |
| Current action | What smoxy is doing with the IP - for example block, challenge, or monitor |
| Score | The score associated with the active decision |
| TTL remaining | How long the decision stays in effect - shown as Expires in / time remaining |

The decision panel: the threat-score gauge, the active decision, and the Force block / Challenge actions.

Where a Decision Comes From

The Source tells you which list or signal produced the active decision:

| Source | Meaning |
| --- | --- |
| Zone blocklist | The IP is on this zone's own blocklist (shown as "zone") |
| Global blocklist | The IP is on smoxy's global blocklist, maintained across all zones (shown as "global blocklist") |
| Global reputation | smoxy's global reputation data currently flags this IP (shown as "global") |

When no decision source applies, a dash (-) is shown instead.

Note: Decisions sourced from the global blocklist or global reputation are managed by smoxy across all zones. To change how a specific IP is treated for your zone, use the zone's own Blocklist & Allowlist.


Network Info

The lookup enriches the IP with network and geolocation details to help you identify the source:

| Field | Description |
| --- | --- |
| IP address | The address you looked up |
| Country | Country the IP is associated with |
| Provider (ASN) | The network operator / autonomous system |
| City / Region | More precise location, when available |
| Coordinates | Approximate latitude and longitude |

The Network Info card: geolocation and network operator for the looked-up IP.

Scenario Timeline

The scenario timeline lists the security-scenario events recorded for this IP within the 24-hour window. Each row shows how a managed security scenario reacted to the IP's behavior and how that moved its score:

| Column | Description |
| --- | --- |
| Time | When the event was recorded |
| Scenario | The name of the managed security scenario that fired |
| Delta | The score change the event applied (positive raises the score) |
| Score | The resulting score after applying the delta |
| Action | The action associated with the event |

Reading the timeline from top to bottom shows how an IP earned its current score -- which scenarios fired, how much each contributed, and when.

The scenario timeline: the security-scenario events that shaped the IP's score.
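The timeline reading described above can also be done offline during triage. The following Python sketch is an added example, not smoxy code: it takes rows copied by hand from the timeline table, keeps those inside the 24-hour window, totals the delta per scenario, and flags rows whose Score is not the previous Score plus Delta. The row layout, timestamp format, scenario names and the `explain_score` helper are assumptions; this page documents no export format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows in the timeline's column order:
# Time, Scenario, Delta, Score, Action. Scenario names are made up.
ROWS = [
    ("2024-05-01T08:00:00", "example-path-scan", 20, 20, "monitor"),
    ("2024-05-02T09:10:00", "example-login-bruteforce", 30, 30, "monitor"),
    ("2024-05-02T09:25:00", "example-login-bruteforce", 25, 55, "challenge"),
    ("2024-05-02T13:40:00", "example-path-scan", 30, 80, "block"),
]


def explain_score(rows, now, window=timedelta(hours=24)):
    """Summarize which scenarios built the score inside the rolling window."""
    events = sorted(
        (datetime.fromisoformat(t), name, delta, score, action)
        for t, name, delta, score, action in rows
    )
    # Activity older than the window has aged out and no longer counts.
    recent = [e for e in events if now - e[0] <= window]

    per_scenario = defaultdict(int)
    drift = []  # rows where Score != previous Score + Delta
    prev_score = None
    for when, name, delta, score, _action in recent:
        per_scenario[name] += delta
        if prev_score is not None and prev_score + delta != score:
            # The gap is movement the deltas do not account for,
            # such as the score decaying while the IP was quiet.
            drift.append((when.isoformat(), score - (prev_score + delta)))
        prev_score = score

    return {
        "events": len(recent),
        "per_scenario": dict(per_scenario),
        "drift": drift,
        "last_score": prev_score,
        # Action of the latest event only; whether anything is in effect
        # right now is what the Current decision panel shows.
        "last_action": recent[-1][4] if recent else None,
    }


if __name__ == "__main__":
    print(explain_score(ROWS, now=datetime(2024, 5, 2, 14, 0)))
```
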

Tip: Scenarios are smoxy's curated detection rules that watch live traffic for specific attack behavior. For what they are and how to manage them, see Managed Security Scenarios.


Taking Action on an IP

From a lookup you can act on the IP directly:

| Action | Effect |
| --- | --- |
| Force block | Block the IP for this zone, regardless of its score |
| Challenge | Require the IP to pass a challenge before its requests are served |

Both actions create or update an entry in the zone's blocklist. This makes Threat Lookup the natural place to escalate from investigating an IP to acting on it. To review or remove these entries afterwards, see Blocklist & Allowlist.


Important Considerations

  • 24-hour window: Threat scores and the scenario timeline cover a rolling 24-hour period. Older activity ages out and stops contributing to the score.
  • Decision vs. score: A high score does not always mean the IP is currently blocked -- the Current decision section is what tells you whether an action is in effect right now.
  • Zone vs. global: Decisions can originate from your zone's lists or from smoxy's global blocklist and reputation. You can only edit your zone's lists; global lists are maintained by smoxy.
  • Acting creates a list entry: Force block and Challenge write to the zone blocklist. Manage those entries on the Blocklist & Allowlist page.