UNTRUSTEDIP rule details in Risk Authentication
Article ID: 265388

Products

CA Risk Authentication, CA Advanced Authentication, CA Advanced Authentication - Risk Authentication (RiskMinder / RiskFort)

Issue/Introduction

When calling the RiskFort API for the request, we got the response with untrusted IP as Y. We would like to know what the logic (query) behind untrusted IP = Y is for the response below, because when we checked the untrusted IP table we did not see the IP.

SELECT * FROM ARRFUNTRUSTEDIPLIST where IPADDRESS <= ip2int('x.x.x.x') AND ENDIPADDRESS >= ip2int('x.x.x.x');

EvaluateRisk: Received evaluateRisk response from the server.

2023-05-03 09:13:47,732 [[ACTIVE] ExecuteThread: '18' for queue: 'weblogic.kernel.Default (self-tuning)'] DEBUG arcot.riskfortAPI.RiskXActionAPI(250) [] -> evaluateRisk: Response Packet [<POLICYSERVERDOC DATATYPE="XML"><POLICYRES><MESSAGEID>0</MESSAGEID><RULEANNOTATION>USERKNOWN=Y;UNTRUSTEDIP=Y;TRUSTEDIP=N;NEGATIVECOUNTRY=N;EXCEPTION=N;DEVICEIDCHECK=N;USERVELOCITY=N;DEVICEVELOCITY=N;USER_DEVICE_ASSOCIATED_AND_DEVICE_MFP_MATCHED=N;USER_DEVICE_NOT_ASSOCIATED_AND_DEVICE_MFP_MATCHED=N;USER_DEVICE_ASSOCIATED_AND_DEVICE_MFP_NOT_MATCHED=N;USER_DEVICE_NOT_ASSOCIATED_AND_DEVICE_MFP_NOT_MATCHED=Y;</RULEANNOTATION><MATCHEDRULEMNEMONIC>UNTRUSTEDIP</MATCHEDRULEMNEMONIC></POLICYRES></POLICYSERVERDOC>]

Environment

Release : 9.1

Risk Authentication

Cause

The IP address is part of the Anonymizer data under the 'PRIVATE' category, which is considered risky.

Resolution

The ARRFUNTRUSTEDIPLIST table contains the IP addresses and ranges that are uploaded manually when they should be blocked by Risk Authentication. Separately, Neustar (a third-party vendor) supplies the Quova data. One part of the Quova data, loaded into the ARQGEOPOINT tables, is geolocation data (it provides the location the transaction originated from); the other part is Anonymizer data. To determine whether an address's location information is reliable, Neustar performs rigorous testing of IP addresses, and as part of this testing identifies some addresses as "Anonymizers": addresses that have tested positive as anonymous proxies used to hide the true location of the end user. "Anonymizer" status does not prove fraudulent intent, but it does indicate that the user is hiding their location, so these addresses represent a high-risk access potential. This link provides details about the Anonymizer data; the check is configured through the Untrusted IP rule.
The IP address you provided has the 'PRIVATE' Anonymizer status, which is treated as risky, so the UNTRUSTEDIP rule is triggered even though the address does not appear in ARRFUNTRUSTEDIPLIST. The screenshots below provide more context for this explanation.
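The following Python snippet is an added illustration of the two-source logic described in this article, not code from the RiskFort product: an address can trigger UNTRUSTEDIP either because it falls inside a manually uploaded range in ARRFUNTRUSTEDIPLIST (the integer range comparison the customer's query performs) or because the Quova Anonymizer feed marks it with a risky status such as 'PRIVATE'. It also parses the RULEANNOTATION string from the evaluateRisk response packet quoted above so that the firing rules can be read off a log line. The table contents, the anonymizer statuses, the set of statuses treated as risky and the function names are all constructed assumptions for this example; the product's internal evaluation order is not documented here.

```python
import ipaddress
import xml.etree.ElementTree as ET


def ip2int(ip: str) -> int:
    """Integer form of a dotted-quad IPv4 address (same meaning as the ip2int() in the SQL query)."""
    return int(ipaddress.IPv4Address(ip))


# Constructed stand-in for ARRFUNTRUSTEDIPLIST: manually uploaded (IPADDRESS, ENDIPADDRESS) ranges.
UNTRUSTED_IP_LIST = [
    ("203.0.113.0", "203.0.113.255"),
    ("198.51.100.10", "198.51.100.20"),
]

# Constructed stand-in for the Anonymizer portion of the Quova/Neustar data: IP -> status.
ANONYMIZER_STATUS = {
    "192.0.2.44": "PRIVATE",
    "192.0.2.45": "NONE",
}

# Assumption: which anonymizer statuses count as risky is a rule setting; the article names 'PRIVATE'.
RISKY_ANONYMIZER_STATUSES = {"PRIVATE"}


def in_untrusted_list(ip: str, ranges=UNTRUSTED_IP_LIST) -> bool:
    """Range containment check equivalent to:
    IPADDRESS <= ip2int(ip) AND ENDIPADDRESS >= ip2int(ip)."""
    n = ip2int(ip)
    return any(ip2int(start) <= n <= ip2int(end) for start, end in ranges)


def evaluate_untrusted_ip(ip: str, ranges=UNTRUSTED_IP_LIST, anonymizers=ANONYMIZER_STATUS):
    """Return ('Y' or 'N', reason) explaining why UNTRUSTEDIP did or did not fire.

    The manual list is consulted first; if it does not match, the anonymizer
    status decides. An address absent from ARRFUNTRUSTEDIPLIST can therefore
    still yield 'Y', which is the situation described in this article.
    """
    if in_untrusted_list(ip, ranges):
        return "Y", "ARRFUNTRUSTEDIPLIST"
    status = anonymizers.get(ip, "NONE")
    if status in RISKY_ANONYMIZER_STATUSES:
        return "Y", "ANONYMIZER:" + status
    return "N", "NONE"


def parse_rule_annotation(annotation: str) -> dict:
    """Turn 'USERKNOWN=Y;UNTRUSTEDIP=Y;...' into {'USERKNOWN': 'Y', 'UNTRUSTEDIP': 'Y', ...}."""
    result = {}
    for item in annotation.split(";"):
        if not item.strip():
            continue  # trailing ';' leaves an empty element
        name, _, value = item.partition("=")
        result[name.strip()] = value.strip()
    return result


def parse_response_packet(packet_xml: str):
    """Extract the rule annotation map and the matched rule mnemonic from a POLICYSERVERDOC packet."""
    root = ET.fromstring(packet_xml)
    annotation = root.findtext(".//RULEANNOTATION") or ""
    matched = root.findtext(".//MATCHEDRULEMNEMONIC") or ""
    return parse_rule_annotation(annotation), matched


# Constructed packet with the same shape as the one quoted in the article.
SAMPLE_PACKET = (
    '<POLICYSERVERDOC DATATYPE="XML"><POLICYRES><MESSAGEID>0</MESSAGEID>'
    "<RULEANNOTATION>USERKNOWN=Y;UNTRUSTEDIP=Y;TRUSTEDIP=N;NEGATIVECOUNTRY=N;</RULEANNOTATION>"
    "<MATCHEDRULEMNEMONIC>UNTRUSTEDIP</MATCHEDRULEMNEMONIC></POLICYRES></POLICYSERVERDOC>"
)

if __name__ == "__main__":
    for addr in ("203.0.113.5", "192.0.2.44", "192.0.2.45"):
        print(addr, evaluate_untrusted_ip(addr))
    rules, matched = parse_response_packet(SAMPLE_PACKET)
    print("fired:", [k for k, v in rules.items() if v == "Y"], "matched:", matched)
```

When an address returns 'Y' with an ANONYMIZER reason, the place to look is the anonymizer data and the Untrusted IP rule configuration rather than ARRFUNTRUSTEDIPLIST.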