AbuseIPDB
AbuseIPDB Pack
This Integration is part of the AbuseIPDB Pack. Use the AbuseIPDB integration to report and identify IP addresses that have been associated with malicious activity online.
Use Cases
Check the reputation of an IP address, report abusive IP addresses, and retrieve the block list of the most reported malicious IPs.
Configure AbuseIPDB on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services .
- Search for AbuseIPDB.
- Click Add instance to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- API Key (v2).
- Source Reliability : Reliability of the source providing the intelligence data.
- IP Threshold: Minimum abuse confidence score from AbuseIPDB analysis to consider the IP malicious (must be greater than 20).
- Max reports age.
- Disable reputation lookups for private IP addresses: Skips API calls for private (non-routable) addresses, which reduces the number of lookups made against the AbuseIPDB API quota.
- Disregard quota errors.
- Click Test to validate the API key and the connection.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Check if an IP address is in the AbuseIP database: ip
- Query a block of IP addresses: abuseipdb-check-cidr-block
- Report an IP address: abuseipdb-report-ip
- Get a list of the most reported IP addresses: abuseipdb-get-blacklist
- Get a list of report categories: abuseipdb-get-categories
1. Check if an IP address is in the AbuseIP database
Checks the specified IP address against the AbuseIP database.
Base Command
ip
Input
Argument Name | Description | Required |
---|---|---|
ip | IP address to check | Required |
days | Time range to return reports for (in days), default is 30 | Optional |
verbose | Report length, "true" returns the full report, "false" does not return reported categories, default is "true" | Optional |
threshold | Minimum score from AbuseIPDB to consider the IP malicious (must be greater than 20), default is 80 | Optional |
override_private_lookup | Enrich private IP addresses even if private lookups have been disabled at the integration level, default is "false" | Optional |
Context Output
Path | Type | Description |
---|---|---|
AbuseIPDB.IP.Address | unknown | IP address |
AbuseIPDB.IP.AbuseConfidenceScore | unknown | Confidence score fetched from AbuseIPDB |
AbuseIPDB.IP.TotalReports | unknown | The number of times this address has been reported |
AbuseIPDB.IP.Geo.Country | String | Country associated with this IP Address |
AbuseIPDB.IP.Geo.CountryCode | String | Country code associated with this IP Address |
AbuseIPDB.IP.Hostnames | String | The hostname(s) of the IP address. |
AbuseIPDB.IP.IpVersion | String | The version of the IP address. |
AbuseIPDB.IP.IsPublic | String | Is the IP address public. |
AbuseIPDB.IP.IsTor | String | Is the IP address a Tor IP. |
AbuseIPDB.IP.IsWhitelisted | String | Is the IP address whitelisted. |
AbuseIPDB.IP.LastReportedAt | String | When the IP address was last reported. |
AbuseIPDB.IP.NumDistinctUsers | String | The distinct number of users. |
AbuseIPDB.IP.Address.Reports | unknown | Reports summary (for "verbose" reports) |
DBotScore.Score | unknown | Analysis score |
DBotScore.Vendor | unknown | Vendor name (AbuseIPDB) |
DBotScore.Indicator | unknown | The IP address |
DBotScore.Type | unknown | The type (ip) |
AbuseIPDB.IP.Malicious.Vendor | unknown | The vendor that determined this IP address to be malicious |
AbuseIPDB.IP.Malicious.Detections | unknown | The Detections that led to the verdict |
AbuseIPDB.IP.UsageType | String | Usage type of the IP. |
AbuseIPDB.IP.Domain | String | Domain of the IP. |
Command Example
!ip ip=8.8.8.8 days=30 verbose=true
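As an added illustration (not the integration's own code), the following Python sketches how the ip command's threshold, override_private_lookup and context outputs fit together: it enforces the "greater than 20" threshold floor from the table above, decides whether a private address should be looked up at all, and maps a constructed v2 check response onto the AbuseIPDB.IP and DBotScore paths. The response field names, the sample values and the score-to-DBotScore mapping are assumptions.

```python
import ipaddress

# Constructed sample of an AbuseIPDB v2 "check" response; the values are made up and
# 203.0.113.45 sits in the RFC 5737 documentation range, not a real reported host.
SAMPLE_RESPONSE = {"data": {
    "ipAddress": "203.0.113.45", "isPublic": True, "ipVersion": 4,
    "isWhitelisted": False, "abuseConfidenceScore": 87, "countryCode": "US",
    "usageType": "Data Center/Web Hosting/Transit", "domain": "example.net",
    "hostnames": ["host.example.net"], "isTor": False, "totalReports": 12,
    "numDistinctUsers": 9, "lastReportedAt": "2024-01-15T10:22:31+00:00"}}

DBOT_GOOD, DBOT_SUSPICIOUS, DBOT_BAD = 1, 2, 3  # XSOAR DBotScore values


def validate_threshold(threshold: int) -> int:
    """The page requires the threshold to be greater than 20 (default 80)."""
    if threshold <= 20:
        raise ValueError("threshold must be greater than 20")
    return threshold


def should_query(ip: str, private_lookups_disabled: bool,
                 override_private_lookup: bool = False) -> bool:
    """Skip the API call for private addresses when the instance disables such lookups,
    unless override_private_lookup is set. Python's is_private also covers IANA
    special-purpose ranges such as 203.0.113.0/24, which is fine for this purpose."""
    if ipaddress.ip_address(ip).is_private and private_lookups_disabled:
        return override_private_lookup
    return True


def build_context(response: dict, threshold: int = 80) -> dict:
    """Map a check response onto the AbuseIPDB.IP and DBotScore context paths."""
    threshold = validate_threshold(threshold)
    d = response["data"]
    score = d["abuseConfidenceScore"]
    # Assumed verdict mapping (not the integration's own code): at or above the
    # threshold is Bad, above the 20 floor is Suspicious, otherwise Good.
    dbot = DBOT_BAD if score >= threshold else DBOT_SUSPICIOUS if score > 20 else DBOT_GOOD
    ip_ctx = {"Address": d["ipAddress"], "AbuseConfidenceScore": score,
              "TotalReports": d["totalReports"], "IsPublic": d["isPublic"],
              "IsTor": d["isTor"], "IsWhitelisted": d["isWhitelisted"],
              "Geo": {"CountryCode": d["countryCode"]}, "UsageType": d["usageType"],
              "Domain": d["domain"], "Hostnames": d["hostnames"],
              "NumDistinctUsers": d["numDistinctUsers"], "LastReportedAt": d["lastReportedAt"]}
    if dbot == DBOT_BAD:  # Malicious.* is only populated when the verdict is malicious
        ip_ctx["Malicious"] = {"Vendor": "AbuseIPDB",
                               "Detections": f"abuse confidence {score} >= threshold {threshold}"}
    return {"AbuseIPDB.IP": ip_ctx,
            "DBotScore": {"Indicator": d["ipAddress"], "Type": "ip",
                          "Vendor": "AbuseIPDB", "Score": dbot}}
```

Raising the threshold argument above the sample's score of 87 drops the verdict to Suspicious and removes the Malicious.* keys, which is the behaviour a playbook relying on AbuseIPDB.IP.Malicious should expect.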
2. Query a block of IP addresses
Queries a block of IPs to check against the database
Base Command
abuseipdb-check-cidr-block
Input
Argument Name | Description | Required |
---|---|---|
network | IPv4 Address Block in CIDR notation. | Required |
days | Time range to return reports for (in days), default is 30 | Optional |
limit | Maximum number of IPs to check, default is 40 | Optional |
threshold | Minimum score from AbuseIPDB to consider the IP malicious (must be greater than 20), default is 80 | Optional |
Context Output
Path | Type | Description |
---|---|---|
AbuseIPDB.IP.Address | unknown | IP address |
AbuseIPDB.IP.AbuseConfidenceScore | unknown | Confidence score fetched from AbuseIPDB |
AbuseIPDB.IP.Geo.Country | String | Country associated with this IP Address |
AbuseIPDB.IP.Geo.CountryCode | String | Country code associated with this IP Address |
AbuseIPDB.IP.Hostnames | String | The hostname(s) of the IP address. |
AbuseIPDB.IP.IpVersion | String | The version of the IP address. |
AbuseIPDB.IP.IsPublic | String | Is the IP address public. |
AbuseIPDB.IP.IsTor | String | Is the IP address a Tor IP. |
AbuseIPDB.IP.IsWhitelisted | String | Is the IP address whitelisted. |
AbuseIPDB.IP.LastReportedAt | String | When the IP address was last reported. |
AbuseIPDB.IP.NumDistinctUsers | String | The distinct number of users. |
AbuseIPDB.IP.TotalReports | unknown | The number of times this address has been reported |
DBotScore.Score | unknown | Analysis score |
DBotScore.Vendor | unknown | Vendor name (AbuseIPDB) |
DBotScore.Indicator | unknown | The IP address |
DBotScore.Type | unknown | The type (ip) |
AbuseIPDB.IP.Malicious.Vendor | unknown | The vendor that determined this IP address to be malicious |
AbuseIPDB.IP.Malicious.Detections | unknown | The Detections that led to the verdict |
AbuseIPDB.IP.UsageType | String | Usage type of the IP. |
AbuseIPDB.IP.Domain | String | Domain of the IP. |
Command Example
!abuseipdb-check-cidr-block network="127.0.0.2/24" days="30" limit="40" threshold="80"
3. Report an IP address
Report an IP address to AbuseIPDB
Base Command
abuseipdb-report-ip
Input
Argument Name | Description | Required |
---|---|---|
ip | The IP address to report | Required |
categories | CSV list of category IDs (numerical representation or in their name) | Required |
Context Output
There is no context output for this command.
Command Example
!abuseipdb-report-ip ip=8.8.8.8 categories="18,22,23"
4. Get a list of the most reported IP addresses
Returns a list of the most reported IP addresses
Base Command
abuseipdb-get-blacklist
Input
Argument Name | Description | Required |
---|---|---|
days | Time range to return reports for (in days), default is 30 | Optional |
limit | Maximum number of IPs to retrieve, default is 50 | Optional |
confidence | The minimum abuse confidence score required for the retrieved IPs, default is 100 | Optional |
Context Output
Path | Type | Description |
---|---|---|
AbuseIPDB.Blacklist | unknown | List of IPs on block list |
Command Example
!abuseipdb-get-blacklist days=30 limit=5
5. Get a list of report categories
Returns a list of report categories from AbuseIPDB
Base Command
abuseipdb-get-categories
Input
There are no input arguments for this command.
Context Output
Path | Type | Description |
---|---|---|
AbuseIPDB.Categories | string | List of AbuseIPDB categories |
Command Example
!abuseipdb-get-categories
Additional Information
- What is the "Confidence of Abuse" rating, and how is it calculated?
AbuseIPDB confidence of abuse is a rating (0-100) of how confident we are, based on user reports, that an IP address is completely malicious. A rating of 100 means we are certain that an IP address is malicious, and a rating of 0 means we have no reason to suspect it is malicious.