CriminalIP

This Integration is part of the CriminalIP Pack.

Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

Criminal IP is a comprehensive cyber threat intelligence solution that provides actionable insights into IP addresses, domains, and connected assets across the internet. It enables organizations to detect malicious indicators, assess asset reputation, and enhance threat detection by integrating enriched threat data directly into security operations via the XSOAR interface.

This integration was integrated and tested with version 1.0.0 of CriminalIP.

Configure CriminalIP in Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| API Key | The API Key to use for connection. | False |
| Server URL | The base URL of the Criminal IP API. | True |
| Trust any certificate (not secure) | When set to true, SSL certificates will not be validated. | False |
| Use system proxy settings | Use the system proxy settings to communicate with the API. | False |
| Request timeout (seconds) | Timeout for HTTP requests in seconds. Default is 30. | False |

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

criminal-ip-ip-report

Provides detailed information about an IP address using Criminal IP's API.

Base Command

criminal-ip-ip-report

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | The IP address to search. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CriminalIP.IP.IP | String | Queried IP address. |
| CriminalIP.IP.InboundScore | String | Inbound reputation score. |
| CriminalIP.IP.OutboundScore | String | Outbound reputation score. |
| CriminalIP.IP.Issues | String | Detected issues (VPN, Proxy, Tor, Hosting, Cloud, etc.). |
| CriminalIP.IP.ProtectedIPs | Number | Number of protected IPs related to this IP. |
| CriminalIP.IP.RelatedDomains | Number | Number of domains related to this IP. |
| CriminalIP.IP.ASN | Number | Autonomous System Number (ASN). |
| CriminalIP.IP.ASName | String | Autonomous System Name. |
| CriminalIP.IP.Org | String | Organization name from Whois. |
| CriminalIP.IP.Country | String | Country code from Whois. |
| CriminalIP.IP.Hostname | String | Resolved hostname. |
| CriminalIP.IP.OpenPorts | Number | Number of open ports detected. |
| CriminalIP.IP.ObservedPort | Number | Example open port number. |
| CriminalIP.IP.ObservedService | String | Example service detected on an open port. |
| CriminalIP.IP.Vulnerabilities | Number | Number of vulnerabilities detected on the IP. |
| CriminalIP.IP.ObservedCVE | String | Example CVE ID detected on the IP. |
| CriminalIP.IP.ObservedCVSS | Number | Example CVSS v3 score of a detected vulnerability. |
| CriminalIP.IP.raw | Unknown | Full raw response from the CriminalIP API. |

Example

!criminal-ip-ip-report ip=8.8.8.8

criminal-ip-check-malicious-ip

Determines whether an IP is malicious or safe through CriminalIP Asset Search.

Base Command

criminal-ip-check-malicious-ip

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | IP address to check. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CriminalIP.Mal_IP.ip | String | Queried IP address. |
| CriminalIP.Mal_IP.malicious | Boolean | Whether the IP was detected as malicious. |
| CriminalIP.Mal_IP.real_ip_list | Unknown | List of real IPs if a protected IP was detected. |
| CriminalIP.Mal_IP.raw | Unknown | Full raw response. |

Example

!criminal-ip-check-malicious-ip ip=192.168.1.1

criminal-ip-check-last-scan-date

Checks whether the domain has been scanned within the last 7 days.

Base Command

criminal-ip-check-last-scan-date

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | The domain whose last scan date to check. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CriminalIP.Scan_Date.domain | String | Queried domain. |
| CriminalIP.Scan_Date.scan_id | String | The last scan ID of the domain. |
| CriminalIP.Scan_Date.scanned | Boolean | Whether the domain was scanned within the last 7 days. |
| CriminalIP.Scan_Date.scan_date | String | The last scan date in ISO format. |
| CriminalIP.Scan_Date.raw | Unknown | Full raw response from the CriminalIP API. |

Example

!criminal-ip-check-last-scan-date domain=example.com

criminal-ip-domain-quick-scan

Performs a Domain Quick Scan using CriminalIP's API.

Base Command

criminal-ip-domain-quick-scan

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | The domain on which to perform a Quick Scan. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CriminalIP.Domain_Quick.domain | String | Queried domain. |
| CriminalIP.Domain_Quick.reg_dtime | String | Domain registration time. |
| CriminalIP.Domain_Quick.result | String | Quick scan result string. |
| CriminalIP.Domain_Quick.type | String | Domain type classification. |
| CriminalIP.Domain_Quick.raw | Unknown | Full raw response. |

Example

!criminal-ip-domain-quick-scan domain=example.com

criminal-ip-domain-lite-scan

Initiates a Domain Lite Scan and returns a scan_id.

Base Command

criminal-ip-domain-lite-scan

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | The domain on which to perform a Lite Scan. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CriminalIP.Domain_Lite.scan_id | String | Scan ID returned for the Lite Scan. |
| CriminalIP.Domain_Lite.raw | Unknown | Full raw response. |

Example

!criminal-ip-domain-lite-scan domain=example.com

criminal-ip-domain-lite-scan-status

Checks the progress of the Lite Scan.

Base Command

criminal-ip-domain-lite-scan-status

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| scan_id | The scan_id whose Lite Scan progress to check. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CriminalIP.Domain_Lite_Status.status | String | Lite Scan status. |
| CriminalIP.Domain_Lite_Status.scan_percentage | Number | Scan progress percentage. |
| CriminalIP.Domain_Lite_Status.raw | Unknown | Full raw response. |

Example

!criminal-ip-domain-lite-scan-status scan_id=abc123def456

criminal-ip-domain-lite-scan-result

Returns the Lite Scan results for the given scan_id.

Base Command

criminal-ip-domain-lite-scan-result

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| scan_id | The scan_id whose Lite Scan result to fetch. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CriminalIP.Domain_Lite_Result.domain | String | Queried domain. |
| CriminalIP.Domain_Lite_Result.created | String | Domain creation date. |
| CriminalIP.Domain_Lite_Result.registrar | String | Domain registrar. |
| CriminalIP.Domain_Lite_Result.score | String | Domain risk score. |
| CriminalIP.Domain_Lite_Result.report_time | String | Report generation time. |
| CriminalIP.Domain_Lite_Result.phishing_prob | Number | Phishing probability. |
| CriminalIP.Domain_Lite_Result.dga_score | Number | DGA score. |
| CriminalIP.Domain_Lite_Result.abuse_critical | Number | Critical abuse record count. |
| CriminalIP.Domain_Lite_Result.abuse_dangerous | Number | Dangerous abuse record count. |
| CriminalIP.Domain_Lite_Result.a_records | String | A records resolved. |
| CriminalIP.Domain_Lite_Result.ns_records | String | NS records resolved. |
| CriminalIP.Domain_Lite_Result.mapped_ips | String | Mapped IP list. |
| CriminalIP.Domain_Lite_Result.raw | Unknown | Full raw response. |

Example

!criminal-ip-domain-lite-scan-result scan_id=abc123def456

criminal-ip-domain-full-scan

Initiates a Domain Full Scan and returns a scan_id.

Base Command

criminal-ip-domain-full-scan

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | The domain on which to perform a Full Scan. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CriminalIP.Full_Scan.scan_id | String | Scan ID returned for the Full Scan. |
| CriminalIP.Full_Scan.raw | Unknown | Full raw response. |

Example

!criminal-ip-domain-full-scan domain=example.com

criminal-ip-domain-full-scan-status

Checks the progress of the Full Scan.

Base Command

criminal-ip-domain-full-scan-status

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| scan_id | The scan_id whose Full Scan status to check. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CriminalIP.Full_Scan_Status.status | String | Full Scan status. |
| CriminalIP.Full_Scan_Status.scan_percentage | Number | Scan progress percentage. |
| CriminalIP.Full_Scan_Status.raw | Unknown | Full raw response. |

Example

!criminal-ip-domain-full-scan-status scan_id=xyz789abc123

criminal-ip-domain-full-scan-result

Returns the Full Scan results for the given scan_id.

Base Command

criminal-ip-domain-full-scan-result

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| scan_id | The scan_id whose Full Scan result to fetch. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CriminalIP.Full_Scan_Result.domain | String | Queried domain. |
| CriminalIP.Full_Scan_Result.created | String | Domain creation date. |
| CriminalIP.Full_Scan_Result.registrar | String | Domain registrar. |
| CriminalIP.Full_Scan_Result.score | String | Domain risk score. |
| CriminalIP.Full_Scan_Result.report_time | String | Report generation time. |
| CriminalIP.Full_Scan_Result.phishing_prob | Number | Phishing probability. |
| CriminalIP.Full_Scan_Result.dga_score | Number | DGA score. |
| CriminalIP.Full_Scan_Result.punycode | Boolean | Whether punycode was detected. |
| CriminalIP.Full_Scan_Result.fake_https | Boolean | Whether fake HTTPS was detected. |
| CriminalIP.Full_Scan_Result.abuse_critical | Number | Critical abuse record count. |
| CriminalIP.Full_Scan_Result.abuse_dangerous | Number | Dangerous abuse record count. |
| CriminalIP.Full_Scan_Result.cert_valid_to | String | Certificate valid-until date. |
| CriminalIP.Full_Scan_Result.connected_ips | String | Connected IP list. |
| CriminalIP.Full_Scan_Result.ssl_vulns | String | SSL vulnerabilities detected. |
| CriminalIP.Full_Scan_Result.raw | Unknown | Full raw response. |

Example

!criminal-ip-domain-full-scan-result scan_id=xyz789abc123

criminal-ip-domain-full-scan-make-email-body

Builds an email body summarizing notable findings from a completed Full Scan.

Base Command

criminal-ip-domain-full-scan-make-email-body

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| scan_id | The scan_id of the completed Full Scan. | Required |
| domain | The domain of the completed Full Scan. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CriminalIP.Email_Body.domain | String | Domain analyzed. |
| CriminalIP.Email_Body.scan_id | String | Scan ID used for generating the email body. |
| CriminalIP.Email_Body.domain_score | String | Domain score. |
| CriminalIP.Email_Body.phishing_prob | Number | Phishing probability. |
| CriminalIP.Email_Body.dga_score | Number | DGA score. |
| CriminalIP.Email_Body.registrar | String | Domain registrar. |
| CriminalIP.Email_Body.created | String | Domain creation date. |
| CriminalIP.Email_Body.report_time | String | Report generation time. |
| CriminalIP.Email_Body.abuse_critical | Number | Critical abuse record count. |
| CriminalIP.Email_Body.abuse_dangerous | Number | Dangerous abuse record count. |
| CriminalIP.Email_Body.fake_https | Boolean | Whether fake HTTPS was detected. |
| CriminalIP.Email_Body.punycode | Boolean | Whether punycode was detected. |
| CriminalIP.Email_Body.cert_valid_to | String | Certificate expiration date. |
| CriminalIP.Email_Body.connected_ips | String | Connected IP addresses (comma-separated). |
| CriminalIP.Email_Body.ssl_vulns | String | SSL vulnerabilities detected. |
| CriminalIP.Email_Body.readable_output | String | Pre-formatted Full Scan report (email-ready). |
| CriminalIP.Email_Body.raw | Unknown | Full raw response from the Criminal IP API. |

Example

!criminal-ip-domain-full-scan-make-email-body scan_id=xyz789abc123 domain=example.com

criminal-ip-micro-asm

Produces a micro ASM-style summary for a domain with a completed Full Scan.

Base Command

criminal-ip-micro-asm

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| scan_id | The scan_id of the completed Full Scan. | Required |
| domain | The domain of the completed Full Scan. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CriminalIP.Micro_ASM.domain | String | Domain analyzed. |
| CriminalIP.Micro_ASM.scan_id | String | Scan ID used for Micro ASM. |
| CriminalIP.Micro_ASM.domain_score | String | Domain score. |
| CriminalIP.Micro_ASM.phishing_prob | Number | Phishing probability. |
| CriminalIP.Micro_ASM.dga_score | Number | DGA score. |
| CriminalIP.Micro_ASM.registrar | String | Domain registrar. |
| CriminalIP.Micro_ASM.created | String | Domain creation date. |
| CriminalIP.Micro_ASM.report_time | String | Report generation time. |
| CriminalIP.Micro_ASM.abuse_critical | Number | Critical abuse record count. |
| CriminalIP.Micro_ASM.abuse_dangerous | Number | Dangerous abuse record count. |
| CriminalIP.Micro_ASM.fake_https | Boolean | Whether fake HTTPS was detected. |
| CriminalIP.Micro_ASM.punycode | Boolean | Whether punycode was detected. |
| CriminalIP.Micro_ASM.cert_valid_to | String | Certificate expiration date. |
| CriminalIP.Micro_ASM.connected_ips | String | Connected IP addresses (comma-separated). |
| CriminalIP.Micro_ASM.ssl_vulns | String | SSL vulnerabilities detected. |
| CriminalIP.Micro_ASM.readable_output | String | Pre-formatted Micro ASM report (email-ready). |
| CriminalIP.Micro_ASM.raw | Unknown | Full raw response from the CriminalIP API. |

Example

!criminal-ip-micro-asm scan_id=xyz789abc123 domain=example.com
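The make-email-body and micro-asm commands both populate the same Full Scan summary fields (phishing_prob, dga_score, punycode, fake_https, abuse counts, cert_valid_to, connected_ips, ssl_vulns). The added example below, which is not part of the integration's own code, shows how a follow-on playbook step could turn that context into a triage verdict; the sample context values and the 0.7 phishing threshold are constructed assumptions, not CriminalIP defaults.

```python
from datetime import datetime, timezone

# Constructed sample shaped like the CriminalIP.Email_Body / Micro_ASM context
# fields documented above; every value here is made up for this example.
SAMPLE_CONTEXT = {
    "domain": "example.com", "scan_id": "xyz789abc123", "domain_score": "Critical",
    "phishing_prob": 0.87, "dga_score": 0.12, "punycode": False, "fake_https": True,
    "abuse_critical": 2, "abuse_dangerous": 0,
    "cert_valid_to": "2024-01-31T23:59:59", "report_time": "2024-03-01T09:00:00",
    "connected_ips": "203.0.113.10, 203.0.113.11", "ssl_vulns": "",
}

PHISHING_THRESHOLD = 0.7  # assumed escalation threshold, not a CriminalIP value


def _parse_time(value):
    """Parse an ISO 8601 string to a naive UTC datetime; None if missing or malformed."""
    try:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except (AttributeError, ValueError):
        return None
    return dt.astimezone(timezone.utc).replace(tzinfo=None) if dt.tzinfo else dt


def notable_findings(ctx, phishing_threshold=PHISHING_THRESHOLD):
    """Collect the findings a responder would want called out from the context fields."""
    findings = []
    if (ctx.get("phishing_prob") or 0) >= phishing_threshold:
        findings.append(f"phishing probability {ctx['phishing_prob']:.2f}")
    if ctx.get("fake_https"):
        findings.append("fake HTTPS detected")
    if ctx.get("punycode"):
        findings.append("punycode in domain name")
    for key, label in (("abuse_critical", "critical"), ("abuse_dangerous", "dangerous")):
        if (ctx.get(key) or 0) > 0:
            findings.append(f"{ctx[key]} {label} abuse record(s)")
    valid_to, reported = _parse_time(ctx.get("cert_valid_to")), _parse_time(ctx.get("report_time"))
    if valid_to and reported and valid_to < reported:  # certificate already expired at scan time
        findings.append(f"certificate expired on {valid_to.date().isoformat()}")
    if ctx.get("ssl_vulns"):
        findings.append(f"SSL vulnerabilities: {ctx['ssl_vulns']}")
    return findings


def connected_ip_list(ctx):
    """Split the comma-separated connected_ips string into a clean list."""
    return [ip.strip() for ip in (ctx.get("connected_ips") or "").split(",") if ip.strip()]


def triage(ctx):
    """Summarise one completed Full Scan into a verdict plus the supporting findings."""
    findings = notable_findings(ctx)
    return {"domain": ctx.get("domain"), "scan_id": ctx.get("scan_id"),
            "verdict": "escalate" if findings else "informational",
            "findings": findings, "connected_ips": connected_ip_list(ctx)}
```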
