Skip to main content


This Integration is part of the CrowdSec Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

Identify Malicious IP addresses with the CrowdSec CTI API.

Configure CrowdSec on Cortex XSOAR#

  1. Navigate to Settings > Integrations.

  2. Search for CrowdSec.

  3. Click Add instance to create and configure a new integration instance.

    Source ReliabilityReliability of the source providing the intelligence data.True
    API KeyTrue
    Trust any certificate (not secure)False
    Use system proxy settingsFalse
  4. Click Test to validate the URLs, token, and connection.


You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.


Check the specified IP Address against the CrowdSec CTI.

Base Command#



Argument NameDescriptionRequired
ipThe IP Address to check.Required

Context Output#

CrowdSec.Info.ip_range_scoreNumberThe score of the IP Range
CrowdSec.Info.ipStringThe IP address
CrowdSec.Info.ip_rangeStringThe IP range
CrowdSec.Info.as_nameStringThe AS name
CrowdSec.Info.as_numNumberThe AS number
CrowdSec.Info.location.countryStringThe country of the IP
CrowdSec.Info.location.cityStringThe city of the IP
CrowdSec.Info.location.latitudeNumberThe latitude of the IP
CrowdSec.Info.location.longitudeNumberThe longitude of the IP
CrowdSec.Info.reverse_dnsStringThe reverse DNS of the IP
CrowdSec.Info.behaviorsArrayList of IP behaviors
CrowdSec.Info.history.first_seenDateDate of the first time this IP was reported
CrowdSec.Info.history.last_seenDateDate of the last time this IP was reported
CrowdSec.Info.history.full_ageNumberDelta in days between first seen and today
CrowdSec.Info.history.days_ageNumberDelta in days between first and last seen timestamps
CrowdSec.Info.classifications.classificationsArrayA list of categories associated with the IP. Those data can be sourced from 3rd parties (i.e. tor exit nodes list)
CrowdSec.Info.classifications.false_positivesArrayA list of false positives tags associated with the IP. Any IP with false_positives tags shouldn't be considered as malicious
CrowdSec.Info.attack_detailsArrayA more exhaustive list of the scenarios for which a given IP was reported
CrowdSec.Info.target_countriesObjectThe top 10 reports repartition by country about the IP, as a percentage
CrowdSec.Info.scores.overall.aggressivenessNumberOverall aggressiveness score
CrowdSec.Info.scores.overall.threatNumberOverall threat score
CrowdSec.Info.scores.overall.trustNumberOverall trust score
CrowdSec.Info.scores.overall.anomalyNumberOverall anomaly score
CrowdSec.Info.scores.overall.totalNumberOverall score
CrowdSec.Info.scores.last_day.aggressivenessNumberLast day aggressiveness score
CrowdSec.Info.scores.last_day.threatNumberLast day threat score
CrowdSec.Info.scores.last_day.trustNumberLast day trust score
CrowdSec.Info.scores.last_day.anomalyNumberLast day anomaly score
CrowdSec.Info.scores.last_day.totalNumberLast day score
CrowdSec.Info.scores.last_week.aggressivenessNumberLast week aggressiveness score
CrowdSec.Info.scores.last_week.threatNumberLast week threat score
CrowdSec.Info.scores.last_week.trustNumberLast week trust score
CrowdSec.Info.scores.last_week.anomalyNumberLast week anomaly score
CrowdSec.Info.scores.last_week.totalNumberLast week score
CrowdSec.Info.scores.last_month.aggressivenessNumberLast month aggressiveness score
CrowdSec.Info.scores.last_month.threatNumberLast month threat score
CrowdSec.Info.scores.last_month.trustNumberLast month trust score
CrowdSec.Info.scores.last_month.anomalyNumberLast month anomaly score
CrowdSec.Info.scores.last_month.totalNumberLast month score
IP.AddressStringThe IP Address
DBotScore.ScorenumberThe actual score.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.TypeStringThe indicator type.
DBotScore.IndicatorStringThe indicator that was tested.