IPinfo v2

This integration is part of the Ipinfo Pack.

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

Use the IPinfo.io API to get data about an IP address.

Differences from IPinfo (v1)

  • The ip-field command has been removed in v2: all outputs are available by running ip.
  • IPinfo v2 allows setting source reliability.
  • IPinfo v2 enriches data with IP-hostname relationships.

Configure IPinfo v2 in Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| API Token | The API key to use for the connection. | False |
| Source Reliability | Reliability of the source providing the intelligence data. | True |
| Base URL | | True |
| Trust any certificate (not secure) | | False |
| Use system proxy settings | | False |

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ip

Check IP reputation (when information is available, returns a JSON with details). Uses all configured Threat Intelligence feeds.

Base Command

ip

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | IP address to query, e.g., 1.1.1.1. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| IPinfo.IP.Address | String | The IP address. |
| IPinfo.IP.Hostname | String | The IP hostname. |
| IPinfo.IP.ASN | String | The IP ASN. |
| IPinfo.IP.ASOwner | String | The IP AS owner. |
| IPinfo.IP.Organization.Name | String | The IP organization name (Only available in some IPinfo.io plans). |
| IPinfo.IP.Organization.Type | String | The IP organization type (Only available in some IPinfo.io plans). |
| IPinfo.IP.Geo.Location | String | The IP geographic location (coordinates as lat:lon). |
| IPinfo.IP.Geo.Country | String | The IP country. |
| IPinfo.IP.Geo.Description | String | The IP location as <City, Region, Postal Code, Country>. |
| IPinfo.IP.Registrar.Abuse.Address | String | The physical address registered for receiving abuse reports for the IP. (Only available in some IPinfo.io plans). |
| IPinfo.IP.Registrar.Abuse.Country | String | The country where abuse reports are received for the IP. (Only available in some IPinfo.io plans). |
| IPinfo.IP.Registrar.Abuse.Email | String | The email address for abuse reports provided by the IP. (Only available in some IPinfo.io plans). |
| IPinfo.IP.Registrar.Abuse.Name | String | The name of the abuse report handler received for the IP. (Only available in some IPinfo.io plans). |
| IPinfo.IP.Registrar.Abuse.Network | String | The IP range relevant for abuse inquiries provided for the IP. (Only available in some IPinfo.io plans). |
| IP.Address | String | The IP address. |
| IP.Hostname | String | The IP hostname. |
| IP.ASN | String | The IP ASN. |
| IP.Tags | String | Tags related to the IP use (hosting, proxy, tor, vpn). |
| IP.FeedRelatedIndicators.value | String | Names of indicators associated with the IP. |
| IP.FeedRelatedIndicators.type | String | Types of indicators associated with the IP. |
| IP.Relationships.EntityA | string | The source of the relationship. |
| IP.Relationships.EntityB | string | The destination of the relationship. |
| IP.Relationships.Relationship | string | The name of the relationship. |
| IP.Relationships.EntityAType | string | The type of the source of the relationship. |
| IP.Relationships.EntityBType | string | The type of the destination of the relationship. |
| IP.Geo.Location | String | The IP geographic location (coordinates as lat:lon). |
| IP.Geo.Country | String | The IP country. |
| IP.Geo.Description | String | The IP location as <City, Region, Postal Code, Country>. |
| IP.Organization.Name | String | The organization of the IP. |
| IP.Organization.Type | String | The organization type of the IP. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Reliability | String | How reliable the score is (for example, "C - fairly reliable"). |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |

Command example

!ip ip=1.1.1.1

Context Example

{
    "DBotScore": {
        "Indicator": "1.1.1.1",
        "Reliability": "C - Fairly reliable",
        "Score": 0,
        "Type": "ip",
        "Vendor": "ipinfo_v2"
    },
    "IP": {
        "ASN": "AS13335",
        "Address": "1.1.1.1",
        "FeedRelatedIndicators": [
            {
                "description": "Hostname",
                "type": "URL",
                "value": "one.one.one.one"
            },
            {
                "description": "AS domain",
                "type": "Domain",
                "value": "cloudflare.com"
            },
            {
                "description": "Company domain",
                "type": "Domain",
                "value": "cloudflare.com"
            }
        ],
        "Geo": {
            "Country": "US",
            "Description": "Los Angeles, California, 90076, US",
            "Location": "34.0522:-118.2437"
        },
        "Hostname": "one.one.one.one",
        "Organization": {
            "Name": "APNIC and Cloudflare DNS Resolver project",
            "Type": "hosting"
        },
        "Relationships": [
            {
                "EntityA": "1.1.1.1",
                "EntityAType": "IP",
                "EntityB": "one.one.one.one",
                "EntityBType": "Domain",
                "Relationship": "resolves-to"
            }
        ],
        "Tags": "hosting"
    },
    "IPinfo": {
        "IP": {
            "ASN": "AS13335",
            "ASOwner": "Cloudflare, Inc.",
            "Address": "1.1.1.1",
            "Geo": {
                "Country": "US",
                "Description": "Los Angeles, California, 90076, US",
                "Location": "34.0522,-118.2437"
            },
            "Hostname": "one.one.one.one",
            "Organization": {
                "Name": "APNIC and Cloudflare DNS Resolver project",
                "Type": "hosting"
            },
            "Registrar": {
                "Abuse": {
                    "Address": "PO Box 3646, South Brisbane, QLD 4101, Australia",
                    "Country": "AU",
                    "Email": "test",
                    "Name": "APNIC RESEARCH",
                    "Network": "1.1.1.0/24",
                    "Phone": "+61-7-3858-3188"
                }
            },
            "Tags": [
                "hosting"
            ]
        }
    }
}
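
Code that consumes this context has to handle two shape differences visible in the sample: Geo.Location is `lat:lon` under IP but `lat,lon` under IPinfo.IP, and Tags is a string under IP but a list under IPinfo.IP. The following is an added example, not part of the integration; its function names are hypothetical and it assumes multi-tag strings are comma-separated. It normalizes both shapes and reports DBot score 0 as Unknown rather than as a benign verdict:

```python
import json

# DBot score scale in Cortex XSOAR: 0 means "Unknown", not "Good".
DBOT_VERDICTS = {0: "Unknown", 1: "Good", 2: "Suspicious", 3: "Bad"}
ANONYMIZER_TAGS = {"proxy", "tor", "vpn"}  # from the IP.Tags values listed above

def parse_location(value):
    """Return (lat, lon) from 'lat:lon' or 'lat,lon'; None if unparseable."""
    for sep in (":", ","):
        parts = (value or "").split(sep)
        if len(parts) == 2:
            try:
                return float(parts[0]), float(parts[1])
            except ValueError:
                return None
    return None

def normalize_tags(value):
    """String form (IP.Tags, assumed comma-separated) or list (IPinfo.IP.Tags)."""
    items = value.split(",") if isinstance(value, str) else (value or [])
    return {t.strip().lower() for t in items if t.strip()}

def summarize(context):
    """Build a triage summary from the ip command's context output."""
    ip = context.get("IP") or {}
    raw = (context.get("IPinfo") or {}).get("IP") or {}
    dbot = context.get("DBotScore") or {}
    tags = normalize_tags(ip.get("Tags")) | normalize_tags(raw.get("Tags"))
    geo = (ip.get("Geo") or {}).get("Location") or (raw.get("Geo") or {}).get("Location")
    return {
        "indicator": dbot.get("Indicator") or ip.get("Address"),
        "verdict": DBOT_VERDICTS.get(dbot.get("Score"), "Unknown"),
        "reliability": dbot.get("Reliability"),
        "tags": sorted(tags),
        "anonymizer_tags": sorted(tags & ANONYMIZER_TAGS),
        "location": parse_location(geo),
        "hostnames": [r.get("EntityB") for r in ip.get("Relationships") or []
                      if r.get("Relationship") == "resolves-to"],
    }

# Sample input trimmed from the Context Example on this page.
SAMPLE = json.loads("""{
  "DBotScore": {"Indicator": "1.1.1.1", "Reliability": "C - Fairly reliable", "Score": 0},
  "IP": {"Address": "1.1.1.1", "Tags": "hosting", "Geo": {"Location": "34.0522:-118.2437"},
         "Relationships": [{"EntityB": "one.one.one.one", "Relationship": "resolves-to"}]},
  "IPinfo": {"IP": {"Tags": ["hosting"], "Geo": {"Location": "34.0522,-118.2437"}}}
}""")

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE), indent=2))
```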

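Human Readable Output

IPinfo results for 1.1.1.1

| anycast | city | country | hostname | ip | loc | org | postal | readme | region | timezone |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| true | Miami | US | one.one.one.one | 1.1.1.1 | 25.7867,-80.1800 | AS13335 Cloudflare, Inc. | 33132 | https | | |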