Skip to main content

IPinfo v2

This Integration is part of the Ipinfo Pack.#

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

Use the API to get data about an IP address.

Differences from IPinfo (v1)#

  • The ip-field command has been removed on v2: all outputs are available by running ip.
  • IPinfo v2 Allows setting source reliability.
  • IPinfo v2 Enriches data with IP-hostname relationships.

Configure IPinfo v2 on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for ipinfo_v2.

  3. Click Add instance to create and configure a new integration instance.

    API TokenThe API Key to use for connectionTrue
    Source ReliabilityReliability of the source providing the intelligence data.True
    Base URLTrue
    Trust any certificate (not secure)False
    Use system proxy settingsFalse
  4. Click Test to validate the URLs, token, and connection.


You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.


Check IP reputation (when information is available, returns a JSON with details). Uses all configured Threat Intelligence feeds

Base Command#



Argument NameDescriptionRequired
ipIP address to query (e.g.

Context Output#

IPinfo.IP.AddressStringThe IP address
IPinfo.IP.HostnameStringThe IP Hostname
IPinfo.IP.ASNStringThe IP ASN
IPinfo.IP.ASOwnerStringThe IP AS Owner
IPinfo.IP.Organization.NameStringThe IP organization name (Only available in some plans)
IPinfo.IP.Organization.TypeStringThe IP organization type (Only available in some plans)
IPinfo.IP.Geo.LocationStringThe IP geographic location (coordinates as lat:lon)
IPinfo.IP.Geo.CountryStringThe IP Country
IPinfo.IP.Geo.DescriptionStringThe IP location as <City, Region, Postal Code, Country>
IPinfo.IP.Registrar.Abuse.AddressStringThe physical address registered for receiving abuse reports for the IP. (Only available in some plans)
IPinfo.IP.Registrar.Abuse.CountryStringThe country where abuse reports are received for the IP. (Only available in some plans)
IPinfo.IP.Registrar.Abuse.EmailStringThe email address for abuse reports provided by the IP. (Only available in some plans)
IPinfo.IP.Registrar.Abuse.NameStringThe name of the abuse report handler received for the IP. (Only available in some plans)
IPinfo.IP.Registrar.Abuse.NetworkStringThe IP range relevant for abuse inquries provided for the IP (Only available in some plans)
IP.AddressStringThe IP address
IP.HostnameStringThe IP Hostname
IP.TagsStringTags related the IP use (hosting, proxy, tor, vpn)
IP.FeedRelatedIndicators.valueStringNames of indicators associated with the IP
IP.FeedRelatedIndicators.typeStringTypes of indicators associated with the IP
IP.Relationships.EntityAStringThe source of the relationship.
IP.Relationships.EntityBStringThe destination of the relationship.
IP.Relationships.RelationshipStringThe name of the relationship.
IP.Relationships.EntityATypeStringThe type of the source of the relationship.
IP.Relationships.EntityBTypeStringThe type of the destination of the relationship.
IP.Relationships.RelationshipStringThe name of the relationship.
IP.Geo.LocationStringThe IP geographic location (coordinates as lat:lon)
IP.Geo.CountryStringThe IP Country
IP.Geo.DescriptionStringThe IP location as <City, Region, Postal Code, Country>
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.ScoreNumberThe actual score.
DBotScore.ReliabilityStringHow reliable the score is (for example, "C - fairly reliable")
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.

Command Example#

!ip ip=

Context Example#

"DBotScore": [
"Indicator": "",
"Reliability": "C - Fairly reliable",
"Score": 0,
"Type": "ip",
"Vendor": "ipinfo_v2"
"IP": {
"ASN": 13335,
"Address": "",
"FeedRelatedIndicators": [
"description": "Hostname",
"type": "URL",
"value": ""
"Geo": {
"Country": "AU"
"Hostname": "",
"Relationships": [
"EntityA": "",
"EntityAType": "IP",
"EntityB": "",
"EntityBType": "Domain",
"Relationship": "resolves-to"
"IPinfo": {
"IP": {
"ASN": "AS13335",
"ASOwner": "Cloudflare, Inc.",
"Address": "",
"Geo": {
"Country": "US",
"Description": "Miami, Florida, 33132, US",
"Location": "25.7867,-80.1800"
"Hostname": "",
"Organization": null,
"Registrar": null,
"Tags": []

Human Readable Output#

IPinfo results for

anycastcitycountryhostnameiplocorgpostalreadmeregiontimezone,-80.1800AS13335 Cloudflare, Inc.33132https