Skip to main content

Team Cymru

This Integration is part of the Team Cymru Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

Team Cymru provides various service options dedicated to mapping IP numbers to BGP prefixes and ASNs. Each of the services is based on the same BGP feeds from 50+ BGP peers and is updated at 4-hour intervals. This integration was integrated and tested with version 1.0 of TeamCymru

Configure Team Cymru on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Team Cymru.

  3. Click Add instance to create and configure a new integration instance.

    ParameterRequired
    Trust any certificate (not secure)False
    Use system proxy settingsFalse
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ip#


Checks the reputation of an IP address.

Base Command#

ip

Input#

Argument NameDescriptionRequired
ipAn IPv4 address to query, e.g., 1.1.1.1.Required

Context Output#

PathTypeDescription
IP.AddressStringIP address.
IP.ASNStringThe autonomous system name for the IP address, for example: "AS8948".
IP.ASOwnerStringThe autonomous system owner of the IP address.
IP.Geo.CountryStringThe country in which the IP address is located.
IP.Registrar.Abuse.NetworkStringThe network of the contact for reporting abuse.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.
TeamCymru.IP.AddressStringThe IP address.
TeamCymru.IP.ASNStringThe IP ASN.
TeamCymru.IP.ASOwnerStringThe IP AS owner.
TeamCymru.IP.Geo.CountryStringThe IP country.
TeamCymru.IP.Registrar.Abuse.NetworkStringThe IP range relevant for abuse inquiries provided for the IP.

Command example#

!ip ip=1.1.1.1

Context Example#

{
"DBotScore": {
"Indicator": "1.1.1.1",
"Score": 0,
"Type": "ip",
"Vendor": "TeamCymru"
},
"IP": {
"ASN": "13335",
"ASOwner": "CLOUDFLARENET, US",
"Address": "1.1.1.1",
"Geo": {
"Country": "AU"
},
"Registrar": {
"Abuse": {
"Network": "1.1.1.0/24"
}
}
},
"TeamCymru": {
"IP": {
"ASN": "13335",
"ASOwner": "CLOUDFLARENET, US",
"Address": "1.1.1.1",
"Geo": {
"Country": "AU"
},
"Registrar": {
"Abuse": {
"Network": "1.1.1.0/24"
}
}
}
}
}

Human Readable Output#

Team Cymru results for 1.1.1.1#

IPASNOrganizationCountryRange
1.1.1.113335CLOUDFLARENET, USAU1.1.1.0/24

cymru-bulk-whois#


Checks the reputation of a CSV list of IPv4 addresses within a file. Note: Results for queries exceeding 10,000 IPs may take more than a minute given a moderately sized Internet link.

Base Command#

cymru-bulk-whois

Input#

Argument NameDescriptionRequired
entry_idThe file's War Room entry ID.Required
delimiterDelimiter by which the content of the file is separated.
Eg: " , " , " : ", " ; ". Default is ,.
Optional

Context Output#

PathTypeDescription
IP.AddressStringIP address.
IP.ASNStringThe autonomous system name for the IP address, for example: "AS8948".
IP.ASOwnerStringThe autonomous system owner of the IP address.
IP.Geo.CountryStringThe country in which the IP address is located.
IP.Registrar.Abuse.NetworkStringThe network of the contact for reporting abuse.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.
TeamCymru.IP.AddressStringThe IP address.
TeamCymru.IP.ASNStringThe IP ASN.
TeamCymru.IP.ASOwnerStringThe IP AS owner.
TeamCymru.IP.Geo.CountryStringThe IP country.
TeamCymru.IP.Registrar.Abuse.NetworkStringThe IP range relevant for abuse inquiries provided for the IP.

Command example#

!cymru-bulk-whois entry_id=${File.EntryID}