
Team Cymru

This Integration is part of the Team Cymru Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

Team Cymru provides various service options dedicated to mapping IP numbers to BGP prefixes and ASNs. Each of the services is based on the same BGP feeds from 50+ BGP peers and is updated at 4-hour intervals. This integration was integrated and tested with version 1.0 of TeamCymru.

Configure Team Cymru in Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| Use system proxy settings | | False |
| Proxy URL | Supports socks4/socks5/http connect proxies (e.g., socks5h://host:1080). | |
| Source Reliability | Reliability of the source providing the intelligence data. | |

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ip


Checks the reputation of an IP address.

Base Command

ip

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | An IPv4 address to query, e.g., 1.1.1.1. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| IP.Address | String | IP address. |
| IP.ASN | String | The autonomous system name for the IP address, for example: "AS8948". |
| IP.ASOwner | String | The autonomous system owner of the IP address. |
| IP.Geo.Country | String | The country in which the IP address is located. |
| IP.Registrar.Abuse.Network | String | The network of the contact for reporting abuse. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
| TeamCymru.IP.Address | String | The IP address. |
| TeamCymru.IP.ASN | String | The IP ASN. |
| TeamCymru.IP.ASOwner | String | The IP AS owner. |
| TeamCymru.IP.Geo.Country | String | The IP country. |
| TeamCymru.IP.Registrar.Abuse.Network | String | The IP range relevant for abuse inquiries provided for the IP. |

Command example

!ip ip=1.1.1.1

Context Example

    {
        "DBotScore": {
            "Indicator": "1.1.1.1",
            "Score": 0,
            "Type": "ip",
            "Vendor": "TeamCymru"
        },
        "IP": {
            "ASN": "13335",
            "ASOwner": "CLOUDFLARENET, US",
            "Address": "1.1.1.1",
            "Geo": {
                "Country": "AU"
            },
            "Registrar": {
                "Abuse": {
                    "Network": "1.1.1.0/24"
                }
            }
        },
        "TeamCymru": {
            "IP": {
                "ASN": "13335",
                "ASOwner": "CLOUDFLARENET, US",
                "Address": "1.1.1.1",
                "Geo": {
                    "Country": "AU"
                },
                "Registrar": {
                    "Abuse": {
                        "Network": "1.1.1.0/24"
                    }
                }
            }
        }
    }

Human Readable Output

Team Cymru results for 1.1.1.1

| IP | ASN | Organization | Country | Range |
| --- | --- | --- | --- | --- |
| 1.1.1.1 | 13335 | CLOUDFLARENET, US | AU | 1.1.1.0/24 |

cymru-bulk-whois


Checks the reputation of a CSV list of IPv4 addresses within a file. Note: Results for queries exceeding 10,000 IPs may take more than a minute given a moderately sized Internet link.

Base Command

cymru-bulk-whois

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| entry_id | The file's War Room entry ID. | Required |
| delimiter | Delimiter by which the content of the file is separated. E.g., " , ", " : ", " ; ". Default is ,. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| IP.Address | String | IP address. |
| IP.ASN | String | The autonomous system name for the IP address, for example: "AS8948". |
| IP.ASOwner | String | The autonomous system owner of the IP address. |
| IP.Geo.Country | String | The country in which the IP address is located. |
| IP.Registrar.Abuse.Network | String | The network of the contact for reporting abuse. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
| TeamCymru.IP.Address | String | The IP address. |
| TeamCymru.IP.ASN | String | The IP ASN. |
| TeamCymru.IP.ASOwner | String | The IP AS owner. |
| TeamCymru.IP.Geo.Country | String | The IP country. |
| TeamCymru.IP.Registrar.Abuse.Network | String | The IP range relevant for abuse inquiries provided for the IP. |

Command example

!cymru-bulk-whois entry_id=${File.EntryID}
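
An added example, not part of the integration or its documentation: a post-processing helper for bulk results that takes entries shaped like the TeamCymru.IP context output above, groups addresses by ASN, owner and abuse network so each network needs only one abuse inquiry, and sets aside rows whose address or network is missing, malformed, or inconsistent. The function name `group_by_abuse_network` and every sample entry other than 1.1.1.1 are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample shaped like the TeamCymru.IP context entries documented above.
# Only the first entry comes from the page; the rest use documentation address
# ranges and private-use ASNs and are NOT real lookup results.
SAMPLE_ENTRIES = [
    {"Address": "1.1.1.1", "ASN": "13335", "ASOwner": "CLOUDFLARENET, US",
     "Geo": {"Country": "AU"}, "Registrar": {"Abuse": {"Network": "1.1.1.0/24"}}},
    {"Address": "192.0.2.10", "ASN": "64512", "ASOwner": "EXAMPLE-NET, ZZ",
     "Geo": {"Country": "ZZ"}, "Registrar": {"Abuse": {"Network": "192.0.2.0/24"}}},
    {"Address": "192.0.2.77", "ASN": "64512", "ASOwner": "EXAMPLE-NET, ZZ",
     "Geo": {"Country": "ZZ"}, "Registrar": {"Abuse": {"Network": "192.0.2.0/24"}}},
    # Address does not fall inside the reported abuse network.
    {"Address": "198.51.100.5", "ASN": "64513", "ASOwner": "OTHER-NET, ZZ",
     "Geo": {"Country": "ZZ"}, "Registrar": {"Abuse": {"Network": "203.0.113.0/24"}}},
    # No routing data came back for this address.
    {"Address": "203.0.113.9", "ASN": None, "ASOwner": None},
]


def group_by_abuse_network(entries):
    """Return ({(asn, owner, network): [ips]}, [(address, reason)])."""
    groups = defaultdict(list)
    rejected = []
    for entry in entries:
        address = entry.get("Address")
        abuse = (entry.get("Registrar") or {}).get("Abuse") or {}
        network = abuse.get("Network")
        if not isinstance(address, str) or not isinstance(network, str):
            rejected.append((address, "missing address or abuse network"))
            continue
        try:
            ip = ipaddress.IPv4Address(address)
            net = ipaddress.IPv4Network(network, strict=False)
        except ValueError:  # covers AddressValueError and NetmaskValueError
            rejected.append((address, "malformed address or abuse network"))
            continue
        if ip not in net:
            rejected.append((address, f"address outside reported network {net}"))
            continue
        groups[(entry.get("ASN"), entry.get("ASOwner"), str(net))].append(str(ip))
    return dict(groups), rejected


if __name__ == "__main__":
    grouped, skipped = group_by_abuse_network(SAMPLE_ENTRIES)
    for (asn, owner, net), ips in grouped.items():
        print(f"AS{asn} {owner} {net}: {', '.join(ips)}")
    for address, reason in skipped:
        print(f"skipped {address}: {reason}")
```
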

Troubleshooting

  • In case of a problem with the proxy configuration, validate that the given proxy is working with the Whois content pack.