Skip to main content

Team Cymru Scout

This Integration is part of the Team Cymru Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

Overview#

Team Cymru's Scout integration with Palo Alto XSOAR helps streamline incident triage and accelerate threat response by providing domain and threat intelligence data. This integration was integrated and tested with API of Team Cymru Scout.

Key Features#

  • Leverage communication data to identify correlations between IP addresses, identify compromised hosts, and uncover other indications of an attack.
  • Access a quick summary of NetFlow communications, Whois information, PDNS, X509 certificates, and fingerprinting details.
  • Supports both IPv4 and IPv6 address queries.
  • Provides real-time threat intelligence and helps in identifying and mitigating potential security threats.
  • Offers extensive documentation and support resources to assist with setup, configuration, and troubleshooting.

Prerequisites for configuring integration instance#

Generate API Keys#

If you prefer to use an API key for authentication, you can generate one as follows:

  1. Go to the API Keys page.
  2. Click on the "Create" button.
  3. Provide the description for the key, if needed.
  4. Click on the "Create Key" button to generate the API key.

Note:

  • The number of API keys allowed for each organization is equal to the number of user seats. Therefore, an individual user may have multiple keys, but all the users in your organization may have a maximum of 5 keys. The API Keys page shows the total number of keys used by your organization.
  • If the "Create" button is disabled, it indicates that you have reached the maximum number of keys allowed for your organization. To generate a new key, you need to:
    • Click on the "Revoke" button next to an old key.
    • Click on the "Create Key" button to start generating a new key.

Configure Team Cymru Scout in Cortex#

ParameterDescriptionRequired
Authentication TypeThe authentication type used for secure communication with the Team Cymru Scout platform.True
API KeyThe API key used for secure communication with the Team Cymru Scout platform. Required if "API Key" as Authentication Type is selected.False
Username, PasswordThe username and password used for secure communication with the Team Cymru Scout platform. Required if "Basic Auth" as Authentication Type is selected.False
Source ReliabilityReliability of the source providing the intelligence data.False
Create relationshipsCreate relationships between indicators as part of enrichment.False
Use system proxy settingsFalse
Trust any certificate (not secure)False

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

scout-api-usage#


Returns all the information on used queries and remaining queries with the query limit.

Base Command#

scout-api-usage

Input#

There are no input arguments for this command.

Context Output#

PathTypeDescription
TeamCymruScout.QueryUsage.command_nameStringThe name of the Cortex XSOAR command that triggered the Foundation API.
TeamCymruScout.QueryUsage.used_queriesNumberThe number of queries used.
TeamCymruScout.QueryUsage.remaining_queriesNumberThe number of remaining queries.
TeamCymruScout.QueryUsage.query_limitNumberThe total number of queries allowed.
TeamCymruScout.QueryUsage.foundation_api_usage.used_queriesNumberThe number of queries used for the Foundation API.
TeamCymruScout.QueryUsage.foundation_api_usage.remaining_queriesNumberThe number of remaining queries for the Foundation API.
TeamCymruScout.QueryUsage.foundation_api_usage.query_limitNumberThe total number of queries allowed for the Foundation API.

Command example#

!scout-api-usage

Context Example#

{
"TeamCymruScout": {
"QueryUsage": {
"command_name": "scout-api-usage",
"foundation_api_usage": {
"query_limit": 0,
"remaining_queries": 0,
"used_queries": 9
},
"query_limit": 50000,
"remaining_queries": 49834,
"used_queries": 166
}
}
}

Human Readable Output#

API Usage#

Used QueriesRemaining QueriesQuery LimitFoundation Used QueriesFoundation Remaining QueriesFoundation Query Limit
1664983450000900

ip#


Return all the detailed information available for the given IP address.

Base Command#

ip

Input#

Argument NameDescriptionRequired
ipThe IP address for which to retrieve available IP details.Required
start_dateThe start date for detailed information.

Supported formats: 2 days, 2 weeks, 2 months, yyyy-mm-dd.

For example: 01 June 2024, 2024-06-17. Default is 30 days.
Optional
end_dateThe end date for detailed information.

Supported formats: 2 days, 2 weeks, 2 months, yyyy-mm-dd.

For example: 01 June 2024, 2024-06-17. Default is now.
Optional
daysRelative offset in days from the current time. It cannot exceed the maximum range of 30 days.

Note: This will take priority over start_date and end_date if all three are passed.
Optional
sizeThe maximum number of records to return.

Note: The maximum allowed size is 1000.
Optional

Context Output#

PathTypeDescription
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.
IP.AddressStringIP address.
IP.Relationships.EntityAStringThe source of the relationship.
IP.Relationships.EntityBStringThe destination of the relationship.
IP.Relationships.RelationshipStringThe name of the relationship.
IP.Relationships.EntityATypeStringThe type of the source of the relationship.
IP.Relationships.EntityBTypeStringThe type of the destination of the relationship.
IP.ASNStringThe autonomous system name for the IP address, for example: "AS8948".
IP.HostnameStringThe hostname that is mapped to this IP address.
IP.Geo.LocationStringThe geolocation where the IP address is located, in the format: latitude:longitude.
IP.Geo.CountryStringThe country in which the IP address is located.
IP.Geo.DescriptionStringAdditional information about the location.
IP.DetectionEnginesNumberThe total number of engines that checked the indicator.
IP.PositiveDetectionsNumberThe number of engines that positively detected the indicator as malicious.
IP.Malicious.VendorStringThe vendor reporting the IP address as malicious.
IP.Malicious.DescriptionStringA description explaining why the IP address was reported as malicious.
IP.TagsUnknown(List) Tags of the IP address.
IP.FeedRelatedIndicators.valueStringIndicators that are associated with the IP address.
IP.FeedRelatedIndicators.typeStringThe type of the indicators that are associated with the IP address.
IP.FeedRelatedIndicators.descriptionStringThe description of the indicators that are associated with the IP address.
IP.MalwareFamilyStringThe malware family associated with the IP address.
IP.Organization.NameStringThe organization of the IP address.
IP.Organization.TypeStringThe organization type of the IP address.
IP.ASOwnerStringThe autonomous system owner of the IP address.
IP.RegionStringThe region in which the IP address is located.
IP.PortStringPorts that are associated with the IP address.
IP.InternalBooleanWhether the IP address is internal or external.
IP.UpdatedDateDateThe date that the IP address was last updated.
IP.Registrar.Abuse.NameStringThe name of the contact for reporting abuse.
IP.Registrar.Abuse.AddressStringThe address of the contact for reporting abuse.
IP.Registrar.Abuse.CountryStringThe country of the contact for reporting abuse.
IP.Registrar.Abuse.NetworkStringThe network of the contact for reporting abuse.
IP.Registrar.Abuse.PhoneStringThe phone number of the contact for reporting abuse.
IP.Registrar.Abuse.EmailStringThe email address of the contact for reporting abuse.
IP.CampaignStringThe campaign associated with the IP address.
IP.TrafficLightProtocolStringThe Traffic Light Protocol (TLP) color that is suitable for the IP address.
IP.CommunityNotes.noteStringNotes on the IP address that were given by the community.
IP.CommunityNotes.timestampDateThe time in which the note was published.
IP.Publications.sourceStringThe source in which the article was published.
IP.Publications.titleStringThe name of the article.
IP.Publications.linkStringA link to the original article.
IP.Publications.timestampDateThe time in which the article was published.
IP.ThreatTypes.threatcategoryStringThe threat category associated to this indicator by the source vendor. For example, Phishing, Control, TOR, etc.
IP.ThreatTypes.threatcategoryconfidenceStringThe confidence level provided by the vendor for the threat type category For example, a confidence of 90 for the threat type category 'malware' means that the vendor rates that this is 90% confidence of being a malware.
TeamCymruScout.QueryUsage.request_idStringThe request ID of the API call.
TeamCymruScout.QueryUsage.sizeNumberThe number of records returned.
TeamCymruScout.QueryUsage.start_dateDateThe earliest date for detailed information.
TeamCymruScout.QueryUsage.end_dateDateThe latest date for detailed information.
TeamCymruScout.QueryUsage.used_queriesNumberThe number of queries used.
TeamCymruScout.QueryUsage.remaining_queriesNumberThe number of remaining queries.
TeamCymruScout.QueryUsage.query_limitNumberThe maximum number of queries allowed.
TeamCymruScout.QueryUsage.foundation_api_usage.used_queriesNumberThe number of queries used by the Foundation API.
TeamCymruScout.QueryUsage.foundation_api_usage.remaining_queriesNumberThe number of remaining queries for the Foundation API.
TeamCymruScout.QueryUsage.foundation_api_usage.query_limitNumbeThe maximum number of queries allowed for the Foundation API.
TeamCymruScout.IP.ipStringThe IP address.
TeamCymruScout.IP.sectionsStringThe sections of data returned.
TeamCymruScout.IP.identity.tagsUnknownThe tags associated with the IP address.
TeamCymruScout.IP.identity.reverse_hostnamesUnknownThe reverse hostnames associated with the IP address.
TeamCymruScout.IP.identity.asnNumberThe autonomous system number associated with the IP address.
TeamCymruScout.IP.identity.as_nameStringThe name associated with the autonomous system number.
TeamCymruScout.IP.identity.net_nameStringThe name associated with the network.
TeamCymruScout.IP.identity.org_nameStringThe name associated with the organization.
TeamCymruScout.IP.whois.modifiedDateThe date the WHOIS information was last modified.
TeamCymruScout.IP.whois.asnNumberThe autonomous system number associated with the IP address.
TeamCymruScout.IP.whois.cidrStringThe network associated with the IP address.
TeamCymruScout.IP.whois.as_nameStringThe name associated with the autonomous system number.
TeamCymruScout.IP.whois.bgp_asnNumberThe Border Gateway Protocol (BGP) autonomous system number (ASN) associated with the IP address.
TeamCymruScout.IP.whois.bgp_asn_nameStringThe name associated with the Border Gateway Protocol (BGP) autonomous system number (ASN).
TeamCymruScout.IP.whois.net_nameStringThe name associated with the network.
TeamCymruScout.IP.whois.net_handleStringThe handle associated with the network.
TeamCymruScout.IP.whois.descriptionStringThe description associated with the network.
TeamCymruScout.IP.whois.ccStringThe country code associated with the network.
TeamCymruScout.IP.whois.cityStringThe city associated with the network.
TeamCymruScout.IP.whois.addressStringThe address associated with the network.
TeamCymruScout.IP.whois.abuse_contact_idStringThe abuse contact ID associated with the network.
TeamCymruScout.IP.whois.about_contact_roleStringThe role associated with the about contact.
TeamCymruScout.IP.whois.about_contact_personStringThe person associated with the about contact.
TeamCymruScout.IP.whois.about_contact_emailStringThe email associated with the about contact.
TeamCymruScout.IP.whois.about_contact_phoneStringThe phone number associated with the about contact.
TeamCymruScout.IP.whois.about_contact_countryStringThe country associated with the about contact.
TeamCymruScout.IP.whois.about_contact_cityStringThe city associated with the about contact.
TeamCymruScout.IP.whois.about_contact_addressStringThe address associated with the about contact.
TeamCymruScout.IP.whois.admin_contact_idStringThe ID associated with the admin contact.
TeamCymruScout.IP.whois.admin_contact_roleStringThe role associated with the admin contact.
TeamCymruScout.IP.whois.admin_contact_personStringThe person associated with the admin contact.
TeamCymruScout.IP.whois.admin_contact_emailStringThe email associated with the admin contact.
TeamCymruScout.IP.whois.admin_contact_phoneStringThe phone number associated with the admin contact.
TeamCymruScout.IP.whois.admin_contact_countryStringThe country associated with the admin contact.
TeamCymruScout.IP.whois.admin_contact_cityStringThe city associated with the admin contact.
TeamCymruScout.IP.whois.admin_contact_addressStringThe address associated with the admin contact.
TeamCymruScout.IP.whois.tech_contact_idStringThe ID associated with the tech contact.
TeamCymruScout.IP.whois.tech_contact_roleStringThe role associated with the tech contact.
TeamCymruScout.IP.whois.tech_contact_personStringThe person associated with the tech contact.
TeamCymruScout.IP.whois.tech_contact_emailStringThe email associated with the tech contact.
TeamCymruScout.IP.whois.tech_contact_phoneStringThe phone number associated with the tech contact.
TeamCymruScout.IP.whois.tech_contact_countryStringThe country associated with the tech contact.
TeamCymruScout.IP.whois.tech_contact_cityStringThe city associated with the tech contact.
TeamCymruScout.IP.whois.tech_contact_addressStringThe address associated with the tech contact.
TeamCymruScout.IP.whois.org_idStringThe ID associated with the organization.
TeamCymruScout.IP.whois.org_nameStringThe name associated with the organization.
TeamCymruScout.IP.whois.org_emailStringThe email associated with the organization.
TeamCymruScout.IP.whois.org_phoneStringThe phone number associated with the organization.
TeamCymruScout.IP.whois.org_countryStringThe country associated with the organization.
TeamCymruScout.IP.whois.org_cityStringThe city associated with the organization.
TeamCymruScout.IP.whois.org_addressStringThe address associated with the organization.
TeamCymruScout.IP.whois.mnt_by_emailStringThe email associated with the maintainer.
TeamCymruScout.IP.whois.mnt_lower_emailStringThe email associated with the lower maintenance router.
TeamCymruScout.IP.whois.mnt_router_emailStringThe email associated with the maintenance router.
TeamCymruScout.IP.communications.event_countNumberThe count of events associated with the communication.
TeamCymruScout.IP.communications.peers.protoNumberThe protocol associated with the peer.
TeamCymruScout.IP.communications.peers.proto_textStringThe text associated with the protocol of the peer.
TeamCymruScout.IP.communications.peers.local.ipStringThe IP address associated with the local peer.
TeamCymruScout.IP.communications.peers.local.min_portNumberThe minimum port associated with the local peer.
TeamCymruScout.IP.communications.peers.local.max_portNumberThe maximum port associated with the local peer.
TeamCymruScout.IP.communications.peers.local.country_codesStringThe country codes associated with the local peer.
TeamCymruScout.IP.communications.peers.local.as_info.asnNumberThe autonomous system number associated with the local peer.
TeamCymruScout.IP.communications.peers.local.as_info.as_nameStringThe name associated with the autonomous system number of the local peer.
TeamCymruScout.IP.communications.peers.local.tags.idNumberThe ID of the tags associated with the local peer.
TeamCymruScout.IP.communications.peers.local.tags.nameStringThe name of the tags associated with the local peer.
TeamCymruScout.IP.communications.peers.local.tags.children.idNumberThe ID of the child tags associated with the local peer.
TeamCymruScout.IP.communications.peers.local.tags.children.nameStringThe name of the child tags associated with the local peer.
TeamCymruScout.IP.communications.peers.local.tags.children.childrenUnknownThe children of the child tags associated with the local peer.
TeamCymruScout.IP.communications.peers.local.unique_portsNumberThe unique ports associated with the local peer.
TeamCymruScout.IP.communications.peers.local.top_services.service_nameStringThe name of the top service associated with the local peer.
TeamCymruScout.IP.communications.peers.local.top_services.portNumberThe port associated with the top service of the local peer.
TeamCymruScout.IP.communications.peers.local.top_services.proto_numberNumberThe protocol number associated with the top service of the local peer.
TeamCymruScout.IP.communications.peers.local.top_services.descriptionStringThe description associated with the top service of the local peer.
TeamCymruScout.IP.communications.peers.peer.ipStringThe IP address associated with the peer.
TeamCymruScout.IP.communications.peers.peer.min_portNumberThe minimum port associated with the peer.
TeamCymruScout.IP.communications.peers.peer.max_portNumberThe maximum port associated with the peer.
TeamCymruScout.IP.communications.peers.peer.country_codesStringThe country codes associated with the peer.
TeamCymruScout.IP.communications.peers.peer.as_info.asnNumberThe autonomous system number associated with the peer.
TeamCymruScout.IP.communications.peers.peer.as_info.as_nameStringThe name associated with the autonomous system number of the peer.
TeamCymruScout.IP.communications.peers.peer.tagsUnknownThe tags associated with the peer.
TeamCymruScout.IP.communications.peers.peer.unique_portsNumberThe unique ports associated with the peer.
TeamCymruScout.IP.communications.peers.peer.top_services.service_nameStringThe name of the top service associated with the peer.
TeamCymruScout.IP.communications.peers.peer.top_services.portNumberThe port associated with the top service of the peer.
TeamCymruScout.IP.communications.peers.peer.top_services.proto_numberNumberThe protocol number associated with the top service of the peer.
TeamCymruScout.IP.communications.peers.peer.top_services.descriptionStringThe description associated with the top service of the peer.
TeamCymruScout.IP.communications.peers.event_countNumberThe number of events associated with the communication.
TeamCymruScout.IP.communications.peers.first_seenDateThe first seen date associated with the communication.
TeamCymruScout.IP.communications.peers.last_seenDateThe last seen date associated with the communication.
TeamCymruScout.IP.communications.peers.peer.tags.idNumberThe ID of the tags associated with the peer.
TeamCymruScout.IP.communications.peers.peer.tags.nameStringThe name of the tags associated with the peer.
TeamCymruScout.IP.communications.peers.peer.tags.children.idNumberThe ID of the child tags associated with the peer.
TeamCymruScout.IP.communications.peers.peer.tags.children.nameStringThe name of the child tags associated with the peer.
TeamCymruScout.IP.communications.peers.peer.tags.children.children.idNumberThe ID of the grandchild tags associated with the peer.
TeamCymruScout.IP.communications.peers.peer.tags.children.children.nameStringThe name of the grandchild tags associated with the peer.
TeamCymruScout.IP.communications.peers.peer.tags.children.children.childrenUnknownThe children of the grandchild tags associated with the peer.
TeamCymruScout.IP.communications.peers.peer.tags.children.childrenUnknownThe grandchild tags associated with the peer.
TeamCymruScout.IP.communications.peers.peer.tags.childrenUnknownThe child tags associated with the peer.
TeamCymruScout.IP.pdns.event_countNumberThe number of events associated with the PDNS.
TeamCymruScout.IP.pdns.pdns.ipStringThe IP address associated with the PDNS.
TeamCymruScout.IP.pdns.pdns.domainStringThe domain associated with the PDNS.
TeamCymruScout.IP.pdns.pdns.rootStringThe root associated with the PDNS.
TeamCymruScout.IP.pdns.pdns.tldStringThe top level domain (TLD) associated with the PDNS.
TeamCymruScout.IP.pdns.pdns.typeStringThe type associated with the PDNS.
TeamCymruScout.IP.pdns.pdns.registrarStringThe registrar associated with the PDNS.
TeamCymruScout.IP.pdns.pdns.domain_createdDateThe creation date associated with the PDNS.
TeamCymruScout.IP.pdns.pdns.domain_expiresDateThe expiration date associated with the PDNS.
TeamCymruScout.IP.pdns.pdns.nameservers.rootStringThe root of the nameserver associated with the PDNS.
TeamCymruScout.IP.pdns.pdns.nameservers.nameserversStringThe nameservers associated with the PDNS.
TeamCymruScout.IP.pdns.pdns.country_codesStringThe country codes associated with the PDNS.
TeamCymruScout.IP.pdns.pdns.as_info.asnNumberThe autonomous system number associated with the PDNS.
TeamCymruScout.IP.pdns.pdns.as_info.as_nameStringThe name associated with the autonomous system number of the PDNS.
TeamCymruScout.IP.pdns.pdns.tagsUnknownThe tags associated with the PDNS.
TeamCymruScout.IP.pdns.pdns.distinct_ipsNumberThe number of distinct IP addresses associated with the PDNS.
TeamCymruScout.IP.pdns.pdns.active_daysNumberThe number of active days associated with the PDNS.
TeamCymruScout.IP.pdns.pdns.event_countNumberThe count of events associated with the PDNS.
TeamCymruScout.IP.pdns.pdns.first_seenDateThe first date the PDNS was seen.
TeamCymruScout.IP.pdns.pdns.last_seenDateThe last date the PDNS was seen.
TeamCymruScout.IP.pdns.pdns.nameserversUnknownThe nameservers of the PDNS.
TeamCymruScout.IP.fingerprints.event_countNumberThe number of events associated with the fingerprints.
TeamCymruScout.IP.fingerprints.fingerprints.ipStringThe IP address of the fingerprint.
TeamCymruScout.IP.fingerprints.fingerprints.typeStringThe type of the fingerprint.
TeamCymruScout.IP.fingerprints.fingerprints.fingerprintStringThe fingerprint of the host.
TeamCymruScout.IP.fingerprints.fingerprints.portNumberThe port of the fingerprint.
TeamCymruScout.IP.fingerprints.fingerprints.first_seenDateThe first date the fingerprint was seen.
TeamCymruScout.IP.fingerprints.fingerprints.last_seenDateThe last date the fingerprint was seen.
TeamCymruScout.IP.fingerprints.fingerprints.distinct_ipsNumberThe number of distinct IP addresses associated with the fingerprints.
TeamCymruScout.IP.fingerprints.fingerprints.active_daysNumberThe number of active days associated with the fingerprints.
TeamCymruScout.IP.fingerprints.fingerprints.event_countNumberThe number of events associated with the fingerprints.
TeamCymruScout.IP.open_ports.event_countNumberThe number of events associated with the open ports.
TeamCymruScout.IP.open_ports.unique_portsNumberThe number of unique ports in the open ports.
TeamCymruScout.IP.open_ports.open_ports.ipStringThe IP address of the open port.
TeamCymruScout.IP.open_ports.open_ports.portNumberThe port of the open port.
TeamCymruScout.IP.open_ports.open_ports.protocolNumberThe protocol of the open port.
TeamCymruScout.IP.open_ports.open_ports.protocol_textStringThe protocol text of the open port.
TeamCymruScout.IP.open_ports.open_ports.serviceStringThe service of the open port.
TeamCymruScout.IP.open_ports.open_ports.bannerStringThe banner of the open port.
TeamCymruScout.IP.open_ports.open_ports.banner_sha1StringThe SHA1 hash of the banner of the open port.
TeamCymruScout.IP.open_ports.open_ports.first_seenDateThe first date the open port was seen.
TeamCymruScout.IP.open_ports.open_ports.last_seenDateThe last date the open port was seen.
TeamCymruScout.IP.open_ports.open_ports.country_codesStringThe country codes of the open port.
TeamCymruScout.IP.open_ports.open_ports.as_info.asnNumberThe autonomous system number of the open port.
TeamCymruScout.IP.open_ports.open_ports.as_info.as_nameStringThe name of the autonomous system number of the open port.
TeamCymruScout.IP.open_ports.open_ports.tags.idNumberThe ID of the tag associated with the open port.
TeamCymruScout.IP.open_ports.open_ports.tags.nameStringThe name of the tag associated with the open port.
TeamCymruScout.IP.open_ports.open_ports.tags.children.idNumberThe ID of the child tag associated with the open port.
TeamCymruScout.IP.open_ports.open_ports.tags.children.nameStringThe name of the child tag associated with the open port.
TeamCymruScout.IP.open_ports.open_ports.tags.children.childrenUnknownThe child tags of the child tag associated with the open port.
TeamCymruScout.IP.open_ports.open_ports.event_countNumberThe number of events associated with the open port.
TeamCymruScout.IP.x509.event_countNumberThe number of events associated with the x509 certificate.
TeamCymruScout.IP.x509.x509.ipStringThe IP address associated with the x509 certificate.
TeamCymruScout.IP.x509.x509.issuerStringThe issuer of the x509 certificate.
TeamCymruScout.IP.x509.x509.issuer_common_nameStringThe common name of the issuer of the x509 certificate.
TeamCymruScout.IP.x509.x509.common_nameStringThe common name of the x509 certificate.
TeamCymruScout.IP.x509.x509.altnamesStringThe alternative names associated with the x509 certificate.
TeamCymruScout.IP.x509.x509.serialStringThe serial number of the x509 certificate.
TeamCymruScout.IP.x509.x509.subjectStringThe subject of the x509 certificate.
TeamCymruScout.IP.x509.x509.not_afterDateThe expiration date of the x509 certificate.
TeamCymruScout.IP.x509.x509.not_beforeDateThe start date of the x509 certificate.
TeamCymruScout.IP.x509.x509.validity_periodStringThe validity period of the x509 certificate.
TeamCymruScout.IP.x509.x509.md5StringThe MD5 hash of the x509 certificate.
TeamCymruScout.IP.x509.x509.sha1StringThe SHA1 hash of the x509 certificate.
TeamCymruScout.IP.x509.x509.sha256StringThe SHA256 hash of the x509 certificate.
TeamCymruScout.IP.x509.x509.first_seenDateThe first date the x509 certificate was seen.
TeamCymruScout.IP.x509.x509.last_seenDateThe last date the x509 certificate was seen.
TeamCymruScout.IP.x509.x509.portNumberThe port associated with the x509 certificate.
TeamCymruScout.IP.x509.x509.self_signedBooleanIndicates whether the x509 certificate is self-signed.
TeamCymruScout.IP.x509.x509.country_codesStringThe country codes associated with the x509 certificate.
TeamCymruScout.IP.x509.x509.as_info.asnNumberThe autonomous system number associated with the x509 certificate.
TeamCymruScout.IP.x509.x509.as_info.as_nameStringThe autonomous system name associated with the x509 certificate.
TeamCymruScout.IP.x509.x509.tags.idNumberThe ID of the tag associated with the x509 certificate.
TeamCymruScout.IP.x509.x509.tags.nameStringThe name of the tag associated with the x509 certificate.
TeamCymruScout.IP.x509.x509.tags.children.idNumberThe ID of the child tag associated with the x509 certificate.
TeamCymruScout.IP.x509.x509.tags.children.nameStringThe name of the child tag associated with the x509 certificate.
TeamCymruScout.IP.x509.x509.tags.children.childrenUnknownThe children of the child tag associated with the x509 certificate.
TeamCymruScout.IP.x509.x509.countNumberThe count of the x509 certificate.
TeamCymruScout.IP.summary.totalNumberThe total count of the summary.
TeamCymruScout.IP.summary.ipStringThe IP address associated with the summary.
TeamCymruScout.IP.summary.start_dateDateThe start date of the summary.
TeamCymruScout.IP.summary.end_dateDateThe end date of the summary.
TeamCymruScout.IP.summary.geo_ip_ccStringThe country code associated with the geographic IP.
TeamCymruScout.IP.summary.tags.idNumberThe ID of the tag associated with the summary.
TeamCymruScout.IP.summary.tags.nameStringThe name of the tag associated with the summary.
TeamCymruScout.IP.summary.tags.children.idNumberThe ID of the child tag associated with the summary.
TeamCymruScout.IP.summary.tags.children.nameStringThe name of the child tag associated with the summary.
TeamCymruScout.IP.summary.tags.children.childrenUnknownThe children of the child tag associated with the summary.
TeamCymruScout.IP.summary.reverse_hostnamesUnknownThe reverse hostnames associated with the summary.
TeamCymruScout.IP.summary.bgp_asnNumberThe autonomous system number associated with the BGP.
TeamCymruScout.IP.summary.bgp_asnameStringThe autonomous system name associated with the BGP.
TeamCymruScout.IP.summary.whois.asnNumberThe autonomous system number associated with the IP address.
TeamCymruScout.IP.summary.whois.as_nameStringThe name associated with the autonomous system number.
TeamCymruScout.IP.summary.whois.net_nameStringThe name associated with the network.
TeamCymruScout.IP.summary.whois.org_nameStringThe name associated with the organization.
TeamCymruScout.IP.summary.pdns.totalNumberThe total count of the DNS queries associated with the IP address.
TeamCymruScout.IP.summary.pdns.top_pdns.event_countNumberThe number of events associated with the top DNS query.
TeamCymruScout.IP.summary.pdns.top_pdns.domainStringThe domain associated with the top DNS query.
TeamCymruScout.IP.summary.pdns.top_pdns.first_seenDateThe first date the top DNS query was seen.
TeamCymruScout.IP.summary.pdns.top_pdns.last_seenDateThe last date the top DNS query was seen.
TeamCymruScout.IP.summary.pdns.top_pdns.css_colorStringThe CSS color associated with the top DNS query.
TeamCymruScout.IP.summary.open_ports.totalNumberThe total number of the open ports associated with the IP address.
TeamCymruScout.IP.summary.open_ports.unique_portsNumberThe number of unique ports in the open ports.
TeamCymruScout.IP.summary.open_ports.top_open_ports.event_countNumberThe number of events associated with the top open port.
TeamCymruScout.IP.summary.open_ports.top_open_ports.portNumberThe port associated with the top open port.
TeamCymruScout.IP.summary.open_ports.top_open_ports.protocolNumberThe protocol number associated with the top open port.
TeamCymruScout.IP.summary.open_ports.top_open_ports.protocol_textStringThe protocol text associated with the top open port.
TeamCymruScout.IP.summary.open_ports.top_open_ports.serviceStringThe service associated with the top open port.
TeamCymruScout.IP.summary.open_ports.top_open_ports.inferred_service_nameUnknownThe inferred service name associated with the top open port.
TeamCymruScout.IP.summary.open_ports.top_open_ports.first_seenDateThe first date the top open port was seen.
TeamCymruScout.IP.summary.open_ports.top_open_ports.last_seenDateThe last date the top open port was seen.
TeamCymruScout.IP.summary.open_ports.top_open_ports.css_colorStringThe CSS color associated with the top open port.
TeamCymruScout.IP.summary.certs.top_certs.issuerStringThe issuer of the certificate.
TeamCymruScout.IP.summary.certs.top_certs.issuer_common_nameStringThe common name of the issuer of the certificate.
TeamCymruScout.IP.summary.certs.top_certs.common_nameStringThe common name of the certificate.
TeamCymruScout.IP.summary.certs.top_certs.subjectStringThe subject of the certificate.
TeamCymruScout.IP.summary.certs.top_certs.portNumberThe port associated with the certificate.
TeamCymruScout.IP.summary.certs.top_certs.first_seenDateThe first date the certificate was seen.
TeamCymruScout.IP.summary.certs.top_certs.last_seenDateThe last date the certificate was seen.
TeamCymruScout.IP.summary.certs.top_certs.self_signedBooleanIndicates whether the certificate is self-signed.
TeamCymruScout.IP.summary.certs.top_certs.not_beforeDateThe date before which the certificate is not valid.
TeamCymruScout.IP.summary.certs.top_certs.not_afterDateThe date after which the certificate is not valid.
TeamCymruScout.IP.summary.certs.top_certs.valid_daysNumberThe number of valid days for the certificate.
TeamCymruScout.IP.summary.certs.top_certs.md5StringThe MD5 hash of the certificate.
TeamCymruScout.IP.summary.certs.top_certs.sha1StringThe SHA1 hash of the certificate.
TeamCymruScout.IP.summary.certs.top_certs.sha256StringThe SHA256 hash of the certificate.
TeamCymruScout.IP.summary.certs.top_certs.css_colorStringThe CSS color associated with the certificate.
TeamCymruScout.IP.summary.tag_timeline.data.tag.idNumberThe ID of the tag.
TeamCymruScout.IP.summary.tag_timeline.data.tag.nameStringThe name of the tag.
TeamCymruScout.IP.summary.tag_timeline.data.tag.descriptionStringThe description of the tag.
TeamCymruScout.IP.summary.tag_timeline.data.tag.parent_idsNumberThe parent IDs of the tag.
TeamCymruScout.IP.summary.tag_timeline.data.tag.css_colorStringThe CSS color associated with the tag.
TeamCymruScout.IP.summary.tag_timeline.data.tag.parentsUnknownThe parents of the tag.
TeamCymruScout.IP.summary.tag_timeline.data.first_seenDateThe first date the tag was seen.
TeamCymruScout.IP.summary.tag_timeline.data.last_seenDateThe last date the tag was seen.
TeamCymruScout.IP.summary.tag_timeline.data.tag.parents.idNumberThe ID of the parent tag.
TeamCymruScout.IP.summary.tag_timeline.data.tag.parents.nameStringThe name of the parent tag.
TeamCymruScout.IP.summary.tag_timeline.data.tag.parents.descriptionStringThe description of the parent tag.
TeamCymruScout.IP.summary.tag_timeline.data.tag.parents.parent_idsUnknownThe parent IDs of the parent tag.
TeamCymruScout.IP.summary.tag_timeline.data.tag.parents.css_colorStringThe CSS color associated with the parent tag.
TeamCymruScout.IP.summary.tag_timeline.data.tag.parents.parentsUnknownThe parents of the parent tag.
TeamCymruScout.IP.summary.insights.overall_ratingStringThe overall rating of the insights.
TeamCymruScout.IP.summary.insights.totalNumberThe total count of the insights.
TeamCymruScout.IP.summary.insights.insights.ratingStringThe rating of the insight.
TeamCymruScout.IP.summary.insights.insights.messageStringThe message of the insight.
TeamCymruScout.IP.summary.fingerprints.top_fingerprints.typeStringThe type of the fingerprint.
TeamCymruScout.IP.summary.fingerprints.top_fingerprints.signatureStringThe signature of the fingerprint.
TeamCymruScout.IP.summary.fingerprints.top_fingerprints.portNumberThe port associated with the fingerprint.
TeamCymruScout.IP.summary.fingerprints.top_fingerprints.first_seenDateThe first date the fingerprint was seen.
TeamCymruScout.IP.summary.fingerprints.top_fingerprints.last_seenDateThe last date the fingerprint was seen.
TeamCymruScout.IP.summary.fingerprints.top_fingerprints.countNumberThe count of the fingerprint.

Command example#

!ip ip=0.0.0.1

Context Example#

{
"DBotScore": {
"Indicator": "0.0.0.1",
"Reliability": "A - Completely reliable",
"Score": 2,
"Type": "ip",
"Vendor": "Team Cymru Scout"
},
"IP": {
"ASN": 15133,
"ASOwner": "test_name",
"Address": "0.0.0.1",
"Description": "[\"data-03-EU-93-184-216-0-24\"]",
"Organization": {
"Name": "test_name Inc."
},
"Port": "443, 80",
"Region": "EU",
"Relationships": [
{
"EntityA": "0.0.0.1",
"EntityAType": "IP",
"EntityB": "0.0.0.2",
"EntityBType": "IP",
"Relationship": "communicated-with"
}
],
"Tags": "cdn: (test_name)",
"UpdatedDate": "2012-06-22"
},
"TeamCymruScout": {
"IP": {
"ip": "0.0.0.1",
"sections": [
"identity",
"comms",
"pdns",
"open_ports",
"x509",
"fingerprints",
"whois",
"summary"
],
"identity": {
"asn": 15133,
"as_name": "test_name",
"net_name": "test_name-data-03",
"org_name": "test_name Inc."
},
"whois": {
"modified": "2012-06-22",
"asn": 15133,
"cidr": "0.0.0.1/24",
"as_name": "test_name",
"bgp_asn": 15133,
"bgp_asn_name": "test_name, US",
"net_name": "test_name-data-03",
"net_handle": "",
"description": "[\"data-03-EU-93-184-216-0-24\"]",
"cc": "EU",
"city": "",
"address": "",
"abuse_contact_id": "",
"about_contact_role": "",
"about_contact_person": "",
"about_contact_email": "",
"about_contact_phone": "",
"about_contact_country": "",
"about_contact_city": "",
"about_contact_address": "",
"admin_contact_id": "DS7892-RIPE",
"admin_contact_role": "",
"admin_contact_person": "Derrick Sawyer",
"admin_contact_email": "",
"admin_contact_phone": "+18123456789",
"admin_contact_country": "",
"admin_contact_city": "",
"admin_contact_address": "[\"11811 N. Tatum Blvd, Suite 3031, Phoenix, AZ 85028\"]",
"tech_contact_id": "DS7892-RIPE",
"tech_contact_role": "",
"tech_contact_person": "Derrick Sawyer",
"tech_contact_email": "",
"tech_contact_phone": "+18987654321",
"tech_contact_country": "",
"tech_contact_city": "",
"tech_contact_address": "[\"11811 N. Tatum Blvd, Suite 3031, Phoenix, AZ 85028\"]",
"org_id": "",
"org_name": "test_name Inc.",
"org_email": "",
"org_phone": "",
"org_country": "",
"org_city": "",
"org_address": "",
"mnt_by_email": "",
"mnt_lower_email": "",
"mnt_router_email": ""
},
"communications": {
"event_count": 33264,
"peers": [
{
"proto": 6,
"proto_text": "TCP",
"local": {
"ip": "0.0.0.1",
"min_port": 80,
"max_port": 80,
"country_codes": [
"US"
],
"as_info": [
{
"asn": 15133,
"as_name": "test_name, US"
}
],
"tags": [
{
"id": 176,
"name": "cdn",
"children": [
{
"id": 206,
"name": "test_name"
}
]
}
],
"unique_ports": 1,
"top_services": [
{
"service_name": "http",
"port": 80,
"proto_number": 6,
"description": "World Wide Web HTTP"
}
]
},
"peer": {
"ip": "0.0.0.2",
"min_port": 52049,
"max_port": 64552,
"country_codes": [
"ZA"
],
"as_info": [
{
"asn": 327983,
"as_name": "Interworks-Wireless-Solutions, ZA"
}
],
"unique_ports": 3669,
"top_services": [
{
"service_name": "",
"port": 64552,
"proto_number": 6,
"description": ""
}
]
},
"event_count": 6040,
"first_seen": "2024-06-04",
"last_seen": "2024-06-04"
}
]
},
"pdns": {
"event_count": 1338,
"pdns": [
{
"ip": "0.0.0.1",
"domain": "test1.aaa",
"root": "test1.aaa",
"tld": "aaa",
"type": "A",
"registrar": "PDR Ltd. d/b/a test1.com",
"domain_created": "2023-03-03",
"domain_expires": "2025-03-03",
"nameservers": [
{
"root": "test1.com.br",
"nameservers": [
"ns1036.test1.com.br",
"ns1037.test1.com.br"
]
}
],
"country_codes": [
"US"
],
"as_info": [
{
"asn": 15133,
"as_name": ""
}
],
"distinct_ips": 1,
"active_days": 20,
"event_count": 78,
"first_seen": "2024-05-27",
"last_seen": "2024-06-25"
}
]
},
"fingerprints": {
"event_count": 5,
"fingerprints": [
{
"ip": "0.0.0.1",
"type": "jarm",
"fingerprint": "testsignature",
"port": 443,
"first_seen": "2024-05-30",
"last_seen": "2024-06-21",
"distinct_ips": 830,
"active_days": 5,
"event_count": 5
}
]
},
"open_ports": {
"event_count": 2,
"unique_ports": 2,
"open_ports": [
{
"ip": "0.0.0.1",
"port": 443,
"protocol": 6,
"protocol_text": "TCP",
"service": "https",
"banner": "TLS/1.1 cipher:0xc013, www.example.org, www.example.org, example.net, example.edu, example.com, example.org, www.example.com, www.example.edu, www.example.net",
"banner_sha1": "test_sha1",
"first_seen": "2024-05-30",
"last_seen": "2024-06-21",
"country_codes": [
"US"
],
"as_info": [
{
"asn": 15133,
"as_name": "test_name, US"
}
],
"tags": [
{
"id": 176,
"name": "cdn",
"children": [
{
"id": 206,
"name": "test_name"
}
]
}
],
"event_count": 5
}
]
},
"x509": {
"event_count": 5,
"x509": [
{
"ip": "0.0.0.1",
"issuer": "CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US",
"issuer_common_name": "DigiCert Global G2 TLS RSA SHA256 2020 CA1",
"common_name": "www.example.org",
"altnames": [
"example.com",
"example.edu",
"example.net",
"example.org",
"www.example.com",
"www.example.edu",
"www.example.net",
"www.example.org"
],
"serial": "testserial",
"subject": "CN=www.example.org, O=Internet Corporation for Assigned Names and Numbers.",
"not_after": "2025-03-01",
"not_before": "2024-01-30",
"validity_period": "397 Days",
"md5": "testmd5",
"sha1": "testsha1",
"sha256": "testsha256",
"first_seen": "2024-05-30",
"last_seen": "2024-06-21",
"port": 443,
"self_signed": false,
"country_codes": [
"US"
],
"as_info": [
{
"asn": 15133,
"as_name": "test_name, US"
}
],
"tags": [
{
"id": 176,
"name": "cdn",
"children": [
{
"id": 206,
"name": "test_name"
}
]
}
],
"count": 5
}
]
},
"summary": {
"total": 1,
"ip": "0.0.0.1",
"start_date": "2024-05-27",
"end_date": "2024-06-25",
"geo_ip_cc": "US",
"tags": [
{
"id": 176,
"name": "cdn",
"children": [
{
"id": 206,
"name": "test_name"
}
]
}
],
"bgp_asn": 15133,
"bgp_asname": "test_name, US",
"whois": {
"asn": 15133,
"as_name": "test_name",
"net_name": "test_name-data-03",
"org_name": "test_name Inc."
},
"pdns": {
"total": 1338,
"top_pdns": [
{
"event_count": 78,
"domain": "test1.aaa",
"first_seen": "2024-05-27",
"last_seen": "2024-06-25",
"css_color": "#a6abb7"
}
]
},
"open_ports": {
"total": 2,
"unique_ports": 2,
"top_open_ports": [
{
"event_count": 53,
"port": 80,
"protocol": 6,
"protocol_text": "TCP",
"service": "http",
"first_seen": "2024-05-27",
"last_seen": "2024-06-25",
"css_color": "#a6abb7"
}
]
},
"certs": {
"top_certs": [
{
"issuer": "CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US",
"issuer_common_name": "DigiCert Global G2 TLS RSA SHA256 2020 CA1",
"common_name": "www.example.org",
"subject": "CN=www.example.org, O=Internet Corporation for Assigned Names and Numbers.",
"port": 443,
"first_seen": "2024-05-30",
"last_seen": "2024-06-21",
"self_signed": false,
"not_before": "2024-01-30",
"not_after": "2025-03-01",
"valid_days": 397,
"md5": "testmd5",
"sha1": "testsha1",
"sha256": "testsha256",
"css_color": "#b382d9"
}
]
},
"tag_timeline": {
"data": [
{
"tag": {
"id": 176,
"name": "cdn",
"description": "The CDN tag characterizes IP addresses associated with Content Delivery Networks (CDNs).",
"css_color": "#8A532C"
},
"first_seen": "2024-05-27",
"last_seen": "2024-06-25"
}
]
},
"insights": {
"overall_rating": "suspicious",
"total": 8,
"insights": [
{
"rating": "no_rating",
"message": "x509 subject \"CN=www.example.org, O=Internet Corporation for Assigned Names and Numbers."
}
]
},
"fingerprints": {
"top_fingerprints": [
{
"type": "jarm",
"signature": "testsignature",
"port": 443,
"first_seen": "2024-05-30",
"last_seen": "2024-06-21",
"count": 5
}
]
}
}
},
"QueryUsage": {
"command_name": "ip",
"foundation_api_usage": {
"query_limit": 0,
"remaining_queries": 0,
"used_queries": 15
},
"query_limit": 50000,
"remaining_queries": 49739,
"request_id": "test_id",
"size": 1000,
"start_date": "2024-05-27",
"end_date": "2024-06-25",
"used_queries": 261
}
}
}

Human Readable Output#

Summary Information For The Given Suspicious IP: 0.0.0.1#

Country CodeWhoisTagsInsights
USasn: 15133
as_name: test_name
net_name: test_name-data-03
org_name: test_name Inc.
- id: 176
name: cdn
children:
- id: 206
name: test_name
- rating: no_rating
message: x509 subject "CN=www.example.org, O=Internet Corporation for Assigned Names and Numbers.

Top PDNS#

DomainEvent CountFirst SeenLast Seen
test1.aaa782024-05-272024-06-25

Top Peers#

ProtoClient IPClient Country Code(s)Client ServicesServer IPServer Country Code(s)Server Tag(s)Server ServicesEvent CountFirst SeenLast SeenClient AS NameServer AS Name
TCP0.0.0.2ZA- port: 64552
proto_number: 6
0.0.0.1UScdn: (test_name)- service_name: http
port: 80
proto_number: 6
description: World Wide Web HTTP
60402024-06-042024-06-04Interworks-Wireless-Solutions, ZAtest_name, US

Top Open Ports#

Event CountPortProtocolProtocol TextServiceFirst SeenLast Seen
53806TCPhttp2024-05-272024-06-25

Top Fingerprints#

CountFirst SeenLast SeenPortSignatureType
52024-05-302024-06-21443testsignaturejarm

Top Certificates#

Common NameFirst SeenIssuerIssuer Common NameLast SeenMd5Not AfterNot BeforePortSelf SignedSha1Sha256SubjectValid Days
www.example.org2024-05-30CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=USDigiCert Global G2 TLS RSA SHA256 2020 CA12024-06-21testmd52025-03-012024-01-30443falsetestsha1testsha256CN=www.example.org, O=Internet Corporation for Assigned Names and Numbers.397

scout-indicator-search#


Return the summary information available for the given domain or IP address using Scout query language.

Base Command#

scout-indicator-search

Input#

Argument NameDescriptionRequired
queryA simple or advanced Scout query which may contain the domain or IP address.

For example: comms.ip="0.0.0.1/24".
Required
start_dateThe start date to filter indicators.

Supported formats: 2 days, 2 weeks, 2 months, yyyy-mm-dd.

For example: 01 June 2024, 2024-06-17. Default is 30 days.
Optional
end_dateThe end date to filter indicators.

Supported formats: 2 days, 2 weeks, 2 months, yyyy-mm-dd.

For example: 01 June 2024, 2024-06-17. Default is now.
Optional
daysRelative offset in days from current time. It cannot exceed the maximum range of 30 days.

Note: This will take priority over start_date and end_date if all three are passed.
Optional
sizeThe maximum number of indicators to fetch.

Note: The maximum allowed size is 5000. Default is 20.
Optional

Context Output#

PathTypeDescription
TeamCymruScout.IP.ipStringThe IP address.
TeamCymruScout.IP.country_codesStringThe country code(s).
TeamCymruScout.IP.as_info.asnNumberThe autonomous system number.
TeamCymruScout.IP.as_info.as_nameStringThe autonomous system name.
TeamCymruScout.IP.tags.idNumberThe ID of the tag.
TeamCymruScout.IP.tags.nameStringThe name of the tag.
TeamCymruScout.IP.tags.children.idNumberThe ID of the child tag.
TeamCymruScout.IP.tags.children.nameStringThe name of the child tag.
TeamCymruScout.IP.tags.children.childrenUnknownThe children of the child tag.
TeamCymruScout.IP.event_countNumberThe number of events related to the IP address.
TeamCymruScout.IP.summary.last_seenDateThe last time the IP was seen.
TeamCymruScout.IP.summary.whois.asnNumberThe autonomous system number associated with the IP.
TeamCymruScout.IP.summary.whois.as_nameStringThe name of the autonomous system associated with the IP.
TeamCymruScout.IP.summary.whois.net_nameStringThe network name associated with the IP.
TeamCymruScout.IP.summary.whois.org_nameStringThe organization name associated with the IP.
TeamCymruScout.IP.summary.open_ports.ipStringThe IP address associated with the open port.
TeamCymruScout.IP.summary.open_ports.portNumberThe port number associated with the open port.
TeamCymruScout.IP.summary.open_ports.protocolNumberThe protocol number associated with the open port.
TeamCymruScout.IP.summary.open_ports.protocol_textStringThe protocol name associated with the open port.
TeamCymruScout.IP.summary.open_ports.serviceStringThe service name associated with the open port.
TeamCymruScout.IP.summary.open_ports.event_countNumberThe number of events related to the open port.
TeamCymruScout.IP.summary.pdns.ipStringThe IP address associated with the domain.
TeamCymruScout.IP.summary.pdns.domainStringThe domain associated with the IP.
TeamCymruScout.IP.summary.pdns.event_countNumberThe number of events related to the domain.
TeamCymruScout.IP.summary.top_peers.ipStringThe IP address of the top peer.
TeamCymruScout.IP.summary.top_peers.event_countNumberThe number of events related to the top peer.
TeamCymruScout.IP.summary.comms_totalNumberThe total number of communications related to the IP address.
TeamCymruScout.IP.summary.service_counts.protoNumberThe protocol number associated with the service count.
TeamCymruScout.IP.summary.service_counts.proto_textStringThe protocol name associated with the service count.
TeamCymruScout.IP.summary.service_counts.portNumberThe port number associated with the service count.
TeamCymruScout.IP.summary.service_counts.event_countNumberThe number of events related to the service count.
TeamCymruScout.IP.summary.service_counts.service.service_nameStringThe service name associated with the service count.
TeamCymruScout.IP.summary.service_counts.service.portNumberThe port number associated with the service count.
TeamCymruScout.IP.summary.service_counts.service.proto_numberNumberThe protocol number associated with the service count.
TeamCymruScout.IP.summary.service_counts.service.descriptionStringThe description of the service associated with the service count.
TeamCymruScout.IP.summary.fingerprints.ipStringThe IP address associated with the fingerprint.
TeamCymruScout.IP.summary.fingerprints.typeStringThe type of the fingerprint.
TeamCymruScout.IP.summary.fingerprints.signatureStringThe signature of the fingerprint.
TeamCymruScout.IP.summary.fingerprints.event_countNumberThe number of events related to the fingerprint.
TeamCymruScout.IP.summary.certs.ipStringThe IP address associated with the certificate.
TeamCymruScout.IP.summary.certs.issuerStringThe issuer of the certificate.
TeamCymruScout.IP.summary.certs.issuer_common_nameStringThe common name of the issuer of the certificate.
TeamCymruScout.IP.summary.certs.common_nameStringThe common name of the certificate.
TeamCymruScout.IP.summary.certs.portNumberThe port number associated with the certificate.
TeamCymruScout.IP.summary.certs.event_countNumberThe number of events related to the certificate.
TeamCymruScout.QueryUsage.command_nameStringThe name of the Cortex XSOAR command that triggered the Foundation API.
TeamCymruScout.QueryUsage.request_idStringThe unique request ID of the Foundation API response.
TeamCymruScout.QueryUsage.totalNumberThe total number of records available for provided filters.
TeamCymruScout.QueryUsage.queryStringThe query for which the search API was triggered.
TeamCymruScout.QueryUsage.sizeNumberThe number of records requested using parameters.
TeamCymruScout.QueryUsage.start_dateStringThe start date from which the indicators are returned.
TeamCymruScout.QueryUsage.end_dateStringThe end date from which the indicators are returned.
TeamCymruScout.QueryUsage.used_queriesNumberThe number of queries used.
TeamCymruScout.QueryUsage.remaining_queriesNumberThe number of remaining queries.
TeamCymruScout.QueryUsage.query_limitNumberThe total number of queries allowed.
TeamCymruScout.QueryUsage.foundation_api_usage.used_queriesNumberThe number of queries used for the Foundation API.
TeamCymruScout.QueryUsage.foundation_api_usage.remaining_queriesNumberThe number of remaining queries for the Foundation API.
TeamCymruScout.QueryUsage.foundation_api_usage.query_limitNumberThe total number of queries allowed for the Foundation API.
IP.AddressStringIP address.
IP.Relationships.EntityAStringThe source of the relationship.
IP.Relationships.EntityBStringThe destination of the relationship.
IP.Relationships.RelationshipStringThe name of the relationship.
IP.Relationships.EntityATypeStringThe type of the source of the relationship.
IP.Relationships.EntityBTypeStringThe type of the destination of the relationship.
IP.ASNStringThe autonomous system name for the IP address, for example: "AS8948".
IP.HostnameStringThe hostname that is mapped to this IP address.
IP.Geo.LocationStringThe geolocation where the IP address is located, in the format: latitude:longitude.
IP.Geo.CountryStringThe country in which the IP address is located.
IP.Geo.DescriptionStringAdditional information about the location.
IP.DetectionEnginesNumberThe total number of engines that checked the indicator.
IP.PositiveDetectionsNumberThe number of engines that positively detected the indicator as malicious.
IP.Malicious.VendorStringThe vendor reporting the IP address as malicious.
IP.Malicious.DescriptionStringA description explaining why the IP address was reported as malicious.
IP.TagsUnknown(List) Tags of the IP address.
IP.FeedRelatedIndicators.valueStringIndicators that are associated with the IP address.
IP.FeedRelatedIndicators.typeStringThe type of the indicators that are associated with the IP address.
IP.FeedRelatedIndicators.descriptionStringThe description of the indicators that are associated with the IP address.
IP.MalwareFamilyStringThe malware family associated with the IP address.
IP.Organization.NameStringThe organization of the IP address.
IP.Organization.TypeStringThe organization type of the IP address.
IP.ASOwnerStringThe autonomous system owner of the IP address.
IP.RegionStringThe region in which the IP address is located.
IP.PortStringPorts that are associated with the IP address.
IP.InternalBooleanWhether the IP address is internal or external.
IP.UpdatedDateDateThe date that the IP address was last updated.
IP.Registrar.Abuse.NameStringThe name of the contact for reporting abuse.
IP.Registrar.Abuse.AddressStringThe address of the contact for reporting abuse.
IP.Registrar.Abuse.CountryStringThe country of the contact for reporting abuse.
IP.Registrar.Abuse.NetworkStringThe network of the contact for reporting abuse.
IP.Registrar.Abuse.PhoneStringThe phone number of the contact for reporting abuse.
IP.Registrar.Abuse.EmailStringThe email address of the contact for reporting abuse.
IP.CampaignStringThe campaign associated with the IP address.
IP.TrafficLightProtocolStringThe Traffic Light Protocol (TLP) color that is suitable for the IP address.
IP.CommunityNotes.noteStringNotes on the IP address that were given by the community.
IP.CommunityNotes.timestampDateThe time in which the note was published.
IP.Publications.sourceStringThe source in which the article was published.
IP.Publications.titleStringThe name of the article.
IP.Publications.linkStringA link to the original article.
IP.Publications.timestampDateThe time in which the article was published.
IP.ThreatTypes.threatcategoryStringThe threat category associated to this indicator by the source vendor. For example, Phishing, Control, TOR, etc.
IP.ThreatTypes.threatcategoryconfidenceStringThe confidence level provided by the vendor for the threat type category For example a confidence of 90 for threat type category 'malware' means that the vendor rates that this is 90% confidence of being a malware.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe reputation score (0: Unknown, 1: Good, 2: Suspicious, 3: Bad).

Command example#

!scout-indicator-search query="0.0.0.1" size=1 start_date="30 days" end_date="now"

Context Example#

{
"DBotScore": {
"Indicator": "0.0.0.1",
"Type": "ip",
"Vendor": "Team Cymru Scout",
"Score": 0,
"Reliability": "B - Usually reliable"
},
"IP": {
"Address": "0.0.0.1",
"ASN": 15169,
"ASOwner": "DUMMY",
"Region": "US",
"Port": "53,443",
"UpdatedDate": "2024-06-27",
"Hostname": "dns.dummy",
"Geo": {
"Country": "US"
},
"Organization": {
"Name": "Dummy LLC"
},
"Tags": "cdn: (cloudflare)",
"Relationships": [
{
"Relationship": "communicated-with",
"EntityA": "0.0.0.1",
"EntityAType": "IP",
"EntityB": "0.0.0.2",
"EntityBType": "IP"
},
{
"Relationship": "communicated-with",
"EntityA": "0.0.0.1",
"EntityAType": "IP",
"EntityB": "0.0.0.3",
"EntityBType": "IP"
},
{
"Relationship": "resolves-to",
"EntityA": "0.0.0.1",
"EntityAType": "IP",
"EntityB": "dns.dummy",
"EntityBType": "Domain"
},
{
"Relationship": "resolves-to",
"EntityA": "0.0.0.1",
"EntityAType": "IP",
"EntityB": "dns.dummy.com",
"EntityBType": "Domain"
}
]
},
"TeamCymruScout": {
"IP": {
"ip": "0.0.0.1",
"country_codes": [
"US"
],
"as_info": [
{
"asn": 15169,
"as_name": "DUMMY, US"
}
],
"tags": [
{
"id": 176,
"name": "cdn",
"children": [
{
"id": 210,
"name": "cloudflare"
}
]
}
],
"event_count": 164273621518,
"summary": {
"last_seen": "2024-06-27",
"whois": {
"asn": 15169,
"as_name": "DUMMY",
"net_name": "DUMMY",
"org_name": "Dummy LLC"
},
"open_ports": [
{
"ip": "0.0.0.1",
"port": 53,
"protocol": 17,
"protocol_text": "UDP",
"service": "domain",
"event_count": 296728
},
{
"ip": "0.0.0.1",
"port": 443,
"protocol": 6,
"protocol_text": "TCP",
"service": "https",
"event_count": 257
}
],
"pdns": [
{
"ip": "0.0.0.1",
"domain": "dns.dummy",
"event_count": 53408038
},
{
"ip": "0.0.0.1",
"domain": "dns.dummy.com",
"event_count": 2791811
}
],
"top_peers": [
{
"ip": "0.0.0.2",
"event_count": 2784287448
},
{
"ip": "0.0.0.3",
"event_count": 1469283767
}
],
"comms_total": 166356036813,
"service_counts": [
{
"proto": 17,
"proto_text": "",
"port": 53,
"event_count": 141248029324,
"service": {
"service_name": "domain",
"port": 53,
"proto_number": 17,
"description": "Domain Name Server"
}
},
{
"proto": 17,
"proto_text": "",
"port": 443,
"event_count": 7214447854,
"service": {
"service_name": "https",
"port": 443,
"proto_number": 17,
"description": "http protocol over TLS/SSL"
}
},
{
"proto": 6,
"proto_text": "",
"port": 443,
"event_count": 4130470538,
"service": {
"service_name": "https",
"port": 443,
"proto_number": 6,
"description": "http protocol over TLS/SSL"
}
}
],
"fingerprints": [
{
"ip": "0.0.0.1",
"type": "ja3s",
"signature": "00000000000000000000000000000001",
"event_count": 144337
},
{
"ip": "0.0.0.1",
"type": "ja3",
"signature": "00000000000000000000000000000001",
"event_count": 40708
}
],
"certs": [
{
"ip": "0.0.0.1",
"issuer": "CN=WR2, O=Dummy Trust Services, C=US",
"issuer_common_name": "WR2",
"common_name": "dns.dummy",
"port": 853,
"event_count": 418
},
{
"ip": "0.0.0.1",
"issuer": "CN=WR2, O=Dummy Trust Services, C=US",
"issuer_common_name": "WR2",
"common_name": "dns.dummy",
"port": 443,
"event_count": 372
}
]
}
},
"QueryUsage": {
"command_name": "scout-indicator-search",
"request_id": "00000000-0000-0000-0000-000000000001",
"total": 1,
"query": "0.0.0.1",
"size": 1,
"start_date": "2024-05-28",
"end_date": "2024-06-26",
"used_queries": 261,
"remaining_queries": 49739,
"query_limit": 50000,
"foundation_api_usage": {
"used_queries": 15,
"remaining_queries": 0,
"query_limit": 0
}
}
}
}

Human Readable Output#

Summary Information for the given indicator: 0.0.0.1#

Country Code(S)WhoisEvent CountTagsLast Seen
USasn: 15169
as_name: DUMMY
net_name: DUMMY
org_name: Dummy LLC
164273621518- id: 176
name: cdn
children:
- id: 210
name: cloudflare
2024-06-27

PDNS Information#

DomainEvent CountIP
dns.dummy534080380.0.0.1
dns.dummy.com27918110.0.0.1

Open Ports Information#

Event CountIPPortProtocolProtocol TextService
2967280.0.0.15317UDPdomain
2570.0.0.14436TCPhttps

Top Peers Information#

Source IPEvent CountIP
0.0.0.127842874480.0.0.2
0.0.0.114692837670.0.0.3

Service Counts Information#

Source IPEvent CountPortProtoService
0.0.0.11412480293245317service_name: domain
port: 53
proto_number: 17
description: Domain Name Server
0.0.0.1721444785444317service_name: https
port: 443
proto_number: 17
description: http protocol over TLS/SSL
0.0.0.141304705384436service_name: https
port: 443
proto_number: 6
description: http protocol over TLS/SSL

Fingerprints Information#

Event CountIPSignatureType
1443370.0.0.100000000000000000000000000000001ja3s
407080.0.0.100000000000000000000000000000001ja3

Certs Information#

Common NameEvent CountIPIssuerIssuer Common NamePort
dns.dummy4180.0.0.1CN=WR2, O=Dummy Trust Services, C=USWR2853
dns.dummy3720.0.0.1CN=WR2, O=Dummy Trust Services, C=USWR2443

API Usage#

Used QueriesRemaining QueriesQuery LimitFoundation Used QueriesFoundation Remaining QueriesFoundation Query Limit
26149739500001500

scout-ip-list#


Returns the summary information available for the given list of IP addresses.

Base Command#

scout-ip-list

Input#

Argument NameDescriptionRequired
ip_addressesA comma-separated list of IP addresses to retrieve available IP details. Note: Maximum of 10 IP addresses are allowed.Required

Context Output#

PathTypeDescription
TeamCymruScout.IP.ipStringThe IP address.
TeamCymruScout.IP.country_codeStringThe country code.
TeamCymruScout.IP.as_info.asnNumberThe autonomous system number.
TeamCymruScout.IP.as_info.as_nameStringThe autonomous system name.
TeamCymruScout.IP.insights.overall_ratingStringThe overall rating for the IP address.
TeamCymruScout.IP.insights.insights.ratingStringThe individual insight rating for the IP address.
TeamCymruScout.IP.insights.insights.messageStringThe individual insight message for the IP address.
TeamCymruScout.IP.tags.idNumberThe ID of the tag.
TeamCymruScout.IP.tags.nameStringThe name of the tag.
TeamCymruScout.IP.tags.children.idNumberThe ID of the child tag.
TeamCymruScout.IP.tags.children.nameStringThe name of the child tag.
TeamCymruScout.IP.tags.children.childrenUnknownThe children of the child tag.
TeamCymruScout.QueryUsage.command_nameStringThe name of the Cortex XSOAR command that triggered the Foundation API.
TeamCymruScout.QueryUsage.request_idStringThe unique request ID of the Foundation API response.
TeamCymruScout.QueryUsage.ipsUnknownThe list of IP addresses for which the Foundation API was triggered.
TeamCymruScout.QueryUsage.used_queriesNumberThe number of queries used.
TeamCymruScout.QueryUsage.remaining_queriesNumberThe number of remaining queries.
TeamCymruScout.QueryUsage.query_limitNumberThe total number of queries allowed.
TeamCymruScout.QueryUsage.foundation_api_usage.used_queriesNumberThe number of queries used for the Foundation API.
TeamCymruScout.QueryUsage.foundation_api_usage.remaining_queriesNumberThe number of remaining queries for the Foundation API.
TeamCymruScout.QueryUsage.foundation_api_usage.query_limitNumberThe total number of queries allowed for the Foundation API.
IP.AddressStringIP address.
IP.Relationships.EntityAStringThe source of the relationship.
IP.Relationships.EntityBStringThe destination of the relationship.
IP.Relationships.RelationshipStringThe name of the relationship.
IP.Relationships.EntityATypeStringThe type of the source of the relationship.
IP.Relationships.EntityBTypeStringThe type of the destination of the relationship.
IP.ASNStringThe autonomous system name for the IP address, for example: "AS8948".
IP.HostnameStringThe hostname that is mapped to this IP address.
IP.Geo.LocationStringThe geolocation where the IP address is located, in the format: latitude:longitude.
IP.Geo.CountryStringThe country in which the IP address is located.
IP.Geo.DescriptionStringAdditional information about the location.
IP.DetectionEnginesNumberThe total number of engines that checked the indicator.
IP.PositiveDetectionsNumberThe number of engines that positively detected the indicator as malicious.
IP.Malicious.VendorStringThe vendor reporting the IP address as malicious.
IP.Malicious.DescriptionStringA description explaining why the IP address was reported as malicious.
IP.TagsUnknown(List) Tags of the IP address.
IP.FeedRelatedIndicators.valueStringIndicators that are associated with the IP address.
IP.FeedRelatedIndicators.typeStringThe type of the indicators that are associated with the IP address.
IP.FeedRelatedIndicators.descriptionStringThe description of the indicators that are associated with the IP address.
IP.MalwareFamilyStringThe malware family associated with the IP address.
IP.Organization.NameStringThe organization of the IP address.
IP.Organization.TypeStringThe organization type of the IP address.
IP.ASOwnerStringThe autonomous system owner of the IP address.
IP.RegionStringThe region in which the IP address is located.
IP.PortStringPorts that are associated with the IP address.
IP.InternalBooleanWhether the IP address is internal or external.
IP.UpdatedDateDateThe date that the IP address was last updated.
IP.Registrar.Abuse.NameStringThe name of the contact for reporting abuse.
IP.Registrar.Abuse.AddressStringThe address of the contact for reporting abuse.
IP.Registrar.Abuse.CountryStringThe country of the contact for reporting abuse.
IP.Registrar.Abuse.NetworkStringThe network of the contact for reporting abuse.
IP.Registrar.Abuse.PhoneStringThe phone number of the contact for reporting abuse.
IP.Registrar.Abuse.EmailStringThe email address of the contact for reporting abuse.
IP.CampaignStringThe campaign associated with the IP address.
IP.TrafficLightProtocolStringThe Traffic Light Protocol (TLP) color that is suitable for the IP address.
IP.CommunityNotes.noteStringNotes on the IP address that were given by the community.
IP.CommunityNotes.timestampDateThe time in which the note was published.
IP.Publications.sourceStringThe source in which the article was published.
IP.Publications.titleStringThe name of the article.
IP.Publications.linkStringA link to the original article.
IP.Publications.timestampDateThe time in which the article was published.
IP.ThreatTypes.threatcategoryStringThe threat category associated to this indicator by the source vendor. For example, Phishing, Control, TOR, etc.
IP.ThreatTypes.threatcategoryconfidenceStringThe confidence level provided by the vendor for the threat type category For example a confidence of 90 for threat type category 'malware' means that the vendor rates that this is 90% confidence of being a malware.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe reputation score (0: Unknown, 1: Good, 2: Suspicious, 3: Bad).
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.

Command example#

!scout-ip-list ip_addresses="0.0.0.1"

Context Example#

{
"DBotScore": [
{
"Indicator": "0.0.0.1",
"Reliability": "B - Usually reliable",
"Score": 2,
"Type": "ip",
"Vendor": "Team Cymru Scout"
}
],
"IP": [
{
"Address": "0.0.0.1",
"ASN": 13335,
"ASOwner": "NET, US",
"Region": "US",
"Description": "0.0.0.1 has been identified as a \"cdn\", indicating private and reserved addresses defined by RFC 1918, RFC 5735, and RFC 6598, as well as net that have not been allocated to a Regional Internet Registry (RIR) by the Internet Assigned Numbers Authority.",
"Geo": {
"Country": "US"
},
"Organization": {
"Name": "NET, US"
},
"Tags": "cdn: (cloudflare)"
}
],
"TeamCymruScout": {
"IP": [
{
"ip": "0.0.0.1",
"country_code": "US",
"as_info": [
{
"asn": 13335,
"as_name": "NET, US"
}
],
"insights": {
"overall_rating": "suspicious",
"insights": [
{
"rating": "suspicious",
"message": "0.0.0.1 has been identified as a \"cdn\", indicating private and reserved addresses defined by RFC 1918, RFC 5735, and RFC 6598, as well as net that have not been allocated to a Regional Internet Registry (RIR) by the Internet Assigned Numbers Authority."
}
]
},
"tags": [
{
"id": 81,
"name": "cdn",
"children": [
{
"id": 210,
"name": "cloudflare"
}
]
}
]
}
],
"QueryUsage": {
"command_name": "scout-ip-list",
"foundation_api_usage": {
"query_limit": 0,
"remaining_queries": 0,
"used_queries": 3
},
"ips": [
"0.0.0.1"
],
"query_limit": 50000,
"remaining_queries": 49840,
"request_id": "00000000-0000-0000-0000-000000000001",
"used_queries": 160
}
}
}

Human Readable Output#

Summary Information for the given Suspicious IP: 0.0.0.1#

Country CodeAS InfoInsightsTags
US- asn: 13335
as_name: NET, US
overall_rating: suspicious
insights:
- rating: suspicious
message: 0.0.0.1 has been identified as a "cdn", indicating private and reserved addresses defined by RFC 1918, RFC 5735, and RFC 6598, as well as net that have not been allocated to a Regional Internet Registry (RIR) by the Internet Assigned Numbers Authority.
- id: 81
name: cdn
children:
- id: 210
name: cloudflare

API Usage#

Used QueriesRemaining QueriesQuery LimitFoundation Used QueriesFoundation Remaining QueriesFoundation Query Limit
1604984050000300