AbuseIPDB

Use the AbuseIPDB integration to report and identify IP addresses that have been associated with malicious activity online.

Use Cases

Check IP addresses against AbuseIPDB, report abusive IP addresses, and retrieve the blacklist of the most reported IP addresses.

Configure AbuseIPDB on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for AbuseIPDB.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • API Key (v2).
    • IP Threshold: minimum AbuseIPDB confidence score at which an IP is considered malicious (must be greater than 20).
    • Max reports age.
    • Disregard quota errors.
  4. Click Test to validate the API key and the connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Check if an IP address is in the AbuseIP database: ip
  2. Query a block of IP addresses: abuseipdb-check-cidr-block
  3. Report an IP address: abuseipdb-report-ip
  4. Get a list of the most reported IP addresses: abuseipdb-get-blacklist
  5. Get a list of report categories: abuseipdb-get-categories

1. Check if an IP address is in the AbuseIP database

Checks the specified IP address against the AbuseIP database.

Base Command

ip

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | IP address to check | Required |
| days | Time range to return reports for (in days); default is 30 | Optional |
| verbose | Report length: "true" returns the full report, "false" omits the reported categories; default is "true" | Optional |
| threshold | Minimum score from AbuseIPDB to consider the IP malicious (must be greater than 20); default is 80 | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AbuseIPDB.IP.Address | unknown | IP address |
| AbuseIPDB.IP.AbuseConfidenceScore | unknown | Confidence score fetched from AbuseIPDB |
| AbuseIPDB.IP.TotalReports | unknown | The number of times this address has been reported |
| AbuseIPDB.IP.Geo.Country | unknown | Country associated with this IP address |
| AbuseIPDB.IP.Address.Reports | unknown | Reports summary (for "verbose" reports) |
| DBotScore.Score | unknown | Analysis score |
| DBotScore.Vendor | unknown | Vendor name (AbuseIPDB) |
| DBotScore.Indicator | unknown | The IP address |
| DBotScore.Type | unknown | The type (ip) |
| AbuseIPDB.IP.Malicious.Vendor | unknown | The vendor that determined this IP address to be malicious |
| AbuseIPDB.IP.Malicious.Detections | unknown | The detections that led to the verdict |

Command Example

!ip ip=8.8.8.8 days=30 verbose=true
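The context output above comes from mapping one AbuseIPDB /check response onto the AbuseIPDB.IP.* and DBotScore.* paths and applying the threshold argument. The following Python is an added example written for this page, not the integration's own code: the JSON field names (ipAddress, abuseConfidenceScore, totalReports, countryCode, reports) are assumed from the AbuseIPDB v2 API, the sample response is constructed, and the verdict rule (a score at or above the threshold is Bad, a score above 20 is Suspicious, anything else is Good) is an assumption that mirrors the argument descriptions, not the integration's documented logic.

```python
"""Turn an AbuseIPDB v2 /check response into the context paths listed above.

Added example, not the integration's own code. The response field names
(ipAddress, abuseConfidenceScore, totalReports, countryCode, reports) are
assumed from the AbuseIPDB v2 API; the sample response itself is constructed.
"""
import json

# Constructed sample /check response (illustrative values, not a real lookup).
SAMPLE_RESPONSE = json.dumps({
    "data": {
        "ipAddress": "192.0.2.10",
        "abuseConfidenceScore": 87,
        "totalReports": 14,
        "countryCode": "US",
        "reports": [
            {"reportedAt": "2019-01-05T10:00:00+00:00", "categories": [18, 22],
             "comment": "repeated SSH login failures"},
            {"reportedAt": "2019-01-04T09:30:00+00:00", "categories": [14],
             "comment": "port scan"},
        ],
    }
})

DBOT_GOOD, DBOT_SUSPICIOUS, DBOT_BAD = 1, 2, 3   # Demisto DBotScore values
MIN_THRESHOLD = 20                                # page: threshold must exceed 20


def dbot_score(confidence, threshold=80):
    """Assumed verdict rule: score >= threshold -> Bad, > 20 -> Suspicious, else Good."""
    if threshold <= MIN_THRESHOLD:
        raise ValueError("threshold must be greater than %d" % MIN_THRESHOLD)
    if confidence >= threshold:
        return DBOT_BAD
    if confidence > MIN_THRESHOLD:
        return DBOT_SUSPICIOUS
    return DBOT_GOOD


def build_context(raw_response, threshold=80, verbose=True):
    """Build the AbuseIPDB.IP and DBotScore context entries for one /check result."""
    data = json.loads(raw_response)["data"]
    address = data["ipAddress"]
    confidence = data["abuseConfidenceScore"]
    score = dbot_score(confidence, threshold)

    ip_entry = {
        "Address": address,
        "AbuseConfidenceScore": confidence,
        "TotalReports": data.get("totalReports", 0),
        "Geo": {"Country": data.get("countryCode")},
    }
    if verbose:
        # The reports summary is only populated for verbose=true, as the argument table says.
        ip_entry["Reports"] = [
            {"ReportedAt": r.get("reportedAt"),
             "Categories": r.get("categories", []),
             "Comment": r.get("comment", "")}
            for r in data.get("reports", [])
        ]
    if score == DBOT_BAD:
        # Malicious.* is set only when the verdict is Bad, so playbooks can branch on it.
        ip_entry["Malicious"] = {
            "Vendor": "AbuseIPDB",
            "Detections": "Abuse confidence score %d >= threshold %d" % (confidence, threshold),
        }

    return {
        "AbuseIPDB.IP": ip_entry,
        "DBotScore": {"Indicator": address, "Type": "ip",
                      "Vendor": "AbuseIPDB", "Score": score},
    }


if __name__ == "__main__":
    print(json.dumps(build_context(SAMPLE_RESPONSE), indent=2))
```

With the default threshold of 80 the constructed sample scores Bad (3) and receives a Malicious entry; raising the threshold to 90 drops it to Suspicious (2) with no Malicious entry. A playbook should branch on DBotScore.Score or on the presence of AbuseIPDB.IP.Malicious rather than re-implementing the comparison against the raw confidence score.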

Context Example
Human Readable Output


2. Query a block of IP addresses

Checks a block of IP addresses against the AbuseIP database.

Base Command

abuseipdb-check-cidr-block

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| network | IPv4 address block in CIDR notation | Required |
| days | Time range to return reports for (in days); default is 30 | Optional |
| limit | Maximum number of IPs to check; default is 40 | Optional |
| threshold | Minimum score from AbuseIPDB to consider the IP malicious (must be greater than 20); default is 80 | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AbuseIPDB.IP.Address | unknown | IP address |
| AbuseIPDB.IP.AbuseConfidenceScore | unknown | Confidence score fetched from AbuseIPDB |
| AbuseIPDB.IP.Geo.Country | unknown | Country associated with this IP address |
| AbuseIPDB.IP.TotalReports | unknown | The number of times this address has been reported |
| DBotScore.Score | unknown | Analysis score |
| DBotScore.Vendor | unknown | Vendor name (AbuseIPDB) |
| DBotScore.Indicator | unknown | The IP address |
| DBotScore.Type | unknown | The type (ip) |
| AbuseIPDB.IP.Malicious.Vendor | unknown | The vendor that determined this IP address to be malicious |
| AbuseIPDB.IP.Malicious.Detections | unknown | The detections that led to the verdict |

Command Example

!abuseipdb-check-cidr-block network="127.0.0.2/24" days="30" limit="40" threshold="80"

Human Readable Output


3. Report an IP address

Reports an IP address to AbuseIPDB.

Base Command

abuseipdb-report-ip

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | The IP address to report | Required |
| categories | CSV list of category IDs (numerical representation or category name) | Required |

Context Output

There is no context output for this command.

Command Example

!abuseipdb-report-ip ip=8.8.8.8 categories="18,22,23"
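The categories argument accepts either numeric IDs or category names, so a report command has to normalize the list before sending it. The following Python is an added example written for this page, not the integration's own code: the ID-to-name table is AbuseIPDB's published category list as known to the author of this example (verify it against the output of abuseipdb-get-categories), and the assumption that the API wants a comma-separated string of numeric IDs is mine.

```python
"""Normalize the `categories` argument of abuseipdb-report-ip to numeric IDs.

Added example, not the integration's code. The page states the argument is a
CSV list given as numeric IDs or category names; the ID/name table below is
AbuseIPDB's published category list as known to the author of this example,
so confirm it against abuseipdb-get-categories before relying on it.
"""
import re

CATEGORIES = {
    3: "Fraud Orders", 4: "DDoS Attack", 5: "FTP Brute-Force", 6: "Ping of Death",
    7: "Phishing", 8: "Fraud VoIP", 9: "Open Proxy", 10: "Web Spam",
    11: "Email Spam", 12: "Blog Spam", 13: "VPN IP", 14: "Port Scan",
    15: "Hacking", 16: "SQL Injection", 17: "Spoofing", 18: "Brute-Force",
    19: "Bad Web Bot", 20: "Exploited Host", 21: "Web App Attack", 22: "SSH",
    23: "IoT Targeted",
}


def _key(name):
    """Fold case and drop spaces/hyphens so 'brute force', 'Brute-Force' and 'BRUTEFORCE' match."""
    return re.sub(r"[\s\-_]+", "", name).lower()


_NAME_TO_ID = {_key(name): cid for cid, name in CATEGORIES.items()}


def normalize_categories(csv_value):
    """Return the argument as a comma-separated string of numeric IDs (assumed API format).

    Accepts numeric IDs or names in any mix, trims whitespace, de-duplicates while
    keeping order, and rejects anything that is not a known category so a typo
    never turns into a silently wrong report.
    """
    ids = []
    for token in csv_value.split(","):
        token = token.strip()
        if not token:
            continue
        if token.isdigit():
            cid = int(token)
            if cid not in CATEGORIES:
                raise ValueError("unknown AbuseIPDB category id: %s" % token)
        else:
            cid = _NAME_TO_ID.get(_key(token))
            if cid is None:
                raise ValueError("unknown AbuseIPDB category name: %r" % token)
        if cid not in ids:
            ids.append(cid)
    if not ids:
        raise ValueError("at least one category is required")
    return ",".join(str(c) for c in ids)


def describe_categories(csv_value):
    """Human-readable names for a category list, e.g. for the War Room entry."""
    return [CATEGORIES[int(c)] for c in normalize_categories(csv_value).split(",")]


if __name__ == "__main__":
    print(normalize_categories("18, ssh, IoT Targeted"))   # 18,22,23
    print(describe_categories("18,22,23"))
```

The example in the page, categories="18,22,23", passes through unchanged; "Brute-Force, ssh, IoT Targeted" normalizes to the same string. Rejecting unknown tokens matters because a report is attached to a third party's address and cannot be withdrawn from the command line, so the input should fail closed rather than be sent with a guessed category.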

Human Readable Output


4. Get a list of the most reported IP addresses

Returns a list of the most reported IP addresses.

Base Command

abuseipdb-get-blacklist

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| days | Time range to return reports for (in days); default is 30 | Optional |
| limit | Maximum number of IPs to retrieve; default is 50 | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AbuseIPDB.Blacklist | unknown | List of blacklisted IPs |

Command Example

!abuseipdb-get-blacklist days=30 limit=5

Context Example
Human Readable Output


5. Get a list of report categories

Returns the list of report categories from AbuseIPDB.

Base Command

abuseipdb-get-categories

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AbuseIPDB.Categories | string | List of AbuseIPDB categories |

Command Example

!abuseipdb-get-categories

Human Readable Output


Additional Information

  • What is the "Confidence of Abuse" rating, and how is it calculated?
    AbuseIPDB confidence of abuse is a rating (0-100) of how confident we are, based on user reports, that an IP address is completely malicious. A rating of 100 means we are certain that an IP address is malicious, and a rating of 0 means we have no reason to suspect it is malicious.