AbuseIPDB
App Vendor: AbuseIPDB
Connector Category: Data Enrichment & Threat Intelligence
Connector Version: 1.2.0
API Version: 1.0.0
Supported Product Version: 1.0.0
About App
AbuseIPDB helps combat the spread of hackers, spammers, and abusive activity on the internet. In Orchestrate, the AbuseIPDB app provides a central blacklist for webmasters, system administrators, and other interested parties to report and look up IP addresses that have been associated with malicious activity online.
Action Name | Description |
---|---|
Check IP Subnet Stats | This action gets the reputation of a subnet from AbuseIPDB. |
Get Blacklisted IPs | This action retrieves a list of blacklisted IPs. |
Get IP Address Details | This action retrieves IP address details from AbuseIPDB. |
Get Reports | This action retrieves reports based on the specified IP address. |
Report IP Address | This action reports a malicious IP address to AbuseIPDB. |
Generic Action | This is a generic action used to make requests to any AbuseIPDB endpoint. |
Configuration Parameters
The following configuration parameters are required for the AbuseIPDB app to communicate with the AbuseIPDB enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
API token | Enter the API token for authentication. | Text | Required | |
Verify SSL | Enable this option to verify the SSL certificate while making requests. It is recommended to set this option to yes. If set to no, certificate verification is skipped, which may result in an incorrectly established or broken connection. | Boolean | Optional | |
Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with AbuseIPDB. | Integer | Optional | Default value: 15 seconds Allowed range: 15 - 120 seconds |
Action: Check IP Subnet Stats
This action retrieves the stats of an IP subnet (v4 or v6) denoted in CIDR notation (example: 127.0.0.1/24) from AbuseIPDB. You can inspect details regarding the subnet such as its netmask, the number of hosts it can possibly contain, and the assigned description of the address space.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IP Address Subnet | Enter the IP address subnet (v4 or v6) denoted with CIDR notation. Example: 192.168.1.0/24 | Text | Required | |
Get Reports Since | Enter the preceding number of days to fetch reports. | Integer | Optional | Default value: 30 days Min value: 1 day Max value: 365 days |
Example Request
[ { "network_subnet": "117.6.243.150/24", "get_report_since": 30 } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
app_instance | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.data | Object | The data object containing specific information about the subnet. |
app_instance.data.addressSpaceDesc | String | Description of the address space. Example: "Loopback" |
app_instance.data.maxAddress | String | The maximum address in the subnet. Example: "127.0.0.255" |
app_instance.data.minAddress | String | The minimum address in the subnet. Example: "127.0.0.0" |
app_instance.data.netmask | String | The netmask of the subnet. Example: "255.255.255.0" |
app_instance.data.networkAddress | String | The network address of the subnet. Example: "127.0.0.0" |
app_instance.data.numPossibleHosts | Integer | The number of possible hosts in the subnet. Example: 256 |
app_instance.data.reportedAddress | Array | A list of reported addresses within the subnet. |
app_instance.data.reportedAddress | Object | Each element of the reportedAddress array, containing the details of one reported address (fields below). |
app_instance.data.reportedAddress.abuseConfidenceScore | Integer | The AbuseIPDB confidence score for the reported IP address. Example: 0 |
app_instance.data.reportedAddress.countryCode | String | The country code associated with the reported IP address. |
app_instance.data.reportedAddress.ipAddress | String | The reported IP address. Example: "127.0.0.1" |
app_instance.data.reportedAddress.mostRecentReport | String | The timestamp of the most recent report for the IP address. Example: "2024-06-05T13:11:32+00:00" |
app_instance.data.reportedAddress.numReports | Integer | The number of reports for the IP address. Example: 3 |
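The following Python snippet is an added example and is not part of the AbuseIPDB app or of Orchestrate. It shows what a playbook step around this action typically does: validate the subnet input before sending the request body shown in the Example Request, sanity-check the returned subnet fields against CIDR arithmetic, and rank the reported addresses by confidence score. The sample response is constructed from the response table above (documentation address range, not real AbuseIPDB data); the request is normalised to the network address (so 117.6.243.150/24 is sent as 117.6.243.0/24), and the 50-point ranking threshold is a local choice, not a value this page prescribes.

```python
import ipaddress

# Constructed sample response, shaped like the response table for this action.
# The values are made up (TEST-NET-1 range) and are not real AbuseIPDB data.
SAMPLE_SUBNET_RESPONSE = {
    "data": {
        "networkAddress": "192.0.2.0",
        "netmask": "255.255.255.0",
        "minAddress": "192.0.2.0",
        "maxAddress": "192.0.2.255",
        "numPossibleHosts": 256,
        "addressSpaceDesc": "Documentation (TEST-NET-1)",
        "reportedAddress": [
            {"ipAddress": "192.0.2.10", "numReports": 3, "abuseConfidenceScore": 0,
             "countryCode": "US", "mostRecentReport": "2024-06-05T13:11:32+00:00"},
            {"ipAddress": "192.0.2.77", "numReports": 41, "abuseConfidenceScore": 100,
             "countryCode": "US", "mostRecentReport": "2024-06-07T09:00:00+00:00"},
            {"ipAddress": "192.0.2.200", "numReports": 8, "abuseConfidenceScore": 64,
             "countryCode": "US", "mostRecentReport": "2024-06-01T01:02:03+00:00"},
        ],
    }
}


def build_subnet_request(subnet: str, days: int = 30) -> dict:
    """Validate the action inputs and return the request body used by the action.

    Host bits are tolerated (the page's own example is 127.0.0.1/24), so the
    network is normalised with strict=False; a malformed subnet raises
    ValueError before anything is sent. Days are clamped to the 1-365 range
    documented for "Get Reports Since".
    """
    net = ipaddress.ip_network(subnet.strip(), strict=False)
    days = max(1, min(365, int(days)))
    return {"network_subnet": str(net), "get_report_since": days}


def check_subnet_consistency(resp: dict) -> bool:
    """Cross-check the returned IPv4 subnet fields against plain CIDR arithmetic.

    A mismatch usually means a truncated or mis-parsed response rather than a
    real finding, so a playbook should stop and surface it instead of acting.
    """
    d = resp["data"]
    # ip_network accepts "address/netmask" notation for IPv4 (not for IPv6).
    net = ipaddress.ip_network(f'{d["networkAddress"]}/{d["netmask"]}')
    return (
        net.num_addresses == d["numPossibleHosts"]
        and str(net.network_address) == d["minAddress"]
        and str(net.broadcast_address) == d["maxAddress"]
    )


def rank_reported(resp: dict, min_score: int = 50) -> list:
    """Return (ip, abuseConfidenceScore, numReports) tuples for reported
    addresses at or above min_score, highest confidence first. min_score
    is a local triage threshold, not a value the page prescribes."""
    rows = resp["data"].get("reportedAddress", [])
    hits = [
        (r["ipAddress"], r["abuseConfidenceScore"], r["numReports"])
        for r in rows
        if r["abuseConfidenceScore"] >= min_score
    ]
    return sorted(hits, key=lambda t: (t[1], t[2]), reverse=True)


if __name__ == "__main__":
    print(build_subnet_request("117.6.243.150/24", 30))
    print("consistent:", check_subnet_consistency(SAMPLE_SUBNET_RESPONSE))
    for ip, score, n in rank_reported(SAMPLE_SUBNET_RESPONSE):
        print(f"{ip:<16} score={score:<3} reports={n}")
```

The consistency check is deliberately strict: if numPossibleHosts, minAddress or maxAddress disagree with the netmask, the playbook should treat the response as unusable rather than block or allow anything on the strength of it.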
Action: Get Blacklisted IPs
This action retrieves a list of blacklisted IPs.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Limit | Enter the number of IPs to retrieve. | Integer | Optional | Default value: 10,000 |
Minimum Confidence | Enter the minimum confidence score to retrieve associated IPs. | Integer | Optional | Allowed range: 25 to 100 Default value: 100 |
Extra Params | Enter the extra parameters to retrieve the IPs. | Key Value | Optional | Allowed keys: plaintext, onlyCountries, exceptCountries, ipVersion |
Example Request
[ { "extra_params": { "onlyCountries": "US,MX,CA" } } ]
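The following Python snippet is an added example, not code from the AbuseIPDB app or from Orchestrate. It validates the inputs of this action against the ranges and allowed keys in the table above (the `limit` and `minimum_confidence` body keys are assumed; the page only shows `extra_params` in its Example Request), then shows what a consumer of the list normally does next: parse the plaintext form of the blacklist (one address per line, as requested with the `plaintext` extra param) and match it against web-server access log lines. Both the blacklist text and the log lines are constructed from documentation address ranges.

```python
import ipaddress
import re

# Allowed keys for "Extra Params", as listed in the input table for this action.
ALLOWED_EXTRA_PARAMS = {"plaintext", "onlyCountries", "exceptCountries", "ipVersion"}


def build_blacklist_request(limit: int = 10000, minimum_confidence: int = 100,
                            extra_params: dict = None) -> dict:
    """Validate the action inputs against the documented ranges and keys.

    The "limit" and "minimum_confidence" body keys are assumed; the page only
    shows the "extra_params" key in its Example Request.
    """
    if not 25 <= int(minimum_confidence) <= 100:
        raise ValueError("Minimum Confidence must be within 25 to 100")
    extra = dict(extra_params or {})
    unknown = set(extra) - ALLOWED_EXTRA_PARAMS
    if unknown:
        raise ValueError(f"unsupported extra params: {sorted(unknown)}")
    return {"limit": int(limit), "minimum_confidence": int(minimum_confidence),
            "extra_params": extra}


# Constructed sample of a plaintext blacklist (one address per line), the form
# returned when the "plaintext" extra param is used. Documentation ranges only.
SAMPLE_BLACKLIST_TEXT = """\
198.51.100.23
203.0.113.9
2001:db8::dead:beef
not-an-ip
"""

# Constructed web-server access log lines; the client address is the first field.
SAMPLE_LOG_LINES = [
    '198.51.100.23 - - [07/Jun/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 512',
    '192.0.2.4 - - [07/Jun/2024:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.9 - - [07/Jun/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 403 221',
    'malformed line with no address',
]

_CLIENT_FIELD = re.compile(r"^(\S+)\s")


def parse_blacklist(text: str) -> set:
    """Turn the plaintext blacklist into a set of ip_address objects.
    Lines that are not valid addresses are skipped so one bad line cannot
    break a scheduled refresh of the list."""
    addresses = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            addresses.add(ipaddress.ip_address(line))
        except ValueError:
            continue
    return addresses


def match_log_lines(lines, blacklist: set) -> list:
    """Return (line_number, ip, line) for each line whose client address is
    on the blacklist. Comparing parsed addresses rather than raw strings means
    "2001:DB8::DEAD:BEEF" and its lowercase form match the same entry."""
    hits = []
    for number, line in enumerate(lines, start=1):
        m = _CLIENT_FIELD.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        if ip in blacklist:
            hits.append((number, str(ip), line))
    return hits


if __name__ == "__main__":
    print(build_blacklist_request(extra_params={"onlyCountries": "US,MX,CA"}))
    blacklist = parse_blacklist(SAMPLE_BLACKLIST_TEXT)
    for number, ip, line in match_log_lines(SAMPLE_LOG_LINES, blacklist):
        print(f"line {number}: {ip} is blacklisted: {line}")
```

Matching a blacklist against logs is a hunting aid, not a verdict by itself: a hit on an address that is also in isWhitelisted territory, or one whose last report is months old, still deserves the per-address check described under Get IP Address Details.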
Action: Get IP Address Details
This action gets the details of an IP address from AbuseIPDB. You can inspect details regarding the IP address such as the version, country of origin, usage type, ISP, and domain name, along with the reports from AbuseIPDB.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IP address | Enter the IP address. Example: 192.168.1.1 | Text | Required | |
Detailed report | Specify if you want a detailed report (which includes comments, categories, country name, and other details) for the IP address. | Boolean | Optional | Default value: False |
Get Reports Since | Enter the number of days to look back for reports. | Integer | Optional | Default value: 30 days Min value: 1 day Max value: 365 days |
Example Request
[ { "ip_address": "103.219.112.48", "detailed_report": true, "get_report_since": 340 } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
app_instance | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.data | Object | The data object containing specific information about the IP address. |
app_instance.data.abuseConfidenceScore | Integer | The abuse confidence score for the IP address. A rating of 100 indicates absolute certainty that an IP address is malicious, whereas a rating of 0 signifies no suspicion of malicious activity associated with the IP address. Example: 0 |
app_instance.data.countryCode | String | The country code associated with the IP address. Example: CN |
app_instance.data.countryName | String | The country name associated with the IP address. Example: China |
app_instance.data.domain | String | The domain associated with the IP address. Example: tencent.com |
app_instance.data.hostnames | Array | The hostnames associated with the IP address. |
app_instance.data.ipAddress | String | The IP address being analyzed. |
app_instance.data.ipVersion | Integer | The version of the IP address. Example: 4 |
app_instance.data.isPublic | Boolean | Whether the IP address is public. Example: false |
app_instance.data.isTor | Boolean | Whether the IP address is associated with Tor. Example: false |
app_instance.data.isWhitelisted | Boolean | Whether the IP address is whitelisted in AbuseIPDB. Example: false |
app_instance.data.isp | String | The Internet Service Provider associated with the IP address. Example: "Private IP Address LAN" |
app_instance.data.lastReportedAt | String | The last time the IP address was reported. Example: "2024-06-02T20:18:55+00:00" |
app_instance.data.numDistinctUsers | Integer | The number of distinct users that reported the IP address. Example: 2 |
app_instance.data.reports | Array of Objects | A list of reports associated with the IP address. |
app_instance.data.reports.categories | Array of String | Categories associated with the report. Example: [5, 18] |
app_instance.data.reports.comment | String | The comment associated with the report. |
app_instance.data.reports.reportedAt | String | The time the report was submitted. Example: "2024-06-02T20:18:55+00:00" |
app_instance.data.reports.reporterCountryCode | String | The country code of the reporter. Example: "US" |
app_instance.data.reports.reporterCountryName | String | The country name of the reporter. Example: "United States of America" |
app_instance.data.reports.reporterId | String | The ID of the reporter. Example: 101994 |
app_instance.data.totalReports | Integer | The total number of reports for the IP address. Example: 5 |
app_instance.data.usageType | String | The usage type of the IP address. Example: "Reserved" |
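The following Python snippet is an added example and is not part of the AbuseIPDB app or of Orchestrate. It turns a Get IP Address Details response into a triage verdict, consulting the fields in the order a defender would: isWhitelisted and isPublic settle the case before the score is read, then abuseConfidenceScore is compared against two thresholds, and a high score whose lastReportedAt is older than the look-back window is downgraded from "block" to "review". The page only fixes the endpoints of the score (100 = certain, 0 = no suspicion); the 90/50 cut-offs, the 30-day staleness rule and the sample response (constructed from the response table, documentation address range) are all assumptions of this example.

```python
import copy
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the response table for this action with
# "Detailed report" enabled. All values are made up (documentation range).
SAMPLE_IP_DETAILS = {
    "data": {
        "ipAddress": "203.0.113.9",
        "isPublic": True,
        "ipVersion": 4,
        "isWhitelisted": False,
        "abuseConfidenceScore": 87,
        "countryCode": "NL",
        "countryName": "Netherlands",
        "usageType": "Data Center/Web Hosting/Transit",
        "isp": "Example Hosting BV",
        "domain": "example.net",
        "hostnames": [],
        "isTor": False,
        "totalReports": 14,
        "numDistinctUsers": 9,
        "lastReportedAt": "2024-06-02T20:18:55+00:00",
        "reports": [
            {"reportedAt": "2024-06-02T20:18:55+00:00", "comment": "SSH brute force",
             "categories": [18, 22], "reporterId": 101994,
             "reporterCountryCode": "US", "reporterCountryName": "United States of America"},
        ],
    }
}

# Fixed "current time" for the sample so results are reproducible offline.
SAMPLE_NOW = datetime(2024, 6, 7, tzinfo=timezone.utc)

# Local triage thresholds on abuseConfidenceScore. The page only fixes the
# endpoints (100 = certain, 0 = no suspicion); these cut-offs are a policy choice.
BLOCK_SCORE = 90
REVIEW_SCORE = 50


def with_fields(resp: dict, **overrides) -> dict:
    """Return a deep copy of resp with the given data fields replaced."""
    out = copy.deepcopy(resp)
    out["data"].update(overrides)
    return out


def triage(resp: dict, now: datetime = SAMPLE_NOW, stale_days: int = 30) -> dict:
    """Turn a Get IP Address Details response into a verdict with reasons."""
    d = resp["data"]
    score = int(d.get("abuseConfidenceScore", 0))
    ip = d["ipAddress"]

    # Settle the cases where the score is irrelevant first.
    if d.get("isWhitelisted"):
        return {"ip": ip, "verdict": "allow", "score": score,
                "reasons": ["whitelisted by AbuseIPDB"]}
    if not d.get("isPublic", True):
        return {"ip": ip, "verdict": "ignore", "score": score,
                "reasons": ["non-public address carries no reputation signal"]}

    if score >= BLOCK_SCORE:
        verdict = "block"
    elif score >= REVIEW_SCORE:
        verdict = "review"
    else:
        verdict = "allow"
    reasons = [f"score={score}, reports={d.get('totalReports', 0)} "
               f"from {d.get('numDistinctUsers', 0)} distinct reporters"]

    # A high score backed only by old reports should not block automatically.
    last = d.get("lastReportedAt")
    if last:
        age = now - datetime.fromisoformat(last)
        if age > timedelta(days=stale_days) and verdict == "block":
            verdict = "review"
            reasons.append(f"last report is {age.days} days old")
    if d.get("isTor"):
        reasons.append("Tor exit node")

    return {"ip": ip, "verdict": verdict, "score": score, "reasons": reasons}


if __name__ == "__main__":
    print(triage(SAMPLE_IP_DETAILS))
    print(triage(with_fields(SAMPLE_IP_DETAILS, abuseConfidenceScore=100)))
    print(triage(with_fields(SAMPLE_IP_DETAILS, abuseConfidenceScore=100,
                             lastReportedAt="2023-01-01T00:00:00+00:00")))
```

Keeping the reasons list alongside the verdict matters for incident records: an analyst reviewing a block later can see whether it rested on the score, the reporter count, or a Tor flag, without re-querying AbuseIPDB.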
Action: Get Reports
This action retrieves reports based on the specified IP address.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IP Address | Enter the IP address to retrieve the report. Example: 127.0.0.1 | Text | Required | Allowed types: IPv4, IPv6 |
Page | Enter the page number from which to retrieve results. | Integer | Optional | Default value: 1 |
Page Size | Enter the number of results to retrieve on each page. | Integer | Optional | Maximum allowed value: 100 Default value: 25 |
Max Age | Enter the number of days to filter reports created in the last specified days. | Integer | Optional | Maximum allowed value: 365 Default value: 30 |
Example Request
[ { "ip_address": "127.0.0.1" } ]
Action: Report IP Address
This action reports an IP address to AbuseIPDB. It allows users to submit details about abusive activities linked to an IP address.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IP Address | Enter the IP address to be reported. Example: 192.168.1.1 | Text | Required | |
Categories | Enter the comma-separated category numbers associated with the IP address. | Text | Required | Allowed values: 1 - DNS Compromise, 2 - DNS Poisoning, 3 - Fraud Orders, 4 - DDoS Attack, 5 - FTP Brute-Force, 6 - Ping of Death, 7 - Phishing, 8 - Fraud VoIP, 9 - Open Proxy, 10 - Web Spam, 11 - Email Spam, 12 - Blog Spam, 13 - VPN IP, 14 - Port Scan, 15 - Hacking, 16 - SQL Injection, 17 - Spoofing, 18 - Brute-Force, 19 - Bad Web Bot, 20 - Exploited Host, 21 - Web App Attack, 22 - SSH, 23 - IoT Targeted |
Description | Enter a descriptive text of the attack which may include server logs, port numbers, and more. Example: SSH login attempts with user root | Text | Optional | |
Example Request
[ { "categories": "15", "ip_address": "120.136.167.86", "description": "This IP Address found in Cyber Threat Intelligence by Guardicore Cyber Threat Feed, ref: https://threatintelligence.guardicore.com/ip/120.136.167.86" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
app_instance | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.data | Object | The data object containing specific information about the reported IP address. |
app_instance.data.abuseConfidenceScore | Integer | The AbuseIPDB confidence score for the IP address. A rating of 100 indicates absolute certainty that an IP address is malicious, whereas a rating of 0 signifies no suspicion of malicious activity associated with the IP address. Example: 0 |
app_instance.data.ipAddress | String | The reported IP address. Example: "192.168.1.3" |
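The following Python snippet is an added example and is not part of the AbuseIPDB app or of Orchestrate. It builds the request body for this action from the three inputs above: the comma-separated categories are checked against the allowed values table (unknown IDs and duplicates are rejected or collapsed), the IP address must be a public address (the page's 192.168.1.1 is only a placeholder; a report about a private or loopback address carries no signal, so the builder refuses it), and the description is cleaned before submission. The 1024-character cap and the redaction of e-mail addresses from pasted log text are local rules of this example, not limits stated on this page.

```python
import ipaddress
import re

# Category IDs and names exactly as listed for the Categories parameter above.
CATEGORIES = {
    1: "DNS Compromise", 2: "DNS Poisoning", 3: "Fraud Orders", 4: "DDoS Attack",
    5: "FTP Brute-Force", 6: "Ping of Death", 7: "Phishing", 8: "Fraud VoIP",
    9: "Open Proxy", 10: "Web Spam", 11: "Email Spam", 12: "Blog Spam",
    13: "VPN IP", 14: "Port Scan", 15: "Hacking", 16: "SQL Injection",
    17: "Spoofing", 18: "Brute-Force", 19: "Bad Web Bot", 20: "Exploited Host",
    21: "Web App Attack", 22: "SSH", 23: "IoT Targeted",
}

# Assumed local limits for the description, not values from this page.
MAX_DESCRIPTION_CHARS = 1024
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_categories(text: str) -> list:
    """Parse "15, 18" into [15, 18]; unknown IDs raise, duplicates are dropped."""
    ids = []
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        if not part.isdigit() or int(part) not in CATEGORIES:
            raise ValueError(f"unknown category {part!r}; allowed: 1-23")
        cid = int(part)
        if cid not in ids:
            ids.append(cid)
    if not ids:
        raise ValueError("at least one category is required")
    return ids


def category_names(ids) -> list:
    """Human-readable names for a list of category IDs (for tickets and audit logs)."""
    return [CATEGORIES[i] for i in ids]


def scrub_description(text: str) -> str:
    """Collapse whitespace from pasted logs, redact e-mail addresses so the
    report carries no personal data of your own users, and cap the length."""
    desc = " ".join(text.split())
    desc = _EMAIL.sub("[email redacted]", desc)
    return desc[:MAX_DESCRIPTION_CHARS]


def build_report(ip_address: str, categories: str, description: str = "") -> dict:
    """Return the request body for Report IP Address, or raise ValueError."""
    ip = ipaddress.ip_address(ip_address.strip())   # raises on anything that is not an IP
    if not ip.is_global:
        raise ValueError(f"{ip} is not a public address; a report would carry no signal")
    ids = parse_categories(categories)
    return {
        "ip_address": str(ip),
        "categories": ",".join(str(i) for i in ids),
        "description": scrub_description(description),
    }


if __name__ == "__main__":
    body = build_report("120.136.167.86", "22, 18",
                        "SSH login attempts with user root\n  reported by ops@example.com")
    print(body)
    print(category_names(parse_categories(body["categories"])))
```

Validating before submission is cheap and avoids the two common mistakes with this action: reporting an internal address copied straight out of a log, and pasting raw log excerpts that contain your own users' identities.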
Action: Generic Action
This is a generic action used to make requests to any AbuseIPDB endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Method | Enter the HTTP method to use. Example: GET | Text | Required | Allowed values: GET, POST, PUT, PATCH, DELETE |
Endpoint | Enter the endpoint. Example: /report | Text | Required | |
Payload JSON | Enter the payload in JSON format. Example: { "data": [ {"reason": "test"} ] } | Text | Optional | |
Query Params | Enter the query parameters in JSON format. Example: { "limit": "10" } | Key Value | Optional | |
Extra Fields | Enter the extra fields in key-value format. | Key Value | Optional | Allowed keys: payload_data, custom_output, download, filename, files, retry_wait, retry_count, and response_type. |
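The following Python snippet is an added example, not code from the AbuseIPDB app or from Orchestrate, showing the checks worth performing on the Method, Endpoint, Payload JSON and Query Params inputs before a generic request is sent: the method must be one of the five allowed values, the endpoint must be a relative path (a full URL or a `//host/...` form would send the request, and the API token with it, to a different server), and the payload must parse as JSON. The base URL and the `Key`/`Accept` header names are those of the public AbuseIPDB v2 API and are assumptions here; the page does not state how the app instance forms its requests.

```python
import json
from urllib.parse import urlencode, urljoin, urlsplit

# Methods permitted by the Method parameter above.
ALLOWED_METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE"}
# Assumed base URL; this page does not state where the app instance sends requests.
BASE_URL = "https://api.abuseipdb.com/api/v2/"


def build_generic_request(method: str, endpoint: str, payload_json: str = None,
                          query_params: dict = None, api_token: str = "<API token>") -> dict:
    """Assemble a description of the HTTP request the generic action would send.

    Everything is checked before anything leaves the host: method allow list,
    endpoint confined to a path under BASE_URL (no scheme, no host, no ".."),
    and payload that is valid JSON. Header names are the public AbuseIPDB v2
    API's; how the app itself sets them is not documented on this page.
    """
    m = method.strip().upper()
    if m not in ALLOWED_METHODS:
        raise ValueError(f"method {method!r} is not allowed")

    parts = urlsplit(endpoint)
    if parts.scheme or parts.netloc or not endpoint.startswith("/") \
            or ".." in endpoint.split("/"):
        raise ValueError("endpoint must be a path such as /report, not a full URL")
    url = urljoin(BASE_URL, endpoint.lstrip("/"))
    if query_params:
        url += "?" + urlencode({k: str(v) for k, v in query_params.items()})

    headers = {"Key": api_token, "Accept": "application/json"}
    body = None
    if payload_json:
        body = json.dumps(json.loads(payload_json))   # reject malformed JSON early
        headers["Content-Type"] = "application/json"
    return {"method": m, "url": url, "headers": headers, "body": body}


if __name__ == "__main__":
    print(build_generic_request("GET", "/blacklist", query_params={"limit": "10"}))
    print(build_generic_request("POST", "/report", '{ "data": [ {"reason": "test"} ] }'))
```

The endpoint check is the one that matters most for this action: because the generic action accepts any endpoint string, a value copied from an untrusted source could otherwise redirect the authenticated request elsewhere, which is why the path is confined to the configured base URL rather than passed through as given.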