AbuseIPDB
App Vendor: AbuseIPDB
Connector Category: Data Enrichment & Threat Intelligence
Connector Version: 1.0.0
API Version: 1.0.0
Supported Product Version: 1.0.0
About App
AbuseIPDB aids combat the spread of hackers, spammers, and abusive activity on the internet. In Orchestrate, AbuseIPDB helps provide a central blacklist for webmasters, system administrators, and other interested parties to report and find IP addresses that have been associated with malicious activity online.
Action Name | Description |
|---|---|
Get IP address reputation details | This action gets the reputation details of an IP address in AbuseIPDB. |
Check subnet reputation | This action gets the reputation of a subnet from AbuseIPDB. |
Report malicious IP address | This action reports a malicious IP address to AbuseIPDB. |
Configuration Parameters
The following configuration parameters are required for the AbuseIPDB app to communicate with the AbuseIPDB enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
API token | Enter the API token for authentication. | Text | Required |
Action: Get IP Address Reputation Details
This action gets the details of an IP address from AbuseIPDB. You can inspect details regarding the IP address such as the version, country of origin, usage type, ISP, and domain name, along with the reports from AbuseIPDB.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
IP address | Enter the IP address. Example: 192.168.1.1 | Text | Required | |
Detailed report | Specify if you want a detailed report (which includes comments, categories, country name, and other details) for the IP address. | Boolean | Optional | Default value: False |
Get Reports Since | Enter the number of days to look back for reports. | Integer | Optional | Default value: 30 days Min value: 1 day Max value: 365 days |
Example Request
[
{
"ip_address": "103.219.112.48",
"detailed_report": true,
"get_report_since": 340
}
]Action Response Parameters
Parameter | Type | Description |
|---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.data | Object | The data object containing specific information about the IP address. |
app_instance.data.abuseConfidenceScore | Integer | The abuse confidence score for the IP address. A rating of 100 indicates absolute certainty that an IP address is malicious, whereas a rating of 0 signifies no suspicion of malicious activity associated with the IP address. Example: 0 |
app_instance.data.countryCode | String | The country code associated with the IP address. Example: CN |
app_instance.data.countryName | String | The country name associated with the IP address. Example: China |
app_instance.data.domain | String | The domain associated with the IP address. Example: tencent.com |
app_instance.data.hostnames | Array | The hostnames associated with the IP address. |
app_instance.data.ipAddress | String | The IP address being analyzed. |
app_instance.data.ipVersion | Integer | The version of the IP address. Example: 4 |
app_instance.data.isPublic | Boolean | Whether the IP address is public. Example: false |
app_instance.data.isTor | Boolean | Whether the IP address is associated with Tor. Example: false |
app_instance.data.isWhitelisted | Boolean | Whether the IP address is whitelisted in AbuseIPDB. Example: false |
app_instance.data.isp | String | The Internet Service Provider associated with the IP address. Example: "Private IP Address LAN" |
app_instance.data.lastReportedAt | String | The last time the IP address was reported. Example: "2024-06-02T20:18:55+00:00" |
app_instance.data.numDistinctUsers | Integer | The number of distinct users that reported the IP address. Example: 2 |
app_instance.data.reports | Array of Objects | A list of reports associated with the IP address. |
app_instance.data.reports.categories | Array of String | Categories associated with the report. Example: [5, 18] |
app_instance.data.reports.comment | String | The comment associated with the report. |
app_instance.data.reports.reportedAt | String | The time the report was submitted. Example: "2024-06-02T20:18:55+00:00" |
app_instance.data.reports.reporterCountryCode | String | The country code of the reporter. Example: "US" |
app_instance.data.reports.reporterCountryName | String | The country name of the reporter. Example: "United States of America" |
app_instance.data.reports.reporterId | String | The ID of the reporter. Example: 101994 |
app_instance.data.totalReports | Integer | The total number of reports for the IP address. Example: 5 |
app_instance.data.usageType | String | The usage type of the IP address. Example: "Reserved" |
Action: Check Subnet Reputation
This action gets the stats of an IP subnet (v4 or v6) denoted with CIDR notation (example: 127.0.0.1/24) from AbuseIPDB. The user can inspect details regarding the IP address such as the netmask of the subnet, the number of hosts it can possibly contain, and the assigned description of the address space.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
IP address subnet | Enter the IP address subnet in CIDR notation. Example: 192.168.1.0/24 | Text | Required | |
Get reports since | Enter the preceding number of days to fetch reports. | Integer | Optional | Default value: 30 days Min value: 1 day Max value: 365 days |
Example Request
[
{
"network_subnet": "117.6.243.150/24",
"get_report_since": 30
}
]Action Response Parameters
Parameter | Type | Description |
|---|---|---|
app_instance | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.data | Object | The data object containing specific information about the subnet. |
app_instance.data.addressSpaceDesc | String | Description of the address space. Example: "Loopback" |
app_instance.data.maxAddress | String | The maximum address in the subnet. Example: "127.0.0.255" |
app_instance.data.minAddress | String | The minimum address in the subnet. Example: "127.0.0.0" |
app_instance.data.netmask | String | The netmask of the subnet. Example: "255.255.255.0" |
app_instance.data.networkAddress | String | The network address of the subnet. Example: "127.0.0.0" |
app_instance.data.numPossibleHosts | Integer | The number of possible hosts in the subnet. Example: 256 |
app_instance.data.reportedAddress | Array | A list of reported addresses within the subnet. |
app_instance.data.reportedAddress | Object | An object containing details of a reported address. |
app_instance.data.reportedAddress.abuseConfidenceScore | Integer | The AbuseIPDB confidence score for the reported IP address. Example: 0 |
app_instance.data.reportedAddress.countryCode | String | The country code associated with the reported IP address. |
app_instance.data.reportedAddress.ipAddress | String | The reported IP address. Example: "127.0.0.1" |
app_instance.data.reportedAddress.mostRecentReport | String | The timestamp of the most recent report for the IP address. Example: "2024-06-05T13:11:32+00:00" |
app_instance.data.reportedAddress.numReports | Integer | The number of reports for the IP address. Example: 3 |
Action: Report Malicious IP Address
This action reports a malicious IP address to AbuseIPDB. It allows users to submit details about abusive activities linked to an IP address.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
IP address | Enter the IP address to be reported. Example: 192.168.1.1 | Text | Required | |
List of categories | Enter the comma-separated category numbers associated with the IP address. | Text | Required | Allowed values: 3 - fraud orders 4 - DDoS attack 5 - FTP brute-force 6 - ping of death 7 - phishing 8 - fraud VoIP 9 - open proxy 10 - web spam 11 - email spam 12 - blog spam 13 - VPN IP 14 - port scan 1 15 - hacking 16 - SQL injection 17 - spoofing 18 - brute-force 19 - bad web bot, 20 - exploited host, 21 - web app attack 22 - ssh 23 - IOT targeted |
Description | Enter a descriptive text of the attack which may include server logs, port numbers, and more. Example: 'SSH login attempts with user root' | Text | Optional |
Example Request
[
{
"categories": "15",
"ip_address": "120.136.167.86",
"description": "This IP Address found in Cyber Threat Intelligence by Guardicore Cyber Threat Feed, ref: https://threatintelligence.guardicore.com/ip/120.136.167.86"
}
]Action Response Parameters
Parameter | Type | Description |
|---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.data | Object | The data object containing specific information about the reported IP address. |
app_instance.data.abuseConfidenceScore | Integer | The AbuseIPDB confidence score for the IP address. A rating of 100 indicates absolute certainty that an IP address is malicious, whereas a rating of 0 signifies no suspicion of malicious activity associated with the IP address. Example: 0 |
app_instance.data.ipAddress | String | The reported IP address. Example: "192.168.1.3" |