AbuseIPDB
AbuseIPDB is a cybersecurity tool that operates as a community-based IP blocklist database. It specializes in documenting and blocking malicious and suspicious IP addresses that pose potential threats.
Supported Actions and Prompt Examples
The following table lists the supported actions and a prompt example for each action:
Action Name | Description | Prompt Example |
---|---|---|
Check IP Subnet Stats | This action retrieves the stats of an IP subnet (v4 or v6) denoted with CIDR notation (example: 127.0.0.1/24) from AbuseIPDB. For more information, see Action: Check IP Subnet Stats. | Check the stats for 192.168.1.0 using Abuse IPDB. |
Get IP Address Details | This action retrieves the details of an IP address in AbuseIPDB. You can inspect details regarding the IP address, such as the version, country of origin, usage type, ISP, and domain name, along with the reports from AbuseIPDB. For more information, see Action: Get IP Address Details. | Retrieve the details of the IP address 1.1.1.1 using Abuse IPDB. |
Report IP Address | This action reports an IP address to AbuseIPDB. It allows users to submit details about abusive activities linked to an IP address. For more information, see Action: Report IP Address. | Report 1.1.1.1 to AbuseIPDB with the category Phishing. |
Install and Configure the App
Install and configure the required apps to enable Quarterback AI to perform various security-related tasks and provide relevant responses. After installing an app, you must create an instance that will be used to communicate with the app endpoints. An app can have multiple instances, and you can set a default instance from the configured instance list.
Before you Start
Ensure that you have the API token to authenticate with the AbuseIPDB app.
Steps:
To install and configure an app, follow these steps:
In the application, in the left pane, select Quarterback AI.
In Apps, select AbuseIPDB and click Install.
After the app is installed, click Configure and enter the following details to create an instance:
Instance Name: Enter a name for the instance.
Instance Description: Enter a description for the instance.
Expiry: Select an expiry date for the instance.
Set as default instance: Select this option to set this instance as the default instance. By default, this instance will be used to perform actions from this app.
Base URL: Enter the base URL to access AbuseIPDB. The default value is https://api.abuseipdb.com/api.
API Token: Enter an API token to authenticate requests.
Verify SSL: Select this option to verify SSL while making requests. It is recommended to select this option to ensure a secure connection. By default, this option is not selected.
Timeout: Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with AbuseIPDB. You can enter values between 15 - 120 seconds. By default, 15 seconds is set.
Click Done.
The instance is created, and you can view it in Instances. To create another instance, click Add Instance.
Action: Check IP Subnet Stats
This action retrieves the stats of an IP subnet (v4 or v6) denoted with CIDR notation (example: 127.0.0.1/24) from AbuseIPDB. You can inspect details regarding the subnet, such as its netmask, the number of hosts it can possibly contain, and the assigned description of the address space.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IP Address Subnet | Enter the IP address subnet (v4 or v6) denoted with CIDR notation. Example: 192.168.1.0/24 | Text | Required | |
Detailed Report | Specify if you want a detailed report, which includes comments, categories, country name, and other details for the IP address. | Boolean | Optional | Default value: false |
Get Reports Since | Enter the preceding number of days to fetch reports. | Integer | Optional | Default value: 30 days; Min value: 1 day; Max value: 365 days |
Example Request
[ { "network_subnet": "117.6.243.150/24", "get_report_since": 30 } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
app_instance | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.data | Object | The data object containing specific information about the subnet. |
app_instance.data.addressSpaceDesc | String | Description of the address space. Example: "Loopback" |
app_instance.data.maxAddress | String | The maximum address in the subnet. Example: "127.0.0.255" |
app_instance.data.minAddress | String | The minimum address in the subnet. Example: "127.0.0.0" |
app_instance.data.netmask | String | The netmask of the subnet. Example: "255.255.255.0" |
app_instance.data.networkAddress | String | The network address of the subnet. Example: "127.0.0.0" |
app_instance.data.numPossibleHosts | Integer | The number of possible hosts in the subnet. Example: 256 |
app_instance.data.reportedAddress | Array | A list of reported addresses within the subnet. |
app_instance.data.reportedAddress | Object | Each element of the reportedAddress array: an object containing details of one reported address. |
app_instance.data.reportedAddress.abuseConfidenceScore | Integer | The AbuseIPDB confidence score for the reported IP address. Example: 0 |
app_instance.data.reportedAddress.countryCode | String | The country code associated with the reported IP address. |
app_instance.data.reportedAddress.ipAddress | String | The reported IP address. Example: "127.0.0.1" |
app_instance.data.reportedAddress.mostRecentReport | String | The timestamp of the most recent report for the IP address. Example: "2024-06-05T13:11:32+00:00" |
app_instance.data.reportedAddress.numReports | Integer | The number of reports for the IP address. Example: 3 |
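The following is an added example (not the product's or AbuseIPDB's own code) that validates the Check IP Subnet Stats inputs against the parameter table, builds the request body in the shape shown above, and picks out the hosts in the reportedAddress array that are both high-confidence and recently reported. The sample response is constructed to match the response table; the thresholds are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample response shaped like the response table above.
# The values are made up for illustration, not real AbuseIPDB data.
SAMPLE_SUBNET_RESPONSE = {
    "app_instance": {
        "data": {
            "networkAddress": "127.0.0.0",
            "netmask": "255.255.255.0",
            "numPossibleHosts": 256,
            "reportedAddress": [
                {"ipAddress": "127.0.0.5", "abuseConfidenceScore": 87, "numReports": 12,
                 "mostRecentReport": "2024-06-05T13:11:32+00:00"},
                {"ipAddress": "127.0.0.9", "abuseConfidenceScore": 3, "numReports": 1,
                 "mostRecentReport": "2024-01-02T08:00:00+00:00"},
            ],
        }
    }
}


def build_subnet_request(subnet: str, days: int = 30) -> list:
    """Validate the action inputs and return the request body in the page's shape."""
    # Accepts v4 or v6 CIDR; strict=False normalizes a host address to its network
    # (e.g. 117.6.243.150/24 becomes 117.6.243.0/24). Malformed input raises ValueError.
    net = ipaddress.ip_network(subnet, strict=False)
    if not 1 <= days <= 365:  # Get Reports Since allows 1 to 365 days
        raise ValueError("get_report_since must be between 1 and 365 days")
    return [{"network_subnet": str(net), "get_report_since": days}]


def flag_reported_hosts(response: dict, min_score: int = 50, max_age_days: int = 30,
                        now: Optional[datetime] = None) -> list:
    """Return the reported addresses whose confidence score meets min_score
    and whose most recent report falls within max_age_days (assumed thresholds)."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    flagged = []
    for entry in response["app_instance"]["data"].get("reportedAddress", []):
        last = datetime.fromisoformat(entry["mostRecentReport"])
        if entry["abuseConfidenceScore"] >= min_score and last >= cutoff:
            flagged.append(entry["ipAddress"])
    return flagged
```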
Action: Get IP Address Details
This action gets the details of an IP address from AbuseIPDB. You can inspect details regarding the IP address such as the version, country of origin, usage type, ISP, and domain name, along with the reports from AbuseIPDB.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IP address | Enter the IP address. Example: 192.168.1.1 | Text | Required | |
Detailed report | Specify if you want a detailed report (which includes comments, categories, country name, and other details) for the IP address. | Boolean | Optional | Default value: False |
Get Reports Since | Enter the number of days to look back for reports. | Integer | Optional | Default value: 30 days; Min value: 1 day; Max value: 365 days |
Example Request
[ { "ip_address": "103.219.112.48", "detailed_report": true, "get_report_since": 340 } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
app_instance | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.data | Object | The data object containing specific information about the IP address. |
app_instance.data.abuseConfidenceScore | Integer | The abuse confidence score for the IP address. A rating of 100 indicates absolute certainty that an IP address is malicious, whereas a rating of 0 signifies no suspicion of malicious activity associated with the IP address. Example: 0 |
app_instance.data.countryCode | String | The country code associated with the IP address. Example: CN |
app_instance.data.countryName | String | The country name associated with the IP address. Example: China |
app_instance.data.domain | String | The domain associated with the IP address. Example: tencent.com |
app_instance.data.hostnames | Array | The hostnames associated with the IP address. |
app_instance.data.ipAddress | String | The IP address being analyzed. |
app_instance.data.ipVersion | Integer | The version of the IP address. Example: 4 |
app_instance.data.isPublic | Boolean | Whether the IP address is public. Example: false |
app_instance.data.isTor | Boolean | Whether the IP address is associated with Tor. Example: false |
app_instance.data.isWhitelisted | Boolean | Whether the IP address is whitelisted in AbuseIPDB. Example: false |
app_instance.data.isp | String | The Internet Service Provider associated with the IP address. Example: "Private IP Address LAN" |
app_instance.data.lastReportedAt | String | The last time the IP address was reported. Example: "2024-06-02T20:18:55+00:00" |
app_instance.data.numDistinctUsers | Integer | The number of distinct users that reported the IP address. Example: 2 |
app_instance.data.reports | Array of Objects | A list of reports associated with the IP address. |
app_instance.data.reports.categories | Array of String | Categories associated with the report. Example: [5, 18] |
app_instance.data.reports.comment | String | The comment associated with the report. |
app_instance.data.reports.reportedAt | String | The time the report was submitted. Example: "2024-06-02T20:18:55+00:00" |
app_instance.data.reports.reporterCountryCode | String | The country code of the reporter. Example: "US" |
app_instance.data.reports.reporterCountryName | String | The country name of the reporter. Example: "United States of America" |
app_instance.data.reports.reporterId | String | The ID of the reporter. Example: 101994 |
app_instance.data.totalReports | Integer | The total number of reports for the IP address. Example: 5 |
app_instance.data.usageType | String | The usage type of the IP address. Example: "Reserved" |
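The following is an added example (not the product's or AbuseIPDB's own code) that validates the Get IP Address Details inputs, builds the request body in the shape shown above, and turns the response fields described in the table (isWhitelisted, isPublic, abuseConfidenceScore, numDistinctUsers, isTor, reports.categories) into a triage verdict. The sample response and the verdict thresholds are assumptions.

```python
import ipaddress

# Constructed sample shaped like the response table above (made-up values).
SAMPLE_IP_RESPONSE = {
    "app_instance": {
        "data": {
            "ipAddress": "203.0.113.7",
            "isPublic": True,
            "isWhitelisted": False,
            "isTor": False,
            "abuseConfidenceScore": 92,
            "totalReports": 5,
            "numDistinctUsers": 2,
            "reports": [
                {"categories": [18, 22], "reportedAt": "2024-06-02T20:18:55+00:00"},
                {"categories": [14], "reportedAt": "2024-06-01T10:00:00+00:00"},
            ],
        }
    }
}


def build_ip_request(ip: str, detailed: bool = False, days: int = 30) -> list:
    """Validate inputs against the parameter table and return the request body."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    if not 1 <= days <= 365:         # Get Reports Since allows 1 to 365 days
        raise ValueError("get_report_since must be between 1 and 365 days")
    return [{"ip_address": str(addr), "detailed_report": detailed, "get_report_since": days}]


def triage(response: dict, block_score: int = 75, min_reporters: int = 2) -> dict:
    """Map the response to 'allow', 'review' or 'block' (thresholds are assumed)."""
    d = response["app_instance"]["data"]
    # Distinct category IDs across all reports, for the analyst's summary.
    cats = sorted({c for r in d.get("reports", []) for c in r.get("categories", [])})
    if d.get("isWhitelisted") or not d.get("isPublic", True):
        verdict = "allow"   # whitelisted or non-public address: the score carries no signal
    elif d["abuseConfidenceScore"] >= block_score and d.get("numDistinctUsers", 0) >= min_reporters:
        verdict = "block"   # high score corroborated by more than one reporter
    elif d["abuseConfidenceScore"] > 0 or d.get("isTor"):
        verdict = "review"  # some signal, but not enough to act automatically
    else:
        verdict = "allow"
    return {"ip": d["ipAddress"], "verdict": verdict,
            "score": d["abuseConfidenceScore"], "categories": cats}
```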
Action: Report IP Address
This action reports an IP address to AbuseIPDB. It allows users to submit details about abusive activities linked to an IP address.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IP Address | Enter the IP address to be reported. Example: 192.168.1.1 | Text | Required | |
Categories | Enter the comma-separated category numbers associated with the IP address. | Text | Required | Allowed values: 1 - DNS Compromise, 2 - DNS Poisoning, 3 - Fraud Orders, 4 - DDoS Attack, 5 - FTP Brute-Force, 6 - Ping of Death, 7 - Phishing, 8 - Fraud VoIP, 9 - Open Proxy, 10 - Web Spam, 11 - Email Spam, 12 - Blog Spam, 13 - VPN IP, 14 - Port Scan, 15 - Hacking, 16 - SQL Injection, 17 - Spoofing, 18 - Brute-Force, 19 - Bad Web Bot, 20 - Exploited Host, 21 - Web App Attack, 22 - SSH, 23 - IoT Targeted |
Description | Enter descriptive text about the attack, which may include server logs, port numbers, and more. Example: SSH login attempts with user root | Text | Optional | |
Example Request
[ { "categories": "15", "ip_address": "120.136.167.86", "description": "This IP Address found in Cyber Threat Intelligence by Guardicore Cyber Threat Feed, ref: https://threatintelligence.guardicore.com/ip/120.136.167.86" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
app_instance | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.data | Object | The data object containing specific information about the reported IP address. |
app_instance.data.abuseConfidenceScore | Integer | The AbuseIPDB confidence score for the IP address. A rating of 100 indicates absolute certainty that an IP address is malicious, whereas a rating of 0 signifies no suspicion of malicious activity associated with the IP address. Example: 0 |
app_instance.data.ipAddress | String | The reported IP address. Example: "192.168.1.3" |
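The following is an added example (not the product's or AbuseIPDB's own code) that validates the Report IP Address inputs against the parameter table, rejecting category numbers outside the allowed 1 to 23 and malformed addresses, and builds the request body in the shape shown above. The category map is taken from the Allowed values cell; the function names are assumptions.

```python
import ipaddress

# Category IDs and names from the "Categories" row of the parameter table above.
CATEGORIES = {
    1: "DNS Compromise", 2: "DNS Poisoning", 3: "Fraud Orders", 4: "DDoS Attack",
    5: "FTP Brute-Force", 6: "Ping of Death", 7: "Phishing", 8: "Fraud VoIP",
    9: "Open Proxy", 10: "Web Spam", 11: "Email Spam", 12: "Blog Spam", 13: "VPN IP",
    14: "Port Scan", 15: "Hacking", 16: "SQL Injection", 17: "Spoofing",
    18: "Brute-Force", 19: "Bad Web Bot", 20: "Exploited Host", 21: "Web App Attack",
    22: "SSH", 23: "IoT Targeted",
}


def parse_categories(text: str) -> list:
    """Parse the comma-separated category string into a de-duplicated list of IDs.
    Raises ValueError for anything that is not one of the allowed numbers."""
    ids = []
    for part in text.split(","):
        part = part.strip()
        if not part.isdigit() or int(part) not in CATEGORIES:
            raise ValueError(f"unknown category: {part!r}")
        if int(part) not in ids:
            ids.append(int(part))
    if not ids:
        raise ValueError("at least one category is required")
    return ids


def build_report_request(ip: str, categories: str, description: str = "") -> list:
    """Validate the inputs and return the request body in the page's shape."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    ids = parse_categories(categories)
    body = {"categories": ",".join(str(i) for i in ids), "ip_address": str(addr)}
    if description:                   # Description is optional
        body["description"] = description
    return [body]


def describe_categories(categories: str) -> str:
    """Render the category string as 'ID - Name' pairs for an analyst's summary."""
    return ", ".join(f"{i} - {CATEGORIES[i]}" for i in parse_categories(categories))
```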