Publisher: Splunk
Connector Version: 2.0.6
Product Vendor: AbuseIPDB
Product Name: AbuseIPDB
Product Version Supported (regex): ".*"
Minimum Product Version: 4.9.39220
This app integrates with AbuseIPDB to perform investigative actions (IP reputation lookups) and to file abuse reports.
The configuration variables below are required for this Connector to operate. They are specified when configuring an AbuseIPDB asset in SOAR; the API key is stored as a password-type field so it is not echoed back in the asset view.
VARIABLE | REQUIRED | TYPE | DESCRIPTION |
---|---|---|---|
api_key | required | password | API Key |
- test connectivity - Validate the asset configuration for connectivity using supplied configuration
- lookup ip - Queries IP info
- post ip - Report an IP for abusive behavior
Validate the asset configuration for connectivity using supplied configuration
Type: test
Read only: True
No parameters are required for this action
No Output
Queries IP info
Type: investigate
Read only: True
The AbuseIPDB service limits lookups to 1000 per day (the free-plan quota). Every run of this action counts against that quota, and once it is exhausted the service answers HTTP 429 until the window resets, so avoid looping this action over large indicator lists without de-duplicating first.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ip | required | IPv4 to query | string | ip |
days | required | Only consider reports filed within this many days (1 to 365) | numeric | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.days | numeric | |
action_result.parameter.ip | string | ip |
action_result.data.*.data.abuseConfidenceScore | numeric | |
action_result.data.*.data.countryCode | string | |
action_result.data.*.data.countryName | string | |
action_result.data.*.data.domain | string | domain, url |
action_result.data.*.data.ipAddress | string | ip |
action_result.data.*.data.ipVersion | numeric | |
action_result.data.*.data.isPublic | boolean | |
action_result.data.*.data.isWhitelisted | boolean | |
action_result.data.*.data.isp | string | |
action_result.data.*.data.lastReportedAt | string | |
action_result.data.*.data.reports.*.categories | numeric | |
action_result.data.*.data.reports.*.comment | string | |
action_result.data.*.data.reports.*.reportedAt | string | |
action_result.data.*.data.reports.*.reporterCountryCode | string | |
action_result.data.*.data.reports.*.reporterCountryName | string | |
action_result.data.*.data.reports.*.reporterId | numeric | |
action_result.data.*.data.totalReports | numeric | |
action_result.data.*.data.usageType | string | |
action_result.summary.reports_found | numeric | |
action_result.message | string | |
action_result.data.*.data.numDistinctUsers | numeric | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
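The request this action sends and the mapping from the JSON body onto the data paths above, as an added Python example written for this page, not the SOAR app's own code. The endpoint URL, the `Key`/`Accept` headers and the `ipAddress`/`maxAgeInDays`/`verbose` parameters follow AbuseIPDB's public API v2 documentation; `SAMPLE_CHECK_RESPONSE` is a constructed body and 203.0.113.0/24 is a documentation address range. Treating `summary.reports_found` as `totalReports`, the 50-point threshold and the `is_suspicious` triage helper are this example's own choices, not the app's.

```python
"""AbuseIPDB v2 `check` request builder and response mapper (example code
for this page, not the Splunk SOAR app's implementation)."""
import ipaddress
import json

API_BASE = "https://api.abuseipdb.com/api/v2"   # public AbuseIPDB API v2
MAX_AGE_DAYS = 365                               # API cap for maxAgeInDays
DAILY_LOOKUP_LIMIT = 1000                        # quota stated on this page

# Constructed sample of a verbose `check` response; not real data.
SAMPLE_CHECK_RESPONSE = json.dumps({
    "data": {
        "ipAddress": "203.0.113.7", "isPublic": True, "ipVersion": 4,
        "isWhitelisted": False, "abuseConfidenceScore": 87,
        "countryCode": "US", "countryName": "United States",
        "usageType": "Data Center/Web Hosting/Transit", "isp": "Example ISP",
        "domain": "example.com", "totalReports": 3, "numDistinctUsers": 2,
        "lastReportedAt": "2024-05-01T10:15:00+00:00",
        "reports": [
            {"reportedAt": "2024-05-01T10:15:00+00:00", "comment": "SSH brute force",
             "categories": [18, 22], "reporterId": 1001,
             "reporterCountryCode": "DE", "reporterCountryName": "Germany"},
            {"reportedAt": "2024-04-29T03:00:00+00:00", "comment": "port scan",
             "categories": [14], "reporterId": 1002,
             "reporterCountryCode": "US", "reporterCountryName": "United States"},
            {"reportedAt": "2024-04-20T12:00:00+00:00", "comment": "web app attack",
             "categories": [21, 18], "reporterId": 1001,
             "reporterCountryCode": "DE", "reporterCountryName": "Germany"},
        ],
    }
})


def build_check_request(api_key: str, ip: str, days: int) -> dict:
    """Validate the action parameters and describe the HTTP request.

    Failing here costs nothing; a request the service rejects would still
    count against the daily lookup quota.
    """
    addr = ipaddress.ip_address(ip.strip())      # ValueError on non-IP input
    if addr.version != 4:
        raise ValueError("lookup ip takes an IPv4 address")
    days = int(days)
    if not 1 <= days <= MAX_AGE_DAYS:
        raise ValueError(f"days must be between 1 and {MAX_AGE_DAYS}")
    return {
        "method": "GET",
        "url": f"{API_BASE}/check",
        # The key travels in a header, not the query string, so it does not
        # end up in proxy or web-server access logs.
        "headers": {"Key": api_key, "Accept": "application/json"},
        # verbose= asks for countryName and the per-report list.
        "params": {"ipAddress": str(addr), "maxAgeInDays": days, "verbose": ""},
    }


def parse_check_response(status: int, body: str, days: int) -> dict:
    """Map the `data` object onto the action_result fields listed above."""
    if status == 429:
        raise RuntimeError("AbuseIPDB rate limit reached (HTTP 429); "
                           f"the service allows {DAILY_LOOKUP_LIMIT} lookups per day")
    if status != 200:
        raise RuntimeError(f"AbuseIPDB returned HTTP {status}: {body[:200]}")
    data = json.loads(body)["data"]
    reports = data.get("reports") or []          # only present with verbose=
    total = int(data.get("totalReports") or 0)
    return {
        "ip": data["ipAddress"],
        "abuse_confidence_score": int(data["abuseConfidenceScore"]),
        "is_whitelisted": bool(data.get("isWhitelisted")),
        "total_reports": total,
        "num_distinct_users": int(data.get("numDistinctUsers") or 0),
        "last_reported_at": data.get("lastReportedAt"),
        "reports_found": total,                  # summary.reports_found (assumption)
        "reports_returned": len(reports),
        # Union of the category IDs across every returned report.
        "categories_seen": sorted({c for r in reports for c in r.get("categories", [])}),
        "message": f"{total} report(s) in the last {days} day(s), "
                   f"abuse confidence {data['abuseConfidenceScore']}",
    }


def is_suspicious(result: dict, threshold: int = 50) -> bool:
    """Triage rule: score at or above the threshold and not whitelisted.

    isWhitelisted marks addresses AbuseIPDB excludes from scoring (well-known
    crawlers and the like), so this example treats such a hit as benign.
    """
    return not result["is_whitelisted"] and result["abuse_confidence_score"] >= threshold
```

`reports_returned` and `reports_found` can differ: `totalReports` is the count in the window, while the `reports` array is only returned with `verbose` and may be shorter. Branch playbooks on the score and `isWhitelisted` rather than on the length of the array.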
Report an IP for abusive behavior
Type: generic
Read only: False
Reports an IP with one or more abuse categories. The numeric category IDs are listed on the AbuseIPDB Report Categories page (https://www.abuseipdb.com/categories). The service accepts a report for a given IP at most once every 15 minutes, and the comment is limited to 1024 characters; a submission that breaks either limit is rejected rather than queued.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ip | required | IPv4 to report on | string | ip |
category_ids | required | Comma-separated list of category IDs | string | |
comment | optional | Description of the malicious activity (at most 1024 characters) | string | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.category_ids | string | |
action_result.parameter.comment | string | |
action_result.parameter.ip | string | ip |
action_result.data | string | |
action_result.summary.categories_filed | numeric | |
action_result.summary.comment_length | numeric | |
action_result.message | string | |
action_result.data.*.data.ipAddress | string | ip |
action_result.data.*.data.abuseConfidenceScore | numeric | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
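Parameter validation and the two limits this action runs into (comment length and the 15-minute per-IP window), as an added Python example for this page, not the SOAR app's code. The `/report` endpoint and its `ip`, `categories` and `comment` form fields follow AbuseIPDB's public API v2 documentation; the valid ID range 1 to 23 reflects the Report Categories list at the time of writing and is an assumption to re-check against that page; `ReportThrottle` is this example's own client-side guard, and the sample inputs are constructed.

```python
"""AbuseIPDB v2 `report` request builder with client-side limit checks
(example code for this page, not the Splunk SOAR app's implementation)."""
from __future__ import annotations

import ipaddress
import json
import time

API_BASE = "https://api.abuseipdb.com/api/v2"   # public AbuseIPDB API v2
VALID_CATEGORY_IDS = frozenset(range(1, 24))     # assumption: Report Categories 1..23
MAX_COMMENT_LEN = 1024                           # limit stated on this page
REPORT_WINDOW_SECONDS = 15 * 60                  # same IP at most once per 15 minutes


def parse_category_ids(raw: str) -> list[int]:
    """Turn the comma-separated category_ids parameter into unique ints."""
    ids: list[int] = []
    for token in raw.split(","):
        token = token.strip()
        if not token:
            continue                             # tolerate "18,,22" or a trailing comma
        if not token.isdigit() or int(token) not in VALID_CATEGORY_IDS:
            raise ValueError(f"unknown category id {token!r}")
        if int(token) not in ids:
            ids.append(int(token))
    if not ids:
        raise ValueError("category_ids must contain at least one id")
    return ids


class ReportThrottle:
    """Remembers when each IP was last reported so a playbook does not
    resubmit it inside the 15-minute window and get an HTTP 429 back."""

    def __init__(self, now=time.monotonic):
        self._now = now                          # injectable clock for tests
        self._last_report: dict[str, float] = {}

    def seconds_until_allowed(self, ip: str) -> float:
        last = self._last_report.get(ip)
        if last is None:
            return 0.0
        return max(0.0, REPORT_WINDOW_SECONDS - (self._now() - last))

    def record(self, ip: str) -> None:
        self._last_report[ip] = self._now()


def build_report_request(api_key: str, ip: str, category_ids: str,
                         comment: str = "", throttle: ReportThrottle | None = None) -> dict:
    """Validate the parameters and describe the POST; raise before sending
    anything the service would reject or rate-limit."""
    addr = ipaddress.ip_address(ip.strip())      # ValueError on non-IP input
    if addr.version != 4:
        raise ValueError("post ip takes an IPv4 address")
    ids = parse_category_ids(category_ids)
    comment = comment.strip()
    if len(comment) > MAX_COMMENT_LEN:
        raise ValueError(f"comment is {len(comment)} characters; the limit is {MAX_COMMENT_LEN}")
    if throttle is not None:
        wait = throttle.seconds_until_allowed(str(addr))
        if wait > 0:
            raise RuntimeError(f"{addr} was reported less than 15 minutes ago; retry in {wait:.0f}s")
    form = {"ip": str(addr), "categories": ",".join(str(i) for i in ids)}
    if comment:
        form["comment"] = comment
    return {
        "method": "POST",
        "url": f"{API_BASE}/report",
        "headers": {"Key": api_key, "Accept": "application/json"},
        "data": form,                            # sent as form fields
    }


def parse_report_response(status: int, body: str) -> dict:
    """Return the two fields AbuseIPDB echoes back after a successful report."""
    if status == 429:
        raise RuntimeError("rate limited: same IP within 15 minutes or daily quota spent")
    if status != 200:
        raise RuntimeError(f"AbuseIPDB returned HTTP {status}: {body[:200]}")
    data = json.loads(body)["data"]
    return {"ip": data["ipAddress"], "abuse_confidence_score": int(data["abuseConfidenceScore"])}
```

Call `throttle.record(ip)` only after the service returns 200, so a failed submission can be retried immediately. Report comments are visible to everyone who looks the IP up on AbuseIPDB, so strip internal hostnames, usernames and ticket references from the `comment` before it leaves the playbook.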