AbuseIPDB is a project dedicated to helping systems administrators and webmasters check and report IP addresses that are involved in malicious activities such as spamming, hacking attempts, DDoS attacks, etc.
This document provides information about the AbuseIPDB connector, which facilitates automated interactions with AbuseIPDB using FortiSOAR™ playbooks. Add the AbuseIPDB connector as a step in FortiSOAR™ playbooks and perform automated operations, such as looking up an IP address in AbuseIPDB, or reporting an IP address to AbuseIPDB.
Connector Version: 2.0.0
FortiSOAR™ Version Tested on: 6.4.1-2133
Authored By: Fortinet
Certified: Yes
Following enhancements have been made to the AbuseIPDB connector in version 2.0.0:
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root
user to install connectors from an SSH session:
yum install cyops-connector-abuseipdb
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the AbuseIPDB connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | URL of the AbuseIPDB API server to which you will connect and perform automated operations. For example, https://api.abuseipdb.com . |
API Token | API key to access the AbuseIPDB API. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from version 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
IP Lookup | Performs IP lookup in AbuseIPDB based on the IP address you have specified. | ip_lookup Investigation |
Report IP | Reports a specific IP address that has been identified with malicious activities online to AbuseIPDB based on the IP address and malware category you have specified. | report_ip Miscellaneous |
Get IP Blacklist | Retrieves a list of all reported IP addresses from AbuseIPDB or a list of specific IP addresses from AbuseIPDB based on the input parameters you have specified. | get_ip_blacklist Investigation |
Parameter | Description |
---|---|
IP | IP address for which you want to perform a search and identify malicious activities online. |
Reports Within X Days | Number of days within which you want to check reports for the specified IP address in AbuseIPDB. Valid values are between 1 to 365 days. By default, this is set to 10 days. |
The output contains the following populated JSON schema:
{
"ipAddress": "",
"isPublic": "",
"ipVersion": "",
"isWhitelisted": "",
"abuseConfidenceScore": "",
"countryCode": "",
"usageType": "",
"isp": "",
"domain": "",
"hostnames": [],
"totalReports": "",
"numDistinctUsers": "",
"lastReportedAt": ""
}
Parameter | Description |
---|---|
IP | IP address that you want to report to AbuseIPDB that has been identified with malicious activities. |
Categories | Categories of malware in which you want to categorize the specified IP address in AbuseIPDB. You can choose from categories such as, Bad Web Bot, Blog Spam, Brute-Force, DDos Attack, DNS Compromise, etc, |
Comment | (Optional) Comment that you want to add with the reported IP. |
The output contains the following populated JSON schema:
{
"ipAddress": "",
"abuseConfidenceScore": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Confidence Minimum | Minimum confidence level that has been specified by users who have reported the malicious IP addresses to AbuseIPDB. If you specify this parameter, then this operation will retrieve the list of only those IP addresses that have their confidence level more than the value specified. Valid values are between 25 to 100. |
Limit | Maximum number of results, per page, that this operation should return. By default, this value is set as 10000. |
The output contains the following populated JSON schema:
{
"meta": {
"generatedAt": ""
},
"data": [
{
"ipAddress": "",
"abuseConfidenceScore": ""
}
]
}
The Sample - AbuseIPDB - 2.0.0
playbook collection comes bundled with the AbuseIPDB connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the AbuseIPDB connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.
AbuseIPDB is a project dedicated to helping systems administrators and webmasters check and report IP addresses that are involved in malicious activities such as spamming, hacking attempts, DDoS attacks, etc.
This document provides information about the AbuseIPDB connector, which facilitates automated interactions with AbuseIPDB using FortiSOAR™ playbooks. Add the AbuseIPDB connector as a step in FortiSOAR™ playbooks and perform automated operations, such as looking up an IP address in AbuseIPDB, or reporting an IP address to AbuseIPDB.
Connector Version: 2.0.0
FortiSOAR™ Version Tested on: 6.4.1-2133
Authored By: Fortinet
Certified: Yes
Following enhancements have been made to the AbuseIPDB connector in version 2.0.0:
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root
user to install connectors from an SSH session:
yum install cyops-connector-abuseipdb
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the AbuseIPDB connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | URL of the AbuseIPDB API server to which you will connect and perform automated operations. For example, https://api.abuseipdb.com . |
API Token | API key to access the AbuseIPDB API. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from version 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
IP Lookup | Performs IP lookup in AbuseIPDB based on the IP address you have specified. | ip_lookup Investigation |
Report IP | Reports a specific IP address that has been identified with malicious activities online to AbuseIPDB based on the IP address and malware category you have specified. | report_ip Miscellaneous |
Get IP Blacklist | Retrieves a list of all reported IP addresses from AbuseIPDB or a list of specific IP addresses from AbuseIPDB based on the input parameters you have specified. | get_ip_blacklist Investigation |
Parameter | Description |
---|---|
IP | IP address for which you want to perform a search and identify malicious activities online. |
Reports Within X Days | Number of days within which you want to check reports for the specified IP address in AbuseIPDB. Valid values are between 1 to 365 days. By default, this is set to 10 days. |
The output contains the following populated JSON schema:
{
"ipAddress": "",
"isPublic": "",
"ipVersion": "",
"isWhitelisted": "",
"abuseConfidenceScore": "",
"countryCode": "",
"usageType": "",
"isp": "",
"domain": "",
"hostnames": [],
"totalReports": "",
"numDistinctUsers": "",
"lastReportedAt": ""
}
Parameter | Description |
---|---|
IP | IP address that you want to report to AbuseIPDB that has been identified with malicious activities. |
Categories | Categories of malware in which you want to categorize the specified IP address in AbuseIPDB. You can choose from categories such as, Bad Web Bot, Blog Spam, Brute-Force, DDos Attack, DNS Compromise, etc, |
Comment | (Optional) Comment that you want to add with the reported IP. |
The output contains the following populated JSON schema:
{
"ipAddress": "",
"abuseConfidenceScore": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Confidence Minimum | Minimum confidence level that has been specified by users who have reported the malicious IP addresses to AbuseIPDB. If you specify this parameter, then this operation will retrieve the list of only those IP addresses that have their confidence level more than the value specified. Valid values are between 25 to 100. |
Limit | Maximum number of results, per page, that this operation should return. By default, this value is set as 10000. |
The output contains the following populated JSON schema:
{
"meta": {
"generatedAt": ""
},
"data": [
{
"ipAddress": "",
"abuseConfidenceScore": ""
}
]
}
The Sample - AbuseIPDB - 2.0.0
playbook collection comes bundled with the AbuseIPDB connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the AbuseIPDB connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.