Enricher - AbuseIPDB Enricher

Note

This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.

Specifications

Enricher name

AbuseIPDB Enricher

Supported observable types

  • ipv4

  • ipv6

Output

Indicator entity with associated observables.

API endpoint

https://api.abuseipdb.com/api/v2/check

Description

This enricher looks up the enriched observable (Domain, IPv4, IPv6) using the AbuseIPDB endpoint.

Requirements

  • AbuseIPDB API URL.

  • AbuseIPDB API key.

Set up the enricher

Before using the enricher, configure it to add your AbuseIPDB credentials:

  1. Go to Data configuration > Enrichers.

  2. Select the enricher from the displayed list.

  3. Edit the enricher by selecting More > Edit from the top right.

  4. In the Edit enricher task view, fill out these fields:

    Note

    Required fields are marked with an asterisk (*).

    | Field | Description |
    | --- | --- |
    | API key* | Set this to your AbuseIPDB API key. |
    | API URL* | Set this to the API URL. |
    | Max age in days* | Set the number of days to go back in time for retrieving reports. |

  5. Click Save to store your changes.

Default configuration

These are the default configuration parameters for the AbuseIPDB enricher:

Note

Required fields are marked with an asterisk (*).

| Field | Description |
| --- | --- |
| Name | Leave this as “AbuseIPDB Enricher”. Set by default. |
| Override TLP | Forces all entities and observables produced by this extension to inherit this TLP value. |
| Description* | Enter a description for this enricher. |
| Cache validity (sec)* | Set to 2592000 seconds (30 days) by default. |
| Rate limit (per sec)* | Set to 1000 seconds by default. |
| Monthly execution cap (runs)* | Set to 1000000 runs by default. |
| Source reliability* | Assign a reliability level to entities and observables produced by this extension. The values here are based on the Admiralty System. |
| Observable types* | Observable types to enrich. By default, this is set to the observables supported by the AbuseIPDB enricher: ipv4 and ipv6. |
| Enabled | Select to enable this enricher. |
| API URL* | Set to https://api.abuseipdb.com/api/v2/check by default. |
| API key* | Set this to your AbuseIPDB API key. |
| Max age in days* | Set to 30 by default. |
| SSL verification | Selected by default. Select to enable SSL verification. |
| Path to SSL certificate file | Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source. |
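To check the API URL, API key and Max age in days values outside the platform, the following added example (not the enricher's own code) builds a lookup against the check endpoint using AbuseIPDB's `Key` header and `ipAddress`/`maxAgeInDays` query parameters, and parses a response. The function names, the `ca_file` parameter and the sample response are assumptions made for illustration.

```python
import ipaddress
import json
import ssl
import urllib.parse
import urllib.request

# "API URL" default taken from this page.
API_URL = "https://api.abuseipdb.com/api/v2/check"


def build_check_request(value, api_key, max_age_days=30, api_url=API_URL):
    """Build, without sending, the lookup request for one ipv4/ipv6 observable."""
    ip = ipaddress.ip_address(value)  # ValueError for anything that is not an IP
    if not 1 <= max_age_days <= 365:  # range the check endpoint accepts
        raise ValueError("max age in days must be between 1 and 365")
    query = urllib.parse.urlencode(
        {"ipAddress": str(ip), "maxAgeInDays": max_age_days})
    headers = {"Key": api_key, "Accept": "application/json"}
    return urllib.request.Request(f"{api_url}?{query}", headers=headers)


def summarize(body):
    """Pull the triage-relevant fields out of a check response body."""
    data = json.loads(body)["data"]
    keys = ("ipAddress", "abuseConfidenceScore", "totalReports", "lastReportedAt")
    return {k: data.get(k) for k in keys}


def check(value, api_key, ca_file=None, **kwargs):
    """Send the lookup. Needs network access and a real API key.

    ca_file plays the role of "Path to SSL certificate file"; certificate
    verification stays on, as with the "SSL verification" default.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    req = build_check_request(value, api_key, **kwargs)
    with urllib.request.urlopen(req, timeout=10, context=ctx) as resp:
        return summarize(resp.read())


# Constructed sample response: documentation-range address, made-up values.
SAMPLE = json.dumps({"data": {
    "ipAddress": "203.0.113.7", "abuseConfidenceScore": 85,
    "totalReports": 12, "lastReportedAt": "2024-01-01T00:00:00+00:00"}})

if __name__ == "__main__":
    print(build_check_request("203.0.113.7", "<your-api-key>").full_url)
    print(summarize(SAMPLE))
```

Pass the API key to `check()` from a secret store or environment variable rather than writing it into a script.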

Enrichment result

When the AbuseIPDB enricher is applied to an observable, it attaches a Report entity to the enriched observable.

Attached to the Report entity are associated observables.