AbuseIPDB#
Version: 1.0.1 · Category: Threat Intelligence · Plan: Base+
AbuseIPDB is the world's largest collaborative IP abuse reporting database, covering millions of abuse records contributed by security teams globally. AttackTrace integrates four tools: single IP lookup, bulk detection, CIDR block analysis, and blacklist export.
Tools#
check_ip — Single IP reputation lookup#
| Return field | Description |
|---|---|
| abuseConfidenceScore | Abuse confidence score (0–100%) |
| Community risk level | Overall assessment derived from the score (High/Medium/Low/No record) |
| ISP | Internet service provider |
| usageType | Usage type (datacenter, residential, VPN, etc.) |
| Country | Country the address is geolocated to |
| totalReports | Total number of abuse reports within the lookback window |
| numDistinctUsers | Number of distinct reporters |
Key parameters:
| Parameter | Default | Description |
|---|---|---|
| max_age_days | 30 | Lookback window in days (1–365) |
| verbose | false | Include individual report details (reporter, date, categories, comment) |
| threshold | 75% | Score at or above which an IP is flagged |
bulk_check — Bulk IP reputation check#
Check up to 100 IPs in a single call, returning:
- Summary of flagged IPs
- Confidence score and risk level per IP
- ISP and country distribution
Supports the same max_age_days and threshold parameters as check_ip. Ideal for processing IP lists from firewall logs or EDR alerts.
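Worked example of how the check_ip and bulk_check output above can be derived from the raw AbuseIPDB `/api/v2/check` response. This is an added illustration in Python, not AttackTrace's or AbuseIPDB's own code: the response field names and the request format (`Key` and `Accept` headers, `ipAddress`/`maxAgeInDays`/`verbose` query parameters) are AbuseIPDB's documented interface, while the risk-band cut-offs (High ≥ 75, Medium ≥ 25, Low ≥ 1), the 100-IP bulk cap and the sample responses are assumptions constructed for the example.

```python
"""Deriving check_ip / bulk_check style output from AbuseIPDB /api/v2/check data.

Added example, not AttackTrace's or AbuseIPDB's own code. Field names and the
request format follow the public AbuseIPDB v2 API; the risk bands, the bulk
cap and the sample responses below are assumptions made for illustration.
"""
import json
import urllib.parse
import urllib.request
from collections import Counter

API_BASE = "https://api.abuseipdb.com/api/v2"
BULK_LIMIT = 100  # assumed cap, mirroring bulk_check's "up to 100 IPs"

# Assumed score bands behind the High/Medium/Low/No record labels.
RISK_BANDS = ((75, "High"), (25, "Medium"), (1, "Low"))


def risk_level(score):
    """Map an abuseConfidenceScore (0-100) to a coarse risk label."""
    for floor, label in RISK_BANDS:
        if score >= floor:
            return label
    return "No record"


def build_check_request(api_key, ip, max_age_days=30, verbose=False):
    """Build (but do not send) the GET request for /check.

    maxAgeInDays must be 1-365. verbose is a bare flag in the API, so it is
    appended as a key without a value rather than urlencoded as 'verbose='.
    """
    if not 1 <= int(max_age_days) <= 365:
        raise ValueError("max_age_days must be between 1 and 365")
    query = urllib.parse.urlencode(
        {"ipAddress": ip, "maxAgeInDays": int(max_age_days)})
    if verbose:
        query += "&verbose"
    return urllib.request.Request(
        f"{API_BASE}/check?{query}",
        headers={"Key": api_key, "Accept": "application/json"})


def classify(data, threshold=75):
    """Reduce one /check 'data' object to the fields a triage needs."""
    score = int(data.get("abuseConfidenceScore") or 0)
    return {
        "ip": data["ipAddress"],
        "score": score,
        "risk": risk_level(score),
        "flagged": score >= threshold,
        "isp": data.get("isp") or "unknown",
        "usage_type": data.get("usageType") or "unknown",
        "country": data.get("countryCode") or "??",
        "total_reports": int(data.get("totalReports") or 0),
        "distinct_reporters": int(data.get("numDistinctUsers") or 0),
    }


def check_ip(api_key, ip, max_age_days=30, verbose=False, threshold=75):
    """Live single-IP lookup (makes a network call; not used by the sample run)."""
    req = build_check_request(api_key, ip, max_age_days, verbose)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return classify(json.load(resp)["data"], threshold)


def bulk_triage(results, threshold=75):
    """Summarise a batch of /check 'data' objects the way bulk_check does."""
    if len(results) > BULK_LIMIT:
        raise ValueError(f"bulk triage is capped at {BULK_LIMIT} IPs per call")
    rows = [classify(d, threshold) for d in results]
    flagged = sorted((r for r in rows if r["flagged"]),
                     key=lambda r: r["score"], reverse=True)
    return {
        "checked": len(rows),
        "flagged": [r["ip"] for r in flagged],
        "per_ip": rows,
        "isp_distribution": dict(Counter(r["isp"] for r in rows)),
        "country_distribution": dict(Counter(r["country"] for r in rows)),
    }


# Constructed sample of three /check 'data' objects (documentation IPs).
SAMPLE_RESULTS = [
    {"ipAddress": "198.51.100.7", "abuseConfidenceScore": 100,
     "isp": "Example Hosting", "usageType": "Data Center/Web Hosting/Transit",
     "countryCode": "NL", "totalReports": 412, "numDistinctUsers": 87},
    {"ipAddress": "203.0.113.45", "abuseConfidenceScore": 40,
     "isp": "Example Telecom", "usageType": "Fixed Line ISP",
     "countryCode": "BR", "totalReports": 6, "numDistinctUsers": 2},
    {"ipAddress": "192.0.2.10", "abuseConfidenceScore": 0, "isp": None,
     "usageType": None, "countryCode": None, "totalReports": 0,
     "numDistinctUsers": 0},
]

if __name__ == "__main__":
    print(json.dumps(bulk_triage(SAMPLE_RESULTS, threshold=50), indent=2))
```

Lowering `threshold` widens the flagged list without changing the risk labels, which is the behaviour to expect when triaging firewall-log IPs: a score of 40 from two distinct reporters is worth a look, but it is not the same signal as 100 from 87. Keep `distinct_reporters` next to the score when deciding what to block.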
check_block — CIDR block analysis#
Check all reported IPs within a CIDR block (e.g. 198.51.100.0/24):
- Block summary
- Total number of reported addresses
- High-risk IP list sorted by confidence score
Use confidence_threshold to set the high-risk classification threshold.
!!! warning "Requires subscription"
check_block requires a paid AbuseIPDB account.
get_blacklist — Global blacklist export#
Export the AbuseIPDB global blacklist:
| Parameter | Default | Description |
|---|---|---|
| confidence_minimum | 90 | Minimum confidence score (25–100) |
| limit | — | Maximum number of entries (up to 500,000) |
| plain_text | false | Return a raw newline-separated IP list instead of JSON (suitable for firewall rules) |
!!! warning "Requires subscription"
get_blacklist requires a paid AbuseIPDB account.
Configuration#
AbuseIPDB requires your own API key (bring your own key, BYOK); the platform does not ship a shared one.
| Item | Description |
|---|---|
| ABUSEIPDB_API_KEY | Your personal AbuseIPDB API key |
!!! info "Getting an API key"
Obtain one at abuseipdb.com/account/api. Free tier supports check_ip and bulk_check; check_block and get_blacklist require a paid subscription.
!!! tip "No API key? Use AttackThreat"
AttackThreat is built into the platform and covers IP reputation checks (enrich_ip and check_reputation) with no configuration required.
Investigation workflow#
1. check_ip ip:"<alert IP>" verbose:true
→ Get full abuse history and individual report details
2. bulk_check ip_addresses:["<IP1>","<IP2>","<IP3>"] threshold:50
→ Bulk triage suspicious IPs from firewall logs
3. check_block network:"<attacker CIDR>"
→ Assess an entire subnet associated with an attack campaign
4. get_blacklist confidence_minimum:100 limit:10000 plain_text:true
→ Export high-confidence blacklist for direct use in firewall block rules
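A worked example of steps 3 and 4, added here in Python and not part of AttackTrace or AbuseIPDB: narrowing a set of reported addresses to the high-risk members of one CIDR block (the shape of a check_block result), then validating a plain_text blacklist export before it becomes a firewall rule. The reported list, the blacklist text, the never-block ranges, the exclusion list and the nftables table/set names are all constructed assumptions.

```python
"""Steps 3 and 4 of the workflow above: CIDR-scoped high-risk listing and a
validated nftables set built from a plain_text blacklist export.

Added example, not AttackTrace's or AbuseIPDB's code. The reported-IP list,
the blacklist text, the never-block ranges, the exclusion list and the
nftables names are assumptions constructed for illustration.
"""
import ipaddress


def high_risk_in_block(network, reported, confidence_threshold=75):
    """Members of `network` whose score meets the threshold, best first.

    `reported` is an iterable of (ip, abuseConfidenceScore) pairs, i.e. the
    reported-address entries of a check_block style result.
    """
    net = ipaddress.ip_network(network, strict=False)
    hits = [(str(ipaddress.ip_address(ip)), int(score))
            for ip, score in reported
            if ipaddress.ip_address(ip) in net and int(score) >= confidence_threshold]
    return sorted(hits, key=lambda h: (-h[1], ipaddress.ip_address(h[0])))


# Ranges a blocklist must never contain (assumed local policy).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]


def parse_blacklist(text, extra_exclusions=()):
    """Validate a plain_text export (one IP per line, '#' comments allowed).

    Returns (accepted, rejected): accepted is a de-duplicated list of
    ip_address objects; rejected is a list of (line_no, text, reason).
    """
    exclusions = NEVER_BLOCK + [ipaddress.ip_network(n, strict=False)
                                for n in extra_exclusions]
    accepted, rejected, seen = [], [], set()
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            addr = ipaddress.ip_address(line)
        except ValueError:
            rejected.append((line_no, line, "not an IP address"))
            continue
        if any(addr in n for n in exclusions):
            rejected.append((line_no, line, "excluded range"))
        elif addr in seen:
            rejected.append((line_no, line, "duplicate"))
        else:
            seen.add(addr)
            accepted.append(addr)
    return accepted, rejected


def nft_set(addresses, family=4, table="inet filter", set_name="abuseipdb"):
    """Render an nftables table with a named set and a drop rule for it."""
    members = [str(a) for a in addresses if a.version == family]
    if not members:
        return ""
    addr_type, match = (("ipv4_addr", "ip saddr") if family == 4
                        else ("ipv6_addr", "ip6 saddr"))
    name = f"{set_name}_v{family}"
    elements = ",\n            ".join(members)
    return (
        f"table {table} {{\n"
        f"    set {name} {{\n"
        f"        type {addr_type}\n"
        f"        elements = {{\n            {elements}\n        }}\n"
        f"    }}\n"
        f"    chain input {{\n"
        f"        type filter hook input priority 0; policy accept;\n"
        f"        {match} @{name} drop\n"
        f"    }}\n"
        f"}}\n")


# Constructed check_block-style reported addresses for 198.51.100.0/24.
REPORTED = [("198.51.100.7", 100), ("198.51.100.200", 80),
            ("198.51.100.9", 60), ("203.0.113.45", 95)]

# Constructed plain_text export with a duplicate, a private address and a
# malformed line mixed in.
BLACKLIST_TEXT = """\
# constructed sample of a get_blacklist plain_text export
198.51.100.7
203.0.113.45
198.51.100.7
10.0.0.5
not-an-ip
2001:db8::bad
203.0.113.200
"""

if __name__ == "__main__":
    print(high_risk_in_block("198.51.100.0/24", REPORTED))
    ok, bad = parse_blacklist(BLACKLIST_TEXT, extra_exclusions=["203.0.113.0/25"])
    for item in bad:
        print("skipped line %d (%s): %s" % item)
    print(nft_set(ok, family=4))
```

The exclusion step is the part worth keeping: a global blacklist may contain addresses you must not block, such as your own NAT egress or a partner's range, so pass `extra_exclusions` explicitly, feed the firewall only the accepted list, and keep the rejected list for review rather than silently dropping it.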