AbuseIPDB

Important

Some information in this article relates to a prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

AbuseIPDB is a project managed by Marathon Studios Inc. Their mission is to help make the Web safer by providing a central repository for webmasters, system administrators, and other interested parties to report and identify IP addresses that have been associated with malicious activity online. You can use the AbuseIPDB plugin with Microsoft Copilot for Security.

Set up the AbuseIPDBplugin

Integration with Copilot for Security works with an API key.

  1. Get your AbuseIPDB API key. If you don't have one yet, follow these steps:

    1. Go to the AbuseIPDB website.
    2. Select on the Sign Up button, located at the top right corner of the page.
    3. Fill in the required information, such as your email address, username, and password.
    4. Complete any other steps for verification, if necessary.
    5. Once registered, sign-in to your AbuseIPDB account.
  2. Access the API key.

    1. After logging in, go to the AbuseIPDB Homepage page.
    2. Navigate to the API tab and select on Create key.
    3. After clicking on Create Key a modal appears. You'll be asked to input a name; you can pick any name for your key. For example, enter "developer_key" and select the create button.
    4. The newly generated API key should populate on the same API tab. You need this same key-in later steps for the connector.
  3. Sign in to Microsoft Copilot for Security.

  4. Access Manage Plugins by selecting the Sources button from the prompt bar.

  5. Next to AbuseIPDBplugin, select Set up.

  6. In the AbuseIPDBplugin settings pane, in the Value field, paste your API Key, and then select Save.

Use the AbuseIPDBplugin plugin

After the AbuseIPDBplugin plugin is configured, you can the following skills with Copilot for Security.

The following table provides examples you can try:

Skill name Skill input Example prompts
CheckIPAddress

Accepts an IP address (v4 or v6) and provides information about the queried IP, including version, origin country, usage type, ISP, and domain. Abusive reports are included.
Required:
- ipAddress

Optional:
- maxAgeInDays (default 30, min 1, max 365)
- verbose
- Tell me about IP address 118.25.6.39 using AbuseIPDB database

- What does the abuseipdb database say about the IP address 180.126.219.127?

- I'm curious about any abuseipdb records for the IP address 180.126.219.127. Can you look that up for me for the last 10 days?
CheckNetworkBlock

This skill takes a subnet in CIDR notation (v4 or v6) and returns details about the queried network, including its netmask, possible hosts count, and address space description. URL-encode the network due to forward slashes in CIDR notation.
Required:
- network

Optional:
- maxAgeInDays(default 30, min 1, max 365)
- Check the network block 1.1.1.1/24 for any reported IP addresses within the past 10 days.

- I'm trying to find out if there are any reported IP addresses on the network block 1.1.1.1/24 in the past 10 days. Can you assist me with that?

- Could you help me check if any IP addresses are reported on the network block 1.1.1.1/24 within the last 10 days?
ListBlockListedIpAddresses

This skill returns a list IP addresses most reported by AbuseIPDB users with or without other filters. Entries include IP, abuse score, and last report timestamp, sorted by score and timestamp.
Optional:
- confidenceMinimum (default 100, min 25, max 100)
- limit(default 10,000, min 1, restrictions)
- plaintext
-onlyCountries
-exceptCountries
- ipVersion(default 4,6 mixed)
- List blocklisted IP addresses from AbuseIPDB

- According to AbuseIPDB, are there any blocklisted IP addresses from China?

See also

Other plugins for Microsoft Copilot for Security

Manage plugins in Microsoft Copilot for Security