Skip to main content

AbuseIPDB

Updated

AbuseIPDB is a community-driven threat-intelligence platform for reporting and checking malicious IP addresses.

Overview

AbuseIPDB aggregates crowd-sourced reports of abusive behavior (e.g., SSH brute force, DDoS, spam) and exposes them via a REST API. In Qevlar, you can use it to enrich investigations, power detections/hunts, and automate block/allow decisions.

How to integrate AbuseIPDB with Qevlar

Step 1: Navigate to Integrations

  1. Log in to your Qevlar AI platform
  2. In the left sidebar, click Integrations
  3. Browse or search for AbuseIPDB
  4. Click the Manage button on the AbuseIPDB card to open the configuration dialog

Step 2: Choose your integration method

Qevlar offers two options:

  • Option 1: Use Qevlar’s account (Quick start)
    1. Check “I want to use Qevlar’s account.”
    2. Click Save
info

This is the fastest way to get started. For heavier usage, dedicated rate limits, and auditability, prefer your own API key (Option 2).

  • Option 2: Use your personal AbuseIPDB API key (Recommended)

If you want your own quotas and audit trail, create an API key in AbuseIPDB and paste it into Qevlar.

Create an AbuseIPDB API key

Follow the steps below in your AbuseIPDB account.

  1. Open the Account area

From the top navigation bar, click Account.

AbuseIPDB top navigation with Account entry
  1. Go to the API tab and create a key

Open the API tab, then click Create Key.

AbuseIPDB dashboard on the API tab with Create Key action
  1. Name the key and create it

Give the key a meaningful name (e.g., Qevlar AI) and click Create.

Create API Key modal in AbuseIPDB
  1. Copy the generated key

Copy the newly created key. You will paste it into Qevlar.

Generated AbuseIPDB API key list with copy action
warning

Treat your API key like a password: never share it publicly or commit it to source control. Rotate immediately if exposed.

Step 3: Paste your key into Qevlar

  1. Return to the Qevlar AbuseIPDB integration dialog
  2. Select Use my API key
  3. Paste the key you just copied
  4. Click Test connection
  5. If the test succeeds, click Save

Using AbuseIPDB in Qevlar

Once connected, Qevlar can:

  • Enrich indicators with AbuseIPDB data (confidence score, total reports, categories, last reported)
  • Prioritize detections/hunts using score/recency thresholds
  • Automate actions in SOAR playbooks (e.g., temporary blocklists, ticketing, stakeholder alerts)
info

Start with conservative thresholds (e.g., confidence ≥ 60 and reported within the last 30 days) and tune to your environment.

Best Practices

  1. Key hygiene: Store in a secrets manager, rotate quarterly or upon suspicion of compromise
  2. Scoping: Use separate keys per environment (prod, staging, lab) for auditability
  3. Human-in-the-loop: Require approval for broad/long-lived network blocks driven by reputation only

Troubleshooting

  1. Connection test failed
    • Verify you pasted the key correctly (no leading/trailing spaces)
    • Ensure you selected Use my API key before testing
    • Check whether your key was deleted/rotated in AbuseIPDB
      • Try regenerating the key in AbuseIPDB and updating it in Qevlar
    • Free/low-tier keys have limited throughput
      • Consider upgrading your AbuseIPDB plan or staggering bulk lookups
    • Some IPs may be new or under-reported; corroborate with internal telemetry and other CTI sources