ioc_lookup_tool
Query an IP address or domain against 90 days of honeypot data to assess malicious activity and known scanner behavior.
Instructions
Look up any IP address or domain in the honeypot dataset. Use this FIRST whenever the user asks: 'is this IP malicious?', 'is this a known scanner?', 'have you seen this IP?', 'what does this IP do?', 'when was it last seen?', 'is this IP in your data?'. Returns: total_events (0 = never observed), first_seen, last_seen, country, ASN, all ports targeted, top user agents, top URL paths, TLS/HTTP/SSH fingerprints. Covers both IPv4 and domains.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| ioc | Yes | | |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| No arguments | | | |