top_attackers_tool
Retrieve a ranked leaderboard of attack sources, grouped by IP, country, ASN, port, or user agent. Filter results by country, port, or ASN to identify top attackers over specific time ranges.
Instructions
Ranked leaderboard of attack sources. Use for questions such as 'who is attacking the most?', 'top attacking countries', 'most targeted ports', 'most common user agents', 'top ASNs by attack volume', 'top IPs from China', 'top attackers hitting port 22'.
'by' controls grouping: ip, asn, country, port, user_agent, ja4, url_path.
Optional filters: country (2-letter ISO, e.g. 'CN'), dest_port, asn (e.g. 'AS12345'). Adding a filter is required for large time ranges to stay within memory limits.
since/until are ISO-8601 UTC strings.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| since | Yes | | |
| until | Yes | | |
| by | No | ip | |
| limit | No | | |
| country | No | | |
| dest_port | No | | |
| asn | No | | |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| result | Yes | | |