
Actions reference

All actions run on IP Address entities and also accept an optional comma-separated IP Addresses parameter. Only public, globally-routable unicast IPs are processed - private, reserved, multicast, and SOAR-internal addresses are skipped and reported, never silently dropped.
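The input filter described above, as an added example written for this page rather than taken from the integration: it merges the entity IPs with the optional comma-separated parameter, keeps only public, globally-routable unicast addresses, and returns every excluded value together with a reason. The SOAR-internal address set and the reason labels are assumptions; the routability checks come from Python's standard ipaddress module.

```python
import ipaddress

# Addresses the SOAR platform itself uses (constructed value for this example;
# the real integration knows its own list).
SOAR_INTERNAL = {"10.0.5.10"}


def _skip_reason(ip):
    """Return why an address is excluded from lookups, or None if it is a public,
    globally-routable unicast address. Most-specific checks run first so that
    loopback and link-local are not reported merely as 'private'."""
    if str(ip) in SOAR_INTERNAL:
        return "SOAR-internal"
    if ip.is_multicast:
        return "multicast"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_unspecified or ip.is_reserved:
        return "reserved"
    if ip.is_private:
        return "private"
    if not ip.is_global:
        return "not globally routable"  # e.g. shared address space 100.64.0.0/10
    return None


def partition_ips(entity_ips, ip_addresses_param=""):
    """Merge the entity IPs with the optional comma-separated parameter and split
    them into (processed, skipped). skipped is a list of (value, reason) pairs so
    that nothing is dropped silently; duplicates are collapsed on first sight."""
    candidates = list(entity_ips) + [
        p.strip() for p in ip_addresses_param.split(",") if p.strip()
    ]
    processed, skipped, seen = [], [], set()
    for raw in candidates:
        if raw in seen:
            continue
        seen.add(raw)
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            skipped.append((raw, "not an IP address"))
            continue
        reason = _skip_reason(ip)
        if reason:
            skipped.append((raw, reason))
        else:
            processed.append(str(ip))
    return processed, skipped


if __name__ == "__main__":
    ok, dropped = partition_ips(["8.8.8.8", "10.1.2.3"], "224.0.0.251, 127.0.0.1, bogus")
    print("processed:", ok)
    for value, why in dropped:
        print(f"skipped {value}: {why}")
```

Note that Python's ipaddress classifies the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as private, so TEST-NET addresses are skipped by this filter as well.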

Looks up each IP against the ELLIO CTI API, writes ELLIO_* context onto the entity, marks malicious and promiscuous IPs suspicious, adds the threat-intelligence insight card, and returns a recommended case priority.

Recommended priority. Returned as the script result recommended_priority: High when any malicious IP was found, otherwise None. The action never changes the case priority - a playbook applies the recommendation.

Fields written onto the entity (ELLIO_ prefix; a field is written only when ELLIO has the data):

Field                                                  Meaning
ELLIO_classification                                   malicious / promiscuous / unknown / benign
ELLIO_tags / ELLIO_tag_ids                             behavior detections (human labels and stable machine ids)
ELLIO_cve                                              CVEs the IP was observed exploiting
ELLIO_actor                                            attributed operator (research org for scanners, threat group when known)
ELLIO_spoofable                                        whether the observed traffic could be spoofed (False = confirmed direct)
ELLIO_rdns                                             reverse-DNS hostname
ELLIO_country / ELLIO_country_name / ELLIO_continent   source geolocation
ELLIO_ports / ELLIO_non_spoofable_ports                observed destination ports
ELLIO_muonfp / ELLIO_ja3 / ELLIO_ja4                   network fingerprints
ELLIO_http_path / ELLIO_http_user_agent                observed HTTP request paths and user agents
ELLIO_first_seen / ELLIO_last_seen                     first and last observed by ELLIO
ELLIO_direction                                        the IP's role in this alert (source / destination), from the alert's own flows

Long lists are capped for display (for example ports on a mass scanner), with a (+N more) marker. An IP not tracked by ELLIO is reported as Not in ELLIO - a lookup failure, by contrast, fails the action so a playbook can branch on it.

Parameter        Default   Purpose
IP Addresses     -         additional comma-separated IPs
Create Insight   true      add the threat-intelligence insight card per enriched IP
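How the enrichment outputs fit together, as an added example (not the integration's code): an ELLIO record is mapped onto ELLIO_* fields only where data exists, long lists are capped with a (+N more) marker, malicious and promiscuous IPs are flagged suspicious, recommended_priority is derived without touching the case, an untracked IP becomes "Not in ELLIO", and an API error raises so the action fails. The record keys, the cap of five items, the lookup function and the TEST-NET responses are all constructed for this example; the real ELLIO CTI API schema is not shown on this page.

```python
# Record keys below are an ASSUMED shape for this example, not ELLIO's schema.
FIELD_MAP = {
    "classification": "ELLIO_classification",
    "tags": "ELLIO_tags",
    "tag_ids": "ELLIO_tag_ids",
    "cve": "ELLIO_cve",
    "actor": "ELLIO_actor",
    "spoofable": "ELLIO_spoofable",
    "rdns": "ELLIO_rdns",
    "country": "ELLIO_country",
    "ports": "ELLIO_ports",
    "first_seen": "ELLIO_first_seen",
    "last_seen": "ELLIO_last_seen",
}
MAX_LIST_ITEMS = 5              # display cap for long lists (assumed value)
SUSPICIOUS = {"malicious", "promiscuous"}


class LookupFailed(Exception):
    """Raised on a transport or API error so the SOAR action fails and a
    playbook can branch on it; distinct from 'Not in ELLIO'."""


def cap_list(values, limit=MAX_LIST_ITEMS):
    """Render a list for display: first `limit` items, then a (+N more) marker."""
    items = [str(v) for v in values]
    if len(items) <= limit:
        return ", ".join(items)
    return ", ".join(items[:limit]) + f" (+{len(items) - limit} more)"


def entity_fields(record, direction=None):
    """Write a field only when ELLIO has the data: missing keys, None and empty
    lists are skipped, but a boolean False (spoofable=False) is kept."""
    fields = {}
    for key, field in FIELD_MAP.items():
        value = record.get(key)
        if value is None or value == []:
            continue
        fields[field] = cap_list(value) if isinstance(value, list) else value
    if direction:
        fields["ELLIO_direction"] = direction    # from the alert's own flows
    return fields


def enrich(ips, lookup, directions=None):
    """lookup(ip) returns a record dict, None when ELLIO does not track the IP,
    or raises on an API error. Returns per-entity results plus the
    recommended_priority script result; the case priority is never changed here."""
    entities, any_malicious = {}, False
    for ip in ips:
        try:
            record = lookup(ip)
        except Exception as exc:
            raise LookupFailed(f"ELLIO lookup failed for {ip}: {exc}") from exc
        if record is None:
            entities[ip] = {"status": "Not in ELLIO", "fields": {}, "suspicious": False}
            continue
        classification = record.get("classification")
        any_malicious = any_malicious or classification == "malicious"
        entities[ip] = {
            "status": "enriched",
            "fields": entity_fields(record, (directions or {}).get(ip)),
            "suspicious": classification in SUSPICIOUS,
        }
    return {"recommended_priority": "High" if any_malicious else None,
            "entities": entities}


# Constructed responses: TEST-NET addresses and placeholder values.
CONSTRUCTED_RESPONSES = {
    "203.0.113.7": {
        "classification": "malicious",
        "tags": ["ssh-bruteforce", "telnet-login"], "tag_ids": [101, 117],
        "actor": None, "spoofable": False, "rdns": "scan-07.example.net",
        "country": "NL", "ports": [22, 23, 2222, 2323, 8022, 8023, 10022],
        "first_seen": "2025-01-03", "last_seen": "2025-02-11",
    },
    "203.0.113.9": {"classification": "benign", "spoofable": True, "country": "US"},
}


def constructed_lookup(ip):
    """Stand-in for the API client: one address simulates an outage."""
    if ip == "203.0.113.250":
        raise ConnectionError("HTTP 503 from ELLIO API")
    return CONSTRUCTED_RESPONSES.get(ip)
```

A playbook would read recommended_priority from the script result and decide whether to raise the case; keeping that decision outside the action is what lets the same enrichment feed different playbooks.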

Classifies IPs against ELLIO Common Business Services - known cloud, CDN, SaaS, ISP, security, and crawler infrastructure - and adds the provider insight card. A CBS match means the IP belongs to a known service, not that it is safe or malicious; combine with Enrich IP for the threat verdict.

Fields written (ELLIO_CBS_ prefix): cidr, providers, types, services, regions, ids, direction.

The script result is true when any IP matched a CBS range.

Parameter        Default   Purpose
IP Addresses     -         additional comma-separated IPs
Create Insight   true      add the Common Business Services insight card per match
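The CBS classification as an added example (not ELLIO's dataset or code): IPs are matched against a small set of constructed ranges, the ELLIO_CBS_* fields are filled with the most specific matching CIDR and the aggregated attributes of every containing range, and the script result is True when any IP matched. Provider names, ids and regions are placeholders; the handling of nested ranges is an assumption.

```python
import ipaddress

# Constructed CBS ranges for this example; providers, ids and regions are
# placeholders, not ELLIO's Common Business Services data.
CBS_RANGES = [
    {"cidr": "198.51.100.0/24",   "provider": "ExampleCloud", "type": "cloud",
     "service": "compute",       "region": "eu-west", "id": "cbs-0001"},
    {"cidr": "198.51.100.128/25", "provider": "ExampleCloud", "type": "cloud",
     "service": "load-balancer", "region": "eu-west", "id": "cbs-0002"},
    {"cidr": "203.0.113.0/26",    "provider": "ExampleCDN",   "type": "cdn",
     "service": "edge",          "region": "global",  "id": "cbs-0003"},
]
_NETWORKS = [(ipaddress.ip_network(r["cidr"]), r) for r in CBS_RANGES]


def _joined(records, key):
    """Unique values of one attribute across all matching ranges, first-seen order."""
    return ", ".join(dict.fromkeys(r[key] for r in records))


def cbs_fields(ip, direction=None):
    """ELLIO_CBS_* fields for one IP, or None when no CBS range contains it.
    ELLIO_CBS_cidr is the most specific matching range; the plural fields
    aggregate every matching range, since provider ranges nest."""
    addr = ipaddress.ip_address(ip)
    hits = [rec for net, rec in _NETWORKS if addr in net]   # False across IP versions
    if not hits:
        return None
    most_specific = max(hits, key=lambda r: ipaddress.ip_network(r["cidr"]).prefixlen)
    fields = {
        "ELLIO_CBS_cidr": most_specific["cidr"],
        "ELLIO_CBS_providers": _joined(hits, "provider"),
        "ELLIO_CBS_types": _joined(hits, "type"),
        "ELLIO_CBS_services": _joined(hits, "service"),
        "ELLIO_CBS_regions": _joined(hits, "region"),
        "ELLIO_CBS_ids": _joined(hits, "id"),
    }
    if direction:
        fields["ELLIO_CBS_direction"] = direction
    return fields


def classify_cbs(ips, directions=None):
    """Run the lookup over all IPs. Returns (per-IP fields, script result); the
    script result is True when at least one IP matched a CBS range. A match says
    the IP belongs to a known service and nothing about whether it is malicious."""
    per_ip = {ip: cbs_fields(ip, (directions or {}).get(ip)) for ip in ips}
    return per_ip, any(f is not None for f in per_ip.values())
```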

Pushes IP addresses to an ELLIO Blocklist Automation ruleset, from which they are distributed to your enforcement points. It is typically run as a playbook response action behind a human-approval step.

Parameter             Default   Purpose
IP Addresses          -         additional comma-separated IPs
Rule Name             auto      override for the rule name; the default is parsable case context: secops_case=<id> | alert=<name> | ellio=<classification>
Expires In Days       14        rule expiry; 0 creates a permanent rule
Conflict Resolution   extend    extend / override / skip / fail for an existing rule on the same IP

The JSON result reports each IP as added, failed (with the reason), or skipped (SOAR-internal or not a public IP).
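The push logic as an added example, written for this page and not taken from the integration or the ELLIO API: it builds and parses the default case-context rule name, turns Expires In Days into an expiry date (0 = permanent), applies the four conflict-resolution modes against an in-memory stand-in for the ruleset, and returns the added / failed / skipped report. The ruleset dict, the SOAR-internal address, the reason strings and the exact semantics of "extend" (never shorten an existing rule) are assumptions.

```python
import ipaddress
from datetime import date, timedelta

SOAR_INTERNAL = {"10.0.5.10"}   # assumed SOAR-internal address


def default_rule_name(case_id, alert_name, classification):
    """Parsable case context, as built when Rule Name is left at 'auto'."""
    return f"secops_case={case_id} | alert={alert_name} | ellio={classification}"


def parse_rule_name(name):
    """Recover the case context from a rule name when reviewing the ruleset."""
    return {k.strip(): v.strip() for k, _, v in
            (chunk.partition("=") for chunk in name.split(" | "))}


def expiry_for(expires_in_days, today):
    """ISO date on which the rule lapses; 0 means a permanent rule (None)."""
    if expires_in_days == 0:
        return None
    return (date.fromisoformat(today) + timedelta(days=expires_in_days)).isoformat()


def push_ips(ruleset, ips, rule_name, expires_in_days=14, conflict="extend", today="2025-03-01"):
    """Add IPs to `ruleset` (a dict ip -> {"name", "expires"} standing in for the
    ELLIO ruleset) and return the action's report. `conflict` applies when a rule
    for the IP already exists (mode semantics assumed for this example):
      extend   - keep the rule, never shorten it: later expiry wins, permanent wins
      override - replace name and expiry with the new values
      skip     - leave the existing rule untouched, report the IP as skipped
      fail     - report the IP as failed"""
    new_expiry = expiry_for(expires_in_days, today)
    report = {"added": [], "failed": [], "skipped": []}
    for ip in ips:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            report["skipped"].append({"ip": ip, "reason": "not a public IP"})
            continue
        if str(addr) in SOAR_INTERNAL:
            report["skipped"].append({"ip": ip, "reason": "SOAR-internal"})
            continue
        if not addr.is_global:
            report["skipped"].append({"ip": ip, "reason": "not a public IP"})
            continue
        key = str(addr)
        existing = ruleset.get(key)
        if existing is None or conflict == "override":
            ruleset[key] = {"name": rule_name, "expires": new_expiry}
            report["added"].append({"ip": key, "expires": new_expiry})
        elif conflict == "extend":
            if existing["expires"] is None or new_expiry is None:
                existing["expires"] = None
            else:
                existing["expires"] = max(existing["expires"], new_expiry)  # ISO dates sort lexically
            report["added"].append({"ip": key, "expires": existing["expires"]})
        elif conflict == "skip":
            report["skipped"].append({"ip": key, "reason": "existing rule kept"})
        elif conflict == "fail":
            report["failed"].append({"ip": key, "reason": "rule already exists"})
        else:
            raise ValueError(f"unknown conflict resolution: {conflict}")
    return report


if __name__ == "__main__":
    import json
    rules = {}
    name = default_rule_name("12345", "SSH brute force", "malicious")
    # 8.8.8.8 is only a placeholder public address; the routability check is the point.
    print(json.dumps(push_ips(rules, ["8.8.8.8", "10.0.0.1"], name), indent=2))
    print(parse_rule_name(name))
```

The default name is worth keeping even when a playbook could set its own: secops_case=<id> in the rule name is what lets an analyst in ELLIO Platform trace a blocked address back to the case that produced it, and parse_rule_name above is the inverse operation.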

In ELLIO Platform, the pushed IP appears in the ruleset under IP Sources → My IP Rulesets, carrying the case context in its rule name and the configured expiry:

A SecOps-pushed IP in the ELLIO ruleset: parsable case-context rule name and expiration

Validates connectivity and credentials against the ELLIO API. No parameters.