topic Re: Custom IP Reputation in Splunk Search

Custom IP Reputation

bbraun — Mon, 11 Nov 2019 23:21:50 GMT

My end goal is to create a custom IP reputation table that tracks successful and failed logins by IP address and assigns a numeric score as result. For every successful auth it increments the score by 2 and every fail it decrements the score by 1. Ideally we would want a ceiling of 20 and a floor of -20. I realize we would have to play with those thresholds but its a good start.

Re: Custom IP Reputation

woodcock — Tue, 12 Nov 2019 01:23:02 GMT

Schedule a saved search like this:

|tstats WHERE index=* FROM datamodel=Authentication count(eval(authentication.action=="failure")) AS subtractme count(eval(authentication.action=="success")) AS addme BY host
| inputlookup append=t YourReputationLookup.csv
| stats first(reputation) AS reputation, first(addme) AS addme, first(subtractme) AS subtractme BY host
| eval reputation = reputation + addme - subtractme
| table host reputation
| outputlookup YourReputationLookup.csv

Re: Custom IP Reputation

harishalipaka — Tue, 12 Nov 2019 09:08:46 GMT

hi @bbraun

try this

<form hideAppBar="true" hideSplunkBar="true" hideEdit="true" hideTitle="true" hideChrome="true">
  <label>IP Reputation Checking Dashboard</label>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <html id="titlepanel">
                 <style>.btn-primary { margin: 5px 10px 5px 0; }
                      #reportTitle {
                        float: left;
                        margin-left: 30rem;
                      }
                      img {
                      float:left;
                      }
                      #username {
                        float: right;

                      }
                      #titlepanel{
                      background: #1c2e61;
                      }

                      .dashboard-header {
                          display: none;
                      }

                 </style>

          </html>
    </panel>
  </row>
  <row>
    <panel>
      <title>Summary || Count of Records- $output$</title>
      <input type="time" token="timetk" searchWhenChanged="true">
        <label>Select Time Range</label>
        <default>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </default>
      </input>
      <table>
        <search>
          <finalized>
            <set token="output">$job.resultCount$</set>
          </finalized>
          <query>|makeresults |eval ip="192.0.0.127"</query>

          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="ip">$click.value2$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row depends="$ip$">
    <panel>
      <input type="checkbox" token="tokReset">
        <label></label>
        <change>
          <unset token="ip"></unset>
          <unset token="form.tokReset"></unset>
        </change>
        <choice value="hide">Close_X</choice>
        <delimiter> </delimiter>
      </input>
      <html>
       <iframe src="https://www.projecthoneypot.org/ip_$ip$" width="100%" height="300">></iframe>
     </html>
    </panel>
  </row>

</form>