Hello, can anybody recommend an add-on for finding the reputation of an IP in search results?
With high hopes, I downloaded the VirusTotal app https://splunkbase.splunk.com/app/4283/#/details, but was disappointed to find out that it does not show a reputation score for an IP field. It does show one for file hashes, domains and URLs, but not for IPs.
The requirement is for a TA or add-on that we can use in our own searches to get the IP reputation as a field in the results.
Hey @neerajs_81,
Can you please provide the specific use case for needing an app/TA to find the reputation of an IP? I believe this can also be achieved by defining GET workflow actions that take the IP from the field and pass it to web URLs that calculate the reputation score. Here's the link on how to define a GET workflow action: https://docs.splunk.com/Documentation/Splunk/8.2.4/Knowledge/SetupaGETworkflowaction
Thanks for responding. In our ES instance, we have a search in which we need to filter results based on the reputation/threat score of an IP address. For example: we need to query our firewall logs to show us only those users that have visited a destination IP with a reputation score greater than 7 according to VirusTotal. Basically, 7 out of 98 vendors have flagged that IP as malicious in VT.
Now, this destination IP in our events is stored in a field called "threat_match_value". So we would end up adding a condition like the one below, where 7 is the score fetched by the TA from VirusTotal.
| where threat_match_value > 7
Is this possible via a GET workflow action? Can a GET workflow action be used to save whatever results it fetches from VT into a field that we can then compare against?
Hope I am clear.
Hey Neeraj,
Thanks for explaining the use case. A GET workflow action will not be able to save the values in a field. It will just redirect you to another website using the field you specify, so workflow actions would not be helpful in achieving your objective. You will need to look for another solution.
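The thread ends without a working approach, so here is an added example (not from any of the posters, and not the Splunkbase app's code) of the kind of "other solution" the reply alludes to: a Splunk external lookup script that turns the VirusTotal "malicious vendor count" for an IP into a field on each result row. It assumes a hypothetical transforms.conf stanza named vt_ip_lookup with `external_cmd = vt_ip_lookup.py ip vt_malicious`, an API key in an assumed environment variable VT_API_KEY, and the VirusTotal v3 /ip_addresses endpoint (the sample response embedded below is constructed to match that API's shape, not a real capture). With the lookup defined, the search from the thread becomes `| lookup vt_ip_lookup ip AS threat_match_value OUTPUT vt_malicious | where vt_malicious > 7`, which compares the score rather than the IP itself.

```python
"""Splunk external lookup: add a VirusTotal 'malicious vendor count' to each IP.

Added example, not code from the thread or the Splunkbase app. Assumptions:
  - transforms.conf stanza (hypothetical name 'vt_ip_lookup') with
        external_cmd = vt_ip_lookup.py ip vt_malicious
        fields_list  = ip, vt_malicious
  - the VirusTotal API key is in the environment variable VT_API_KEY (assumed name)
"""
import csv
import json
import os
import sys
import urllib.request

# VirusTotal v3 endpoint for IP reports; the key goes in the x-apikey header.
VT_IP_URL = "https://www.virustotal.com/api/v3/ip_addresses/{ip}"

# Constructed sample (not a real capture): the shape of a v3 response for an IP
# that 7 vendors flagged as malicious, as in the poster's "7 out of 98" example.
SAMPLE_VT_DOC = {
    "data": {
        "id": "203.0.113.10",
        "type": "ip_address",
        "attributes": {
            "last_analysis_stats": {
                "harmless": 80, "malicious": 7, "suspicious": 1, "undetected": 10
            }
        },
    }
}


def malicious_count(vt_doc):
    """Return how many vendors flagged the IP as malicious, or None if the
    document is missing or malformed (e.g. a failed or rate-limited request)."""
    try:
        return int(vt_doc["data"]["attributes"]["last_analysis_stats"]["malicious"])
    except (KeyError, TypeError, ValueError):
        return None


def fetch_vt_ip(ip, api_key, timeout=10):
    """Query VirusTotal for one IP. Any network/HTTP error yields None so a
    single failed lookup leaves that row blank instead of killing the search."""
    req = urllib.request.Request(VT_IP_URL.format(ip=ip), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except Exception:
        return None


def enrich_rows(rows, in_field, out_field, lookup):
    """Fill out_field on every row using lookup(ip) -> VT document or None.
    Results are cached per IP so a repeated IP costs one API call, not one per event."""
    cache = {}
    for row in rows:
        ip = (row.get(in_field) or "").strip()
        if not ip:
            row[out_field] = ""
            continue
        if ip not in cache:
            cache[ip] = malicious_count(lookup(ip))
        count = cache[ip]
        row[out_field] = "" if count is None else str(count)
    return rows


def demo():
    """Offline run over constructed rows; a fake lookup stands in for the API."""
    rows = [{"ip": "203.0.113.10"}, {"ip": "198.51.100.5"}, {"ip": ""}]
    fake = lambda ip: SAMPLE_VT_DOC if ip == "203.0.113.10" else None
    return enrich_rows(rows, "ip", "vt_malicious", fake)


def main():
    # Splunk passes the input and output field names as arguments and streams the
    # rows to enrich as CSV on stdin; the filled rows are written back as CSV.
    if len(sys.argv) != 3:
        sys.exit("usage: vt_ip_lookup.py <ip_field> <out_field>")
    in_field, out_field = sys.argv[1], sys.argv[2]
    api_key = os.environ.get("VT_API_KEY", "")
    reader = csv.DictReader(sys.stdin)
    fieldnames = list(reader.fieldnames or [])
    if out_field not in fieldnames:
        fieldnames.append(out_field)
    writer = csv.DictWriter(sys.stdout, fieldnames=fieldnames)
    writer.writeheader()
    rows = enrich_rows(list(reader), in_field, out_field,
                       lambda ip: fetch_vt_ip(ip, api_key))
    writer.writerows(rows)


if __name__ == "__main__":
    main()
```

The per-IP cache matters in practice: a firewall search can return the same destination IP thousands of times, and the free VirusTotal tier rate-limits requests, so without it the lookup would silently blank most rows. Also note that the script returns a vendor count, not a normalized 0-100 "score"; the `> 7` threshold in the thread is a vendor count, which is what this field carries.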