Hello Alex,
I'm glad that you asked your question here. At the moment the enriched field is only the threatscore, so the third octet from the Project Honeypot response.
The third octet (5 in the example above) represents a threat score for IP. This score is assigned internally by Project Honey Pot based on a number of factors including the number of honey pots the IP has been seen visiting, the damage done during those visits (email addresses harvested or forms posted to), etc. The range of the score is from 0 to 255, where 255 is extremely threatening and 0 indicates no threat score has been assigned. In the example above, the IP queried has a threat score of "5", which is relatively low. While a rough and imperfect measure, this value may be useful in helping you assess the threat posed by a visitor to your site.
The fourth octet is within the lookup script, but currently I do not forward it to Splunk as an enriched field. First I thought more about the use case where you have a bunch of activities (maybe logons etc.) with external IPs and you might want to find some "malicious" threats, and there, next to iplocation by country etc., a good indicator is to look up how "bad" the IP is that tried this and investigate those with a bad scoring first.
But great if you have a use case where the type of visitor is important for you.
Any chance this could be updated so that the search engines don't get caught up in the actual threatscore data? Or perhaps offer more variables as an alternative to allow for a little more interpretation by users like me, in my own Splunk queries.
Yes, you have a chance. Let me know if I understood you correctly that you want the fourth octet of the response in a field like "visitor_type" with the information of the visitor type.
Br
Matthias
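The thread above discusses exposing the third octet (threat score) and fourth octet (visitor type) of a Project Honey Pot http:BL response as separate Splunk lookup fields. The following Python is an added example, not the lookup script from the original post or Project Honey Pot's own code. It parses a dotted http:BL response into the fields Alex asks for, and it addresses the "search engines get caught up in the threatscore" point: per Project Honey Pot's public http:BL documentation (not stated on this page), a fourth octet of 0 marks a search engine, and in that case the third octet is a search-engine identifier rather than a threat score, so the example reports no threat score for those rows. The function and field names (`parse_httpbl_response`, `triage`, `visitor_type_label`, `raw_third_octet`) and the sample responses are assumptions constructed for illustration; a real lookup would obtain each response via a DNS query with your access key and the reversed IP, and an NXDOMAIN answer (modelled here as `None`) means the IP is not listed.

```python
"""Parse Project Honey Pot http:BL responses into separate lookup fields.

Added example (not the original lookup script). Response format assumed from
the public http:BL documentation: "127.<days>.<threat>.<type>", where <type>
is a bitmask (1 suspicious, 2 harvester, 4 comment spammer) and 0 denotes a
search engine. For search engines the third octet is an engine identifier,
not a threat score, so it must not be ranked as one.
"""
from typing import Dict, List, Optional, Tuple

VISITOR_SUSPICIOUS = 1
VISITOR_HARVESTER = 2
VISITOR_COMMENT_SPAMMER = 4
_KNOWN_BITS = VISITOR_SUSPICIOUS | VISITOR_HARVESTER | VISITOR_COMMENT_SPAMMER


def visitor_type_label(flags: int) -> str:
    """Turn the fourth-octet bitmask into a readable label such as 'harvester+comment_spammer'."""
    if flags == 0:
        return "search_engine"
    names = []
    if flags & VISITOR_SUSPICIOUS:
        names.append("suspicious")
    if flags & VISITOR_HARVESTER:
        names.append("harvester")
    if flags & VISITOR_COMMENT_SPAMMER:
        names.append("comment_spammer")
    if flags & ~_KNOWN_BITS:
        names.append("unknown")  # bits outside the documented mask
    return "+".join(names)


def parse_httpbl_response(response: Optional[str]) -> Dict[str, object]:
    """Split an http:BL answer into fields; None stands for NXDOMAIN (IP not listed)."""
    if response is None:
        return {"listed": False, "days_since_last_activity": None,
                "threat_score": None, "raw_third_octet": None,
                "visitor_type": None, "visitor_type_label": "not_listed"}
    parts = response.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("not a dotted-quad http:BL response: %r" % response)
    octets = [int(p) for p in parts]
    if octets[0] != 127 or any(o > 255 for o in octets):
        raise ValueError("invalid http:BL response: %r" % response)
    _, days, third, flags = octets
    return {
        "listed": True,
        "days_since_last_activity": days,
        # A search engine's third octet identifies the engine, so report no score.
        "threat_score": None if flags == 0 else third,
        "raw_third_octet": third,
        "visitor_type": flags,
        "visitor_type_label": visitor_type_label(flags),
    }


def triage(ip_responses: Dict[str, Optional[str]], min_score: int = 1) -> List[Tuple[str, int, str]]:
    """Rank listed, non-search-engine IPs by descending threat score for investigation."""
    rows = []
    for ip, resp in ip_responses.items():
        rec = parse_httpbl_response(resp)
        score = rec["threat_score"]
        if score is None or score < min_score:
            continue
        rows.append((ip, score, rec["visitor_type_label"]))
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows


# Constructed sample responses (documentation IP range, not real lookups).
SAMPLE_RESPONSES: Dict[str, Optional[str]] = {
    "198.51.100.10": "127.1.5.1",    # suspicious, threat score 5
    "198.51.100.11": "127.0.5.0",    # search engine; third octet is an engine id, not a score
    "198.51.100.12": "127.2.40.6",   # harvester + comment spammer, threat score 40
    "198.51.100.13": None,           # NXDOMAIN: not listed
}

if __name__ == "__main__":
    for ip, resp in SAMPLE_RESPONSES.items():
        print(ip, parse_httpbl_response(resp))
    print(triage(SAMPLE_RESPONSES))
```

With a naive "third octet = threatscore" lookup the search-engine row above would be reported with a threat score of 5; keeping the visitor type as its own field lets a Splunk search filter on `visitor_type_label!="search_engine"` before sorting by score.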