Splunk Search

Custom IP Reputation

bbraun
New Member

Hi

My end goal is to create a custom IP reputation table that tracks successful and failed logins by IP address and assigns a numeric score as result. For every successful auth it increments the score by 2 and every fail it decrements the score by 1. Ideally we would want a ceiling of 20 and a floor of -20. I realize we would have to play with those thresholds but its a good start.

0 Karma

harishalipaka
Motivator

hi @bbraun

try this

<form hideAppBar="true" hideSplunkBar="true" hideEdit="true" hideTitle="true" hideChrome="true">
  <label>IP Reputation Checking Dashboard</label>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <html id="titlepanel">
                 <style>.btn-primary { margin: 5px 10px 5px 0; }
                      #reportTitle {
                        float: left;
                        margin-left: 30rem;
                      }
                      img {
                      float:left;
                      }
                      #username {
                        float: right;

                      }
                      #titlepanel{
                      background: #1c2e61;
                      }

                      .dashboard-header {
                          display: none;
                      }

                 </style>

          </html>
    </panel>
  </row>
  <row>
    <panel>
      <title>Summary || Count of Records- $output$</title>
      <input type="time" token="timetk" searchWhenChanged="true">
        <label>Select Time Range</label>
        <default>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </default>
      </input>
      <table>
        <search>
          <finalized>
            <set token="output">$job.resultCount$</set>
          </finalized>
          <query>|makeresults |eval ip="192.0.0.127"</query>

          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="ip">$click.value2$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row depends="$ip$">
    <panel>
      <input type="checkbox" token="tokReset">
        <label></label>
        <change>
          <unset token="ip"></unset>
          <unset token="form.tokReset"></unset>
        </change>
        <choice value="hide">Close_X</choice>
        <delimiter> </delimiter>
      </input>
      <html>
       <iframe src="https://www.projecthoneypot.org/ip_$ip$" width="100%" height="300">></iframe>
     </html>
    </panel>
  </row>

</form>
Thanks
Harish
0 Karma

woodcock
Esteemed Legend

Schedule a saved search like this:

|tstats WHERE index=* FROM datamodel=Authentication count(eval(authentication.action=="failure")) AS subtractme count(eval(authentication.action=="success")) AS addme BY host
| inputlookup append=t YourReputationLookup.csv
| stats first(reputation) AS reputation, first(addme) AS addme, first(subtractme) AS subtractme BY host
| eval reputation = reputation + addme - subtractme
| table host reputation
| outputlookup YourReputationLookup.csv
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...