Hi
My end goal is to create a custom IP reputation table that tracks successful and failed logins by IP address and assigns a numeric score as a result. For every successful auth it increments the score by 2 and every fail it decrements the score by 1. Ideally we would want a ceiling of 20 and a floor of -20. I realize we would have to play with those thresholds, but it's a good start.
hi @bbraun
try this
<form hideAppBar="true" hideSplunkBar="true" hideEdit="true" hideTitle="true" hideChrome="true">
  <label>IP Reputation Checking Dashboard</label>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <html id="titlepanel">
        <style>
          .btn-primary { margin: 5px 10px 5px 0; }
          #reportTitle {
            float: left;
            margin-left: 30rem;
          }
          img {
            float: left;
          }
          #username {
            float: right;
          }
          #titlepanel {
            background: #1c2e61;
          }
          .dashboard-header {
            display: none;
          }
        </style>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <title>Summary || Count of Records- $output$</title>
      <input type="time" token="timetk" searchWhenChanged="true">
        <label>Select Time Range</label>
        <default>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </default>
      </input>
      <table>
        <search>
          <finalized>
            <set token="output">$job.resultCount$</set>
          </finalized>
          <query>|makeresults |eval ip="192.0.0.127"</query>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="ip">$click.value2$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row depends="$ip$">
    <panel>
      <input type="checkbox" token="tokReset">
        <label></label>
        <change>
          <unset token="ip"></unset>
          <unset token="form.tokReset"></unset>
        </change>
        <choice value="hide">Close_X</choice>
        <delimiter> </delimiter>
      </input>
      <html>
        <iframe src="https://www.projecthoneypot.org/ip_$ip$" width="100%" height="300"></iframe>
      </html>
    </panel>
  </row>
</form>
Schedule a saved search like this:
| tstats count FROM datamodel=Authentication WHERE index=* BY host, Authentication.action
| eval addme=if('Authentication.action'="success", count, 0), subtractme=if('Authentication.action'="failure", count, 0)
| stats sum(addme) AS addme, sum(subtractme) AS subtractme BY host
| inputlookup append=t YourReputationLookup.csv
| stats first(reputation) AS reputation, first(addme) AS addme, first(subtractme) AS subtractme BY host
| eval reputation = coalesce(reputation, 0) + coalesce(addme, 0) - coalesce(subtractme, 0)
| table host reputation
| outputlookup YourReputationLookup.csv
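The same scheduled search written to the spec in the question (keyed on source IP, +2 per success, -1 per failure, clamped to -20..20). This is an added example, not the answerer's search; it assumes a CIM-compliant Authentication data model populated with Authentication.src and Authentication.action, and a lookup file named ip_reputation.csv (placeholder name) with the fields ip and reputation.

```spl
| tstats count FROM datamodel=Authentication WHERE index=* BY Authentication.src, Authentication.action
| rename Authentication.src AS ip, Authentication.action AS action
| eval addme=if(action="success", count, 0), subtractme=if(action="failure", count, 0)
| stats sum(addme) AS addme, sum(subtractme) AS subtractme BY ip
| inputlookup append=t ip_reputation.csv
| stats sum(reputation) AS reputation, sum(addme) AS addme, sum(subtractme) AS subtractme BY ip
| eval reputation = coalesce(reputation, 0) + 2 * coalesce(addme, 0) - coalesce(subtractme, 0)
| eval reputation = max(-20, min(20, reputation))
| table ip reputation
| outputlookup ip_reputation.csv
```

inputlookup errors on a lookup that does not exist yet, so seed ip_reputation.csv once (for example with `| makeresults | eval ip="0.0.0.0", reputation=0 | table ip reputation | outputlookup ip_reputation.csv`) before scheduling; the coalesce calls are what let a source IP with no prior row start from 0 instead of producing a null score.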