For most Security Information and Event Management (SIEM) operators, their days are literally filled with IP addresses. So filled, in fact, that the IPs begin to fade into the background of all that other machine data from all those API, website, network, and application access logs they’re continuously ingesting into their SIEMs.

And that means major cyber threats go undetected – sometimes even for years.

Why? Well, even when operators do see all those IP addresses, they’re just numbers. As the dictionary defines it:

IP ad-dress

noun

COMPUTING
  1. a unique string of numbers separated by periods that identifies each computer using the Internet Protocol to communicate over a network.

Pretty vague, eh? Individual IP addresses themselves are equally vague to all those cybersecurity professionals out there trying hard day-in, day-out to use their SIEM to detect, identify, and respond to cyber threats.


What they need is a way to make all those IPs have meaning. A method of determining instantly whether each IP is worthy of a closer look to see if it’s a potential cybercrime threat they can head off before it’s too late.

Enter our Musubu API apps and plugins for leading SIEMs like Splunk.

Musubu IP Threat Intelligence App for Splunk SIEM

This past week here at Musubu, we launched our first version of “Musubu IP Threat Data for Splunk” in the form of a Splunk app and add-on. The new app lets you quickly benefit from our powerful and focused IP and network threat intelligence scoring complete with vital details for any IP address in your SIEM.

Simply head to Splunkbase, find our app under the “Security, Fraud, and Compliance” category of 3rd party extensions and either download and install it or install it directly into your Splunk Cloud instance.

From there, head over to our Musubu 3rd Party Integrations page and buy our monthly API access plan for your “Musubu IP Threat Data for Splunk” app. Once you receive your API key from Musubu Support, head back over to your Splunk instance and add your key to the Musubu app Configuration tab.


Once installed, you can either enter one or more data inputs to see our threat profile by mousing over any IP address in the data or you can query our API endpoint directly right from Splunk with any IP address for which you’d like to do threat profiling.


Musubu’s data per IP allows SIEM operators to instantly see detailed and actionable threat data, such as:

  • The level and severity of cyber threat per IP
  • The types of threats associated with each IP
  • The total volume of cyber threats per IP
  • Other risky IPs in the same subnet
  • The network IPs belong to and what type of network

The data fields for version 1.0 are as follows:

Threat Score – Numeric threat score between 0 and 100. The score is calculated from “blacklist class”, “blacklist neighbors”, the number of recent observations, and the country of origin.

Threat Classification – Classification derived from “threat potential score pct”:

  • High – Threat score >70
  • Medium – Threat score >40 but <70
  • Low – Any unlisted IP with a threat score <20
  • Nuisance – Threat score <40

Blacklist Class – Field classifying the specific threat vector that has been identified. Contains one of the following values: apache, blacklisted, botnet, botnetcnc, brute force, compromised, ftp, http, imap, mail, malware, phishing, ransomware, shunned, sips, ssh, TOR, worm, or zeus.

Blacklist Count – Field providing the number of sources which have identified the address as malicious.

Blacklist Network Neighbors – Field providing the number of addresses present on the same subnet which have been identified as malicious.

Blacklist Observations – Field providing the number of observations (of this IP) in the last 90 days.
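As an added example (not code from the Musubu app or this post), here is how a SIEM operator could apply the version 1.0 fields and the classification thresholds listed above to raw web access-log lines. The threat records, the log lines, and the handling of scores that sit exactly on a threshold are constructed assumptions.

```python
import re

# Constructed sample of the version 1.0 fields described above (values invented for illustration).
THREAT_RECORDS = {
    "198.51.100.23": {"threat_score": 85, "blacklist_class": "botnetcnc", "blacklist_count": 4,
                      "blacklist_network_neighbors": 12, "blacklist_observations": 37},
    "203.0.113.9": {"threat_score": 55, "blacklist_class": "ssh", "blacklist_count": 1,
                    "blacklist_network_neighbors": 0, "blacklist_observations": 3},
    "192.0.2.77": {"threat_score": 30, "blacklist_class": "shunned", "blacklist_count": 1,
                   "blacklist_network_neighbors": 0, "blacklist_observations": 1},
}

# Constructed web access log lines in common log format; 10.0.0.5 has no threat record.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Oct/2019:13:55:36 +0000] "GET /login HTTP/1.1" 200 512',
    '192.0.2.77 - - [10/Oct/2019:13:55:40 +0000] "GET /robots.txt HTTP/1.1" 404 0',
    '203.0.113.9 - - [10/Oct/2019:13:56:02 +0000] "POST /login HTTP/1.1" 401 88',
    '198.51.100.23 - - [10/Oct/2019:13:56:10 +0000] "GET /admin HTTP/1.1" 403 120',
]
LOG_RE = re.compile(r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3})')

def classify(score, listed):
    """Threat Classification from the thresholds stated for version 1.0. The post does not
    say where a score of exactly 40 or 70 falls; placing it in the lower band is an assumption."""
    if not listed and score < 20:
        return "Low"
    if score > 70:
        return "High"
    if score > 40:
        return "Medium"
    return "Nuisance"

def enrich(line):
    """Attach the threat fields and a classification to one parsed log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip = m.group("ip")
    rec = THREAT_RECORDS.get(ip)
    listed = rec is not None
    score = rec["threat_score"] if listed else 0  # unlisted IPs carry no score
    event = {"ip": ip, "status": m.group("status"), "listed": listed,
             "threat_score": score, "threat_class": classify(score, listed)}
    if listed:
        event.update(rec)
    return event

def triage(lines):
    """Enrich every line and order High first so the analyst sees the worst IPs at the top."""
    order = {"High": 0, "Medium": 1, "Nuisance": 2, "Low": 3}
    events = [e for e in map(enrich, lines) if e]
    return sorted(events, key=lambda e: (order[e["threat_class"]], -e["threat_score"]))
```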

By using the Musubu IP Threat Data for Splunk app in your SIEM, you gain immediate speed, efficiency, and insight. Typically, most SIEM operators must proceed through half a dozen steps or more for each and every IP they want to research as potentially malicious. With our app, you can cut that process down to one tenth of the time – and make critical cyber incident response or mitigation decisions much faster.

Stop wasting time and staring at meaningless IPs in your SIEM. Give those addresses some context and keep your entire enterprise safer with one simple Splunk application.

Try it out today! Want a free 7-day trial API key to use with our Splunk App? Just email support@musubu.io and ask for one.


More Resources for You

Intro to Splunk – https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html

Using Splunk as an Analytics-Driven SIEM – https://www.splunk.com/en_us/solutions/solution-areas/security-and-fraud/siem-security-information-and-event-management.html

Splunk for Incident Detection and Response – https://www.splunk.com/en_us/cyber-security/security-analysis-response.html

Don’t Have a SIEM?

SIEM tools are EXPENSIVE. Head over to https://musubu.io/musubuapp and use our full-featured IP & Network Threat Intelligence Portal to identify, monitor, and act on network threats to your app, sites, and networks. Starting at only $9/month, it’s a tool that pays for itself within minutes of use!


About the Author

Jason Polancich

Jason Polancich is app designer and digital marketing lead for Musubu.io. Polancich is a linguist, software engineer, data scientist, intelligence analyst, and real estate broker and investor with his wife and business partner Rebekah. He's also the founder and lead architect of VandalsSmile, a data-driven, small business marketing and lead generation network making big data work practically and usefully for owners. Polancich also originally created HackSurfer/SurfWatch Labs (Pre-VC), a cyber analytics firm founded in 2013 that provided highly accurate, timely and actionable information to businesses regarding the cybercrime threats they face. Polancich is a serial entrepreneur focused on solving complex internet commerce, data analysis, and cyber-defense problems. Novii Design, a company he co-founded in 2005 with Rebekah Lewis-Polancich, was based on his contributions to cloud architectures, distributed computing, data analysis and systems integration. The company assisted the U.S. Intelligence Community and Department of Defense in building some of the largest data warehouse and analysis systems ever put into operation within the government and defense contracting sectors. Novii Design was sold to Six3/CACI in 2010. Polancich is also a service-disabled veteran of the U.S. Army. Amazon Author Profile.
