For most Security Information and Event Management (SIEM) operators, their days are literally filled with IP addresses. So filled, in fact, the IPs begin to fade into the background of all that other machine data from all those API, website, network, and application access logs they’re continuously ingesting into their SIEMs.
And that means major cyber threats go undetected – sometimes even for years.
Why? Well, even when operators do see all those IP addresses, they’re just numbers. As the dictionary defines it:
- a unique string of numbers separated by periods that identifies each computer using the Internet Protocol to communicate over a network.
Pretty vague, eh? Individual IP addresses themselves are equally vague to all those cybersecurity professionals out there trying hard day-in, day-out to use their SIEM to detect, identify, and respond to cyber threats.
What they need is a way to make all those IPs have meaning. A method of determining instantly whether each IP is worthy of a closer look to see if it’s a potential cybercrime threat they can head off before it’s too late.
Enter our Musubu API apps and plugins for leading SIEMs like Splunk.
Musubu IP Threat Intelligence App for Splunk SIEM
This past week here at Musubu, we launched our first version of “Musubu IP Threat Data for Splunk” in the form of a Splunk app and add-on. The new app lets you quickly benefit from our powerful and focused IP and network threat intelligence scoring complete with vital details for any IP address in your SIEM.
Simply head to Splunkbase, find our app under the “Security, Fraud, and Compliance” category of 3rd party extensions, and either download and install it manually or install it directly into your Splunk Cloud instance. From there, head over to our Musubu 3rd Party Integrations page and buy our monthly API access plan for your “Musubu IP Threat Data for Splunk” app. Once you receive your API key from Musubu Support, head back over to your Splunk instance and add your key to the Musubu app Configuration tab.
Once installed, you can either enter one or more data inputs to see our threat profile by mousing over any IP address in the data or you can query our API endpoint directly right from Splunk with any IP address for which you’d like to do threat profiling.
Musubu’s data per IP allows SIEM operators to instantly see detailed and actionable threat data, such as:
- The level and severity of cyber threat per IP
- The types of threats associated with each IP
- The total volume of cyber threats per IP
- Other risky IPs in the same subnet
- The network IPs belong to and what type of network
The data fields for version 1.0 are as follows:
- Threat Score – Numeric threat score between 0 and 100. The score is calculated using “blacklist class”, “blacklist neighbors”, the number of recent observations, and the country of origin.
- Threat Classification – Classification derived from “threat potential score pct”:
  - High – Threat score >70
  - Medium – Threat score >40 but <70
  - Low – Any unlisted IP with a threat score <20
  - Nuisance – Threat score <40
- Blacklist Class – Field classifying the specific threat vector that has been identified. Contains one of the following values: apache, blacklisted, botnet, botnetcnc, brute force, compromised, ftp, http, imap, mail, malware, phishing, ransomware, shunned, sips, ssh, TOR, worm, or zeus.
- Blacklist Count – Field providing the number of sources which have identified the address as malicious.
- Blacklist Network Neighbors – Field providing the number of addresses present on the same subnet which have been identified as malicious.
- Blacklist Observations – Field providing the number of observations (of this IP) in the last 90 days.
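As an added illustration (not code from the Musubu app or API), here is a small Python triage routine that applies the classification bands above to constructed threat records and constructed log lines; it assumes the version 1.0 field names map to JSON keys such as `threat_score` and `blacklist_network_neighbors`, which is an assumption, and it treats the boundary scores 40 and 70, which the bands above do not cover, as the lower band.

```python
import re

# Constructed Musubu-style records keyed by IP, using the post's version 1.0 field names
# (the real API's JSON keys are an assumption here). None means the IP is unlisted.
SAMPLE_THREAT_DATA = {
    "203.0.113.7": {"threat_score": 85, "blacklist_class": "botnetcnc", "blacklist_network_neighbors": 12},
    "198.51.100.23": {"threat_score": 55, "blacklist_class": "brute force", "blacklist_network_neighbors": 1},
    "192.0.2.1": None,
}
# Constructed log lines of the kind a SIEM ingests (an sshd auth line and two nginx access lines).
SAMPLE_LOGS = [
    "sshd[814]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    '198.51.100.23 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 512',
    '192.0.2.1 - - [01/Jan/2024:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 1024',
]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def extract_ip(line):
    """Return the first IPv4 literal in a log line, or None if there is none."""
    match = IPV4_RE.search(line)
    return match.group(0) if match else None

def classify(score, listed):
    """Apply the post's bands: High >70; Medium >40 and <70; Low = unlisted and <20;
    Nuisance = other scores <40. Exactly 40 or 70 fall between the published bands,
    so this example assigns them to the lower band (an assumption)."""
    if score > 70:
        return "High"
    if score > 40:
        return "Medium"
    if not listed and score < 20:
        return "Low"
    return "Nuisance"

def enrich(ip, threat_data=SAMPLE_THREAT_DATA):
    """Attach the threat record and derived classification to one IP (unlisted -> score 0, Low)."""
    record = threat_data.get(ip) or {}
    listed = bool(record)
    score = record.get("threat_score", 0)
    return {"ip": ip, "score": score, "classification": classify(score, listed),
            "blacklist_class": record.get("blacklist_class"),
            "neighbors": record.get("blacklist_network_neighbors", 0)}

def triage(lines, threat_data=SAMPLE_THREAT_DATA):
    """Return enriched entries for lines whose source IP deserves a closer look:
    High, or Medium with other risky addresses in the same subnet (an assumed rule)."""
    infos = [enrich(ip, threat_data) for ip in map(extract_ip, lines) if ip]
    return [i for i in infos
            if i["classification"] == "High" or (i["classification"] == "Medium" and i["neighbors"] > 0)]
```

Running `triage(SAMPLE_LOGS)` flags the botnet C2 address and the brute-force address (the latter because it is Medium with a risky subnet neighbour) and leaves the unlisted address alone.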
By using the Musubu IP Threat Data for Splunk app in your SIEM, you gain immediate speed, efficiency, and insight. Typically, most SIEM operators must proceed through half a dozen steps or more for each and every IP they want to research as potentially malicious. With our app, you can cut that process down to 1/10th of the time – and make critical cyber incident response or mitigation decisions much faster.
Stop wasting time and staring at meaningless IPs in your SIEM. Give those addresses some context and keep your entire enterprise safer with one simple Splunk application.
Try it out today! Want a free 7-day trial API key to use with our Splunk App? Just email email@example.com and ask for one.
More Resources for You
Intro to Splunk – https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html
Using Splunk as an Analytics-Driven SIEM – https://www.splunk.com/en_us/solutions/solution-areas/security-and-fraud/siem-security-information-and-event-management.html
Splunk for Incident Detection and Response – https://www.splunk.com/en_us/cyber-security/security-analysis-response.html
Don’t Have a SIEM?
SIEM tools are EXPENSIVE. Head over to https://musubu.io/musubuapp and use our full-featured IP & Network Threat Intelligence Portal to identify, monitor, and act on network threats to your app, sites, and networks. Starting at only $9/month, it’s a tool that pays for itself within minutes of use!