This app allows you to enrich your IP data with real-time threat information. Currently it queries the Project Honey Pot http:BL database via DNS blacklist (DNSBL) requests.
Make sure to obtain an http:BL Authorization Key from http://www.projecthoneypot.org/httpbl_configure.php
Added new return fields to the lookup so that it gives back more data to Splunk: days_since_last_activity and the visitor type are now available as fields.
Version 1.0: Updated to be CIM compliant and to use the new Simple XML features of Splunk 6.2
Modified the Critical Network Analyzer and Threat Map dashboards to be CIM compliant (tag=network tag=communication)
Added form inputs to both dashboards to filter data, including default values
Added "How it Works" HTML panels with descriptions
Added a new bubble chart visualization to the Critical Network Traffic Analyzer for multi-dimensional risk investigation
Fixed an issue with a wrong threat score for search engine IPs
App cleanup to make it more stable:
* Removed the automatic lookup within the IP Reputation App to avoid too many lookups
* Removed the Report Acceleration for several reports
* Changed several objects from Global to App only sharing
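The http:BL lookup behind the fields mentioned above (days_since_last_activity, visitor type, threat score) encodes everything in a single DNS answer of the form 127.<days>.<threat>.<type>, and the "wrong threat score for search engine IPs" fix corresponds to one edge case of that encoding: for visitor type 0 (search engine) the third octet is a search-engine identifier, not a threat score. The following Python is an added example, not the app's own lookup script: it builds the query name, decodes an answer into the same kind of fields the lookup returns, and enriches a few rows. The access key EXAMPLEKEY, the sample IPs, the sample answers and the function names are constructed for illustration; only the query layout, the octet meanings and the type bit flags (1 = suspicious, 2 = harvester, 4 = comment spammer) come from the public http:BL API.

```python
"""Decode Project Honey Pot http:BL answers into enrichment fields.

Added example, not the app's lookup script. Query layout and answer encoding
follow the public http:BL API; the key, IPs and answers below are constructed.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

HTTPBL_ZONE = "dnsbl.httpbl.org"

# Visitor-type bit flags from the http:BL API; a type of 0 means "search engine".
TYPE_FLAGS = {1: "suspicious", 2: "harvester", 4: "comment_spammer"}


def build_query(access_key: str, ip: str) -> str:
    """Return the name to resolve: <key>.<reversed IPv4 octets>.dnsbl.httpbl.org."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on non-IPv4 input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{access_key}.{reversed_octets}.{HTTPBL_ZONE}"


def decode_response(answer: Optional[str]) -> Dict[str, object]:
    """Map a 127.x.y.z answer (or None for NXDOMAIN = not listed) to fields.

    For visitor type 0 (search engine) the third octet is the search-engine
    identifier, so the threat score is reported as 0 instead of that octet.
    """
    fields: Dict[str, object] = {"threat_score": 0, "days_since_last_activity": None,
                                 "visitor_type": "unlisted", "search_engine_id": None}
    if answer is None:
        return fields
    octets = [int(o) for o in answer.split(".")]
    if len(octets) != 4 or octets[0] != 127:
        raise ValueError(f"not an http:BL answer: {answer}")
    _, days, third, vtype = octets
    fields["days_since_last_activity"] = days
    if vtype == 0:
        fields["visitor_type"] = "search_engine"
        fields["search_engine_id"] = third
        return fields
    fields["threat_score"] = third
    names = [name for bit, name in TYPE_FLAGS.items() if vtype & bit]
    fields["visitor_type"] = "|".join(names) if names else f"unknown({vtype})"
    return fields


def lookup(access_key: str, ip: str) -> Dict[str, object]:
    """Live query (needs network); a resolution failure means the IP is not listed."""
    try:
        answer = socket.gethostbyname(build_query(access_key, ip))
    except socket.gaierror:
        answer = None
    return decode_response(answer)


# Constructed answers so the example runs offline (not real data).
SAMPLE_ANSWERS = {
    build_query("EXAMPLEKEY", "203.0.113.5"): "127.3.45.6",   # harvester + comment spammer
    build_query("EXAMPLEKEY", "198.51.100.7"): "127.0.5.0",   # search engine, id 5
}


def enrich(rows: List[Dict[str, object]],
           resolver: Optional[Callable[[str], Optional[str]]] = None,
           access_key: str = "EXAMPLEKEY") -> List[Dict[str, object]]:
    """Add the decoded fields to every row that carries a 'clientip' field."""
    resolve = resolver or SAMPLE_ANSWERS.get
    return [{**row, **decode_response(resolve(build_query(access_key, str(row["clientip"]))))}
            for row in rows]


if __name__ == "__main__":
    for r in enrich([{"clientip": "203.0.113.5"}, {"clientip": "198.51.100.7"},
                     {"clientip": "192.0.2.1"}]):
        print(r)
```

Pass `resolver=lambda name: socket.gethostbyname(name)` (wrapped to return None on socket.gaierror) and your real key to run the same enrichment against the live zone; the decoding logic does not change.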
Updated the Threat Map to support Splunk version 6 native maps and the iplocation command, as well as pie charts on the map split by fields. Additionally added some form inputs so users better understand how to use the app, what is running behind the scenes and which search is executed, and can customize it on the fly to change field names or filter down the events to look up.
Updated the icons and graphics to be compatible with Splunk version 6, including bar images
* Created new dashboard: Critical Network Traffic Analyzer.
Displays bad network communication from the last 60 minutes and is designed for firewall logs. The dashboard is written in Simple XML to allow easy editing and customization in case some field names need to be corrected. It displays data that has the event type "check_ip".
* Based on community feedback, disabled the scheduled searches for the KPI dashboard to avoid any performance impact if the dashboard is not used.
* Compatible with version 6.0; new dashboards, integrated map + form, icons etc. will follow in the next version.
* Fixed default permissions to allow using the enrichment with ... " |lookup threatscore clientip" within the default Search app and other apps, too.
* Improved the navigation bar
* Added an info page within the app
* Disabled the text output for the lookups in the lookup script
If you want to activate it again, remove the comments in the script at lines 35, 89, 90 and 137.
* Moved all config files etc. to the default config to make sure further updates do not overwrite local user configurations