+
Integrating AbuseIPDB with Splunk©
Integrating AbuseIPDB with Splunk©
*NEW* The AbuseIPDB Splunk App has been recently updated. The new release is compatible with Splunk© Enterprise versions 8+ and Splunk© Cloud. The following documentation and setup tutorial is intended for the newest version of the app.
AbuseIPDB provides free and premium APIs for reporting and checking IP addresses. Every day webmasters, system administrators, and other IT professionals use our API to report thousands of IP addresses engaging spamming, hacking, vulnerability scanning, and other malicious activity in real time.
Splunk© is the world’s first Data-to-Everything Platform. Now organizations no longer need to worry about where their data is coming from, and they are free to focus on the business outcomes that data can deliver. Innovators in IT, Security, IoT and business operations can now get a complete view of their business in real time, turn data into business outcomes, and embrace technologies that prepare them for a data-driven future.
In this tutorial, we'll go over the basics of AbuseIPDB's integration with Splunk.
Integration
The AbuseIPDB App integrates with the following AbuseIPDB APIv2 endpoints:
- check
- report
- reports
- blacklist
- check-block
Pre-Requisites - Before You Start This Tutorial
Create an AbuseIPDB API v2 key
Before starting this tutorial, we assume that you have an account registered with AbuseIPDB, and have verified your domain and created an API v2 key. The API is free to use, but you do need to create an account first.
Download and set up Splunk©
Visit the Splunk© download page and select your Operating System for the proper download link.
Ensure that Splunk© Web is up and running
For information on starting Splunk© for the first time and launching Splunk© Web, visit their Documentation.
Install the app
- Once you are on Splunk© Web, navigate to Apps > Manage Apps.
- Click "Browse more apps"
- Search for the AbuseIPDB App, our official integration
- Click Install
App Setup
As of AbuseIPDB App V2.0.0, you will no longer put your API Key directly into a file. Instead, you now have to input
your key on the app's setup page.
To input your key and fully set up the app, you must open the app in your Splunk GUI,
at which point you will encounter the setup page and enter your key. Once your key is entered, you are ready to use the app.
If you wish to change the API Key you have saved, please see the AbuseIPDB App Setup tab and go through the process again.
Usage
Once the App is set up, you can use the following commands in the Splunk© search bar:
- abuseipdbcheck - Check an IP address against our database
- abuseipdbreport - Report an IP address
- abuseipdbreports - Get a list of reports for an IP address
- abuseipdbblacklist - Get a list of blacklisted IP addresses
- abuseipdbcheckblock - Check a block of IP addresses
You can also configure the app to download and keep-up-to-date a local copy of our blacklist inside a Splunk KV store. Further details, including in-depth tutorials and usage guides, can be found in the in-app documentation.
Splunk, Splunk>, Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. © 2005-2020 Splunk Inc. All rights reserved.
Thanks for supporting AbuseIPDB! Do you have any feedback or suggestions about this tutorial? Please let us know!