Splunk SIEM Users Can Now Gain Instant Insight into Threats Represented by IP Addresses Found in Their Indexed Machine Data.
Musubu, a leading provider of IP address and network data APIs and applications for cybersecurity professionals and businesses large and small, announced the general availability of its “Musubu IP Threat Data for Splunk” add-on application in Splunkbase, Splunk’s marketplace of partner and community extensions for its core SIEM platform.
“Our Splunk app gives vital threat context to SIEMs that are most often chock-full of thousands of ‘raw’ IP addresses that don’t lend themselves to any quick analysis by operators,” said Greg Hunter, co-founder of Musubu and partner manager. “With our IP threat scoring and classification right in Splunk where all those IPs live, users can now make triage decisions instantly to identify potentially harmful cyber events much faster.”
The Musubu add-on is easily configured for almost any version of Splunk’s product by downloading it right from Splunkbase and purchasing a highly-affordable Musubu API key. Once installed, users can simply mouseover IP addresses within a chosen data source to see the following information:
Threat Score – Numeric threat score between 0 and 100. The score is calculated using “blacklist class,” “blacklist neighbors,” the number of recent observations, and country of origin.
Threat Classification – Classification derived from “threat potential score pct”:
High – Threat score >70
Medium – Threat score >40 but <70
Low – Any IP unlisted with a threat score <20
Nuisance – Threat score <40
Blacklist Class – Field classifying the specific threat vector that has been identified. Contains one of the following values: apache, blacklisted, botnet, botnetcnc, brute force, compromised, ftp, http, imap, mail, malware, phishing, ransomware, shunned, sips, ssh, TOR, worm, or zeus.
Blacklist Count – Field providing the number of sources which have identified the address as malicious.
Blacklist Network Neighbors – Field providing the number of addresses present on the same subnet which have been identified as malicious.
Blacklist Observations – Field providing the number of observations (of this IP) in the last 90 days.
By using the Musubu IP Threat Data for Splunk app, users gain immediate speed, efficiency, and insight for daily cyber threat detection operations. Typically, most SIEM operators must proceed through half a dozen or more steps for each and every IP they want to research as potentially malicious. With Musubu’s app, users can cut that process down to 1/10th of the time – and make critical cyber incident response or mitigation decisions much faster.
“Any SIEM is instantly more useful to help head off cyber incidents when users can find ways to analyze the data more quickly and accurately to immediately see potential issues,” said Jason Polancich, co-founder of Musubu. “Our tool makes IP and network threats stand out in Splunk’s powerful platform.”
Musubu’s “Musubu IP Threat Data for Splunk” add-on can be downloaded directly from Splunkbase and activated in minutes with the purchase of a key from Musubu’s “Integrations” web page.