API Integrations

Splunk

Machine Data Platform
Freemium, Enterprise-supported

Overview

Splunk is a software platform used to search, analyze, and visualize big data collected from websites, applications, sensors, devices, and more.

Splunk, which can be integrated with the Criminal IP API, is an automated data platform that allows access to and analysis of a larger amount of data simultaneously. By utilizing Splunk, visualized data in the form of graphs, reports, alerts, and dashboards can help solve various business problems.

About Integrated API: Criminal IP Search

The Splunk Criminal IP Search app enables Splunk users to query and retrieve real-time IP address threat intelligence data from Criminal IP directly within the Splunk platform.

The Criminal IP Search App in Splunk enables users to view statistics on malicious IP addresses found within log data.


The Criminal IP Search App in Splunk allows users to analyze threat intelligence for specific IP addresses.

The Criminal IP Search app integrates with Splunk Search, allowing users to query Criminal IP data for specific IP addresses. It also enables retrieval of detailed analysis reports from Criminal IP on IPs identified in logs ingested into Splunk. This app utilizes the /asset/ip/report/summary endpoint of the Criminal IP API and detects IP types such as Mobile/Snort/VPN/Tor/Scanner/Hosting/Proxy.

Instructions

How to Install the Criminal IP Search App for Splunk

  1. Download and install the Criminal IP Search App from Splunkbase.
  2. Restart Splunk.
  3. Visit https://www.criminalip.io to sign up and generate an API key.
  4. Input your Criminal IP API Key on the Setup Page.
  5. Access the Criminal IP Search App and use the criminalip command.
* Note: When querying a large number of IPs, API calls are made in real-time, which may affect response times. For optimal performance, we recommend querying up to 300 IPs at a time.

Sample Commands:

  • Single IP lookup: criminalip ip_address="1.1.1.1"
  • Batch IP lookup: eval ip_address=dst_ip |criminalip
  • Filter specific fields: eval ip_address=dst_ip |criminalip |table ip_address,outbound_score,issue,proxy,scanner

About Integrated API: Criminal IP FDS

The Criminal IP FDS app for Splunk integrates Criminal IP's IP address threat intelligence into Splunk dashboards to detect malicious users. With Criminal IP FDS in Splunk, the presence of fraudulent activity around login, registration, money transfer, item payment, and account takeover can be assessed from the IP addresses involved and visualized accordingly. The Criminal IP API's /asset/ip/report endpoint is used to detect mobile IPs, malicious IPs, VPN IPs, Tor IPs, scanners, hosting IPs, and proxy IPs. An example of the API result:

  $ curl --location --request GET "https://api.criminalip.io/v1/ip/data?ip=1.1.1.1&full=true" --header "x-api-key: <YOUR_API_KEY>"
  {
    "ip": "1.1.1.1",
    "tags": {
      "is_vpn": false,
      "is_cloud": false,
      "is_tor": false,
      "is_proxy": false,
      "is_hosting": true,
      "is_mobile": false,
      "is_darkweb": false,
      "is_scanner": false,
      "is_snort": true
    },
    "score": {
      "inbound": 5,
      "outbound": 3
    },
    ...
  }

Instructions

  1. Install Criminal IP FDS in Splunkbase.
  2. When you get a notification to restart, restart Splunk.
  3. Create the 'idx_cip_fds' index.
  4. Go to https://criminalip.io/, sign in, and create an API Key.
  5. Use the Criminal IP API to generate log files in JSON format, for example:
     {"datetime": "2022-09-28 13:46:34", "ip_score": "Moderate", "IP": "223.38.40.211", "country": "Korea", "as_name": "SK Telecom", "mobile": true, "tag_category": "mobile, vpn", "ip_category": "ddos (Medium), tor"}
     Learn more: Criminal IP FDS Usage Guide.pdf
     GitHub repository: https://github.com/criminalip/CIP-FDS
  6. Check Criminal IP FDS in the dashboard.
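As an added illustration of step 5 (this is not code from Criminal IP or the FDS app), the Python below turns a /v1/ip/data response shaped like the curl output above into an idx_cip_fds log record in the format shown. The score-to-label mapping and the use of the worse of the two scores are assumptions; country, as_name and ip_category are left out because they come from parts of the response the excerpt does not show.

```python
import json
from datetime import datetime

API_URL = "https://api.criminalip.io/v1/ip/data"

# Assumed mapping from the 1-5 score to the ip_score label used in the
# FDS log record (the page only shows the value "Moderate").
SCORE_LABELS = {1: "Safe", 2: "Low", 3: "Moderate", 4: "Dangerous", 5: "Critical"}

def build_request(ip, api_key, full=True):
    """Return the URL and headers for the lookup shown in the curl example."""
    url = f"{API_URL}?ip={ip}&full={'true' if full else 'false'}"
    return url, {"x-api-key": api_key}

def parse_response(body):
    """Parse the API JSON and check that the fields the FDS record needs exist."""
    data = json.loads(body)
    for key in ("ip", "tags", "score"):
        if key not in data:
            raise ValueError(f"response is missing '{key}'")
    return data

def to_fds_record(data, when):
    """Build one idx_cip_fds log record from a parsed /v1/ip/data response."""
    tags = data["tags"]
    # "is_hosting": true -> "hosting"; joined in response order, like "mobile, vpn"
    active = [name[3:] for name, flag in tags.items() if flag is True]
    # Assumed: the record's single ip_score reflects the worse of the two scores.
    worst = max(int(data["score"]["inbound"]), int(data["score"]["outbound"]))
    return {
        "datetime": when.strftime("%Y-%m-%d %H:%M:%S"),
        "ip_score": SCORE_LABELS.get(worst, "Unknown"),
        "IP": data["ip"],
        "mobile": bool(tags.get("is_mobile", False)),
        "tag_category": ", ".join(active),
    }

# Constructed sample shaped like the curl output above (not a live lookup).
SAMPLE_BODY = json.dumps({
    "ip": "1.1.1.1",
    "tags": {"is_vpn": False, "is_cloud": False, "is_tor": False,
             "is_proxy": False, "is_hosting": True, "is_mobile": False,
             "is_darkweb": False, "is_scanner": False, "is_snort": True},
    "score": {"inbound": 5, "outbound": 3},
})
SAMPLE_TIME = datetime(2022, 9, 28, 13, 46, 34)

if __name__ == "__main__":
    record = to_fds_record(parse_response(SAMPLE_BODY), SAMPLE_TIME)
    print(json.dumps(record))  # one JSON line to append to the FDS log file
```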