AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet.

Correlated events in Sentinel can be reported to AbuseIPDB automatically by running the following script from an Execute a Command action.

Because of Bug #944428 (you will need to log in to see this bug), this requires the Execute a Command action at version 2011.1r2 or later.

#!/bin/bash
#
# Report a Sentinel correlated event to the AbuseIPDB APIv1 report endpoint.
# Arguments use the -x=VALUE form because that is how the Execute Action
# passes them through. bash (not sh) is required for [[ ]] and arrays.
#

ABUSIPDB_URL="https://www.abuseipdb.com/report/json"

#
# Function to display pretty usage details
#
usageDisplay()
{
    echo -e "\n"
    echo -e "Usage: $0 -k=TEXT -c=TEXT -m=TEXT -i=TEXT -t=TEXT\n"
    echo -e "Mandatory arguments to long options are mandatory for short options too."
    echo -e "\n"
    echo -e "  -k, --key=TEXT                AbuseIPDB API Key"
    echo -e "  -c, --category=TEXT           Comma delimited list of Categories"
    echo -e "  -m, --message=TEXT            The message to go with Report"
    echo -e "  -i, --ip=TEXT                 IP Address to Report"
    echo -e "  -t, --time=TEXT               Event Time Epoch (milliseconds)"
    echo -e "\n"
    echo -e "  -?, --help                    display this help and exit"
    echo -e "\n"
}

#
# Process parsed parameters and set variables.
# No shift is needed: "$@" is expanded once before the loop starts.
#
for i in "$@"
do
    case "$i" in
        -\?|--help)
            usageDisplay
            exit 1
        ;;
        -k=*|--key=*)
            AIPDB_K="${i#*=}"
        ;;
        -c=*|--category=*)
            AIPDB_C="${i#*=}"
        ;;
        -m=*|--message=*)
            AIPDB_M="${i#*=}"
        ;;
        -i=*|--ip=*)
            AIPDB_I="${i#*=}"
        ;;
        -t=*|--time=*)
            AIPDB_T="${i#*=}"
        ;;
        *)
        ;;
    esac
done

#
# Check for required parameters
#
if [ -z "${AIPDB_K}" ] || [ -z "${AIPDB_C}" ] || [ -z "${AIPDB_M}" ] || [ -z "${AIPDB_I}" ]
then
    usageDisplay
    exit 2
fi

#
# Validate the values that come straight out of the event before they reach
# curl: the IP may only contain address characters, the categories must be a
# comma separated list of numbers, and the time (if given) a whole number of
# milliseconds. An empty or non-numeric -t= would otherwise break the
# arithmetic below.
#
if ! [[ "${AIPDB_I}" =~ ^[0-9A-Fa-f.:]+$ ]]
then
    echo "Invalid IP address: ${AIPDB_I}" >&2
    exit 3
fi
if ! [[ "${AIPDB_C}" =~ ^[0-9]+(,[0-9]+)*$ ]]
then
    echo "Invalid category list: ${AIPDB_C}" >&2
    exit 3
fi
if [ -n "${AIPDB_T}" ] && ! [[ "${AIPDB_T}" =~ ^[0-9]+$ ]]
then
    echo "Invalid event time: ${AIPDB_T}" >&2
    exit 3
fi

#
# Build the comment. Sentinel forwards EventTime as a millisecond epoch, so
# convert it to seconds and prepend a human readable timestamp (GNU date).
#
if [ -n "${AIPDB_T}" ]
then
    AIPDB_T=$((AIPDB_T / 1000))
    AIPDB_COMMENT="EventTime:$(date -d "@${AIPDB_T}"),${AIPDB_M}"
else
    AIPDB_COMMENT="${AIPDB_M}"
fi

#
# Hand each form field to curl as its own argument. Building an argument
# array and using --data-urlencode instead of eval means quotes, $, & or ;
# inside event fields can neither be interpreted by the shell nor split the
# form body; curl joins the fields with & itself.
#
ABUSEIPDB_COMMAND=(curl -XPOST --user-agent "Mozilla/5.0"
    -H "Accept: application/json;" -H "Accept-language: en-AU,en;"
    --data-urlencode "key=${AIPDB_K}"
    --data-urlencode "category=${AIPDB_C}"
    --data-urlencode "comment=${AIPDB_COMMENT}"
    --data-urlencode "ip=${AIPDB_I}"
    "${ABUSIPDB_URL}")

"${ABUSEIPDB_COMMAND[@]}"
exit $?

To configure the Action, you will need to set some arguments:

  • Command: /path/to/AbuseIPDB.sh
  • Arguments: -k=APIKEY -c=7,14,15,20 -i=$SourceIP$ -m="Protocol:$Protocol$,VendorEventCode:$VendorEventCode$,TargetPort:$TargetPort$,SourceIP:$SourceIP$,SourcePort:$SourcePort$" -t=$EventTime$

-k= is the APIv1 Key from AbuseIPDB.

-c= is a comma delimited list of AbuseIPDB categories.

-m= is the message to be logged with the report.

-i= is the Source IP of the exploited host.

-t= is the Event Time. Sentinel Correlation forwards this as a millisecond epoch; the script converts it to a human readable timestamp and prepends it to the message.
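An added pre-flight check, written for this page and not part of the script above or of AbuseIPDB: it parses the same -k=/-c=/-m=/-i=/-t= arguments, converts the millisecond EventTime the way the script does, and refuses to build a report for internal or special-purpose source addresses, which a correlation rule can easily match but which are useless (and revealing) to report. The sample argument values, including the key EXAMPLEKEY, are constructed.

```python
import ipaddress
from datetime import datetime, timezone

# Ranges that can never be an Internet-side source: RFC 1918, CGNAT, loopback, link-local, multicast, reserved.
NON_REPORTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]

FLAGS = {"-k": "key", "--key": "key", "-c": "category", "--category": "category",
         "-m": "comment", "--message": "comment", "-i": "ip", "--ip": "ip",
         "-t": "time", "--time": "time"}

def parse_action_args(argv):
    # Same -x=VALUE style the Execute Action passes; split on the first '=' only.
    parsed = {}
    for arg in argv:
        flag, sep, value = arg.partition("=")
        if sep and flag in FLAGS:
            parsed[FLAGS[flag]] = value
    return parsed

def validate_ip(value):
    """Accept only a syntactically valid address outside NON_REPORTABLE."""
    addr = ipaddress.ip_address(value)          # ValueError on anything that is not an address
    if any(addr in net for net in NON_REPORTABLE):
        raise ValueError(f"{value} is an internal or special-purpose address; not reporting it")
    return str(addr)

def validate_categories(value):
    cats = [int(c) for c in value.split(",") if c.strip()]   # ValueError on non-numeric entries
    if not cats:
        raise ValueError("at least one category is required")
    return ",".join(str(c) for c in cats)

def event_time(ms_epoch):
    # Sentinel forwards EventTime as a millisecond epoch; integer-divide like the script, render in UTC.
    secs = int(ms_epoch) // 1000
    return datetime.fromtimestamp(secs, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def build_report(argv):
    """Return the form fields the script posts, or raise ValueError if the event should not be reported."""
    args = parse_action_args(argv)
    for req in ("key", "category", "comment", "ip"):
        if not args.get(req):
            raise ValueError(f"missing required argument: {req}")
    comment = args["comment"]
    if args.get("time"):
        comment = f"EventTime:{event_time(args['time'])},{comment}"
    return {"key": args["key"], "category": validate_categories(args["category"]),
            "comment": comment, "ip": validate_ip(args["ip"])}
```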

ScorpionSting, Aug 10, 2018, 4:24 pm