xThreatBook v1.0.234

Threatinfo Command

Description

This command fetches threat information from XThreatBook by API based on the IPs or URLs provided by the user.

Syntax

threatinfo threat_url=<fieldname> query_type=(scene_ip_reputation, ip_query, domain_query, scene_dns, ip_adv_query, domain_adv_query, domain_sub_domains, scene_domain_context)

Description

This command can fetch threat information from XThreatBook by API based on the IPs or URLs provided by the user.

• <query_type>: Optional, determines which type of XThreatBook API to use.
• <threat_url>: The "url" must be a field, and the result will be output into a field named "response".

Use SPL command "spath" to parse the result.

Example

.. | threatinfo threat_url=url

Example

Execute the following SPL command in the Splunk Search Head:

| makeresults
| eval url="159.203.93.255"
| threatinfo threat_url=url 

The "url" must be a field, and the result will be output into a field named "response". Then you can use SPL command "spath" to parse the result. This will add a field named "response" containing the XThreatBook API response. The field value will look like this:

{
    "data": {
        "159.203.93.255": {
            "severity": "low",
            "judgments": ["Zombie", "IDC", "Spam"],
            "tags_classes": [],
            "basic": {
                "carrier": "DigitalOcean, LLC",
                "location": {
                    "country": "United States",
                    "province": "New Jersey",
                    "city": "Clifton",
                    "lng": "-74.16366",
                    "lat": "40.858403",
                    "country_code": "US",
                },
            },
            "asn": {"rank": 4, "info": "DIGITALOCEAN-ASN, US", "number": 14061},
            "scene": "",
            "confidence_level": "low",
            "is_malicious": true,
            "update_time": "2020-10-29 16:47:43",
        }
    },
    "response_code": 0,
    "verbose_msg": "OK",
}