I have seen snippets, etc., on how to look up AbuseIPDB, but not end to end, so I thought I would write an article on how to do it.
With this setup, Graylog will query the AbuseIPDB API (the v2 "check" endpoint) for an IP address and attach its abuse confidence score to the message. You need an AbuseIPDB account and an API key, and the API only allows a fixed number of checks per day depending on your plan, so the cache settings below matter: every cache miss costs one API call against that daily quota. Treat the API key as a secret; it is stored in the data adapter configuration and sent in the "Key" header on every request.
First, create a Data Adapter of type HTTP JSONPath (System > Lookup Tables > Data Adapters). The ${key} placeholder in the URL is replaced with the value passed to the lookup (the IP address). The multi value path returns the whole "data" object as a map, which is what the pipeline rule below reads; the single value path is what lookup_value() would return if you only want one number:
Title: AbuseIPDB_Lookup
Name: AbuseIPDB_Lookup
Lookup URL: https://api.abuseipdb.com/api/v2/check?ipAddress=${key}
Single value JSONPath: $.data.totalReports
Multi value JSONPath: $.data
HTTP User-Agent: graylog_useragent
HTTP Headers:
Accept: application/json
Key: (your AbuseIPDB API key)
You then need to create a Cache (System > Lookup Tables > Caches). These settings are a matter of preference, balancing API calls against stale data: a longer "expire after access" saves quota but keeps an old score longer, while a short TTL for empty results makes sure a failed or rate-limited lookup is retried soon instead of being cached for hours:
Title: AbuseIPDB_Lookup
Name: abuseipdb_lookup
Maximum entries: 10000
Expire after access: 3 hours
TTL for empty results: 10 seconds
Create a Lookup Table (System > Lookup Tables) that ties the data adapter and the cache together:
Title: AbuseIPDB_Lookup
Name: AbuseIPDB_Lookup
Data adaptor: AbuseIPDB_Lookup
Cache: AbuseIPDB_Lookup
Now we have a lookup table to query. Next we need a pipeline rule that looks up the source IP of each message against AbuseIPDB and stores the score as a new field.
Create a new pipeline rule (System > Pipelines > Manage rules):
rule "AbuseIPDB Lookup"
when
    // only messages that carry the source IP field are looked up;
    // change src_IP to whatever field your extractor produces
    has_field("src_IP")
then
    // lookup() returns the multi value result ($.data) as a map.
    // The cache decides whether this actually calls the API.
    let abuseipdb = lookup("AbuseIPDB_Lookup", to_string($message.src_IP));
    // copy the score into its own field so it can be searched and alerted on
    set_field("abuseConfidenceScore", abuseipdb["abuseConfidenceScore"]);
end
Any other key of the "data" object (for example totalReports or isWhitelisted) can be copied the same way with a further set_field(). If the lookup returns nothing (unknown IP, quota exhausted, API error), the field is simply not set, so a missing abuseConfidenceScore field is worth watching for as a sign that the lookups are failing.
Now create your pipeline (System > Pipelines > Manage pipelines), add the rule to a stage, and connect the pipeline to the stream that carries the messages you want enriched.
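To reason about the quota trade-off before committing these settings, here is an added Python model of the chain configured above. It is example code added to this article, not part of the original post or of Graylog: it builds the same request the data adapter sends (URL, Accept, Key and User-Agent headers), extracts the same "$.data" and "$.data.totalReports" values, and reproduces the cache's expire-after-access and TTL-for-empty-results behaviour so you can see how many API calls a sequence of lookups costs. The sample responses are constructed (not captured from AbuseIPDB), the error shape assumes AbuseIPDB's "errors" array, and fetch_live, LookupCache and demo are names chosen for this example.

```python
"""Offline model of the Graylog AbuseIPDB lookup chain (added example)."""
import json
import urllib.error
import urllib.request
from typing import Callable, Optional

# Same URL template as the HTTP JSONPath data adapter; {key} is the looked-up IP.
CHECK_URL = "https://api.abuseipdb.com/api/v2/check?ipAddress={key}"

# Constructed sample responses in the shape of the v2 /check endpoint (not real data).
SAMPLE_REPORTED = json.dumps({"data": {
    "ipAddress": "198.51.100.23", "isPublic": True, "ipVersion": 4,
    "isWhitelisted": False, "abuseConfidenceScore": 100, "countryCode": "XX",
    "totalReports": 42, "numDistinctUsers": 7,
    "lastReportedAt": "2023-01-01T00:00:00+00:00"}})
SAMPLE_RATE_LIMITED = json.dumps({"errors": [
    {"detail": "Daily rate limit exceeded for this endpoint.", "status": 429}]})


def build_request(ip: str, api_key: str) -> tuple[str, dict]:
    """Same URL and headers as the data adapter settings in the article."""
    return CHECK_URL.format(key=ip), {
        "Accept": "application/json",
        "Key": api_key,
        "User-Agent": "graylog_useragent",
    }


def parse_check_response(body: str) -> Optional[dict]:
    """Equivalent of the multi-value JSONPath '$.data'.
    Returns None (an empty result) when the API answered with an 'errors' array,
    e.g. bad key, quota exhausted or a private IP address."""
    doc = json.loads(body)
    if "errors" in doc or not isinstance(doc.get("data"), dict):
        return None
    return doc["data"]


def single_value(data: Optional[dict]) -> Optional[int]:
    """Equivalent of the single-value JSONPath '$.data.totalReports'."""
    return None if data is None else data.get("totalReports")


def fetch_live(ip: str, api_key: str, timeout: int = 10) -> str:
    """Real call to AbuseIPDB (assumed helper, not used by the offline demo).
    4xx/5xx bodies are returned too so parse_check_response can see the errors array."""
    url, headers = build_request(ip, api_key)
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8")


class LookupCache:
    """Stand-in for the Graylog cache: expire-after-access for real results,
    a separate short TTL (from write) for empty results, bounded entry count."""

    def __init__(self, expire_after_access: float, empty_ttl: float, max_entries: int = 10000):
        self.expire_after_access = expire_after_access
        self.empty_ttl = empty_ttl
        self.max_entries = max_entries
        self._entries: dict = {}  # key -> (value or None, timestamp)

    def get(self, key: str, now: float) -> tuple[bool, Optional[dict]]:
        hit = self._entries.get(key)
        if hit is None:
            return False, None
        value, stamp = hit
        ttl = self.empty_ttl if value is None else self.expire_after_access
        if now - stamp > ttl:
            del self._entries[key]
            return False, None
        if value is not None:
            self._entries[key] = (value, now)  # access refreshes the timer
        return True, value

    def put(self, key: str, value: Optional[dict], now: float) -> None:
        if key not in self._entries and len(self._entries) >= self.max_entries:
            oldest = min(self._entries, key=lambda k: self._entries[k][1])
            del self._entries[oldest]  # evict least recently used
        self._entries[key] = (value, now)


def lookup(ip: str, fetch: Callable[[str], str], cache: LookupCache, now: float):
    """Cache-first lookup like lookup() in the pipeline rule.
    Returns (data, api_called) so the quota cost of each call is visible."""
    hit, value = cache.get(ip, now)
    if hit:
        return value, False
    value = parse_check_response(fetch(ip))
    cache.put(ip, value, now)
    return value, True


def demo() -> dict:
    """Replay a few lookups with the article's cache settings (3 h / 10 s)."""
    cache = LookupCache(expire_after_access=3 * 3600, empty_ttl=10)
    calls = {"n": 0}

    def fetch(ip: str) -> str:  # constructed stand-in for fetch_live
        calls["n"] += 1
        return SAMPLE_REPORTED if ip == "198.51.100.23" else SAMPLE_RATE_LIMITED

    t0 = 1_700_000_000.0
    first, _ = lookup("198.51.100.23", fetch, cache, t0)
    _, called = lookup("198.51.100.23", fetch, cache, t0 + 2 * 3600)  # within 3 h: cached
    lookup("203.0.113.9", fetch, cache, t0)       # error -> empty result cached
    lookup("203.0.113.9", fetch, cache, t0 + 5)   # 5 s later: still empty, no API call
    lookup("203.0.113.9", fetch, cache, t0 + 30)  # 30 s later: retried against the API
    return {"score": first["abuseConfidenceScore"], "total": single_value(first),
            "second_hit": not called, "api_calls": calls["n"]}


if __name__ == "__main__":
    print(demo())  # {'score': 100, 'total': 42, 'second_hit': True, 'api_calls': 3}
```

The demo shows why the two TTLs are separate: a reported IP seen again inside three hours costs nothing, while a rate-limited or failed lookup is retried after ten seconds instead of leaving a stale empty answer cached for hours. Swap the constructed fetch for fetch_live with a real key to confirm the headers and key work before configuring the data adapter.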