Locating IP Addresses

Security Splunk

Google Earth Through SplunkIn one of my old blog posts I talked about how to do a lookup of IP addresses to map them to a geo location. That time, I was showing how it is done on the command line and totally outside of Splunk. However, what I really wanted is a way to lookup the locations within Splunk whenever an IP address is shown in an event.

A lookup should take the IP address, figure out its coordinates and then plot the result on a map. What better to use than Google Earth and Google Maps. This is what my Google add-on does. The problem that I had to overcome was the mapping of the IP address to a location. I could have used some python library and put a python script into the add-on to actually do the translation. I found an easier solution by using a Web service to do the lookup for me. In addition to just translating the IP address to a geo location, the service even generates KML for me, which is the file format to describe for Google Earth where the IP address is located. The only thing I had to do is building a simple field action associated with IP addresses. After the add-on is installed, you click on the field action of an IP address. A new menu entry is then shown, which calls an external Web service that returns the KML file. This file you then open up in Google Earth. For your reference, here is the field action from the bundle:

[googleearth-1]
metaKeys=ip
uri=http://www.someservice.com/index.php/iptokml?ip={$ip}&comment={$ip}
label=Locate in Google Earth

Simple, isn’t it?

By Raffael Marty

Related Articles

FIN7 Tools Resurface in the Field – Splinter or Copycat?
Security
8 Minute Read

FIN7 Tools Resurface in the Field – Splinter or Copycat?

The Splunk Threat Research team addresses the two tools used by the well-organized and highly-skilled criminal group FIN7 — JSS Loader and Remcos.
Enhance Security Resilience Through Splunk User Behavior Analytics VPN Models
Security
5 Minute Read

Enhance Security Resilience Through Splunk User Behavior Analytics VPN Models

This blog introduces new machine learning models in Splunk UBA for VPN connection monitoring to enhance WFH security resilience.
CI/CD Detection Engineering: Dockerizing for Scale, Part 4
Security
9 Minute Read

CI/CD Detection Engineering: Dockerizing for Scale, Part 4

Get the latest from the Splunk Threat Research Team on CI/CD Detection Engineering.