UltraGeoPoint IP Decisioning Data Now in Splunk
Over a decade ago Neustar acquired a company named Quova, which mapped IP addresses to geographies and ownership. Neustar built upon the core data set, expanding it into what is now called UltraGeoPoint. The data has been improved upon (i.e., smaller prefixes => more granularity => more accuracy, additional data fields, more proxy insights), but the same basic principles apply – assignment of IPv4/v6 addresses to a geography (postal code), to ownership (ASN), and other routing information (e.g., mobile or cable modem or VPN proxy).
Although Splunkbase, Splunk’s community of partners, includes many good security operational tools and technical add-ons spanning information and event management systems, threat intelligence platforms, and managed detection and response providers, some of our key clients expressed an interest in having access to UltraGeoPoint data. We agreed that the broader, deeper range of our IP data would be a useful addition to Splunk, and began work on a Neustar developed, native Splunk App.
We partnered with an experienced, specialized dev team to build an app that primarily downloads and decompresses the compressed UltraGeoPoint ASCII file, loads it into the Splunk KV Store, and plugs it into the key Splunk components that allow lookups against the Neustar data.
Think of this native Splunk app as an alternative, we believe with more accurate and complete data, to the Splunk built-in "iplocation" function.
This data is used in a wide variety of applications - anything from geo-fencing content distribution for compliance (i.e., OFAC, live sports blackouts) and supporting geographic compliance in online gaming and gambling to helping reduce risk/fraud/threats for any IP address log data.
This data can also span a variety of industries like e-commerce transactions, account logins, and general data enrichment for threat models. It can be used to drive user experience improvements like showing local currency and language. And of course, it can be used for directional marketing (e.g., user is on AT&T wireless) but not individual tracking... all data is GDPR and CCPA compliant.
It is used both in real-time (CAPTCHA) and post-analysis decision making by teams like the corporate InfoSec team.
Recommended installation is through Splunkbase.
Disclaimer: I am not a Splunk expert but I’m slowly (and sometimes painfully) learning more than I thought I needed to know.
There is a wide variety of use cases where this data will be used in Splunk, but any existing IP address data can be enriched through ad-hoc lookups or batch jobs using lookup tables.
For instance, an ad-hoc query to Neustar's class B:
| makeresults count=1 | eval clientip="18.104.22.168" | ultrageopoint clientip
Using the lookup table requires a few steps: loading the data, assigning permissions, and then running the "ultrageopoint" command on the lookup table with a configured lookup definition.
| inputlookup sample | ultrageopoint prefix="neustar" allfields=true ip_address
...where "sample" is the name of the lookup definition and ip_address is the column header in the CSV lookup table (which I would name "sample.csv").
- Requires Splunk >= 8; Enterprise and Cloud
- 200 GB of disk space
- Neustar UltraGeoPoint Data is not Indexed; Splunk (mostly) charges on indexed data
- Neustar posts the customer's file to a Neustar-administered AWS S3 bucket (currently; Azure and GCP can be supported)
- Neustar will provide the client with an ARN and ExternalId
- The client will create a role/user and add the ARN and ExternalId to that user's policy
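The AWS hand-off in the last three items (Neustar supplies an ARN and an ExternalId, the client puts both into its policy) is the standard cross-account AssumeRole pattern, and the ExternalId condition is what stops a third party from reusing the same ARN to assume the role (the confused-deputy problem). The following is an added example, not part of the app or this post, that checks a role trust policy for that pattern; the ARN, ExternalId and policy documents are constructed placeholders, and it assumes the grant is sts:AssumeRole with a StringEquals sts:ExternalId condition.

```python
import json

# Constructed placeholders: the real role ARN and ExternalId are the values
# Neustar supplies for the customer's file delivery; these are not real.
TRUSTED_ARN = "arn:aws:iam::111111111111:role/PLACEHOLDER-ultrageopoint-delivery"
EXTERNAL_ID = "PLACEHOLDER-external-id"

# Constructed sample trust policies: a correct one, and one that grants the same
# ARN sts:AssumeRole but omits the ExternalId condition (confused-deputy risk).
TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": TRUSTED_ARN},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]})
WEAK_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": TRUSTED_ARN},
    "Action": "sts:AssumeRole"}]})

def _as_list(value):
    # IAM accepts a single value or a list in Statement, Action and Principal.
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy_json, trusted_arn, external_id):
    """Return the problems found in a role trust policy (empty list means OK).

    Every Allow of sts:AssumeRole must name only trusted_arn and must carry a
    StringEquals sts:ExternalId condition equal to external_id.
    """
    problems, trusted_seen = [], False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        for p in principals:
            if p == "*":
                problems.append("sts:AssumeRole granted to any AWS principal")
            elif p != trusted_arn:
                problems.append(f"unexpected principal {p}")
            else:
                trusted_seen = True
        if ext_id != external_id:
            problems.append("sts:ExternalId condition missing or wrong")
    if not trusted_seen:
        problems.append(f"no sts:AssumeRole grant for {trusted_arn}")
    return problems
```

Run it against the trust policy of the role you create for the delivery before handing the ARN back; an empty result means the only party able to assume the role is the supplied ARN, and only with the supplied ExternalId.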
This is just the first version of the app and we will continue to evolve the offer based on our clients' needs. The app is open source and Neustar will provide the source code to UltraGeoPoint customers upon request.
We are always open to discussing native integrations into the handful of other good choices including ArcticWolf, Exabeam, SumoLogic, and many others.
Please reach out to us to discuss your requirements.