Dynatrace® now integrates with AbuseIPDB to provide threat intelligence context for observables, helping your organization combat online threats, such as cyberattacks, spamming, and other malicious activities.
In today’s continuously evolving threat landscape, enterprises face hundreds of suspicious activities coming from potentially malicious actors. Various security tools are capable of identifying suspicious activity and reporting it. However, Security Operations (SOC) and Incident Detection and Response (IDR) teams are often overwhelmed by the number of alerts and detections generated by these tools.
How can you distinguish between yet another false positive and a real threat? And how can you know that your organization’s response will be as fast as possible?
Threat intelligence context provides a strong indication of the maliciousness of detected activities based on industry reports. Whether it’s a random malicious act that affects some organizations or a comprehensive threat-actor activity that jeopardizes the whole industry, threat intelligence provides the additional context your teams need to decide how much attention to give to a certain alert.
Uplevel your security investigations with Dynatrace
The Dynatrace® platform integrates with various security detection tools and adds runtime context so you can filter incoming alerts and focus only on those that affect your sensitive services and applications. This directs your organization's internal prioritization toward the alerts that matter.
An additional element for reducing alert noise and achieving better prioritization of security alerts is threat intelligence context. Such context represents the external factors that must be taken into consideration during triaging.
Dynatrace integrates with AbuseIPDB and offers threat intelligence enrichment for observables, such as IP addresses. With the provided threat context, such as IP reputation, your security teams can perform:
- Threat-informed security investigations: Enhance your security investigations by leveraging IP reputation data to detect anomalous and malicious activity in Security Investigator.
- Automated threat-alert triaging: Classify and prioritize alerts using enriched threat intelligence in Workflows.
Easy AbuseIPDB integration via Dynatrace Apps
The AbuseIPDB integration is delivered as a Dynatrace app that can be installed in-product using the Dynatrace Hub.
As soon as the integration is installed, you can start using the threat intelligence enrichment capabilities in Workflows using the dedicated workflow action. It’s possible to configure multiple connections to AbuseIPDB and use your preferred connection for each workflow action.
Dynatrace also provides you with a sample workflow, which demonstrates an end-to-end automated threat-alert triaging use case. This sample workflow processes new critical detection findings and, based on the reputation of the involved IP addresses, decides whether to notify relevant stakeholders.
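As an added illustration of the decision such a triage step makes (example code written for this page, not Dynatrace's sample workflow or an AbuseIPDB client), the following Python applies an IP-reputation policy to constructed critical findings: it skips internal addresses, treats a missing lookup as something to review rather than dismiss, and notifies only above a hypothetical abuse-confidence threshold. The reputation data, finding shape, field names beyond abuseConfidenceScore and totalReports, and the threshold of 75 are all assumptions.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed AbuseIPDB-style results keyed by IP. Field names mirror the AbuseIPDB /check
# response (abuseConfidenceScore, totalReports); values are made up and the IPs come from
# RFC 5737 documentation ranges, used here as stand-ins for public addresses.
SAMPLE_REPUTATION: Dict[str, dict] = {
    "203.0.113.45": {"abuseConfidenceScore": 97, "totalReports": 312},
    "198.51.100.7": {"abuseConfidenceScore": 4, "totalReports": 1},
}
# Constructed findings, loosely shaped like the critical detection findings the workflow reads.
SAMPLE_FINDINGS: List[dict] = [
    {"id": "f-1", "severity": "CRITICAL", "source_ip": "203.0.113.45"},
    {"id": "f-2", "severity": "CRITICAL", "source_ip": "198.51.100.7"},
    {"id": "f-3", "severity": "CRITICAL", "source_ip": "10.0.0.12"},
    {"id": "f-4", "severity": "CRITICAL", "source_ip": "192.0.2.99"},
    {"id": "f-5", "severity": "LOW", "source_ip": "203.0.113.45"},
]
NOTIFY_THRESHOLD = 75  # hypothetical cut-off on abuseConfidenceScore (0-100)
# Internal, loopback and link-local ranges carry no external reputation and must not be
# sent to a third-party service at all.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "::1/128", "fe80::/10")]

def should_enrich(ip: str) -> bool:
    """True only for syntactically valid addresses outside the non-routable ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in _NON_ROUTABLE)

def triage_finding(finding: dict, lookup: Callable[[str], Optional[dict]]) -> dict:
    """Map one finding to notify / monitor / review using the IP's abuse confidence score."""
    fid, ip = finding["id"], finding["source_ip"]
    if not should_enrich(ip):
        return {"id": fid, "decision": "review", "reason": "internal or invalid address, not enriched"}
    rep = lookup(ip)
    if rep is None:  # an enrichment miss must not silently downgrade a critical finding
        return {"id": fid, "decision": "review", "reason": "no reputation data"}
    score = rep["abuseConfidenceScore"]
    if score >= NOTIFY_THRESHOLD:
        return {"id": fid, "decision": "notify", "reason": f"score={score}, reports={rep['totalReports']}"}
    return {"id": fid, "decision": "monitor", "reason": f"score={score}"}

def triage_all(findings: List[dict], lookup: Callable[[str], Optional[dict]]) -> List[dict]:
    """Process only critical findings, as the sample workflow does; lookup may be a real client."""
    return [triage_finding(f, lookup) for f in findings if f.get("severity") == "CRITICAL"]
```

Swapping `SAMPLE_REPUTATION.get` for a function that calls the real reputation service is the only change needed to run the same policy on live data.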
What’s next
The AbuseIPDB threat intelligence enrichment capabilities are not limited to workflow use cases. We’re working on enabling other Dynatrace® Apps, such as Security Investigator and Threat and Exploits, to natively support the AbuseIPDB integration and provide the additional context as part of each user journey.
Get started
For full details of the prerequisites and steps for setting up the AbuseIPDB integration, please visit our documentation, Enrich threat observables with AbuseIPDB.