
Hi,

I have got a list of IPs which were accessed by a process and were enriched with a block, and now I want to check if they are suspicious.


Is there any way where I can give the list of IPs (maybe in a loop) and verify if they are suspicious or not?

Regards,

Laxmikant

If you have SecOps Enterprise Plus you should also have Google Threat Intel and use that to get reports on those IP addresses.  If not you can go to https://www.virustotal.com and load the IPs in there one at a time and get reports on each one.


If you have the VirusTotalV3 integration in SOAR, you may use a manual case with no entities, create an entity with your list of IPs using a delimiter (e.g. comma) to create all those IPs as entities in this case, and then use Enrich IP from VirusTotalV3.


Enrichment Actions (e.g. VirusTotal Enrich IP) handle looping natively for any entity of type ADDRESS in the Alert.  If you have an Alert with those IPs already created, just run the Action Enrich IP.


If the IPs are not already entities, you can create them manually or with the Action "Create Entities", type=ADDRESS, delim="," and then paste the IPs in (e.g. 1.1.1.1,2.2.2.2,3.3.3.3).
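For anyone doing this outside SOAR, here is an added example (not from the thread or from Google/VirusTotal) that does the same loop by hand: it splits a comma-delimited IP list the way Create Entities would, looks each IP up against the VirusTotal v3 `/api/v3/ip_addresses/{ip}` endpoint, and reads `last_analysis_stats` to flag suspicious ones. The sample reports are constructed, and the verdict thresholds (1 malicious or 3 suspicious engine hits) are an assumption to tune for your own triage.

```python
import ipaddress
import json
import urllib.request

# Constructed VirusTotal v3 IP reports (documentation-range IPs); only the
# fields this example reads are included.
SAMPLE_REPORTS = {
    "203.0.113.5": {"data": {"attributes": {"last_analysis_stats": {
        "malicious": 7, "suspicious": 1, "harmless": 60, "undetected": 20}}}},
    "198.51.100.9": {"data": {"attributes": {"last_analysis_stats": {
        "malicious": 0, "suspicious": 0, "harmless": 70, "undetected": 18}}}},
}

def parse_ip_list(text, delim=","):
    """Split a delimited list (as pasted into Create Entities) into valid, de-duplicated IPs."""
    ips = []
    for raw in text.split(delim):
        token = raw.strip()
        if not token:
            continue
        try:
            ip = str(ipaddress.ip_address(token))
        except ValueError:
            continue  # drop anything that is not an IPv4/IPv6 address
        if ip not in ips:
            ips.append(ip)
    return ips

def classify_report(report, malicious_min=1, suspicious_min=3):
    """Verdict from last_analysis_stats; thresholds are an assumption, not VirusTotal's."""
    stats = (report or {}).get("data", {}).get("attributes", {}).get("last_analysis_stats")
    if not stats:
        return "unknown"  # no report or no scan data for this IP
    if stats.get("malicious", 0) >= malicious_min or stats.get("suspicious", 0) >= suspicious_min:
        return "suspicious"
    return "clean"

def fetch_ip_report(ip, api_key):
    """Live lookup of one IP via the VirusTotal v3 API (needs a key; not used offline)."""
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/ip_addresses/{ip}",
        headers={"x-apikey": api_key},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def check_ip_list(text, lookup, delim=","):
    """Loop over the delimited list and return {ip: verdict} using the supplied lookup function."""
    return {ip: classify_report(lookup(ip)) for ip in parse_ip_list(text, delim)}

if __name__ == "__main__":
    # Offline run; for live data pass lambda ip: fetch_ip_report(ip, "YOUR_API_KEY") instead
    print(check_ip_list("203.0.113.5, 198.51.100.9,203.0.113.5,not-an-ip", SAMPLE_REPORTS.get))
```

The public VirusTotal API is rate limited, so for a long list add a sleep between calls or batch the work through the SOAR action, which handles that for you.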


