I need help. I managed to insert the AbuseIPDB API, but when creating the workflow I cannot send the IP of the query I make to check its reputation; it sends the entire query log. The variable in Rapid7 that brings the log is: source_ip. Can anyone shed some light?
Sorry for the late reply. I am happy to help, but will need more information.
Can you share some screenshots of your workflow? When you view the jobs page, the step to send data to AbuseIP will also have some information that would be helpful.
Please screenshot the Input Tab so we can see what data is being passed.
When you open the variable selection menu for the abuse IP step, is “Source_IP” an array or a string? What data type does it show?
Hello, thanks for your attention. So, first I have the trigger, then I go to the alert we created and select the workflow. Everything is fine until then. Then it uses an action to extract the IP from the log of Rapid7 itself. I extracted it normally and I send it to IP checking, but I don’t know why it inserts some backslashes in the IP and ends up failing. Sometimes, in the IP extraction, it also brings up the browser version. Here are the images.
Can you please show the data you are working with? You said it is adding /. If you go to the jobs page and you go to the step “Action -3”, can you show the “Input” tab and the “Log” tab?
You are trying to send an array to a step that is meant to ingest a string. That is why it isn’t working.
You would want to choose a step type called “Loop”, and then you would choose that Source_IP variable as the array that your loop will iterate through.
Inside of your loop you will add your Abuse IP Check IP step.
What this will do is for every IP that is in your array, it will perform an individual lookup.
Hi, sorry for the delay. I don’t quite understand where the problem is, as I select the log from which I want to extract the IP and send the output variable to AbuseIPDB, and it adds the "". Please, if you have any KB or images I would be grateful. Thank you for resolving this issue.
The action you want to use requires a variable that is a string.
What you are sending to it is a variable type called an array. An array is a list of items. The action requires a single item. You need to create a loop step. Loop over the variable that you are using in your abuse step. Within the loop, have the abuse IP lookup step. Pass a variable that is a {{["stepname"].[$item]}} to the abuse lookup step WITHIN the loop.
What this will do is for EACH IP in your array, it will perform a lookup.
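The array-versus-string problem discussed in this thread, as an added Python example that is not part of the original posts and is not Rapid7 or AbuseIPDB code. The log line, the field name `user_agent`, the `address` key and every function name are constructed for illustration, and the double JSON encoding in `as_string_input` is an assumption about where the backslashes come from.

```python
import ipaddress
import json
import re

# Constructed sample log line (not taken from the thread).
SAMPLE_LOG = json.dumps({
    "source_ip": "203.0.113.7",
    "user_agent": "Mozilla/5.0 Chrome/114.0.0.0 Safari/537.36",
})

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_all(log_line):
    """Pattern-match the whole log: always returns an array, and also
    matches dotted version numbers such as a browser version."""
    return IPV4_RE.findall(log_line)


def as_string_input(value):
    """Assumed behaviour: a non-string placed in a string input is turned
    into JSON text, which is escaped again inside the request body."""
    text = value if isinstance(value, str) else json.dumps(value)
    return json.dumps({"address": text})


def extract_source_ip(log_line):
    """Read only the source_ip field and keep it if it parses as an IP."""
    value = json.loads(log_line).get("source_ip", "")
    try:
        return [str(ipaddress.ip_address(value))]
    except ValueError:
        return []


def lookup_each(ips, check_ip):
    """The loop step: one lookup per array item, each item a plain string."""
    return {item: check_ip(item) for item in ips}


if __name__ == "__main__":
    matches = extract_all(SAMPLE_LOG)
    print("whole-log matches:", matches)
    print("array sent as string:", as_string_input(matches))
    # as_string_input stands in for the lookup step; no network call is made.
    print("looped:", lookup_each(extract_source_ip(SAMPLE_LOG), as_string_input))
```
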