07/14/2025 | Press release | Distributed by Public on 07/14/2025 13:28
Resolving incidents and finding root causes are time-critical activities that require logged evidence to understand what happened in the system. Whether to prevent such incidents from happening again or to rule out a malicious hacking attempt, getting answers is the key, and logs are your best source for such evidence.
Log data alone, however, is often not enough to give you a complete overview. In the case of security incidents, the origin of a failed request or a login attempt is often the most valuable information you have in triaging a potential incident and determining its severity.
To speed up your threat hunting and incident response activities, Security Investigator now allows you to enrich IP addresses with additional context from third-party threat detection databases.
Dynatrace Security Investigator is one of the built-in apps shipped with Dynatrace. It's designed for evidence-driven security use cases based on the logs, metrics, and traces ingested into the Dynatrace Grail® data lakehouse.
Imagine you're solving a security incident and need to understand more about the origin of an attack. You want to check the IP address reputation analysis provided by AbuseIPDB or VirusTotal, but manually looking up and pasting these addresses takes too much time. Not to mention, you want to keep this external reputation information tied to your investigation for future access.
By right-clicking an IP address in Security Investigator and selecting Enrich IP, you can choose your configured enrichment source to enrich the address. For this first release, Dynatrace offers IP enrichment insights from AbuseIPDB and VirusTotal.
Suppose you find something suspicious in your log data related to a certain IP address. You can now add the IP address and additional reputation analysis to your Suspicious IP evidence list in Security Investigator.
The IP address and corresponding enrichment data are now kept in the context of your investigation; you can revisit this enrichment data at any time.
You can now automatically enrich all the IP addresses you collect as evidence. In the evidence list enrichment menu, choose whether enrichment should be enabled by default for all added elements, and which connection should be used to enrich the IP addresses that are added to your evidence list.
When you add new IP addresses to the evidence list, they're automatically enriched on your behalf using your selected enrichment connection.
Select the details icon to quickly access the persisted IP enrichment data that's fetched from each third-party source.
Visit the Dynatrace Playground to see IP enrichment in action or learn more about setting up IP enrichment in Dynatrace Documentation.