Blog | G5 Cyber Security

Investigating AlienVault IP Alerts with Spiceworks

TL;DR

This guide shows you how to quickly get more information about a potentially dodgy IP address flagged by AlienVault, using the built-in features of Spiceworks plus a few free external lookups. It’s all about turning a reputation alert into evidence you can act on in your cyber security investigations.

Steps to Investigate AlienVault IP Alerts in Spiceworks

  1. Understand the Alert: When Spiceworks flags an IP address via AlienVault, it means that IP appears in AlienVault threat intelligence as associated with malicious activity (scanning, malware hosting, command and control, spam and so on). Reputation data is noisy, so treat the alert as a lead rather than a verdict. Don’t panic, but *do* investigate.
    • Check the alert details within Spiceworks. It will show you the IP and a basic reputation score from AlienVault.
    • Note down the IP address and the time the alert fired – you’ll need both for further research and for searching your logs.
  2. Use Spiceworks’ Built-in Lookup: Spiceworks often provides a quick lookup directly within the alert.
    • Click on the IP address in the Spiceworks alert. This *may* open a new page with more details, including AlienVault information if it’s available.
    • If this doesn’t show enough detail, move to step 3.
  3. Run a Whois Lookup: Find out who owns the IP address and where it’s located.
    • Spiceworks has a built-in network tool that can do this for you. Go to Inventory > Network Map, then search for the IP address.
    • Select the device (it might show as ‘Unknown Device’ if Spiceworks hasn’t identified it).
    • Click on the ‘Details’ tab and look for the ‘Whois Information’ section. This will give you registration details. Bear in mind that Whois shows who holds the address block (often a hosting provider or ISP), not necessarily who is operating the machine; the abuse contact listed there is useful if you later need to report the activity.
  4. Check AlienVault Directly (via Web Browser): For more in-depth information, go straight to the source.
    • Open a web browser and go to AlienVault OTX (otx.alienvault.com).
    • Enter the IP address into the search bar.
    • Review the pulses that reference the IP and the ‘Indicators’ tab for associated malware, domains, and other related information. Pay attention to confidence levels, how recent the reports are and how many independent pulses mention the address: a single old pulse is much weaker evidence than several recent ones.
  5. Reverse DNS Lookup: See if the IP address is linked to a specific hostname (a PTR record).
    • You can use online tools like NSLookup or command-line tools.
    • Command Line (Windows) – giving nslookup an IP address performs a reverse lookup:
      nslookup [IP Address]
    • Command Line (Linux/macOS) – host does the same when given an IP:
      host [IP Address]
    • A reverse DNS entry can give you clues about the purpose of the IP address, for example a hosting provider’s naming scheme or a mail server name. The record is set by whoever controls the reverse zone for that address, so it can be missing, generic, or deliberately misleading; treat it as a clue, not proof.
  6. Check VirusTotal: See if other security vendors have flagged this IP.
    • Go to VirusTotal and enter the IP address.
    • Review how many security vendors and blocklists flag the address, and look at the related data: domains that have resolved to it and files that have been seen communicating with it. A couple of detections on an IP belonging to shared hosting or a CDN is common and often a false positive; detections combined with known malware samples contacting the IP are far stronger evidence.
  7. Spiceworks Event Log Monitoring: If you’re seeing traffic *to or from* this IP, check your Spiceworks event logs.
    • Go to Monitor > Logs.
    • Filter the logs by the IP address. This will show you which systems on your network are communicating with it, in which direction, and which services or ports are involved. Outbound connections from an internal host to the flagged IP deserve more urgency than blocked inbound scans, because they can indicate an infected machine beaconing out.
  8. Document Your Findings: Keep a record of everything you discover.
    • Note down the Whois information, AlienVault details, VirusTotal results, and any relevant event log entries in Spiceworks (using the ‘Notes’ field on the device or alert).
    • This documentation will be helpful if you need to escalate the issue or take further action, such as blocking the IP at the firewall or isolating an affected host.
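The steps above are easy to script for the parts that do not need a browser: sanity-checking the flagged address, working out the reverse-DNS query name, and correlating the IP against your log export to see which internal hosts talked to it and in which direction. The script below is an added example written for this guide; it is not Spiceworks or AlienVault code. The log line format and the sample lines are constructed for illustration, and 203.0.113.45 (an RFC 5737 documentation address) stands in for the flagged IP. The Whois, OTX and VirusTotal fields in the findings record are left empty for the analyst to fill in from the manual lookups.

```python
"""Triage helper for an AlienVault-flagged IP (added example, not vendor code):
classify the address, build its PTR query name, correlate it against firewall
logs, and emit a findings record you can paste into the Spiceworks notes field."""
import ipaddress
import json
import re
from collections import Counter

# Constructed sample firewall/syslog lines, not real traffic. The assumed format is:
#   <timestamp> <device> <action> src=<ip>:<port> dst=<ip>:<port> proto=<proto>
# The last line is deliberately malformed to show how unparsable lines are counted.
SAMPLE_LOGS = """\
2024-03-04T10:01:12Z fw01 allow src=10.0.1.25:51234 dst=203.0.113.45:443 proto=tcp
2024-03-04T10:01:15Z fw01 allow src=10.0.1.25:51240 dst=203.0.113.45:443 proto=tcp
2024-03-04T10:02:03Z fw01 deny src=203.0.113.45:40000 dst=10.0.1.7:3389 proto=tcp
2024-03-04T10:02:40Z fw01 allow src=10.0.1.30:51300 dst=198.51.100.9:80 proto=tcp
2024-03-04T10:03:01Z fw01 allow src=10.0.1.25:51255 dst=203.0.113.45:8443 proto=tcp
2024-03-04T10:03:30Z fw01 heartbeat ok
"""

# IPv4 addresses only; IPv6 in this format would need bracketed notation.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<action>\S+) "
    r"src=(?P<src>[^:]+):(?P<sport>\d+) dst=(?P<dst>[^:]+):(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def classify_ip(ip_str):
    """Return 'private' (RFC 1918 / ULA), 'reserved' (loopback, link-local, multicast,
    unspecified, 240/4) or 'public'. An OTX hit on a private address means the alert
    is misattributed (e.g. NAT), so this is worth checking before any lookups.
    Raises ValueError on malformed input so a typo is caught early. Note that RFC 5737
    documentation ranges such as 203.0.113.0/24 are reported as 'public' here."""
    ip = ipaddress.ip_address(ip_str.strip())
    if any(ip in net for net in PRIVATE_NETS):
        return "private"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified or ip.is_reserved:
        return "reserved"
    return "public"


def ptr_name(ip_str):
    """The name the resolver queries for a PTR record; this is what
    `nslookup <ip>` on Windows and `host <ip>` on Linux/macOS look up."""
    return ipaddress.ip_address(ip_str.strip()).reverse_pointer


def correlate(ip_str, log_text):
    """Collect every connection involving the flagged IP, split by direction.
    Outbound (internal host -> flagged IP) is the more worrying case: beaconing."""
    ip = ipaddress.ip_address(ip_str.strip())
    result = {"outbound": [], "inbound": [], "unparsed": 0}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            result["unparsed"] += 1
            continue
        entry = {"ts": m["ts"], "port": int(m["dport"]), "proto": m["proto"], "action": m["action"]}
        if ipaddress.ip_address(m["dst"]) == ip:
            result["outbound"].append({**entry, "host": m["src"]})
        elif ipaddress.ip_address(m["src"]) == ip:
            result["inbound"].append({**entry, "host": m["dst"]})
    return result


def summarize(ip_str, log_text):
    """Build the findings record for the Spiceworks notes field. Fields that need
    external lookups (Whois, OTX, VirusTotal) are left as None for the analyst."""
    conns = correlate(ip_str, log_text)
    return {
        "indicator": ip_str,
        "address_type": classify_ip(ip_str),
        "ptr_query": ptr_name(ip_str),
        "internal_hosts_talking_to_it": sorted({c["host"] for c in conns["outbound"]}),
        "outbound_ports": dict(Counter(c["port"] for c in conns["outbound"])),
        "inbound_targets": sorted({f'{c["host"]}:{c["port"]}' for c in conns["inbound"]}),
        "inbound_blocked": sum(c["action"] == "deny" for c in conns["inbound"]),
        "unparsed_log_lines": conns["unparsed"],
        "whois": None,
        "otx_pulses": None,
        "virustotal": None,
    }


if __name__ == "__main__":
    print(json.dumps(summarize("203.0.113.45", SAMPLE_LOGS), indent=2))
```

Run against the sample, the record shows one internal host (10.0.1.25) making repeated outbound connections to the flagged IP on 443 and 8443, which is the pattern to chase first, while the single inbound attempt against RDP was denied. Swap SAMPLE_LOGS for an export from Monitor > Logs (adjusting LOG_RE to its format) to get the same split for real traffic.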