Enrich threat observables with AbuseIPDB

  • Latest Dynatrace
  • How-to guide
  • Preview

The Dynatrace integration with AbuseIPDB enhances alerts and detection investigations by providing valuable context for threat intelligence. This helps organizations combat online abuse, including cyber-attacks, spamming, and other malicious activities.

By enriching observability with reputation data from AbuseIPDB, you can conduct more efficient security investigations, automate alert triaging, and reduce noise through threat-aware prioritization. This streamlines incident response and enhances overall security posture.

Hub

Explore in Dynatrace Hub

Enrich observables with threat intelligence from AbuseIPDB.

How it works

abuseipdb mechanism

Dynatrace integration with AbuseIPDB is an app that you can install from Hub.

The app delivers a workflow action for observable enrichment in Workflows Workflows.

To prevent accidental edits or deletions across environments, connection setup now includes owner-based access control. This ensures reliable automation, avoids unexpected configuration loss, and aligns with minimal access requirements.

For details on sharing and permissions, see Access control for Connectors.

Various consumer apps can perform an on-demand enrichment of observables, for example, via a workflow action.

Dynatrace reaches out to AbuseIPDB to perform the observable enrichment.

The threat intelligence context is displayed within the consumer apps or in Workflows Workflows, helping you drive smarter decisions.

Prerequisites

See below for the AbuseIPDB and Dynatrace requirements.

AbuseIPDB requirements

Register with AbuseIPDB and create an API v2 key.

Dynatrace requirements

The following IAM permissions are required:

  • app-engine:apps:run
  • app-settings:objects:read
  • document:documents:read
  • settings:objects:read
  • storage:system:read
  • security-intelligence:enrichments:run

To run the enrichment workflow action, all the permissions above need to be enabled in Workflows Workflows as well.

  1. Go to the settings menu in the upper-right corner of Workflows Workflows and select Authorization settings.
  2. In Secondary permissions, search for and select the above-listed permissions.
  3. Select Save.

Get started

  1. In Dynatrace, open Hub.

  2. Look for AbuseIPDB and select Install.

  3. Select Set up , then select Configure new connection.

  4. Follow the on-screen instructions to set up the connection using the API key obtained in Prerequisites.

    Allowed outbound connections are extended automatically with api.abuseipdb.com.

    1. In Settings, go to Preferences > Limit Outbound Connections.
    2. Select Add item and add the domain.
    3. Select Save changes.

  5. Test the connection to ensure the correct configuration and save it.

Use cases

Once you set up the AbuseIPDB integration, you can leverage threat intelligence to enrich observables like IP addresses.

Key use cases include:

  • IP enrichment directly from investigation results in the Security Investigator app to accelerate threat validation and streamline case triage. For instructions, see Enrich IP addresses.

    1. In Workflows Workflows Workflows, create a new workflow or edit an existing one.
    2. In the Choose action pane, search for AbuseIPDB and select the AbuseIPDB check IP action.
    3. Enter the parameters required for the action to run.
    4. Run the workflow to validate the action and review the results.
    5. Continue with your automation definition.

    workflow sample

  • Automated threat-alert triaging

  • Threat-informed security investigations Coming soon

FAQ

Which observable types are currently supported?

Supported observables: IP addresses (more coming soon).

How will my AbuseIPDB API quotas will be affected from this integration?

For every new observable enrichment we perform a single API call.

Related tags
Threat Observability