AlienVault OTX Pipeline Rules

Hello everyone!

I am trying to configure AlienVault OTX for my Syslog servers for threat intel, and I was wondering if you could provide me with some info regarding the pipeline rules.

I have already created a Data Adapter (AlienVault OTX) by adding the API key, created a Cache and a lookup table.

The next step is to configure the rules for the pipeline, but I cannot figure out what rules I should use in order to generate the fields on each message I receive. I’ve browsed the web and found on GitHub (Graylog2/graylog-plugin-threatintel: Graylog Processing Pipeline functions to enrich log messages with IoC information from threat intelligence databases) the rule for OTX, but it required further tweaking. The rule is:

rule "otx lookup src_addr"
when
  // only run the lookup when the message actually carries a source address
  has_field("src_addr")
then
  let intel = otx_lookup_ip(to_string($message.src_addr));
  // let intel = otx_lookup_domain(to_string($message.dns_question));

  // copy the lookup result into fields on the message
  set_field("threat_indicated", intel.otx_threat_indicated);
  set_field("threat_ids", intel.otx_threat_ids);
  set_field("threat_names", intel.otx_threat_names);
end

I know that the specific plugin is outdated at GitHub, but the rule should be running since AlienVault OTX exists as Data Adapter.

Could you please assist me with the correct rule that could apply to OTX?

Thank you in advance!

Hey @Great_CF && Welcome

I went over the docs on GitHub, so it looks like you installed the plugin, then restarted the Graylog service.
The pipeline rule is something like this?

rule "alien vault"
when
  // guard on the field that is looked up, so to_string() never gets an empty value
  has_field("src_addr")
then
  let intel = otx_lookup_ip(to_string($message.src_addr));
  // let intel = otx_lookup_domain(to_string($message.dns_question));

  set_field("threat_indicated", intel.otx_threat_indicated);
  set_field("threat_ids", intel.otx_threat_ids);
  set_field("threat_names", intel.otx_threat_names);
end

Add a second pipeline step that adds the field threat_indicated:true

rule "inflate threat intel results"
when
  // expects an earlier stage to have set src_threat_indicated / dst_threat_indicated
  // (one lookup on src_addr and one on dst_addr, each with its own prefix)
  to_bool($message.src_threat_indicated) || to_bool($message.dst_threat_indicated)
then
  set_field("threat_indicated", true);
end

I would suggest, before making the pipeline rule, that you have the correct fields generated to ensure the pipeline rule/s will work.
For something like this, perhaps use one pipeline with two different stages.
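To make the two-stage layout above concrete, here is a complete pipeline definition plus the rules it references, written as an added example (this is not code from the thread, the plugin README, or the Graylog project). It assumes the messages carry both a src_addr and a dst_addr field, that the otx_lookup_ip() function returns the otx_threat_indicated / otx_threat_ids / otx_threat_names keys shown earlier in the thread, and that the pipeline is connected to the stream the Syslog messages land in. Stage 0 performs the lookups with src_/dst_ prefixes, which is what the "inflate" rule in the reply above actually reads; stage 1 then sets the single threat_indicated flag:

```text
// Pipeline definition (System > Pipelines > Manage pipelines).
// "match either" runs stage 1 even when only one of the lookups fired.
pipeline "otx enrichment"
stage 0 match either
  rule "otx lookup src_addr";
  rule "otx lookup dst_addr";
stage 1 match either
  rule "inflate threat intel results";
end

// Rules (System > Pipelines > Manage rules). Each rule is a separate object.

rule "otx lookup src_addr"
when
  // assumption: the Syslog extractor/parser produces a src_addr field
  has_field("src_addr")
then
  let intel = otx_lookup_ip(to_string($message.src_addr));
  // prefix the results so src and dst lookups do not overwrite each other
  set_field("src_threat_indicated", intel.otx_threat_indicated);
  set_field("src_threat_ids", intel.otx_threat_ids);
  set_field("src_threat_names", intel.otx_threat_names);
end

rule "otx lookup dst_addr"
when
  // assumption: the Syslog extractor/parser produces a dst_addr field
  has_field("dst_addr")
then
  let intel = otx_lookup_ip(to_string($message.dst_addr));
  set_field("dst_threat_indicated", intel.otx_threat_indicated);
  set_field("dst_threat_ids", intel.otx_threat_ids);
  set_field("dst_threat_names", intel.otx_threat_names);
end

rule "inflate threat intel results"
when
  // either side of the connection matched an OTX indicator
  to_bool($message.src_threat_indicated) || to_bool($message.dst_threat_indicated)
then
  // single flag that alerts and searches can key on
  set_field("threat_indicated", true);
end
```

The has_field() guards matter for more than tidiness: without them, to_string() of a missing field yields an empty string, the lookup runs with no usable key, and the rule appears to do nothing, which is hard to distinguish from a broken data adapter. If the src_addr/dst_addr fields never show up in the message, fix the extractor first, as the reply above says; no pipeline rule can enrich a field that was never parsed.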

Hello @gsmith!

Yes, the pipeline is as you described, and I have filled in the correct fields so it can index the source address and DNS. I have also tried restarting the Graylog service, but no luck :frowning:

I don’t know what else I am missing and it cannot start generating OTX reports. Any thoughts?

Thank you in advance!

Hi @Great_CF ,

I recommend adding a debug() call to the rule and watching the log file: tail -n50 -f /var/log/graylog-server/server.log

...
then
  // marks in server.log that the rule's condition matched
  debug("Check this");
  let intel = otx_lookup_ip(to_string($message.src_addr));
  // let intel = otx_lookup_domain(to_string($message.dns_question));

  set_field("threat_indicated", intel.otx_threat_indicated);
  set_field("threat_ids", intel.otx_threat_ids);
  set_field("threat_names", intel.otx_threat_names);
  // log the field you want to inspect; swap in any other field name here
  debug(to_string($message.threat_indicated));
end
...
