Hello all,
I have been working on getting the threat intel plugins provided by GL to work in my environment. For the most part the IP address lookups are working great, but when I tried to use the DNS lookup function, it classifies everything as not a threat. I plugged in some known malware and ransomware domains, and it still says it's not a threat.
I ended up switching to using the OTX plugin for domain lookups, and it does do the lookups and gives me results, but it just classifies way too much as a threat, such as Bing, Slack, MSN, etc.
Are there any free or cheap alternatives to these that are known to work well? In reality I only care about high-confidence, high-risk IOCs; anything that classifies IOCs as low, medium, or high would be perfect.
Or are there any known issues in the DNS question lookup feature? I basically did exactly as described on the GitHub page, with the exception of changing the field where the domain is being pulled from.