Background
We are running multiple Graylog server set-ups with a combination of enterprise and community editions.
As part of the security initiatives, we have decided to spin up the Graylog Threat Intel plugins by referring to the blog - https://www.graylog.org/post/integrating-threat-intelligence-into-graylog-3
Challenge
We have managed to see the malicious IPs in the logs, but otx_lookup_ip is NOT flagging them as *threat_indicated:true*. So, are there any OTX API call limitations in the community editions, and what could be the challenge when the same IP address, when searched in the Open Threat Exchange (OTX) - IP Test lookup section on the Graylog console, shows the score with positive (non-zero) numbers? For that matter, we would be eager to know what fields from the lookup result would be cached for flagging threat_indicated as true ("single_value": 0).
Steps to reproduce the challenge:
- Create a grok pattern to find ONLY the public IP from the logs
- From the input, configure the extractor to match the grok pattern
- In the search section, you will see the new field getting populated as labeled in step 2
- Follow and complete the steps mentioned in the link https://www.graylog.org/post/integrating-threat-intelligence-into-graylog-3 (replace the src_addr / dst_addr fields in the rules with the names you have created in step 2)
- In the search page, fields section, we will see the new additional fields cropping up once the pipeline rules match the logs, fields like threat_indicated
- When we click on the threat_indicated values, it is all showing as zero (0)
- When we handpick the known malicious IPs from the same logs showing as zero in the GUI and search using the test lookup option given in the lookup tables, it shows a non-zero value (6), which means it is malicious to our understanding.
What are we missing? Graylog version is 3.0.
Also, does the "Threat Intelligence Lookups:" rule take care of all these 3 feeds ([abuse.ch Ransomware IP], [Tor Exit Node List], [Spamhaus DROP]) or should we write explicit pipeline rules?
Do comment if we are missing any additional pre-requisites here (internet connectivity, ports, Java version, etc.).
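An added example, not part of the original post or of Graylog's own code, for checking the two pieces of the reproduction offline: that a "public IP only" pattern (step 1) really excludes private, loopback and reserved addresses from sample log lines, and the combination the post expects, where a non-zero feed score (the "single_value" in the test lookup) should yield threat_indicated true. The excluded ranges, the sample log lines and the scoring rule are assumptions made for this example.

```python
import ipaddress
import re

# Ranges a "public IP only" grok pattern is meant to exclude (assumption:
# RFC 1918, loopback, link-local, multicast and reserved). Documentation
# ranges such as 198.51.100.0/24 are used below as constructed stand-ins
# for public addresses.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]
# Dotted-quad candidates; the look-arounds stop partial matches inside
# longer dotted strings such as version numbers.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def public_ips(line: str) -> list[str]:
    """Return the public IPv4 addresses in one log line, deduplicated, in order."""
    found: list[str] = []
    for text in IPV4_RE.findall(line):
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
        if any(ip in net for net in NON_PUBLIC) or text in found:
            continue
        found.append(text)
    return found

def threat_indicated(scores: dict[str, int]) -> bool:
    """Combine per-feed lookup scores into a single flag.
    Assumption: a feed counts as a hit when its score is non-zero. This is
    the rule the post expects, not Graylog's pipeline implementation."""
    return any(score != 0 for score in scores.values())

# Constructed sample log lines (not from the original post).
SAMPLE_LOGS = [
    "Jun 12 10:01:03 fw1 kernel: SRC=10.0.0.5 DST=198.51.100.23 PROTO=TCP DPT=443",
    "Jun 12 10:01:04 fw1 kernel: SRC=192.168.1.10 DST=172.16.5.4 PROTO=UDP DPT=53",
    "Jun 12 10:01:05 fw1 sshd[7]: Failed password for root from 203.0.113.77 port 51234",
    "Jun 12 10:01:06 fw1 kernel: SRC=127.0.0.1 DST=203.0.113.5 PROTO=ICMP",
]

def extract_all(lines: list[str]) -> dict[str, list[str]]:
    """Map each log line to the public addresses the extractor should produce."""
    return {line: public_ips(line) for line in lines}

if __name__ == "__main__":
    for line, ips in extract_all(SAMPLE_LOGS).items():
        print(ips, "<-", line)
    print(threat_indicated({"otx": 6, "tor_exit": 0, "spamhaus_drop": 0}))
```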