How to configure open source TI feeds in Graylog


(Prakash A) #1

Dear All,

I need to configure third-party open source feeds on our Graylog server. I am using Graylog 2.5 in my environment. I want to implement the frameworks below in my Graylog. Could someone please confirm how to do this? I am new to the Graylog application.

C1fApp
Megatron
Cymon
VirusTotal

Thanks.


(Tess) #2

I’m very interested in what your possible use-case is here. It looks like you’re wanting to gather threat intelligence into Graylog. But what exactly is it that you need? Are you looking to correlate things like IP addresses to known bad actors? Or do you want their daily information feeds? Etc.


(Prakash A) #3

Yes, I want to gather threat intelligence into Graylog; I need daily information feeds.


(Tess) #4

Well, not to be too blunt, but here’s your best place to start:


(Prakash A) #5

Dear @Totally_Not_A_Robot, thank you for your quick reply :+1:. Here I have to mention the threat intelligence feed configuration.

I have created a pipeline called “Threat Intelligence Lookup”, added streams and a timeline as per the TI feed, and added a new rule called “Threat Intelligence Lookups: EventID”.

To search for EventID matches, I run the following query: EventID_threat_indicated: true, as per the https://www.graylog.org/post/integrating-threat-intelligence-with-graylog URL.

But in search, the logs are not displaying. What have I missed? Is there anything I have done wrong? I have attached a pipeline and rules snapshot for your reference.


(Tess) #6

Aha! So you are using the built-in TI plugin. That’s an important detail; based on your opening post it looked like you wanted to use those four companies’ feeds and were asking how to get their data in.

Now, was the plugin configured with an API key for AlienVault OTX? Because it seems that this is currently the only TI feed used by the plugin. Have you verified that this connection works and that the plugin can actually retrieve data from AlienVault?


(Prakash A) #7

Dear @Totally_Not_A_Robot, I want to implement those as well, but I am trying the default plugin for the TI feed reference configuration. The OTX API key has also been added.


(Tess) #8

Then one extra test you can do is see whether the API connection actually works from the Graylog box. Can you use curl or wget from the command line to interact with the feed? This will allow you to troubleshoot the network connection from the Graylog host to the OTX API. You’ll verify whether proxies/firewalls/etc. are opened up correctly.


(Ben van Staveren) #9

Actually here’s another test, for shits and giggles. Empty the rule body where you do the threat lookup, and add another stage to the pipeline after the stage where the now-empty threat lookup rule lives. See if that blank stage has any throughput. If it doesn’t, no messages carry an EventID field at the time they enter the pipeline, which would also explain the lack of threat detection.

Just as a random late night 2 cent option.


(Jan Doberstein) #10

For debugging we have the debug function:

http://docs.graylog.org/en/2.5/pages/pipelines/functions.html#debug


(Prakash A) #11

@benvanstaveren, I tried the same as what you suggested; I am getting throughput from the pipeline.


(Ben van Staveren) #12

Okay, then I’m totally out of ideas, because threat_intel_lookup_* always returns a true/false, so in your case there has to be an EventID_threat_indicated field present if you restore the pipeline function to actually do the set_fields(…) part.

Only thing I can think of is that you’re not doing the search correctly but that seems unlikely :slight_smile:
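As an added example (not part of this thread and not the plugin's own code), here is the shape of a lookup rule like the one discussed in #5 and #12, with the debug() call from #10 used to confirm that the input field actually reaches the stage. It assumes the threat intelligence plugin is installed with its OTX API key set, and it assumes a message field named src_addr that holds a source IP address: the rule name, the field name and the pipeline stage are illustrative assumptions, and the lookup function needs an IP address (or, for the _domain variant, a hostname) as input, so the field fed to it must contain one.

```graylog
// Added example of a Graylog 2.5 pipeline rule (not from the thread or the plugin docs).
// Assumptions: the threat intelligence plugin is installed and its OTX API key is configured,
// and messages carry a field "src_addr" containing an IPv4 address. The field name is
// an assumption; threat_intel_lookup_ip() takes an IP address, not an arbitrary identifier.
rule "Threat Intelligence Lookups: src_addr"
when
  has_field("src_addr")
then
  // Write the value about to be looked up into the Graylog server log. If this line
  // never appears there, the message did not reach this stage with a src_addr field.
  debug(concat("TI lookup for src_addr: ", to_string($message.src_addr)));

  // The lookup returns a map of fields prefixed with the second argument, for example
  // src_addr_threat_indicated (boolean) plus the names of the lists that matched.
  let intel = threat_intel_lookup_ip(to_string($message.src_addr), "src_addr");

  // Copy every returned field onto the message so it becomes searchable.
  set_fields(intel);
end
```

With this rule attached to a stage of a pipeline that is connected to the stream the messages arrive on, a search for src_addr_threat_indicated:true returns the flagged messages, and the debug() output in the server log shows which addresses were looked up. An empty stage placed after this one, as suggested in #9, still only tells you that messages pass through; the debug line is what tells you whether the field they carry is something the lookup can match.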