Available on my GitHub (https://github.com/breakandinspect/graylog) you will find two .sh (bash) files which download (threat_feed.sh) and convert (convert_feeds.sh) some open-source threat intelligence feeds for use with GL-2.3 Lookup Tables. I followed the directions on this page: http://docs.graylog.org/en/2.3/pages/lookuptables.html to set up the data as well as the cache/adapters/tables. Everything is loaded, but what I was disappointed to discover is that there is no way to cross-match/search against the Lookup Table and generate an Alert. For instance, if you're monitoring IDS/IPS information, DNS information, etc., the IPs/URLs could be bounced off the Lookup Tables to see if any known-bad, hot threats, etc. have been white/black/grey-listed for the IPs/URLs that appear in the logs (this is low-level SIEM functionality).
Is there a chance that this sort of functionality will be available in the near future? This sort of ability could take Graylog to the next level.
Thanks - Break&Inspect.
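The two steps the post describes, feed conversion and the cross-match against the resulting table, as an added example that is not part of the post and not code from the breakandinspect/graylog repository. It builds a constructed sample feed and constructed IDS/DNS/firewall log lines, converts the feed into the two-column quoted CSV that a Graylog 2.3 CSV file lookup adapter reads (the "key"/"value" header names are an assumption and must match the adapter's key/value column settings), then pulls every IPv4 address out of each log line and prints one ALERT per address found in the table. The function names convert_feed, match_logs and demo are this example's own.

```shell
#!/bin/sh
# Added example, not from the breakandinspect/graylog repository: convert a
# constructed threat feed into the two-column CSV that a Graylog 2.3 CSV
# lookup adapter reads (column names "key"/"value" are assumed to match the
# adapter settings), then cross-match constructed IDS/DNS/firewall log lines
# against it and print one ALERT per hit.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# convert_feed FEED OUT
# Drops comments and blank lines, keeps only entries whose first field is a
# valid dotted-quad IPv4 address, and writes quoted "key","value" rows.
convert_feed() {
  printf '"key","value"\n' > "$2"
  awk -F';' '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
      gsub(/[ \t]/, "", $1)
      gsub(/^[ \t]+|[ \t]+$/, "", $2)
      n = split($1, o, ".")
      ok = (n == 4)
      for (i = 1; i <= n && ok; i++)
        if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
      if (ok) printf "\"%s\",\"%s\"\n", $1, $2
    }' "$1" >> "$2"
}

# match_logs CSV LOGFILE
# Loads the lookup table into memory (skipping the header row), then pulls
# every dotted quad out of each log line and reports those present in the
# table, each address at most once per line.
match_logs() {
  awk -F',' '
    NR == FNR {
      if (FNR > 1) { gsub(/"/, "", $1); gsub(/"/, "", $2); bad[$1] = $2 }
      next
    }
    {
      line = $0
      split("", seen)
      while (match(line, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
        ip = substr(line, RSTART, RLENGTH)
        line = substr(line, RSTART + RLENGTH)
        if ((ip in bad) && !(ip in seen)) {
          seen[ip] = 1
          printf "ALERT %s matched %s: %s\n", ip, bad[ip], $0
        }
      }
    }' "$1" "$2"
}

# demo: write the constructed feed and log lines, convert, cross-match,
# and print the alerts.
demo() {
  # Constructed sample feed (documentation-range addresses, not a real list).
  cat > "$WORK/feed.txt" <<'EOF'
# constructed sample feed
198.51.100.23   ; c2-server
203.0.113.9     ; scanner

999.1.1.1       ; bogus - dropped by the validator
evil.example    ; hostname - dropped (IP-only table)
192.0.2.77      ; malware-dl
EOF
  # Constructed sample log lines of the kinds the post mentions.
  cat > "$WORK/logs.txt" <<'EOF'
2017-10-03T10:12:01 suricata alert src=203.0.113.9 dst=10.0.0.5 sig="ET SCAN"
2017-10-03T10:12:02 dns query 10.0.0.7 -> example.net A 198.51.100.23
2017-10-03T10:12:03 dns query 10.0.0.8 -> intranet.local A 10.0.0.9
2017-10-03T10:12:04 firewall allow 192.0.2.77 -> 10.0.0.5 tcp/443
EOF
  convert_feed "$WORK/feed.txt" "$WORK/lookup.csv"
  match_logs "$WORK/lookup.csv" "$WORK/logs.txt"
}

demo
```

With a real feed, the CSV that convert_feed writes is the file the CSV file adapter would point at; the validator is there because feeds mix hostnames, CIDR ranges and comment lines that a plain IP table cannot use. match_logs stands in for the cross-match the post asks about, and its hits on a known sample are a useful expected-result set to compare against whatever the Graylog side produces.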