I installed Graylog 2.4.3 version in ubuntu and I am started understanding how the threat intelligence plugin works. I read the documentation and this plugin add the pipeline function to enrich the log messages with threat intelligence data.
As I wanted to see how this plugin identifies the threat data, so for that I have pushed some sample IIS logs to graylog using collector-sidecar.
Below is the rule I have created for the pipeline,
rule "Threat_Intelligence_Lookups"
when
has_field("SourceAddress")
then
let src_addr_threatintel = threat_intel_lookup_ip(to_string($message.SourceAddress), "SourceAddress");
set_fields(src_addr_threatintel);
end
Also I have the read the above blog where it mentioned
The lookup will be performed on those messages that contain the fields “domain”, “src_addr”, or “dst_addr”. For each message that matches, a new field will be added to the message, “X_threat_indicated”. (X represents the name of the field we compared against)
Yes after the message got routed to the pipeline I can able to see new field is added to the message
SourceAddress_threat_indicated:false
But here I am not understand I haven’t added any lookup for the messages then how the threat_intel_lookup_ip will able to identify the threat data and also in the documentation I couldn’t find the related informations.
One more doubt…
Let’ say I have enabled service Tor exit nodes in the threat intelligence lookup configuration and I have added the below rule in the pipeline,
rule "tor_lookup"
when
has_field("clientip")
then
let intel = tor_lookup(to_string($message.clientip));
set_field("src_addr_is_tor_exit_node", intel.threat_indicated);
end
I can see in Lookup tables by default it has Tor Exit Node List lookup table configured. After the messages were routed to the pipeline I always get this new field and value as false, src_addr_is_tor_exit_node:false
Why the value is false always?
Does that mean the IP is not in the tor node list? By that means there is no threat in the data.
