Setting up Threat Intelligence To Use OTX in 2.4.x


#1

I am really excited to set up OTX support in the new 2.4.x version of Graylog.

I am attempting to follow the usage guide but am completely lost on what I need to do.

Is there another guide for a basic Threat Intelligence Plugin setup?


(Jochen) #2

No.

Where exactly are you struggling?


#3

To be honest, at the first steps. I have created a new pipeline, with the following rules, based on the following type of message.

<189>date=2018-01-05 time=08:14:29 devname=FGT_300D_Primary devid=FGT3HD12345678 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" logtime=1515158069 srcip=8.31.233.148 srcport=51459 srcintf="port2" srcintfrole="wan" dstip=64.141.174.150 dstport=25 dstintf="port4" dstintfrole="lan" poluuid="1060c282-48f7-51e5-0efc-d4e2ac9bbe11" sessionid=108218712 proto=6 action="close" policyid=23 policytype="policy" service="SMTP" dstcountry="United States" srccountry="United States" trandisp="dnat" tranip=10.0.1.252 tranport=25 appid=27559 app="SMTPS" appcat="Email" apprisk="medium" applist="default" appact="detected" duration=5 sentbyte=500749 rcvdbyte=14071 sentpkt=367 rcvdpkt=245 utmaction="allow" countapp=2 dstdevtype="Router/NAT Device" masterdstmac="12:34:b1:b7:e4:00" dstmac="12:34:b1:b7:e4:00" dstserver=0

rule "Test"
when
    // only fires once an extractor has produced a srcip field on the message
    has_field("srcip")
then
    // look up the source IP against the Threat Intelligence plugin and copy the result fields
    let src_addr_intel = threat_intel_lookup_ip(to_string($message.srcip), "srcip");
    set_fields(src_addr_intel);

    // this lookup runs even when the message has no dns_question field
    let dns_question_intel = threat_intel_lookup_domain(to_string($message.dns_question), "dns_question");
    set_fields(dns_question_intel);
end

And yet nothing is being processed.


#4

Check System - Configurations - Message Processors Configuration.
If your srcip and dns_question fields are made by an extractor (like regex or grok), then probably your Pipeline Processor is before the Message Filter Chain, as that was the cause of the problem in my case.
Threat Intel started to work only after I put the Pipeline Processor after the Message Filter Chain.
RTFM sometimes helps :slight_smile:


#5

Arvo, that was exactly the issue I was having. You rock man, thank you so much.

EDIT:

After adding OTX Lookups using the following code I am not getting the “threat_ids” or “threat_names” but am getting “threat indicated”.

Here is my code.

rule "OTX Lookup"
when
    has_field("srcip")
then
    // OTX lookup on the source IP; the domain variant is kept for reference
    let intel = otx_lookup_ip(to_string($message.srcip));
    //let intel = otx_lookup_domain(to_string($message.dns_question));

    // copy the three result values onto the message
    set_field("threat_indicated", intel.otx_threat_indicated);
    set_field("threat_ids", intel.otx_threat_ids);
    set_field("threat_names", intel.otx_threat_names);
end
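The two rules above (post #3 and post #5) and the processor-ordering point in post #4 can be reproduced outside Graylog with a small stand-in. The following Python is an added example, not code from the thread or from the Graylog project: it parses a constructed FortiGate key=value line of the shape shown above, runs a lookup against a constructed, fictional indicator table that mimics the `otx_threat_indicated` / `otx_threat_ids` / `otx_threat_names` result shape, and shows that the enrichment only fires when field extraction runs before the rule. All addresses, pulse ids and names are made up (TEST-NET ranges), and `parse_fortigate`, `lookup_ip`, `enrich` and `process` are names chosen here, not Graylog functions.

```python
import re

# Constructed sample in the FortiGate key=value syslog format from the thread.
# 192.0.2.10 is a TEST-NET address, not a real indicator.
SAMPLE_LINE = (
    '<189>date=2018-01-05 time=08:14:29 devname=FGT_300D_Primary '
    'logid="0000000013" type="traffic" srcip=192.0.2.10 srcport=51459 '
    'dstip=198.51.100.25 dstport=25 service="SMTP" dstcountry="United States" '
    'action="close"'
)

# key=value pairs: the value is either double-quoted (may contain spaces) or bare
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed, fictional indicator table standing in for the OTX lookup backend.
INDICATORS = {
    "192.0.2.10": {"ids": ["pulse-example-1"], "names": ["Example SMTP abuse pulse"]},
}


def parse_fortigate(line: str) -> dict:
    """Extract key=value fields from one FortiGate line (the extractor/grok stage).

    The leading <PRI> syslog priority is dropped. Until this stage has run, the
    message has no 'srcip' field for a pipeline rule to match on."""
    body = re.sub(r"^<\d+>", "", line)
    fields = {}
    for match in _KV_RE.finditer(body):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def lookup_ip(ip: str) -> dict:
    """Return a result with the same three keys the thread reads off otx_lookup_ip."""
    hit = INDICATORS.get(ip)
    return {
        "otx_threat_indicated": hit is not None,
        "otx_threat_ids": list(hit["ids"]) if hit else [],
        "otx_threat_names": list(hit["names"]) if hit else [],
    }


def enrich(message: dict) -> dict:
    """The 'OTX Lookup' rule: when srcip exists, look it up and set three fields."""
    out = dict(message)
    if "srcip" in message:  # equivalent of has_field("srcip")
        intel = lookup_ip(str(message["srcip"]))
        out["threat_indicated"] = intel["otx_threat_indicated"]
        out["threat_ids"] = intel["otx_threat_ids"]
        out["threat_names"] = intel["otx_threat_names"]
    return out


def process(line: str, extractor_first: bool) -> dict:
    """Run extraction and the rule in the given order, mirroring the Message
    Processors configuration. With the rule before extraction it sees only the
    raw message, has_field("srcip") is false, and no threat fields are set."""
    message = {"message": line}
    if extractor_first:
        message.update(parse_fortigate(line))
        message = enrich(message)
    else:
        message = enrich(message)  # no srcip yet, rule does nothing
        message.update(parse_fortigate(line))
    return message


if __name__ == "__main__":
    for order in (True, False):
        result = process(SAMPLE_LINE, extractor_first=order)
        print("extractor first" if order else "pipeline first",
              "->", result.get("threat_indicated", "<not set>"),
              result.get("threat_ids", []))
```

Running it prints a hit with the fictional pulse id when extraction comes first and `<not set>` when the rule runs first, which is exactly the symptom described in post #3 and the fix described in post #4.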
