Setting up Threat Intelligence To Use OTX in 2.4.x

HanSolo71 · January 4, 2018, 8:46pm

I am really excited to setup OTX support in the new 2.4.x version of Graylog.

I am attempting to follow the usage guide but am completely lost on what I need to do.

Is there another guide for a basic Threat Intelligence Plugin setup?

jochen · January 4, 2018, 10:20pm

No.

Where exactly are you struggling?

HanSolo71 · January 5, 2018, 1:18pm

To be honest, at the first steps. I have created a new pipeline, with the following rules, based on the following type of message.

<189>date=2018-01-05 time=08:14:29 devname=FGT_300D_Primary devid=FGT3HD12345678 logid=“0000000013” type=“traffic” subtype=“forward” level=“notice” vd=“root” logtime=1515158069 srcip=8.31.233.148 srcport=51459 srcintf=“port2” srcintfrole=“wan” dstip=64.141.174.150 dstport=25 dstintf=“port4” dstintfrole=“lan” poluuid=“1060c282-48f7-51e5-0efc-d4e2ac9bbe11” sessionid=108218712 proto=6 action=“close” policyid=23 policytype=“policy” service=“SMTP” dstcountry=“United States” srccountry=“United States” trandisp=“dnat” tranip=10.0.1.252 tranport=25 appid=27559 app=“SMTPS” appcat=“Email” apprisk=“medium” applist=“default” appact=“detected” duration=5 sentbyte=500749 rcvdbyte=14071 sentpkt=367 rcvdpkt=245 utmaction=“allow” countapp=2 dstdevtype=“Router/NAT Device” masterdstmac=“12:34:b1:b7:e4:00” dstmac=“12:34:b1:b7:e4:00” dstserver=0

rule “Test”

when
has_field(“srcip”)
then

let src_addr_intel = threat_intel_lookup_ip(to_string($message.srcip), “srcip”);
set_fields(src_addr_intel);

let dns_question_intel = threat_intel_lookup_domain(to_string($message.dns_question), “dns_question”);
set_fields(dns_question_intel);

end

And yet nothing is being processed

Arvo · January 10, 2018, 8:35am

Check System-Configurations - Message Processors Configuration
If your srcip and dns_question fields are made by extractor (like regex or grok), then probably your Pipeline Processor is before Message Filter Chain, as it was the problem cause in my case.
Threat Intel started to work only after I put Pipeline Processor after Message Filter Chain.
RTFM sometimes helps

HanSolo71 · January 10, 2018, 5:03pm

Arvo, that was exactly the issue I was having. You rock man, thank you so much.

EDIT:

After adding OTX Lookups using the following code I am not getting the “threat_ids” or “threat_names” but am getting “threat indicated”.

Here is my code.

rule "OTX Lookup"
when
    has_field("srcip")
then
let intel = otx_lookup_ip(to_string($message.srcip));
//let intel = otx_lookup_domain(to_string($message.dns_question))

set_field("threat_indicated", intel.otx_threat_indicated);
set_field("threat_ids", intel.otx_threat_ids);
set_field("threat_names", intel.otx_threat_names);
end

system · January 25, 2018, 12:19am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Open Threat Exchange Plugin Slow Graylog Add-ons	1	618	August 27, 2020
Threat Intelligence Throughput in Graylog Graylog Central (peer support)	2	389	May 22, 2020
Mikrotik Log and email notification alert Graylog Central (peer support) alert	3	1611	January 18, 2022
Alert Notification Graylog Central (peer support) pipeline-rules , route-to-streampl	5	1621	October 8, 2019
Graylog Email Alert Graylog Central (peer support)	1	298	October 11, 2018

Setting up Threat Intelligence To Use OTX in 2.4.x

Related Topics