I have the pipeline working, I can see the my Graylog server making the requests externally to what I’m assuming is trying to lookup the IP address, but I’ve attempted to trigger an alert manually by making a request to a known tor node but my value isn’t changing to true. From what I could tell from the source code, it appeared the plugin was simply just looking up the IP address and returning true/false based on if the IP address existed in the remote database.
Another thing I noticed, if you look at the values of a message that has been processed by the new threat intel modules are when you select a message and view all the fields, the values that are returned look like you would expect “False”. If you perform a sort by that value, the values return as “0”. Will that have an effect when setting a condition when trying to alert for a value such as “True”, as I’m assuming the value for “True” would return a “1” if it was sorted?
EDIT: Just to add as well, I guess it’s possible the IP address I’m using could potentially not be identified as a tor node in the list we are querying but I tried a few and I would assume at least one would hit.
I’m extracting the Destination IP address from my Sysmon, I should probably change the rule to trigger when eventid==3 but at the moment I’m just trying to get it to work. This is one of the pipelines I’m testing out which is a simple TOR lookup.
rule "TOR"
when
has_field("DestinationIp")
then
let intel = tor_lookup(to_string($message.DestinationIp));
set_field("tor_node", intel.threat_indicated);
end
