Threat Intel Plugin

I have the pipeline working, and I can see my Graylog server making requests externally, which I’m assuming is it trying to look up the IP address. I’ve attempted to trigger an alert manually by making a request to a known tor node, but my value isn’t changing to true. From what I could tell from the source code, it appeared the plugin was simply looking up the IP address and returning true/false based on whether the IP address existed in the remote database.

Another thing I noticed: when you select a message that has been processed by the new threat intel modules and view all the fields, the values that are returned look like you would expect, “False”. If you perform a sort by that value, the values return as “0”. Will that have an effect when setting a condition to alert on a value such as “True”, as I’m assuming the value for “True” would return a “1” if it was sorted?

EDIT: Just to add as well, I guess it’s possible the IP address I’m using could potentially not be identified as a tor node in the list we are querying but I tried a few and I would assume at least one would hit.
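The lookup described in the post above, a true/false answer based on whether the IP is present in a list, can be reproduced offline to confirm that a test IP is actually on the list before expecting `tor_node` to become true. This is an added example, not part of the original post or the plugin's code; it assumes the list is in the Tor Project's exit-addresses text format (the thread does not say which list the plugin queries), and the sample data and function names are constructed.

```python
import ipaddress

# Constructed sample in the Tor Project "exit-addresses" text format
# (documentation-range IPs, made-up fingerprints); not real list data.
SAMPLE_EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000001
Published 2017-11-01 10:00:00
LastStatus 2017-11-01 11:00:00
ExitAddress 192.0.2.10 2017-11-01 11:05:00
ExitNode 0000000000000000000000000000000000000002
Published 2017-11-01 10:30:00
LastStatus 2017-11-01 11:00:00
ExitAddress 198.51.100.7 2017-11-01 11:06:00
ExitAddress 198.51.100.8 2017-11-01 11:07:00
"""

def parse_exit_addresses(text):
    """Return {ip: fingerprint} for every ExitAddress line in the list."""
    exits, current = {}, None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ExitNode":
            current = parts[1]
        elif len(parts) >= 2 and parts[0] == "ExitAddress":
            try:
                ip = ipaddress.ip_address(parts[1])
            except ValueError:
                continue  # skip malformed entries instead of failing the load
            exits[ip] = current
    return exits

def check_test_ips(candidates, exits):
    """Map each candidate to True/False (listed or not); None if not an IP."""
    result = {}
    for raw in candidates:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            # e.g. the empty string produced when the source field is missing
            result[raw] = None
            continue
        result[raw] = ip in exits
    return result

if __name__ == "__main__":
    exits = parse_exit_addresses(SAMPLE_EXIT_LIST)
    tests = ["198.51.100.8", "203.0.113.5", ""]
    for ip, hit in check_test_ips(tests, exits).items():
        print(f"{ip!r:20} listed={hit}")
```

Feeding it the current list and the destination IPs used for the manual test shows whether any of them should have produced a hit at all.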

Please provide all relevant details about your setup, your pipeline rules, and some example messages.

These are stored as boolean values in Elasticsearch. See “Boolean datatype” in the Elasticsearch Reference [5.6] for details.

I’m extracting the Destination IP address from my Sysmon. I should probably change the rule to trigger when eventid==3, but at the moment I’m just trying to get it to work. This is one of the pipelines I’m testing out, which is a simple TOR lookup.

rule "TOR"
when has_field("DestinationIp") // condition assumed; the post does not show one
then
  let intel = tor_lookup(to_string($message.DestinationIp));
  set_field("tor_node", intel.threat_indicated);
end

intel.threat_indicated is a boolean value.

Also see my previous post in this topic:

Thanks Jochen. Any idea as to why it wouldn’t be returning true, though, on a known TOR lookup? It appears I’m getting responses back from the lookup.

Related issue on GitHub:
