Threat Intel Setup

Good afternoon all

I’m looking for some guidance or maybe some reference material on how to complete the task at hand.

What I’m trying to do is utilize the threat intel pack (already installed) so that traffic from our endpoints is being analyzed against this and then create alerts as needed based on matches.

Hello && Welcome

Under System/Content Pack I assume that we’re talking about Threat Intel Plugin Shipped Content and you clicked the button Install? If this is correct, did you enable it under System/Configurations?

Thank you for the reply. I’ve started following the above and creating pipelines.

However I’m not seeing anything hit the pipeline stage as I expect, nor am I seeing the fields added to the messages so I’m not sure what’s missing.

It would be helpful if you could post more detail. There is a whole unknown section of how the data coming in is getting to the pipeline (input, stream rules, example messages), as well as posting the rule code (using the </> forum tool to make it readable and pretty, as well as obfuscating anything of a secure nature).

You can use the debug() function in the rule and watch for the results in your Graylog log as well… though we need to make sure that the messages are hitting the rule first…

Watch the logs with something like: tail -f /var/log/graylog-server/server.log

For sure! Let me provide some additional detail to the current setup.

Right now the input is coming in from a TCP syslog collector inside of Graylog. This pipeline is based on the “all messages” stream for testing before I start tweaking it back.

Here is example rule code from the pipeline:

```
rule "Threat Intelligence Lookups: dst_ip"
when
    has_field("dst_ip")
then
    set_fields(threat_intel_lookup_ip(to_string($message.dst_ip), "dst_ip"));
end
```
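An added example, written for this thread and not part of the original post or of the Graylog content pack, that instruments the same lookup with debug() so the server.log shows whether messages actually reach the rule, and adds a preceding stage that populates dst_ip when syslog has not already broken it out. The `dst=<ip>` pattern in the raw message, the field names `dst_ip_threat_indicated` and `dst_ip_threat_names` produced by the lookup, and the stage ordering are assumptions for illustration; adjust the regex to whatever your syslog source actually emits and check the real field names on an enriched message.

```graylog
// Stage 0 (assumed): derive dst_ip from the raw syslog text when no extractor
// or syslog parser has already set it. The "dst=" pattern is a constructed
// assumption about the source format, not something the thread confirms.
rule "Extract dst_ip from syslog message"
when
    has_field("message") && ! has_field("dst_ip")
then
    let m = regex("dst=(\\d{1,3}(?:\\.\\d{1,3}){3})", to_string($message.message));
    // regex() returns a map keyed by capture-group index; "0" is the first group.
    set_field("dst_ip", m["0"]);
    debug(concat("extracted dst_ip=", to_string(m["0"])));
end

// Stage 1 (assumed to run after the extraction stage): the lookup itself,
// with debug() calls that land in /var/log/graylog-server/server.log so you
// can confirm both that the rule fired and what the lookup returned.
rule "Threat Intelligence Lookups: dst_ip (debug)"
when
    has_field("dst_ip")
then
    debug(concat("threat intel rule hit for dst_ip=", to_string($message.dst_ip)));
    let intel = threat_intel_lookup_ip(to_string($message.dst_ip), "dst_ip");
    // Assumed result keys: dst_ip_threat_indicated (boolean) and
    // dst_ip_threat_names; verify against a message the rule has enriched.
    set_fields(intel);
    debug(concat("threat intel lookup result: ", to_string(intel)));
end
```

If the first debug line never appears in server.log while messages are visible in the "All messages" stream, the problem is upstream of the rule (stream connection or stage ordering), not the lookup; if the first line appears but the second shows an empty result, the field is present but the plugin data sources are not enabled or not returning matches.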

The rule in the screenshot is “OTX Lookup: src_addr” while the rule you posted is “Threat Intelligence Lookups: dst_ip”. Maybe you just renamed it?

How are you breaking out the dst_ip (or src_addr, whichever one you are doing)? Is that something syslog is doing for you, or do you have an extractor or a separate rule/pipeline? I can assume that field shows up when looking at the detail on the message?

I am not currently using the plugin so I don’t have a lot of experience with it…

