Open ion-storm opened 7 years ago
Basically same features as threat pinch implemented into Graylog threat Intel. Also I'd like to add malware domains lists as well
We'll start looking into this really soon!
Emerging threats pulls from here
Hi Gents,
Sounds good to have a generic lookup feature for log enrichment in particular for otx, virustotal and misp hashes. 👍
Find below some additional free sources I'd like to use to enrich my logs with:
http://rules.emergingthreats.net/blockrules
http://rules.emergingthreats.net/fwrules
http://hailataxii.com
https://www.iblocklist.com/lists
http://mirror1.malwaredomains.com
https://www.phishtank.com/
https://isc.sans.edu/suspicious_domains.html
Cheers
I have Graylog parse and add an MD5 field for each file executed on windows systems, can we add MD5 file checking:
OTX already supports MD5/SHA256/imphash lookup, example: https://otx.alienvault.com/indicator/file/db349b97c37d22f5ea1d1841e3c89eb4
API Examples: https://otx.alienvault.com/static/external_api.html#panel_api_v1_indicators_file__file_hash___section_
VirusTotal file hash lookups would be very useful for use in combination with messages received from sysmon.
How is this going? Will it be added soon?
The current options of TOR, abuse.ch (seems to be discontinued: https://ransomwaretracker.abuse.ch/) and Spamhaus are just not enough these days. AFAIK AlienVault's OTX isn't part of the Threat Intel Plugin any longer.
Additional integrations are badly needed.
Please add the following IOCs and lookups; I'd like to use Sysmon hash checks as well:
IPv4
MD5
SHA1
SHA256
CVE
FQDN (EFQDN is for Internet FQDN, IFQDN is for internal domains)

ThreatMiner for IPv4, FQDN, MD5, SHA1 and SHA2 lookups.
AlienVault OTX for IPv4, MD5, SHA1 and SHA2 lookups.
IBM X-Force Exchange for IPv4, EFQDN lookups.
VirusTotal for MD5, SHA1, SHA2 and FQDN lookups.
Cymon.io for IPv4 lookups.
CIRCL (Computer Incident Response Center Luxembourg) for CVE lookups.
PassiveTotal for FQDN Whois lookups.
MISP for MD5 and SHA2 (if you want more, submit an issue in this GitHub).
Censys.io for IPv4 lookups.
Shodan for IPv4 lookups.
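Added example, not part of this thread and not code from the Graylog Threat Intel plugin: a small Python enrichment routine showing the generic lookup the thread asks for, covering the hash lookups requested for Sysmon messages (MD5/SHA1/SHA256) together with the IPv4 and FQDN indicator types listed above. It classifies and normalises each candidate indicator, matches it against a local table that stands in for a feed such as OTX or MISP, and attaches the results to the message. The indicator table, the sample message and the `threat_*` output field names are constructed for the example; the `Hashes` field layout is Sysmon's own `ALGO=VALUE,...` format, and the file-indicator URL shape is taken from the OTX link quoted earlier in the thread.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed local indicator table standing in for a threat feed (OTX, MISP, ...).
# Keys are normalised (lower-case) indicator values; the value names the source.
LOCAL_IOCS: Dict[str, str] = {
    "db349b97c37d22f5ea1d1841e3c89eb4": "otx",        # MD5 from the OTX URL quoted in the thread
    "evil.example.net": "phishtank",                  # constructed FQDN indicator
    "198.51.100.23": "emergingthreats",               # constructed IPv4 indicator (TEST-NET-2)
}

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def classify_indicator(value: str) -> Tuple[Optional[str], str]:
    """Return (indicator type, normalised value). Type is None when the value is
    not an MD5/SHA1/SHA256 hex digest, an IPv4 address or a syntactically valid FQDN."""
    v = value.strip().lower()
    if not v:
        return None, v
    kind = HASH_LENGTHS.get(len(v))
    if kind and HEX_RE.match(v):          # right length AND hex: a hash, not a domain
        return kind, v
    try:
        ip = ipaddress.ip_address(v)
        return ("ipv4", v) if ip.version == 4 else (None, v)   # only IPv4 is requested
    except ValueError:
        pass
    if FQDN_RE.match(v):
        return "fqdn", v
    return None, v


def otx_indicator_url(kind: str, value: str) -> Optional[str]:
    """Build the OTX reference URL for file hashes (URL shape from the thread);
    other indicator types return None rather than guessing a path."""
    if kind in ("md5", "sha1", "sha256"):
        return f"https://otx.alienvault.com/indicator/file/{value}"
    return None


def parse_sysmon_hashes(hashes_field: str) -> Dict[str, str]:
    """Parse Sysmon's 'SHA1=...,MD5=...,SHA256=...,IMPHASH=...' field into a dict."""
    out: Dict[str, str] = {}
    for part in hashes_field.split(","):
        algo, sep, digest = part.partition("=")
        if sep:                            # skip malformed fragments without '='
            out[algo.strip().lower()] = digest.strip().lower()
    return out


def lookup(value: str, iocs: Dict[str, str] = LOCAL_IOCS) -> Optional[Dict[str, Optional[str]]]:
    """Classify one value and look it up; None when unsupported or not listed."""
    kind, norm = classify_indicator(value)
    if kind is None:
        return None
    source = iocs.get(norm)
    if source is None:
        return None
    return {"indicator": norm, "type": kind, "source": source,
            "reference": otx_indicator_url(kind, norm)}


def enrich_message(message: Dict[str, str], iocs: Dict[str, str] = LOCAL_IOCS) -> Dict:
    """Add constructed 'threat_indicated' / 'threat_matches' fields to a Sysmon-style
    message dict, checking the Hashes field and the network fields if present."""
    candidates: List[str] = []
    if message.get("Hashes"):
        candidates.extend(parse_sysmon_hashes(message["Hashes"]).values())
    for field in ("DestinationIp", "DestinationHostname", "SourceIp"):
        if message.get(field):
            candidates.append(message[field])
    matches = [m for m in (lookup(c, iocs) for c in candidates) if m]
    enriched = dict(message)
    enriched["threat_indicated"] = bool(matches)
    enriched["threat_matches"] = matches
    return enriched


# Constructed Sysmon-like process-creation message (upper-case digests, as Sysmon emits them).
SAMPLE_MESSAGE = {
    "EventID": "1",
    "Image": "C:\\Users\\alice\\Downloads\\invoice.exe",
    "Hashes": "SHA1=0F1E2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C,MD5=DB349B97C37D22F5EA1D1841E3C89EB4",
    "DestinationIp": "198.51.100.23",
    "DestinationHostname": "cdn.example.org",
}

if __name__ == "__main__":
    for hit in enrich_message(SAMPLE_MESSAGE)["threat_matches"]:
        print(hit)
```

The length-plus-hex check runs before the FQDN test so that a 64-character hex string is never mis-filed as a host name, and unsupported values (IPv6, free text, imphash) are simply skipped rather than sent to a feed as garbage.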