Graylog2 / graylog-plugin-threatintel

Graylog Processing Pipeline functions to enrich log messages with IoC information from threat intelligence databases

Add more Lookup providers and file hashes #25

Open ion-storm opened 7 years ago

ion-storm commented 7 years ago

Please add the following IOCs and lookups; I'd like to use Sysmon hash checks as well:

IPv4
MD5
SHA1
SHA256
CVE
FQDN (EFQDN is for Internet FQDN, IFQDN is for internal domains)

ThreatMiner for IPv4, FQDN, MD5, SHA1 and SHA2 lookups.
Alienvault OTX for IPv4, MD5, SHA1 and SHA2 lookups.
IBM X-Force Exchange for IPv4 and EFQDN lookups.
VirusTotal for MD5, SHA1, SHA2 and FQDN lookups.
Cymon.io for IPv4 lookups.
CIRCL (Computer Incident Response Center Luxembourg) for CVE lookups.
PassiveTotal for FQDN Whois lookups.
MISP for MD5 and SHA2 (if you want more, submit an issue in this GitHub).
Censys.io for IPv4 lookups.
Shodan for IPv4 lookups.

ion-storm commented 7 years ago

Basically the same features as Threat Pinch, implemented in Graylog Threat Intel. I'd also like to add malware domain lists.

lennartkoopmann commented 7 years ago

We'll start looking into this really soon!

kurobeats commented 7 years ago

Emerging Threats pulls from here:

http://www.openbl.org/lists/base.txt

fulldanad commented 6 years ago

Hi Gents,

Sounds good to have a generic lookup feature for log enrichment, in particular for OTX, VirusTotal and MISP hashes. 👍

Find below some additional free sources I'd like to use to enrich my logs with:

http://rules.emergingthreats.net/blockrules
http://rules.emergingthreats.net/fwrules
http://hailataxii.com
https://www.iblocklist.com/lists
http://mirror1.malwaredomains.com
https://www.phishtank.com/
https://isc.sans.edu/suspicious_domains.html

Cheers

ion-storm commented 6 years ago

I have Graylog parse and add an MD5 field for each file executed on Windows systems; can we add MD5 file checking?

OTX already supports MD5/SHA256/imphash lookups. Example: https://otx.alienvault.com/indicator/file/db349b97c37d22f5ea1d1841e3c89eb4

API Examples: https://otx.alienvault.com/static/external_api.html#panel_api_v1_indicators_file__file_hash___section_
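The Sysmon hash lookups asked for in the comment above, together with the indicator types and the EFQDN/IFQDN distinction from the opening comment, as an added example. This is not code from graylog-plugin-threatintel, from the OTX API, or from anyone in this thread: it splits Sysmon's Hashes field using the algorithm labels, guesses the type of unlabelled values (hash by length, IPv4, external or internal FQDN), keeps internal names away from any lookup, and enriches the message from a constructed local IoC table. The IoC table, the internal-domain suffixes, the output field names and the two sample events are all assumptions made for the example.

```python
"""Offline prototype of the hash / IPv4 / FQDN enrichment requested in this issue.
Added example, not code from graylog-plugin-threatintel or any provider's API; the IoC
table, internal suffixes, field names and sample events are constructed so it runs
offline. A real pipeline would back lookup_indicator() with OTX, VirusTotal, MISP etc.
"""
import ipaddress
import re
from typing import Dict, Optional, Tuple

# Constructed IoC table keyed by (indicator type, normalised value). The hashes are
# those of the EICAR test file; the IP and domain are documentation-range values.
IOC_TABLE: Dict[Tuple[str, str], Dict[str, str]] = {
    ("md5", "44d88612fea8a8f36de82e1278abb02f"): {"name": "eicar-test"},
    ("sha256", "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"): {"name": "eicar-test"},
    ("ipv4", "198.51.100.23"): {"name": "c2-node"},
    ("efqdn", "bad.example.net"): {"name": "malware-domain"},
}

# Assumed internal suffixes: names ending here are IFQDNs and must never be sent
# to an external lookup provider.
INTERNAL_SUFFIXES = (".corp.example", ".internal")

# IMPHASH is also 32 hex chars, so Sysmon's own label beats length-based guessing.
SYSMON_HASH_TYPES = {"md5", "sha1", "sha256", "imphash"}
HASH_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def classify(value: str) -> Optional[str]:
    """Guess the indicator type of an unlabelled field value (None if unrecognised)."""
    v = value.strip().lower()
    if HEX_RE.match(v) and len(v) in HASH_BY_LENGTH:
        return HASH_BY_LENGTH[len(v)]
    try:
        if isinstance(ipaddress.ip_address(v), ipaddress.IPv4Address):
            return "ipv4"
    except ValueError:
        pass
    if FQDN_RE.match(v):
        return "ifqdn" if v.endswith(INTERNAL_SUFFIXES) else "efqdn"
    return None


def parse_sysmon_hashes(field: str) -> Dict[str, str]:
    """Split Sysmon's 'ALG=hex,ALG=hex,...' Hashes value into {alg: hex}."""
    out: Dict[str, str] = {}
    for part in field.split(","):
        alg, sep, digest = part.partition("=")
        if sep and alg.strip().lower() in SYSMON_HASH_TYPES:
            out[alg.strip().lower()] = digest.strip().lower()
    return out


def lookup_indicator(kind: str, value: str) -> Optional[Dict[str, str]]:
    """Local stand-in for a provider lookup. Internal names are refused here, not
    only in the caller, so no code path can leak them to a provider by accident."""
    if kind == "ifqdn":
        return None
    return IOC_TABLE.get((kind, value.lower()))


def enrich(message: Dict[str, str]) -> Dict[str, str]:
    """Copy the message and add <field>_ioc_type plus, for anything that may be
    looked up, <field>_threat_indicated and <field>_threat_name (assumed names)."""
    enriched = dict(message)
    candidates: Dict[str, Tuple[str, str]] = {}  # field -> (kind, value)
    if "Hashes" in message:  # Sysmon: trust the algorithm label
        for alg, digest in parse_sysmon_hashes(message["Hashes"]).items():
            candidates[alg] = (alg, digest)
    for field in ("src_addr", "dst_addr", "hostname", "query_name"):
        kind = classify(message.get(field, ""))  # other fields: guess the type
        if kind:
            candidates[field] = (kind, message[field])
    for field, (kind, value) in candidates.items():
        enriched[f"{field}_ioc_type"] = kind
        if kind == "ifqdn":
            continue  # internal name: record the type, do not look it up
        hit = lookup_indicator(kind, value)
        enriched[f"{field}_threat_indicated"] = hit is not None
        if hit:
            enriched[f"{field}_threat_name"] = hit["name"]
    return enriched


SAMPLE_EVENTS = [
    {  # constructed Sysmon event ID 1 (process create) fragment
        "Image": "C:\\Users\\alice\\Downloads\\eicar.com",
        "Hashes": "SHA1=3395856CE81F2B7382DEE72602F798B642F14140,"
                  "MD5=44D88612FEA8A8F36DE82E1278ABB02F,"
                  "SHA256=275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F,"
                  "IMPHASH=00000000000000000000000000000000",
    },
    {  # constructed DNS event with an internal host and an external query
        "src_addr": "10.0.0.5", "dst_addr": "198.51.100.23",
        "hostname": "ws01.corp.example", "query_name": "bad.example.net",
    },
]
```

Calling enrich() on SAMPLE_EVENTS[0] flags the MD5 and SHA256 but not the SHA1 or IMPHASH, since only the first two are in the table; on SAMPLE_EVENTS[1] the internal hostname gets hostname_ioc_type = ifqdn and no lookup at all, while dst_addr and query_name hit. Swapping lookup_indicator() for a real provider call is the only change a deployment needs, which is the point of the layout: type classification and the internal-name guard sit in front of whatever provider is plugged in.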

skear commented 5 years ago

VirusTotal file hash lookups would be very useful in combination with messages received from Sysmon.

dio99 commented 4 years ago

How is this going? Will it be added soon?

MP-blue commented 4 years ago

The current options of TOR, abuse.ch (seems to be discontinued: https://ransomwaretracker.abuse.ch/) and Spamhaus are just not enough these days. AFAIK AlienVault's OTX isn't part of the Threat Intel Plugin any longer.

Additional integrations are badly needed.