
OTX lookup result doesn't use validation information from the OTX response

Open jrvn opened this issue 7 years ago • 2 comments

As-Is: OTXLookupResult only checks the result for a non-zero count of pulses. But some of the results have a validation field, where information about whitelisting of the IP/domain can be found (not malicious, even if found in pulses). This causes a false positive result to be returned into Graylog.

To-Be: OTXLookupResult should check for the occurrence of the validation key first, and if it is false, then continue with checking the non-zero count of pulses.

Example of the result from the OTX API (indicator type IPv4, IP=8.8.8.8):

...
"validation": [
      {
        "message": "suspiciously short IP (len: 7)",
        "name": "Suspicious IP format / Possible version number",
        "source": "suspicious"
      },
      {
        "message": "contained in 8.8.8.8",
        "name": "Whitelisted IP",
        "source": "whitelist"
      }
    ],
...

Example: for inspiration, here is the code in the Python OTX-Python-SDK example, function `def ip()`.

jrvn, May 10 '18 11:05

This would be great, as I see a lot of false positives due to this lack of validation. For now, we are manually whitelisting these in the pipeline but it can be quite time consuming.

koalaeagle, Apr 19 '21 04:04

It would be nice to have some configuration options to somewhat filter the results. So, for example, it would be possible to check fields such as the whitelisting option without modifying the code. Or at the very least return more otx fields, something like "otx_whitelisted" and/or "otx_falsepositive" so that they can be applied in searches.

borjam, Jun 15 '21 15:06
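An added example (not code from graylog-plugin-threatintel or from the OTX SDK) of the To-Be check from the issue, combined with borjam's suggestion of extra searchable fields such as `otx_whitelisted`. The `validation` shape follows the excerpt above; the `pulse_info.count` key and the sample responses are assumptions constructed for this example.

```python
"""Decide whether an OTX indicator lookup should be reported as a threat,
honouring the 'validation' list before counting pulses.

Example code for this issue, not the plugin's own implementation.
"""
from typing import Any, Dict, List


def evaluate_otx_result(response: Dict[str, Any]) -> Dict[str, Any]:
    """Return enrichment fields for a Graylog message.

    Order matters: a 'whitelist' validation entry wins over any non-zero
    pulse count, which is the change the issue asks for. Every intermediate
    value is also returned so it can be used in searches and pipeline rules.
    """
    validation: List[Dict[str, Any]] = response.get("validation") or []
    # Collect the 'source' of every validation entry ('suspicious', 'whitelist', ...).
    sources = sorted({v["source"] for v in validation
                      if isinstance(v, dict) and v.get("source")})
    whitelisted = "whitelist" in sources
    # 'pulse_info.count' is assumed to be where OTX reports the number of pulses.
    pulse_count = int((response.get("pulse_info") or {}).get("count", 0))

    return {
        "otx_pulse_count": pulse_count,
        "otx_validation_sources": sources,
        "otx_whitelisted": whitelisted,
        # As-Is behaviour was simply `pulse_count > 0`; the whitelist check now comes first.
        "otx_threat_indicated": (not whitelisted) and pulse_count > 0,
    }


# Constructed sample: 8.8.8.8 appears in pulses but carries a whitelist entry.
GOOGLE_DNS = {
    "indicator": "8.8.8.8",
    "pulse_info": {"count": 42},
    "validation": [
        {"message": "suspiciously short IP (len: 7)",
         "name": "Suspicious IP format / Possible version number",
         "source": "suspicious"},
        {"message": "contained in 8.8.8.8", "name": "Whitelisted IP",
         "source": "whitelist"},
    ],
}

# Constructed sample: an indicator found in pulses with no clearing validation entry.
SUSPECT = {"indicator": "203.0.113.7", "pulse_info": {"count": 3}, "validation": []}

if __name__ == "__main__":
    for sample in (GOOGLE_DNS, SUSPECT):
        print(sample["indicator"], evaluate_otx_result(sample))
```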