graylog-plugin-threatintel

Add more Lookup providers and file hashes

Open ion-storm opened this issue 8 years ago • 8 comments

Please add the following IOCs and lookups; I'd like to use Sysmon hash checks as well:

- IPv4
- MD5
- SHA1
- SHA256
- CVE
- FQDN (EFQDN is for Internet FQDN, IFQDN is for internal domains)

Lookup providers:

- ThreatMiner for IPv4, FQDN, MD5, SHA1 and SHA2 lookups
- AlienVault OTX for IPv4, MD5, SHA1 and SHA2 lookups
- IBM X-Force Exchange for IPv4, EFQDN lookups
- VirusTotal for MD5, SHA1, SHA2 and FQDN lookups
- Cymon.io for IPv4 lookups
- CIRCL (Computer Incident Response Center Luxembourg) for CVE lookups
- PassiveTotal for FQDN Whois lookups
- MISP for MD5 and SHA2 (if you want more, submit an issue in this GitHub)
- Censys.io for IPv4 lookups
- Shodan for IPv4 lookups

ion-storm avatar Mar 02 '17 03:03 ion-storm

Basically the same features as Threat Pinch, implemented in Graylog Threat Intel. I'd also like to add malware domain lists.

ion-storm avatar Mar 02 '17 04:03 ion-storm

We'll start looking into this really soon!

lennartkoopmann avatar Mar 07 '17 00:03 lennartkoopmann

Emerging Threats pulls from here:

http://www.openbl.org/lists/base.txt

kurobeats avatar Mar 21 '17 06:03 kurobeats

Hi Gents,

Sounds good to have a generic lookup feature for log enrichment, in particular for OTX, VirusTotal and MISP hashes. 👍

Find below some additional free sources I'd like to use to enrich my logs with:

- http://rules.emergingthreats.net/blockrules
- http://rules.emergingthreats.net/fwrules
- http://hailataxii.com
- https://www.iblocklist.com/lists
- http://mirror1.malwaredomains.com
- https://www.phishtank.com/
- https://isc.sans.edu/suspicious_domains.html

Cheers

fulldanad avatar Mar 15 '18 21:03 fulldanad

I have Graylog parse and add an MD5 field for each file executed on Windows systems; can we add MD5 file checking?

OTX already supports MD5/SHA256/imphash lookups. Example: https://otx.alienvault.com/indicator/file/db349b97c37d22f5ea1d1841e3c89eb4

API Examples: https://otx.alienvault.com/static/external_api.html#panel_api_v1_indicators_file__file_hash___section_

ion-storm avatar Aug 13 '18 15:08 ion-storm
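The enrichment the comment above asks for, as an added example that is not part of the plugin or of the original thread: split a Sysmon `Hashes` field into per-algorithm fields, match them against a local IOC set, and build the OTX v1 file-indicator URL (the endpoint from the linked API docs) for an online check. The sample event, the IOC set and the field names `file_*`, `threat_*` are constructed for the example; the live `otx_lookup` helper needs an OTX API key and is not exercised offline.

```python
"""Sysmon hash enrichment example (added, not the graylog-plugin-threatintel code)."""
import json
import re
import urllib.request
from typing import Dict, Optional

# Sysmon writes its Hashes field as "MD5=...,SHA256=...,IMPHASH=..."
HASH_RE = re.compile(r"\b(MD5|SHA1|SHA256|IMPHASH)=([0-9A-Fa-f]+)")

# OTX v1 file indicator endpoint from the API docs linked in the thread
OTX_FILE_BASE = "https://otx.alienvault.com/api/v1/indicators/file"


def parse_sysmon_hashes(field: str) -> Dict[str, str]:
    """Return {ALGO: lowercase hex} for every algorithm present in the field."""
    return {algo.upper(): value.lower() for algo, value in HASH_RE.findall(field)}


def hash_type(value: str) -> Optional[str]:
    """Classify a bare hex digest by length; None if it is not a hash we handle."""
    if not re.fullmatch(r"[0-9A-Fa-f]+", value):
        return None
    return {32: "MD5", 40: "SHA1", 64: "SHA256"}.get(len(value))


def otx_lookup_url(file_hash: str, section: str = "general") -> str:
    """URL of the OTX v1 file indicator endpoint for one hash."""
    return f"{OTX_FILE_BASE}/{file_hash.lower()}/{section}"


def otx_lookup(file_hash: str, api_key: str, timeout: int = 10) -> dict:
    """Live OTX query (needs an API key; not run in the offline example)."""
    req = urllib.request.Request(
        otx_lookup_url(file_hash), headers={"X-OTX-API-KEY": api_key}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def enrich(message: dict, iocs: Dict[str, str]) -> dict:
    """Add file_<algo> fields plus threat_* fields to a Graylog-style message.

    iocs maps a lowercase hex digest to the name of the feed it came from
    (the shape a local lookup table built from OTX/MISP/VirusTotal would have).
    """
    out = dict(message)
    hashes = parse_sysmon_hashes(message.get("Hashes", ""))
    for algo, value in hashes.items():
        out[f"file_{algo.lower()}"] = value
    matches = {algo: iocs[value] for algo, value in hashes.items() if value in iocs}
    out["threat_indicated"] = bool(matches)
    if matches:
        out["threat_matches"] = matches
        # link the analyst to OTX for the strongest hash we have
        best = hashes.get("SHA256") or hashes.get("SHA1") or hashes.get("MD5")
        out["threat_otx_url"] = otx_lookup_url(best)
    return out


# Constructed sample: a Sysmon event 1 (process create) as Graylog would see it.
SAMPLE_EVENT = {
    "EventID": 1,
    "Image": r"C:\Users\demo\AppData\Local\Temp\update.exe",
    "Hashes": "MD5=DB349B97C37D22F5EA1D1841E3C89EB4,"
              "SHA256=" + "ab" * 32 + ",IMPHASH=" + "cd" * 16,
}

# Constructed local IOC set: the MD5 from the OTX link in the thread.
SAMPLE_IOCS = {"db349b97c37d22f5ea1d1841e3c89eb4": "otx"}

if __name__ == "__main__":
    print(json.dumps(enrich(SAMPLE_EVENT, SAMPLE_IOCS), indent=2))
```

The offline match is the cheap part; the same `parse_sysmon_hashes` output is what you would feed to a lookup table or to `otx_lookup` from a pipeline rule, rate-limited, since OTX and VirusTotal both meter per-key requests.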

VirusTotal file hash lookups would be very useful for use in combination with messages received from sysmon.

skear avatar Nov 16 '18 15:11 skear

How is this going? Will it be added soon?

dio99 avatar Jun 11 '20 07:06 dio99

The current options of TOR, abuse.ch (seems to be discontinued: https://ransomwaretracker.abuse.ch/) and Spamhaus are just not enough these days. AFAIK AlienVault's OTX isn't part of the Threat Intel Plugin any longer.

Additional integrations are badly needed.

MP-blue avatar Jul 30 '20 11:07 MP-blue