dsiem
Lacking documentation on Using Intel Feeds
Hi DSIEM people,
Not really an issue per se, but I'm struggling to understand how you actually implement Intel Feeds for DSIEM.
From what I can gather, you are using Wise for Moloch to collect intel from various sources. But what I'm having trouble understanding is how you grab the normalized event, and then check the data in that event against a piece of intel.
I have read https://github.com/defenxor/dsiem/blob/master/docs/directive_and_alarm.md and https://github.com/defenxor/dsiem/blob/master/docs/ti_vuln_plugins.md but no clearer really.
Would you have any pointers to assist?
Thanks
Hi, basically the intel feed plugin you implement will receive all public IP addresses from the source or destination field of the alarm. This behavior is fixed for now, so you can't use other fields from the alarm, or any field of the normalized events.
The above is also evident from the Checker interface signature.
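To make the answer above concrete, here is an added Go example (not code from the dsiem repository) of what an intel-feed plugin sees and does: only the source and destination IPs of an alarm are extracted, non-public addresses are dropped, and each remaining IP is handed to a checker. The `Checker` interface, `Result` struct and `alarm` struct are assumed shapes modelled on the maintainer's description, not copies of dsiem's own types; the blocklist and alarm values are constructed test data using RFC 5737 documentation addresses.

```go
package main

import (
	"context"
	"fmt"
	"net"
)

// Checker is an assumed interface shape for an intel-feed plugin: it is only
// ever asked about a single IP address, never about other alarm or event fields.
// (Illustration only; the real signature is in dsiem's source.)
type Checker interface {
	CheckIP(ctx context.Context, ip string) (found bool, results []Result, err error)
}

// Result is one feed match (assumed shape).
type Result struct {
	Provider string
	Term     string
	Result   string
}

// alarm carries just the two fields an intel plugin is fed.
type alarm struct {
	SrcIP string
	DstIP string
}

// isPublicIP rejects unparsable, private (RFC 1918 / ULA), loopback,
// link-local, multicast and unspecified addresses.
func isPublicIP(s string) bool {
	ip := net.ParseIP(s)
	if ip == nil {
		return false
	}
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified())
}

// publicIPs returns the distinct public addresses from an alarm's src/dst fields.
func publicIPs(a alarm) []string {
	var out []string
	seen := map[string]bool{}
	for _, s := range []string{a.SrcIP, a.DstIP} {
		if isPublicIP(s) && !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	return out
}

// staticFeed is a toy Checker backed by an in-memory blocklist (constructed data).
type staticFeed struct {
	name string
	bad  map[string]string // ip -> description
}

func (f staticFeed) CheckIP(ctx context.Context, ip string) (bool, []Result, error) {
	if desc, ok := f.bad[ip]; ok {
		return true, []Result{{Provider: f.name, Term: ip, Result: desc}}, nil
	}
	return false, nil, nil
}

// enrich runs every public IP of the alarm through each checker and returns all hits.
func enrich(ctx context.Context, a alarm, checkers []Checker) ([]Result, error) {
	var hits []Result
	for _, ip := range publicIPs(a) {
		for _, c := range checkers {
			found, res, err := c.CheckIP(ctx, ip)
			if err != nil {
				return nil, fmt.Errorf("check %s: %w", ip, err)
			}
			if found {
				hits = append(hits, res...)
			}
		}
	}
	return hits, nil
}

func main() {
	// Constructed blocklist and alarm: the private source IP is never sent to the feed.
	feed := staticFeed{name: "demo-feed", bad: map[string]string{"203.0.113.7": "known scanner"}}
	a := alarm{SrcIP: "10.0.0.5", DstIP: "203.0.113.7"}
	hits, err := enrich(context.Background(), a, []Checker{feed})
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, h := range hits {
		fmt.Printf("%s matched %s: %s\n", h.Provider, h.Term, h.Result)
	}
}
```

The practical consequence of the "public IPs only" rule is visible in `publicIPs`: an alarm whose source and destination are both internal addresses produces no lookups at all, so a feed keyed on anything other than a routable IP (domain, hash, user name) cannot be queried through this plugin path.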