I am trying to configure AlienVault OTX to my Syslog servers for threat intel and I was wondering if you could provide me with some info regarding the pipeline rules. I have already created a Data Adapter (AlienVault OTX) by adding the API key, created a Cache and a lookup table. The next step is to configure the rules for the pipeline, but I cannot figure out what rules I should use in order to generate the fields on each message I receive. I've browsed the web and found on GitHub (GitHub - Graylog2/graylog-plugin-threatintel: Graylog Processing Pipeline functions to enrich log messages with IoC information from threat intelligence databases) the rule for OTX, but it required further tweaking. The rule is:

rule "OTX lookup"
when
    true
then
    // rule/when/then skeleton and semicolons added so the rule parses; the lookup and set_field lines are the ones posted
    let intel = otx_lookup_ip(to_string($message.src_addr));
    set_field("threat_indicated", intel.otx_threat_indicated);
    set_field("threat_ids", intel.otx_threat_ids);
    set_field("threat_names", intel.otx_threat_names);
end

and, for domains:

    let intel = otx_lookup_domain(to_string($message.dns_question));

I know that the specific plugin is outdated at GitHub, but the rule should be running since AlienVault OTX exists as Data Adapter.

Step 1: Obtain AlienVault OTX API key. To obtain the API key, you will need to log in to the AlienVault OTX web site ( ). Register for a free AlienVault API key at . Navigate to API Integration and copy your OTX Key. If you don't have an account, you can sign up from the home page. Once you sign in, navigate to the Settings page and locate the OTX Key. In your RocketCyber console, now navigate to Integrations / Threat Intel (make sure you are logged in at the root MSP level for this threat feed to be applied across your fleet of customers).

otxmisp imports AlienVault OTX pulses to a MISP instance. ... with an IP/Domain from VirusTotal (this module requires a VirusTotal private API key).

HTTPS Support: Yes. CORS Support: Unknown. Authentication Type: apiKey. Price: Unknown.