
Ingesting AlientVault OTX TI feeds to HELK #305

Open. Wants to merge 48 commits into base: master.

Conversation


@weev3 weev3 commented Jul 29, 2019

What is this PR for?
Able to get more detection for your organization.
What type of PR is it?
[Feature Request]

How should this be tested?

Download and configuration file for integrating OTX Data with HELK

Install OTX python module and Download TI feeds

Install the OTX Python module with pip install OTXv2 (on your local server, not in Docker). For more information please see https://github.com/AlienVault-OTX/OTX-Python-SDK.

Place helkOTX.py in the /HELK/docker/helk-logstash/enrichments/cti/ folder (on your local server, not in Docker), since HELK already mounts the helk-logstash/enrichments/cti folder from your local system.

Run helkOTX.py with python helkOTX.py.

After running the python script, you will find these CSV files.

  • otx_domain_.csv
  • otx_ipv4_.csv
  • otx_md5_.csv
  • otx_sha1_.csv
  • otx_sha256_.csv

Install pandas

pip install pandas

Configuring SYSMON logstash file

Replace 1531-winevent-sysmon-filter.conf in the /HELK/docker/helk-logstash/pipeline/ folder.

After replacing the 1531-winevent-sysmon-filter.conf file, restart helk-logstash with docker restart helk-logstash.
Then refresh the index fields in Kibana (Management -> Index pattern -> refresh).

Then browse some IPs or domains that are included in the otx_domain_.csv and otx_ipv4_.csv files. After that you can search using ti.DestinationIP.otx:* or ti.Domain.otx:*.

Configuration Details

To fetch the destination IP (event ID 3) with AlienVault OTX TI feeds:

    translate {
      field => "[dst_ip_addr]"
      destination => "[ti][DestinationIP][otx]"
      dictionary_path => '/usr/share/logstash/cti/AlientVault/OTX-Python-SDK/HELK_IOC/otx_ipv4_.csv'
    }

To fetch the destination domain (event ID 22) with AlienVault OTX TI feeds:

    if [dns_query_name] {
      translate {
        field => "[dns_query_name]"
        destination => "[ti][Domain][otx]"
        dictionary_path => '/usr/share/logstash/cti/AlientVault/OTX-Python-SDK/test/otx_domain_.csv'
      }
    }

To fetch the file checksum (SHA256) with AlienVault OTX TI feeds:


    if [hash_sha256] {
      translate {
        field => "[hash_sha256]"
        destination => "[ti][SHA256][otx]"
        dictionary_path => '/usr/share/logstash/cti/AlientVault/OTX-Python-SDK/HELK_IOC/otx_sha256_.csv'
      }
    }

To fetch the file checksum (MD5) with AlienVault OTX TI feeds:


    if [hash_md5] {
      translate {
        field => "[hash_md5]"
        destination => "[ti][MD5][otx]"
        dictionary_path => '/usr/share/logstash/cti/AlientVault/OTX-Python-SDK/HELK_IOC/otx_md5_.csv'
      }
    }
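The two halves of this PR, the helkOTX.py script that turns OTX pulses into CSV files and the translate filters that look Sysmon fields up in those files, can be exercised end to end without network access. The block below is an added example, not the PR's helkOTX.py or HELK's own code: it builds the five CSV files from a constructed list of pulses shaped like the indicator records the OTX API returns, then applies the same field-to-destination mapping as the translate filters above to a few constructed Sysmon-style events. The pulse contents, the event values and the lower-casing of keys are assumptions made here for illustration.

```python
import csv
import os
import tempfile

# Constructed sample pulses (not real OTX data), shaped like OTX pulse records:
# each pulse has a name and a list of indicators with a "type" and an "indicator".
SAMPLE_PULSES = [
    {
        "name": "Example pulse A (constructed)",
        "indicators": [
            {"type": "IPv4", "indicator": "203.0.113.10"},
            {"type": "domain", "indicator": "bad.example"},
            {"type": "FileHash-SHA256", "indicator": "a" * 64},
        ],
    },
    {
        "name": "Example pulse B (constructed)",
        "indicators": [
            {"type": "IPv4", "indicator": "203.0.113.10"},  # same IP in two pulses
            {"type": "FileHash-MD5", "indicator": "d41d8cd98f00b204e9800998ecf8427e"},
            {"type": "FileHash-SHA1", "indicator": "b" * 40},
            {"type": "hostname", "indicator": "C2.bad.example"},
        ],
    },
]

# OTX indicator type -> CSV file name used by the PR's translate filters.
TYPE_TO_FILE = {
    "IPv4": "otx_ipv4_.csv",
    "domain": "otx_domain_.csv",
    "hostname": "otx_domain_.csv",
    "FileHash-MD5": "otx_md5_.csv",
    "FileHash-SHA1": "otx_sha1_.csv",
    "FileHash-SHA256": "otx_sha256_.csv",
}

# Sysmon field -> (dictionary file, destination field), mirroring the config above.
FIELD_MAP = {
    "dst_ip_addr": ("otx_ipv4_.csv", "ti.DestinationIP.otx"),
    "dns_query_name": ("otx_domain_.csv", "ti.Domain.otx"),
    "hash_sha256": ("otx_sha256_.csv", "ti.SHA256.otx"),
    "hash_md5": ("otx_md5_.csv", "ti.MD5.otx"),
}


def write_translate_csvs(pulses, out_dir):
    """Write one two-column CSV (indicator,pulse name) per indicator type.

    The Logstash translate filter reads a CSV dictionary as key,value rows, so
    the indicator is the key and the pulse name becomes the enrichment value.
    Keys are lower-cased and de-duplicated (first pulse wins); the translate
    filter itself matches exactly, so normalisation has to happen here.
    Returns the number of unique indicators written per file.
    """
    rows = {}
    for pulse in pulses:
        for ind in pulse.get("indicators", []):
            fname = TYPE_TO_FILE.get(ind.get("type"))
            if fname is None:          # indicator type not used by the pipeline
                continue
            key = ind["indicator"].strip().lower()
            rows.setdefault(fname, {}).setdefault(key, pulse["name"])
    counts = {}
    for fname in set(TYPE_TO_FILE.values()):   # always create all five files
        with open(os.path.join(out_dir, fname), "w", newline="") as fh:
            writer = csv.writer(fh)
            for key, value in sorted(rows.get(fname, {}).items()):
                writer.writerow([key, value])
        counts[fname] = len(rows.get(fname, {}))
    return counts


def load_dictionary(path):
    """Load a key,value CSV the way the translate filter would."""
    with open(path, newline="") as fh:
        return {row[0]: row[1] for row in csv.reader(fh) if len(row) >= 2}


def enrich_event(event, dict_dir):
    """Apply the PR's translate filters: for each mapped field present in the
    event, look its value up and set the destination field only on a hit."""
    enriched = dict(event)
    for field, (fname, dest) in FIELD_MAP.items():
        if field not in event:
            continue
        dictionary = load_dictionary(os.path.join(dict_dir, fname))
        hit = dictionary.get(str(event[field]).strip().lower())
        if hit is not None:
            enriched[dest] = hit
    return enriched


def demo():
    """Build the CSVs in a temp dir and enrich constructed Sysmon-style events."""
    events = [
        {"event_id": 3, "dst_ip_addr": "203.0.113.10"},
        {"event_id": 22, "dns_query_name": "c2.bad.example"},
        {"event_id": 1, "hash_md5": "D41D8CD98F00B204E9800998ECF8427E"},
        {"event_id": 3, "dst_ip_addr": "198.51.100.7"},   # not in any pulse
    ]
    with tempfile.TemporaryDirectory() as out_dir:
        counts = write_translate_csvs(SAMPLE_PULSES, out_dir)
        return counts, [enrich_event(e, out_dir) for e in events]


if __name__ == "__main__":
    counts, enriched = demo()
    print(counts)
    for e in enriched:
        print(e)
```

The enrichment value here is the pulse name, which is what makes a ti.*.otx:* search in Kibana tell you which feed produced the hit; if the CSV's second column is left empty or omitted, the translate filter has nothing to write and the event goes through unchanged.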

**Questions:**
* Do the licenses files need update? No
* Are there breaking changes for older versions? No
* Does this needs documentation? Yes

@neu5ron neu5ron added the labels enhancement, needs Wiki doc (issue cannot be closed unless there is documentation added to the wiki related to the issue), pipeline update and update config on Aug 5, 2019.