Skip to content

This package extends the Intel package to log more fields

License

Unknown, BSD-3-Clause licenses found

Licenses found

Unknown
LICENSE.md
BSD-3-Clause
COPYING
Notifications You must be signed in to change notification settings

corelight/ExtendIntel

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

ExtendIntel

This package extends the Intel package to log more fields

If the intel file contains the following fields, the data will automatically be added to the intel.log.

  • threat_score
  • verdict
  • verdict_source
  • confidence
  • desc
  • lastseen
  • firstseen
  • url
  • reports
  • campaigns
  • associated
  • category

Intel log

Without this package, the standard intel.log would have content like the following:

{
  "@path":"intel",
  "@sensor":"Lab-AP200",
  "@timestamp":"2023-01-06T05:13:38.841292Z",
  "ts":"2023-01-06T05:13:38.841292Z",
  "uid":"CNh51N3dSRfMZG1Pt4",
  "id.orig_h":"195.133.40.86",
  "id.orig_p":64910,
  "id.resp_h":"192.168.13.20",
  "id.resp_p":80,
  "seen.indicator":"77.247.181.165",
  "seen.indicator_type":"Intel::ADDR",
  "seen.where":"Conn::IN_ORIG",
  "matched": [
    "Intel::ADDR"
  ],
  "sources": [
    "blocklist_de",
    "cinsscore_ci_badguys",
    "blocklist_net_ua",
    "Mandiant",
    "dshield_block"
  ],
}

If the ExtendIntel Zeek package is loaded, the intel.log will be enriched with additional content like the following:

{
  "confidence": [99],
  "threat_score": [100],
  "verdict": ["malicious"],
  "verdict_source": ["analystVerdict"],
  "desc": ["Mandiant Threat Intellegence"]
  "lastseen": ["2023-01-03T16:10:54Z"],
  "firstseen": ["2021-03-20T10:10:01Z"],
  "url": ["https://advantage.mandiant.com/"],
  "reports": ["ID:23-00000242, Type:News Analysis"],
  "campaigns": [],
  "associated": [
    "ID:threat-actor--b7e371c2-724e-5ffa-9e3c-9b1410513c27, Name:FIN13; ID:threat-actor--8211bc17-9216-5e83-b54d-d1b04add12f3, Name:APT28; ID:threat-actor--7a39953e-0dae-569a-9d49-d52a4a8865b1, Name:APT29; ID:threat-actor--2f0ab36a-02a6-59f7-ac23-bcd824cc7c8e, Name:FIN4"
  ],
  "category": [
    "exploit",
    "exploit/vuln-scanning, exploit"
  ],
}

About

This package extends the Intel package to log more fields

Resources

License

Unknown, BSD-3-Clause licenses found

Licenses found

Unknown
LICENSE.md
BSD-3-Clause
COPYING

Stars

Watchers

Forks

Packages

No packages published

Languages