Graylog Processing Pipeline functions to enrich log messages with IoC information from threat intelligence databases

Threat Intelligence Plugin for Graylog

NOTE: This plugin has been merged into the server now. Please do not open PRs/issues here!

Required Graylog version: 2.4.0

This plugin uses external sources to enrich your data. Read the documentation before you run it in production.

This plugin adds Processing Pipeline functions to enrich log messages with threat intelligence data.

Supported data feeds

Example

let src_addr_intel = threat_intel_lookup_ip(to_string($message.src_addr), "src_addr");
set_fields(src_addr_intel);

Please read the usage instructions below for more information and specific guides.

Installation

Since Graylog version 2.4.0, this plugin is included in the Graylog server installation package as a default plugin.

Download the plugin and place the .jar file in your Graylog plugin directory. By default the plugin directory is the plugins/ folder relative to your graylog-server directory; it can be configured in your graylog.conf file.

Restart graylog-server and you are done.

Usage

Example Processing Pipeline rules follow:

Global/combined threat feed lookup

This is the recommended way to use this plugin. The threat_intel_lookup_* functions run an indicator such as an IP address or domain name against all enabled threat intel sources (except OTX) and return a combined result.

let src_addr_intel = threat_intel_lookup_ip(to_string($message.src_addr), "src_addr");
set_fields(src_addr_intel);

let dns_question_intel = threat_intel_lookup_domain(to_string($message.dns_question), "dns_question");
set_fields(dns_question_intel);

This adds the fields src_addr_threat_indicated:true|false and dns_question_threat_indicated:true|false to the processed message. It also adds per-source fields such as testing_threat_indicated_abusech_ransomware:true (Abuse.ch Ransomware tracker OSINT) to indicate which threat intel sources returned a match.

Add a second pipeline step that adds the field threat_indicated:true if either of the above fields was true to allow easier queries for all messages that indicated any kind of threat:

rule "inflate threat intel results"
when
  // either of the fields set by the lookups above
  to_bool($message.src_addr_threat_indicated) || to_bool($message.dns_question_threat_indicated)
then
  set_field("threat_indicated", true);
end
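The complete pipeline for this section, written here as an added example rather than rule text from the project: one guarded lookup rule per indicator field in an early stage, so messages that lack the field never trigger a lookup, and the collapsing rule in a later stage. The field names src_addr and dns_question, the rule names, and the stage numbers are assumptions.

```text
// Stage 0 (assumed): one rule per indicator field. Each rule is created
// separately in Graylog; they are shown together here for readability.
rule "threat intel: src_addr"
when
  // skip the lookup entirely when the message carries no src_addr
  has_field("src_addr")
then
  // combined lookup across all enabled feeds (OTX is not included)
  let intel = threat_intel_lookup_ip(to_string($message.src_addr), "src_addr");
  set_fields(intel);
end

rule "threat intel: dns_question"
when
  has_field("dns_question")
then
  let intel = threat_intel_lookup_domain(to_string($message.dns_question), "dns_question");
  set_fields(intel);
end

// Stage 1 (assumed): runs after stage 0, so the per-field flags exist.
// to_bool() of a missing field evaluates to false, so a message with only
// one of the two indicator fields is handled correctly.
rule "threat intel: inflate"
when
  to_bool($message.src_addr_threat_indicated) || to_bool($message.dns_question_threat_indicated)
then
  set_field("threat_indicated", true);
end
```

Connect the pipeline only to the streams that actually carry these fields (see Performance considerations below); the has_field guards then remove the remaining per-message overhead for messages without an indicator.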

WHOIS lookups

You can look up WHOIS information about IP addresses. The method will return the registered owner and country code. The lookup results are heavily cached and invalidated after 12 hours or when the graylog-server process restarts.

let whois_intel = whois_lookup_ip(to_string($message.src_addr), "src_addr");
set_fields(whois_intel);

Note: The plugin uses the ARIN WHOIS servers for the first lookup because they provide the best redirects to other registries when they are not responsible for the requested IP address block. Graylog follows the redirect to registries such as RIPE NCC, AFRINIC, APNIC or LACNIC. Future versions will support initial lookups in other registries, but for now you may experience longer latencies if your Graylog cluster is not located in North America.

OTX

let intel = otx_lookup_ip(to_string($message.src_addr));
// let intel = otx_lookup_domain(to_string($message.dns_question))

set_field("threat_indicated", intel.otx_threat_indicated);
set_field("threat_ids", intel.otx_threat_ids);
set_field("threat_names", intel.otx_threat_names);

Tor exit nodes

You'll need at least Java 8 (u101) to make this work. The exit node information is hosted on a Tor website that uses a Let's Encrypt TLS certificate, and only Java 8u101 or newer ships the root certificate needed to validate it.

  let intel = tor_lookup(to_string($message.src_addr));
  set_field("src_addr_is_tor_exit_node", intel.threat_indicated);

Spamhaus DROP/EDROP

  let intel = spamhaus_lookup_ip(to_string($message.src_addr));
  set_field("threat_indicated", intel.threat_indicated);

Abuse.ch Ransomware tracker

  let intel = abusech_ransom_lookup_domain(to_string($message.dns_domain));
  // let intel = abusech_ransom_lookup_ip(to_string($message.src_addr));
  set_field("request_domain_is_ransomware", intel.threat_indicated);

Note that you can combine these and change field names as you wish.

Performance considerations

  • All lookups will automatically skip processing IPv4 addresses from private networks as defined in RFC 1918. (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
    • Note that this plugin also ships a new function in_private_net(ip_address) : Boolean for any manual lookups of the same kind.
  • You can vastly improve performance by connecting pipelines that make use of the threat intelligence rules only to streams that contain data you want to run the lookups on.
