The Cyber Threat Intelligence (CTI) of SEKOIA.IO includes indicators that are crafted for the special needs of detecting and qualifying both generic and advanced cyber threats. This article shows a simple solution to use the CTI of SEKOIA.IO to enrich a log management infrastructure operated with Graylog.
The described solution adds a threat qualification flag to events that are related to an infrastructure, a tool, an exploit, a malware or a campaign used by a cyber threat as part of its malicious activities. To achieve this, we plug the indicators of SEKOIA.IO into Graylog by means of a Lookup Table continuously fueled with the CTI of SEKOIA.
TL;DR: French-speaking readers can also refer to the original version of this documentation, published by the Computer Emergency Response Team (CERT) of Crédit Mutuel ARKEA on their blog.
Create a SEKOIA.IO Lookup Table
Lookup tables in Graylog can be used to look up the values of messages against an external source of information. A simple example is to use a static CSV file to map IP addresses to host names. The creation of a lookup table requires the configuration of a Data Adapter, a cache and finally the creation of the lookup table itself to tie all these components together.
The data adapter is the component that produces the enrichment for a given field value. As part of this use case, we want the adapter to query the SEKOIA.IO Threat Intelligence REST API. To achieve this, Graylog provides the “HTTP JSONPath” Data Adapter, which can be configured to retrieve the threat category associated with an IPv4 address. To be functional, the Adapter requires a SEKOIA.IO API Key with the proper permissions to query the CTI of SEKOIA. One can refer to the documentation of SEKOIA.IO to retrieve it.
- Title: SEKOIA.IO IPv4 Adapter
- Description: SEKOIA.IO Adapter for IPv4
- Name: sekoia-io-ipv4-adapter
- Lookup URL: https://api.sekoia.io/v2/inthreat/indicators?type=ipv4-addr&value=${key}
- Single value JSONPath: $.items[0].indicator_types[0]
- HTTP Headers:
  - Name: Authorization
  - Value: Bearer YOUR-SEKOIAIO-API-KEY
Once configured, an adapter can easily be tested by simply providing an IP address in the “Test lookup” panel.
One should note that SEKOIA.IO also provides various enrichments for data such as email addresses, URLs, domain names, filenames and IPv6 addresses. This example focuses on IPv4 addresses, but the interested reader can refer to the documentation of SEKOIA.IO for an exhaustive list.
To limit the number of queries to the SEKOIA.IO API and improve the performance of your instance, we recommend attaching a cache to the lookup table. The cache below keeps the last thousand SEKOIA.IO API responses in the memory of the Graylog node for one hour (3600 seconds) after their last access.
- Title: SEKOIA.IO CACHE
- Description: Cache SEKOIA.IO
- Name: sekoia-io-cache
- Maximum entries: 1000
- Expire after access: 3600 seconds
The last configuration step is the creation of the lookup table component that ties together the previously created data adapter and cache. The created lookup table can later be used by extractors, converters, pipeline functions and decorators of Graylog.
- Title: SEKOIA.IO CTI
- Description: Lookup SEKOIA.IO CTI
- Name: sekoia-io-lookup
- Data Adapter: sekoia-io-ipv4-adapter
- Cache: sekoia-io-cache
In this section, we detailed how to create a cached lookup table for IPv4 addresses. The following section describes the use of this lookup table as part of an event processing pipeline.
Leverage the Lookup Table
Graylog offers two different solutions to leverage an enrichment lookup table: extractors and pipeline rules. The former are configured at the input level of Graylog to extract the value of specific fields, which are then enriched against a lookup table. The latter are configured as part of a processing pipeline that might already exist in an instance.
We recommend the extractor approach if inputs have very distinct formats with specific field names to be enriched. On the other hand, Graylog instances with many homogeneous input data sources can benefit from a single enrichment pipeline.
Extractor-way
An input in Graylog accepts the configuration of extractors to look up the value of a message field in a lookup table and write the result into a new field or overwrite an existing field.
As part of this example, one can simply configure an extractor for the message fields that hold an IPv4 address. As illustrated in the figure below, the extractor can store the result of the lookup in a new event field named “indicator_type”.
Pipeline Rules-way
A Graylog pipeline includes rules and can be connected to one or more streams to tie together the multiple processing steps we want to apply to a stream of messages. Pipeline rules can be used to enrich a stream of events by leveraging our new lookup table.
Hence, a Pipeline Rule can use the lookup() function to look up the string value of the `dst_ip` field against the lookup table and store the result in a new field named `indicator_type`.
The final step consists in configuring one of our pipeline stages with the Pipeline Rule.
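The rule below is an added example written for this article; it is not part of the original post, the CERT Crédit Mutuel ARKEA documentation, or Graylog's own samples. It uses the lookup table name (`sekoia-io-lookup`) and field names (`dst_ip`, `indicator_type`) from the steps above. It uses `lookup_value()` rather than `lookup()` because the adapter was configured with a single-value JSONPath: `lookup_value()` returns that single string, while `lookup()` returns a multi-value map. When an IPv4 address is unknown to SEKOIA.IO, the API returns an empty `items` list, the JSONPath `$.items[0].indicator_types[0]` matches nothing and the lookup yields null, so the rule only sets `indicator_type` when a result exists instead of writing an empty field on every message.

```graylog
rule "SEKOIA.IO: tag dst_ip with its CTI indicator type"
when
    // Only process messages that actually carry a destination IP,
    // and only when SEKOIA.IO knows that IP (the lookup returns null
    // for addresses absent from the CTI; the cache absorbs the double call).
    has_field("dst_ip") &&
    is_not_null(lookup_value("sekoia-io-lookup", to_string($message.dst_ip)))
then
    // Store the threat category (e.g. the first value of indicator_types
    // in the SEKOIA.IO response) in a new field used by downstream searches
    // and alerts. Field and table names are the ones configured in this article.
    set_field("indicator_type",
              lookup_value("sekoia-io-lookup", to_string($message.dst_ip)));
end
```

Once saved, the rule is attached to a stage of the pipeline connected to the stream that carries the `dst_ip` messages; messages without a SEKOIA.IO match pass through untouched, which keeps the `indicator_type` field meaningful for searches such as `_exists_:indicator_type`.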
Conclusion
In this article, we described the use of SEKOIA.IO as an enricher in a Graylog infrastructure. This integration brings a lot of value to log management through the automatic enrichment of logs, helping security operators protect their assets. The great thing about platforms like Graylog is their capacity to interact at scale with various data sources. Thank you CERT Crédit Mutuel ARKEA for the use case and Graylog for your amazing technology ❤️