SOCFortress Threat Intel Integration Awesome

Integrate your Wazuh-Manager or Graylog with the SOCFortress Threat Intel API to receive real-time threat intel.

MIT License



SOCFortress Threat Intel API

💰 Make a Donation »

Table of Contents
  1. Threat Intel API
  2. Wazuh-Manager Integration
  3. Graylog Integration

Threat Intel API

The SOCFortress Threat Intel API allows end users to consume SOCFortress's public threat intel. The integration supports both Wazuh-Manager and Graylog.

API-KEY

The API key is required to authenticate with the API. To obtain an API key, please use SOCFortress Copilot.

Criteria

The API currently serves lookups only for the following setup:

  • Windows Sysmon - Follow our Wazuh Agent Install Guide to integrate Sysmon with your Windows endpoints.
  • SOCFortress Wazuh Detection Rules - Follow our Wazuh Rules Install Guide to integrate SOCFortress's Wazuh detection rules with your Wazuh-Manager.
  • IoC Type - The API currently supports IoC types of IP, Domain, and SHA256 Hash.
  • Valid API Key - Request via our website.

NOTE: API quotas are currently restricted to 500 requests per day. The API is currently in beta and is subject to change. Please contact us at helpdesk.socfortress.co if you have any questions or concerns.

Wazuh-Manager Integration

Not recommended: use Graylog instead if you can. Graylog's built-in lookup-table cache saves your API quota, whereas the Wazuh integration sends one request per matching alert.

Follow the steps below to integrate the SOCFortress Threat Intel API with your Wazuh-Manager. This is not required if you integrate with Graylog.

1. Download the custom-socfortress.py file from the GitHub repository and copy it to /var/ossec/integrations of your Wazuh-Manager. Read through the script before installing it: Wazuh runs it on the manager for every matching alert and passes it your API key.

```bash
# Download the custom-socfortress.py file from the GitHub repository
curl -o custom-socfortress.py https://raw.githubusercontent.com/socfortress/SOCFortress-Threat-Intel/main/custom-socfortress.py

# Copy the custom-socfortress.py file to /var/ossec/integrations
sudo cp custom-socfortress.py /var/ossec/integrations

# Change ownership to root:wazuh
sudo chown root:wazuh /var/ossec/integrations/custom-socfortress.py

# Set permissions to -rwxr-x---
sudo chmod 750 /var/ossec/integrations/custom-socfortress.py

# Clean up the downloaded file
rm custom-socfortress.py
```
2. Edit /var/ossec/etc/ossec.conf and add the following block inside the <ossec_config> element.

```xml
<integration>
    <name>custom-socfortress.py</name>
    <api_key>YOUR_API_KEY</api_key>
    <group>sysmon_event3,sysmon_event_22</group>
    <alert_format>json</alert_format>
</integration>
```

NOTE: The group parameter lists the Wazuh rule groups whose alerts are sent to the SOCFortress Threat Intel API. The names must match the <group> values in the installed SOCFortress ruleset exactly; a misspelled group silently matches nothing. The following rule groups are supported (the value sent to the API is the destination IP, the queried name, or the SHA256 from the event's hash field):

  • sysmon_event3 - Network Connections (destination IP)
  • sysmon_event_22 - DNS Query (queried name)
  • sysmon_event1 - Process Creation (image SHA256)
  • sysmon_event6 - Driver Loaded (driver SHA256)
  • sysmon_event7 - Image Loaded (loaded module SHA256)
  • sysmon_event_15 - FileCreateStreamHash (alternate data stream SHA256)

Only sysmon_event3 and sysmon_event_22 are included in the example above because the other groups fire on every process start, driver load and module load, and will exhaust the daily API quota quickly.

The alert_format parameter must be json: it is the format in which Wazuh writes the alert to the file it hands to the integration script, and the script parses JSON. The api_key parameter is the API key you received from SOCFortress; Wazuh passes it to the script on every invocation, so keep ossec.conf readable only by root and the wazuh group.

3. Restart the Wazuh-Manager service.

```bash
sudo systemctl restart wazuh-manager
```

4. If you have any issues, set integrator.debug=2 in /var/ossec/etc/local_internal_options.conf, restart the Wazuh-Manager service, and tail ossec.log to confirm you see valid responses from the SOCFortress Threat Intel API:

```bash
tail -f /var/ossec/logs/ossec.log | grep socfortress
```
(Screenshot: ossec.log file showing SOCFortress Threat Intel API responses)

If working correctly, rule id 200983 will trigger when a positive IoC is found.

(Screenshot: SOCFortress Threat Intel fields added to the alert)

Graylog Integration

Follow the steps below to integrate the SOCFortress Threat Intel API with your Graylog instance.

1. Create the SOCFortress Threat Intel Data Adapter (type: HTTP JSONPath).
  • Title - SOCFortress Threat Intel
  • Description - SOCFortress Threat Intel
  • Name - socfortress-threat-intel
  • Lookup URL - https://intel.socfortress.co/search?value=${key}
  • Single value JSONPath - $.success
  • Multi value JSONPath - $.data
  • HTTP Headers
    • Content-Type - application/json
    • module-version - 1.0
    • x-api-key - YOUR_API_KEY

Treat the x-api-key header value as a secret: anyone who can view the data adapter's settings in Graylog can read it.

NOTE: Before creating the cache and lookup table, use the data adapter's Test lookup with a known value to verify the connection to the SOCFortress Threat Intel API. A working adapter returns a JSON object with a success field (the single value) and a data object (the multi value).

(Screenshot: Graylog test lookup response)

2. Create the SOCFortress Threat Intel Cache.
  • Cache Type - Node-local, in-memory cache
  • Title - SOCFortress Threat Intel Cache
  • Description - SOCFortress Threat Intel Cache
  • Name - socfortress-threat-intel-cache
  • Maximum Entries - 1000
  • Expire after access - 1 hour

This cache is what keeps the integration inside the 500 requests/day quota: a value that is still cached never reaches the API, and "Expire after access" restarts the hour on every hit, so destinations that are seen continuously stay cached. The cache is per Graylog node and is empty after a restart.

3. Create the SOCFortress Threat Intel Lookup Table.
  • Title - SOCFortress Threat Intel Lookup Table
  • Description - SOCFortress Threat Intel Lookup Table
  • Name - socfortress_threat_intel
  • Data Adapter - SOCFortress Threat Intel
  • Cache - SOCFortress Threat Intel Cache
4. Create pipeline rules that invoke the SOCFortress Threat Intel lookup table. Each rule looks up one field and writes the response back onto the message with the socfortress_ prefix. The Event 3 rule excludes loopback, broadcast, unspecified, IPv6 and RFC1918 destinations before spending a lookup; the Event 22 rule sends every queried name, so add conditions for internal suffixes if your quota is tight.

Sysmon Event 3 - Network Connections:

```
rule "WINDOWS SYSMON EVENT 3 - SOCFortress THREAT INTEL"
when
    $message.rule_group1 == "windows" AND $message.rule_group3 == "sysmon_event3" AND $message.data_win_eventdata_destinationIp != "127.0.0.1" AND $message.data_win_eventdata_destinationIp != "255.255.255.255" AND $message.data_win_eventdata_destinationIp != "0.0.0.0" AND $message.data_win_eventdata_destinationIsIpv6 == "false" AND ! in_private_net(to_string($message.data_win_eventdata_destinationIp))
then
    let ldata = lookup(
        lookup_table: "socfortress_threat_intel",
        key: to_string($message.data_win_eventdata_destinationIp)
    );
    set_fields(
        fields: ldata,
        prefix: "socfortress_"
    );
end
```

Sysmon Event 22 - DNS Query:

```
rule "WINDOWS SYSMON EVENT 22 - SOCFortress THREAT INTEL"
when
    $message.rule_group1 == "windows" AND $message.rule_group3 == "sysmon_event_22"
then
    let ldata = lookup(
        lookup_table: "socfortress_threat_intel",
        key: to_string($message.data_win_eventdata_queryName)
    );
    set_fields(
        fields: ldata,
        prefix: "socfortress_"
    );
end
```

NOTE: I'll leave the other rule groups for you to create 😉
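The selection and quota logic behind both integrations, as an added example (this is not custom-socfortress.py and not SOCFortress code): it picks the IoC field for the rule group that matched, drops values that cannot be in a public threat feed before they cost a request, and caches responses the way the Graylog cache above does, with a daily counter for the 500 requests/day quota. It assumes Wazuh's Sysmon field paths (data.win.eventdata.destinationIp, queryName, hashes and hash), the success/data response shape implied by the JSONPath settings above, and made-up keys inside data; the skip lists for multicast, link-local and internal DNS suffixes go beyond the Graylog Event 3 rule and are this example's own choice. The sample alerts are constructed, and fake_lookup stands in for the API so the block runs offline.

```python
import ipaddress
import time

# rule group -> (Wazuh eventdata field, IoC type); hash events carry "SHA1=..,SHA256=..,IMPHASH=.."
IOC_FIELDS = {"sysmon_event3": ("destinationIp", "ip"), "sysmon_event_22": ("queryName", "domain"),
              "sysmon_event1": ("hashes", "sha256"), "sysmon_event6": ("hashes", "sha256"),
              "sysmon_event7": ("hashes", "sha256"), "sysmon_event_15": ("hash", "sha256")}
# The Graylog rule skips 127.0.0.1, 255.255.255.255, 0.0.0.0, IPv6 and RFC1918; this list also
# drops link-local and multicast, which Sysmon event 3 logs constantly (mDNS, SSDP, LLMNR).
SKIP_NETS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
             "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]

def extract_ioc(alert):
    """Return (value, ioc_type) worth a lookup, or None when the alert should not cost quota."""
    groups = set(alert.get("rule", {}).get("groups", []))
    eventdata = alert.get("data", {}).get("win", {}).get("eventdata", {})
    for group, (field, ioc_type) in IOC_FIELDS.items():
        if group not in groups:
            continue
        value = str(eventdata.get(field, "")).strip()
        if ioc_type == "sha256":
            for part in value.split(","):
                algo, _, digest = part.partition("=")
                if algo.strip().upper() == "SHA256" and len(digest) == 64:
                    return digest.lower(), "sha256"
            return None
        if ioc_type == "ip":
            try:
                ip = ipaddress.ip_address(value)
            except ValueError:
                return None
            return None if ip.version != 4 or any(ip in n for n in SKIP_NETS) else (value, "ip")
        name = value.rstrip(".").lower()          # Sysmon may log the FQDN with a trailing dot
        return None if "." not in name or name.endswith((".local", ".localhost", ".arpa", ".internal")) else (name, "domain")
    return None

class QuotaAwareCache:
    """Expire-after-access cache (Graylog settings above: 1000 entries, 1 hour) plus a daily request counter."""

    def __init__(self, lookup, max_entries=1000, ttl=3600, daily_quota=500, clock=time.time):
        self.lookup, self.max_entries, self.ttl = lookup, max_entries, ttl
        self.daily_quota, self.clock = daily_quota, clock
        self._entries = {}                        # value -> (expires_at, response)
        self._day, self.requests_today = None, 0

    def get(self, value):
        """Return (response, source); source is 'cache', 'api' or 'quota' (lookup skipped)."""
        now = self.clock()
        if int(now // 86400) != self._day:        # new UTC day, counter resets
            self._day, self.requests_today = int(now // 86400), 0
        hit = self._entries.get(value)
        if hit and hit[0] > now:
            self._entries[value] = (now + self.ttl, hit[1])   # refresh TTL: expire after *access*
            return hit[1], "cache"
        if self.requests_today >= self.daily_quota:
            return None, "quota"
        self.requests_today += 1
        response = self.lookup(value)
        if len(self._entries) >= self.max_entries:           # evict the soonest-expiring entry
            del self._entries[min(self._entries, key=lambda k: self._entries[k][0])]
        self._entries[value] = (now + self.ttl, response)
        return response, "api"

def enrich(alert, cache):
    """socfortress_* fields to attach to the alert (same prefix as the Graylog rules), or None."""
    ioc = extract_ioc(alert)
    if ioc is None:
        return None
    value, ioc_type = ioc
    response, source = cache.get(value)
    fields = {"socfortress_ioc_value": value, "socfortress_ioc_type": ioc_type,
              "socfortress_lookup_source": source}
    if isinstance(response, dict) and response.get("success") and isinstance(response.get("data"), dict):
        fields.update({"socfortress_" + k: v for k, v in response["data"].items()})
    return fields

def sysmon_alert(group, **eventdata):
    """Constructed alert fragment shaped like a Wazuh JSON alert for Sysmon (not real data)."""
    return {"rule": {"groups": ["windows", group]}, "data": {"win": {"eventdata": eventdata}}}

SAMPLE_ALERTS = [
    sysmon_alert("sysmon_event3", destinationIp="192.168.1.10"),      # RFC1918: skipped
    sysmon_alert("sysmon_event3", destinationIp="224.0.0.251"),       # mDNS multicast: skipped
    sysmon_alert("sysmon_event3", destinationIp="203.0.113.7"),       # looked up via API
    sysmon_alert("sysmon_event_22", queryName="wpad.corp.local"),     # internal name: skipped
    sysmon_alert("sysmon_event_22", queryName="c2.example.net."),     # looked up via API
    sysmon_alert("sysmon_event1", hashes="SHA1=" + "a" * 40 + ",SHA256=" + "B" * 64),  # over quota in demo()
    sysmon_alert("sysmon_event_22", queryName="c2.example.net"),      # served from cache
]

def fake_lookup(value):
    """Offline stand-in for the API; only success/data are documented, the keys inside data are assumed."""
    return {"success": True, "data": {"value": value, "verdict": "malicious" if value.startswith("c2.") else "clean"}}

def demo(daily_quota=2):
    """Run the samples with a tiny quota so every outcome (skip, api, quota, cache) is visible."""
    cache = QuotaAwareCache(fake_lookup, daily_quota=daily_quota, clock=lambda: 1_700_000_000.0)
    return [enrich(alert, cache) for alert in SAMPLE_ALERTS]
```

To use it against the real service, replace fake_lookup with a function that sends a GET to https://intel.socfortress.co/search?value= followed by the URL-encoded value, with the Content-Type, module-version and x-api-key headers listed in the data adapter section, and returns the parsed JSON. For Wazuh, the script would read the alert file passed as its first argument and the API key passed as its second; because Wazuh starts a new process for every alert, QuotaAwareCache only helps if you persist it to disk between runs, which is exactly why this README steers you to Graylog.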


Contact

SOCFortress - LinkedIn - [email protected]

Let SOCFortress Take Your Open Source SIEM to the Next Level
