extend intel.log with additional fields using corelight/ExtendIntel #502

mmguero · 2024-11-19T21:51:08Z

corelight/ExtendIntel

We could be getting more useful information from our zeek intelligence matches, and this plugin can help us do that

add plugin to list of plugins to install
add new fields to intel.log parsing
see if there are any mutations or normalizations or time field conversions that need to be done for the new fields
as much as possible, rename all possible fields to be their ECS names
add any remaining fields not covered by ECS to the template and config.ini and the allFields array for the value actions for Arkime
see if there's anything else we need to do in https://github.com/idaholab/Malcolm/blob/main/shared/bin/zeek_threat_feed_utils.py to make sure those new fields get populated (see also the zeek docs)
update the intel dashboard if needed

mmguero added enhancement New feature or request external Depends on a bug or feature external to this project zeek Relating to Malcolm's use of Zeek labels Nov 19, 2024

mmguero added this to the z.staging milestone Nov 19, 2024

mmguero added this to Malcolm Nov 19, 2024

mmguero moved this to Todo (develop) in Malcolm Nov 19, 2024

mmguero added intel Related to integration with threat intel feeds logstash Relating to Malcolm's use of Logstash arkime Relating to Malcolm's use of Arkime dashboards Relating to Malcolm's OpenSearch Dashboards interface labels Nov 19, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

extend intel.log with additional fields using corelight/ExtendIntel #502

extend intel.log with additional fields using corelight/ExtendIntel #502

mmguero commented Nov 19, 2024

extend intel.log with additional fields using corelight/ExtendIntel #502

extend intel.log with additional fields using corelight/ExtendIntel #502

Comments

mmguero commented Nov 19, 2024