This repository contains various content packs I have created and want to share with the community.
- Filename:
geoip-lokup.json
- Description: Check source and destination IPs for geolocation and set associated fields
- Requirements: MaxMind GeoLite2 City Database
- Parameters:
maxmind_db
(path to maxmind db on Graylog server; default:/etc/graylog/server/GeoLite2-City.mmdb
Content Pack Entities
- Lookup adapter, cache, and table for getting MaxMind data.
dst_ip RFC1918
andsrc_ip RFC1918
pipeline rules (must come before the geoip lookup rules but after normalizations and should be edited to use whatever you normalize the destination and source IP fields to)src_ip geoip lookup
anddst_ip geoip lookup
pipeline rules (should be edited to use whatever you normalize the destination and source IP fields to)
- Filename:
volatility-analysis.json
- Description: See: https://medium.com/@megansroddie/volatility-analysis-with-graylog-ffb7048c4e76
- Requirements: See: https://github.com/megan201296/vol2graylog
- Parameters: N/A
Recommendations
- I recommend creating a "Volatility" stream and then creating a pipeline rule to redirect any messages from your Volatility input to that stream.
Content Pack Entities
- Pipeline with various rules to normalize and enrich Volatility results.
- Filename:
xfe-ip-risk-score.json
- Description: Performs an API lookup against an IP and returns the risk score calculated by X-Force Exchange
- Requirements: X-Force Exchange IP Key
- Parameters: auth_header
Creating the auth_header value
- Run
echo "${XFE_APIKEY?}:${XFE_PASSWD?}" | base64
where${XFE_APIKEY?}
is your XFE API key and${XFE_PASSWD?}
is your XFE API password - Prepend
Basic
(note the space) to the value returned above
Limits
- Free tier allows for "non-commercial usage of up to 5,000 records per month for querying across the range of threat information from X-Force Exchange".
- "IBM reserves the right to disable any account deemed abusing our system. Abuse-related activity includes, but is not limited to sharing accounts, bulk registrations, abuse of API calls, suspicious/malicious query parameters and accessing restricted resources. Additionally, users are expected to follow our limiting practices as outlined in the HTTP responses. To avoid limiting errors, no more than 3,000 requests should be made in a one minute period to the X-Force Exchange API."
- Expand to include more XFE values/data (IP risk score reason, hash lookup, etc.)
- Create examples of pipeline rules leveraging this lookup table.