The Cyber Threat Intelligence (CTI) of SEKOIA.IO includes indicators crafted for the specific needs of detecting and qualifying both generic and advanced cyber threats. This article shows a simple way to use the CTI of SEKOIA.IO to enrich a log management infrastructure operated with Graylog.

The described solution adds a threat qualification flag to events that are related in some way to an infrastructure, a tool, an exploit, a malware or a campaign used by a cyber threat as part of its malicious activities. To achieve this, we plug the indicators of SEKOIA.IO into Graylog by means of a Lookup Table that is continuously fed with the CTI of SEKOIA.IO.

TL;DR: French readers can also refer to the original version of this documentation, published by the Computer Emergency Response Team (CERT) of Crédit Mutuel ARKEA on their blog.

Banner of our cyber kill chain analysis

Create a SEKOIA.IO Lookup Table

SEKOIA.IO IPv4 Adapter
Once configured, an adapter can be tested by entering an IP address in the “Test lookup” panel.
Lookup SEKOIA.IO CTI

One should note that SEKOIA.IO also provides enrichments for other data types such as email addresses, URLs, domain names, filenames and IPv6 addresses. This example focuses on IPv4 addresses; the interested reader can refer to the SEKOIA.IO documentation for an exhaustive list.

To limit the number of queries sent to the SEKOIA.IO API and improve the performance of your instance, we recommend attaching a cache to the lookup table. The cache below keeps the last thousand SEKOIA.IO API responses in the memory of the Graylog node for one hour (3600 seconds) after they were last accessed.

  • Title: SEKOIA.IO CACHE
  • Description: Cache SEKOIA.IO
  • Name: sekoia-io-cache
  • Maximum entries: 1000
  • Expire after access: 3600 seconds
Cache SEKOIA.IO
The last configuration step is the creation of the lookup table component itself, which ties together the previously created data adapter and cache. The resulting lookup table can then be used by Graylog extractors, converters, pipeline functions and decorators.

  • Title: SEKOIA.IO CTI
  • Description: Lookup SEKOIA.IO CTI
  • Name: sekoia-io-lookup
  • Data Adapter: sekoia-io-ipv4-adapter
  • Cache: sekoia-io-cache
SEKOIA.IO CTI
In this section we detailed how to create a cached lookup table for IPv4 addresses. The following section describes how to use this lookup table as part of an event processing pipeline.

Leverage the Lookup Table

Extractor-way

SEKOIA.IO CTI Extractor

Pipeline Rules-way

Pipeline Rule using lookup function

The final step consists of attaching the pipeline rule to one of the stages of your processing pipeline.
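A pipeline rule of the kind described above, written here as an added example; it is not the rule shown in the article's screenshot, nor code from SEKOIA.IO or Graylog. It assumes the event stores the address in a field named src_ip, that the lookup table was named sekoia-io-lookup as in the previous section, and that the adapter's single-value field holds the verdict worth keeping; the output field names sekoia_threat_match and sekoia_cti are chosen here.

```graylog
rule "SEKOIA.IO CTI enrichment"
when
  // Only process events that carry a source IP address (field name assumed)
  has_field("src_ip")
then
  let key = to_string($message.src_ip);
  // Query the lookup table; repeated keys are served from the cache.
  // The default "none" is returned when SEKOIA.IO has no indicator for the address.
  let verdict = lookup_value("sekoia-io-lookup", key, "none");
  // The threat qualification flag described in the article
  set_field("sekoia_threat_match", verdict != "none");
  // Keep the raw single value from the adapter for later searches and dashboards
  set_field("sekoia_cti", verdict);
end
```

Attach the rule to a stage of a pipeline connected to the stream that carries the events. One design point to keep in mind when combining it with the cache configured earlier: because entries expire after access, the verdict for an address that keeps appearing in traffic is served from memory until that address goes unseen for an hour, so a change on the SEKOIA.IO side for a busy address is only picked up after that idle period; configuring the cache to expire after write instead bounds the staleness of any verdict to one hour.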

Conclusion
