Enrich Your Graylog with SEKOIA.IO

The Cyber Threat Intelligence (CTI) of SEKOIA.IO includes indicators that are crafted for the special needs of detecting and qualifying both generic and advanced cyber threats. This article shows a simple solution to use the CTI of SEKOIA.IO to enrich a log management infrastructure operated with Graylog.

The described solution adds a threat qualification flag to events that are somehow related to an infrastructure, a tool, an exploit, a malware or a campaign used by a cyber threat as part of their malicious activities. To achieve this, we plug the indicators of SEKOIA.IO in Graylog by means of a Lookup Table continuously fueled with the CTI of SEKOIA.

TL;DR: French-speaking readers can also refer to the original version of this documentation, published by the Computer Emergency Response Team (CERT) of Crédit Mutuel ARKEA on their blog.


Create a SEKOIA.IO Lookup Table

Figure: SEKOIA.IO IPv4 data adapter configuration
Once configured, an adapter can easily be tested by simply providing an IP address in the “Test lookup” panel.
Figure: test lookup of the SEKOIA.IO CTI adapter

One should note that SEKOIA.IO also provides various enrichments for data such as email addresses, URLs, domain names, filenames and IPv6 addresses. This example focuses on IPv4 addresses, but the interested reader can refer to the SEKOIA.IO documentation for an exhaustive list.

To limit the number of queries sent to the SEKOIA.IO APIs and improve the performance of your instance, we recommend attaching a caching strategy to the lookup table. The cache below keeps the last thousand SEKOIA.IO API responses in the memory of the Graylog node for one hour (3600 seconds) after their last access.

  • Title: SEKOIA.IO CACHE
  • Description: Cache SEKOIA.IO
  • Name: sekoia-io-cache
  • Maximum entries: 1000
  • Expire after access: 3600 seconds
Figure: SEKOIA.IO cache configuration
The last configuration step is the creation of the lookup table component that ties together the previously created data adapter and cache. The created lookup table can later be used by extractors, converters, pipeline functions and decorators of Graylog.

  • Title: SEKOIA.IO CTI
  • Description: Lookup SEKOIA.IO CTI
  • Name: sekoia-io-lookup
  • Data Adapter: sekoia-io-ipv4-adapter
  • Cache: sekoia-io-cache
Figure: SEKOIA.IO CTI lookup table configuration
In this section we detailed how to create an optimized lookup table for IPv4 addresses. The following section describes the use of this lookup table as part of an event processing pipeline.

Leverage the Lookup Table

Extractor-way

Figure: extractor using the SEKOIA.IO CTI lookup table

Pipeline Rules-way

Figure: pipeline rule using the lookup function

The final step consists in attaching the pipeline rule to one of the stages of a processing pipeline connected to your streams.
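The screenshot of the pipeline rule is not reproduced here, so the rule below is an added example written in the Graylog pipeline rule language; it is not the rule from the original article or from SEKOIA.IO. It assumes the lookup table created above is named `sekoia-io-lookup`, that the message field holding the source address is `src_ip` (adapt to your own schema), and that the SEKOIA.IO data adapter returns a non-null single value only for addresses known to the CTI.

```graylog
rule "SEKOIA.IO CTI: qualify source IPv4 known to the CTI"
when
  // `src_ip` is an assumed field name; change it to match your messages
  has_field("src_ip") &&
  // lookup_value returns null on a miss, so the rule only fires for
  // addresses SEKOIA.IO knows about (keep the table's default single
  // value empty, otherwise a miss would return that default instead)
  is_not_null(lookup_value("sekoia-io-lookup", to_string($message.src_ip)))
then
  // Second lookup for the same key is served by the sekoia-io-cache,
  // so it does not cost an extra SEKOIA.IO API call.
  let cti = lookup("sekoia-io-lookup", to_string($message.src_ip));
  // Copy every key of the multi-value result as sekoia_* fields
  set_fields(cti, "sekoia_");
  // The threat qualification flag described in this article
  set_field("threat_qualification", true);
end
```

Because the cache is configured to expire entries after access, an address that is looked up continuously keeps its cached verdict beyond one hour; if you need fresh CTI context for such hot indicators, size the expiry accordingly or use a cache that expires after write.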

Conclusion
