ExtendIntel
This package extends the Intel package to log more fields
If the intel file contains the following fields, the data will automatically be added to the intel.log.
- threat_score
- verdict
- verdict_source
- confidence
- desc
- lastseen
- firstseen
- url
- reports
- campaigns
- associated
- category
Intel log
Without this package, the standard intel.log would have content like the following:
{
"@path":"intel",
"@sensor":"Lab-AP200",
"@timestamp":"2023-01-06T05:13:38.841292Z",
"ts":"2023-01-06T05:13:38.841292Z",
"uid":"CNh51N3dSRfMZG1Pt4",
"id.orig_h":"195.133.40.86",
"id.orig_p":64910,
"id.resp_h":"192.168.13.20",
"id.resp_p":80,
"seen.indicator":"77.247.181.165",
"seen.indicator_type":"Intel::ADDR",
"seen.where":"Conn::IN_ORIG",
"matched": [
"Intel::ADDR"
],
"sources": [
"blocklist_de",
"cinsscore_ci_badguys",
"blocklist_net_ua",
"Mandiant",
"dshield_block"
],
}
If the ExtendIntel Zeek package is loaded, the intel.log will be enriched with additional content like the following:
{
"confidence": [99],
"threat_score": [100],
"verdict": ["malicious"],
"verdict_source": ["analystVerdict"],
"desc": ["Mandiant Threat Intellegence"]
"lastseen": ["2023-01-03T16:10:54Z"],
"firstseen": ["2021-03-20T10:10:01Z"],
"url": ["https://advantage.mandiant.com/"],
"reports": ["ID:23-00000242, Type:News Analysis"],
"campaigns": [],
"associated": [
"ID:threat-actor--b7e371c2-724e-5ffa-9e3c-9b1410513c27, Name:FIN13; ID:threat-actor--8211bc17-9216-5e83-b54d-d1b04add12f3, Name:APT28; ID:threat-actor--7a39953e-0dae-569a-9d49-d52a4a8865b1, Name:APT29; ID:threat-actor--2f0ab36a-02a6-59f7-ac23-bcd824cc7c8e, Name:FIN4"
],
"category": [
"exploit",
"exploit/vuln-scanning, exploit"
],
}