Threat hunting/cifv4 and logstash http filter

Hi, I have no idea if this is a good plan or not, but I'm giving it a good try.
There is a nice open source threat intelligence platform called cifv4 (https://csirtgadgets.com/collective-intelligence-framework/); it has a REST API to query for various things. I'd like to run IP addresses from my IDS through it to determine if any of the outside/external communications are known bad addresses.

I can reach it and perform queries via curl; here is an example:
curl -X GET "http://gamma.stc.local:5000/indicators/?q=8.8.8.8" -H "accept: application/json" -H "Authorization: 51d48b312a1fbf6237c885c95244e1a921fda49ee751bbc3614c43c6021dXXXXXXX"

And it works; it returns a nice JSON full of info.

From what I understand, I should be able to set up a Logstash .conf to query using the http filter.

--1012-enrich-cifv4.conf--
filter {
  if [source][address] {
    http {
      url => "http://gamma.stc.local:5000/indicators/"
      # sprintf reference to the event field; the IP is sent as ?q=<address>
      query => { "q" => "%{[source][address]}" }
      # the working curl request is a GET, so the verb must match (and be quoted)
      verb => "GET"
      headers => {
        "Accept" => "application/json"
        "Authorization" => "51d48b312a1fbf6237c885c95244e1a921fda49ee751bbc3614c43c6XXXXXXXX"
      }
      # the JSON response body and the response headers are stored on the event here
      target_body => "[source][body]"
      target_headers => "[source][header]"
    } #end http
  } #end if
} #end filter

This doesn't seem to work; it doesn't send the IP address in %{[source][address]}.
I'm pretty new to all of this; any suggestions would be greatly appreciated.

Thank you
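A fuller version of this enrichment pipeline, written here as an added example and not taken from the original post or from the CIF project: it uses the cidr filter so that only external peers are looked up (internal RFC 1918 and loopback addresses never leave the pipeline), sends the same GET the working curl command used, reads the API token from an environment variable instead of the config file, parks the response headers in @metadata so they are not indexed, and tags events whose lookup failed. The target field [source][cif] and the CIF_TOKEN variable name are assumptions.

```conf
# 1012-enrich-cifv4.conf (added example; [source][cif] and CIF_TOKEN are assumed names)
filter {
  if [source][address] {
    # Tag private and loopback addresses so internal peers are never sent to CIF.
    cidr {
      address => [ "%{[source][address]}" ]
      network => [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8" ]
      add_tag => [ "internal_address" ]
    }

    if "internal_address" not in [tags] {
      # Same request the curl test makes: GET /indicators/?q=<ip>
      http {
        url   => "http://gamma.stc.local:5000/indicators/"
        verb  => "GET"
        query => { "q" => "%{[source][address]}" }
        headers => {
          "Accept"        => "application/json"
          # Logstash substitutes ${VAR} from the environment, keeping the token out of the file.
          "Authorization" => "${CIF_TOKEN}"
        }
        # A JSON response body is parsed into this field (assumed name).
        target_body    => "[source][cif]"
        # Response headers are rarely useful downstream; @metadata fields are not output.
        target_headers => "[@metadata][cif_headers]"
        # Failed or non-JSON responses are tagged rather than silently dropped.
        tag_on_request_failure => [ "_cif_request_failure" ]
        tag_on_json_failure    => [ "_cif_json_failure" ]
      }
    }
  }
}
```

Start Logstash with CIF_TOKEN exported in its environment; what ends up under [source][cif] depends on the CIF response format, which the post does not show, so inspect a sample event before building alerts on specific keys.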

