Hi, I have no idea if this is a good plan or not, but I'm giving it a good try.
There is a nice open source threat intelligence platform called cifv4 (https://csirtgadgets.com/collective-intelligence-framework/); it has a REST API to query for various things. I'd like to run IP addresses from my IDS through it to determine if any of the outside/external communications are known bad addresses.
I can reach it and perform queries via curl; here is an example:
curl -X GET "http://gamma.stc.local:5000/indicators/?q=8.8.8.8" -H "accept: application/json" -H "Authorization: 51d48b312a1fbf6237c885c95244e1a921fda49ee751bbc3614c43c6021dXXXXXXX"
and it works; it returns a nice JSON full of info.
From what I understand I should be able to set up a Logstash .conf to query using the http filter:
--1012-enrich-cifv4.conf--
    filter {
      # only call CIF when the event actually carries a source address
      if [source][address] {
        http {
          url => "http://gamma.stc.local:5000/indicators/"
          # sprintf form %{...}; this becomes the ?q=<ip> parameter, as in the curl example
          query => { "q" => "%{[source][address]}" }
          # the working curl request is a GET, so the filter uses GET as well
          verb => GET
          headers => { "Authorization" => "51d48b312a1fbf6237c885c95244e1a921fda49ee751bbc3614c43c6XXXXXXXX" }
          # where the response lands on the event
          target_body => "[source][body]"
          target_headers => "[source][header]"
        } # end http
      } # end if
    } # end filter
This doesn't seem to work; it doesn't send the IP address in %{[source][address]}.
I'm pretty new to all of this; any suggestions would be greatly appreciated.
Thank you
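To make the enrichment step concrete, here is an offline model of what the pipeline above is trying to do: build the same GET request the working curl command sends, then decide from the returned JSON whether an IDS source address is a known-bad indicator. This is example code added to illustrate the post, not code from the original post or from the CIF project. The response layout (a list of indicator objects with `indicator`, `confidence`, `tags` and `provider` keys), the optional `data` wrapper and the confidence threshold are assumptions; the token is a placeholder. The HTTP call is injected as a function so the script runs without a CIF server.

```python
import json
from urllib.parse import urlencode

CIF_URL = "http://gamma.stc.local:5000/indicators/"  # endpoint from the post
CIF_TOKEN = "REPLACE_WITH_CIF_TOKEN"                  # placeholder, not a real token
MIN_CONFIDENCE = 7                                    # assumed threshold (CIF confidence is 0-10)


def build_request(ip):
    """Return (url, headers) equivalent to the curl example: GET with ?q=<ip>."""
    url = CIF_URL + "?" + urlencode({"q": ip})
    headers = {"accept": "application/json", "Authorization": CIF_TOKEN}
    return url, headers


def parse_indicators(body, ip):
    """Keep only indicator objects that match the queried IP exactly.

    A netblock containing the IP is deliberately not treated as a hit here;
    that is a policy choice, not CIF behaviour."""
    data = json.loads(body)
    # assumption: some deployments wrap results in {"data": [...]}, others return a bare list
    items = data.get("data", data) if isinstance(data, dict) else data
    return [i for i in items if i.get("indicator") == ip]


def enrich(event, fetch):
    """Add a [threat] object to an event dict that carries [source][address].

    fetch(url, headers) -> response body string; injected so this runs offline."""
    ip = event.get("source", {}).get("address")
    if not ip:
        return event                       # nothing to look up, leave the event alone
    url, headers = build_request(ip)
    hits = parse_indicators(fetch(url, headers), ip)
    if not hits:
        event["threat"] = {"match": False}
        return event
    best = max(hits, key=lambda i: i.get("confidence", 0))
    event["threat"] = {
        "match": best.get("confidence", 0) >= MIN_CONFIDENCE,
        "confidence": best.get("confidence", 0),
        "tags": sorted({t for i in hits for t in i.get("tags", [])}),
        "providers": sorted({i.get("provider", "") for i in hits}),
    }
    return event


# Constructed sample response for a listed address (documentation range 203.0.113.0/24).
SAMPLE_RESPONSES = {
    "203.0.113.7": json.dumps([
        {"indicator": "203.0.113.7", "confidence": 8, "tags": ["scanner"], "provider": "feedA"},
        {"indicator": "203.0.113.7", "confidence": 5, "tags": ["botnet"], "provider": "feedB"},
        {"indicator": "203.0.113.0/24", "confidence": 9, "tags": ["hostile_net"], "provider": "feedC"},
    ]),
}


def fake_fetch(url, headers):
    """Stand-in for the HTTP call: serve the constructed sample, or an empty list."""
    ip = url.rsplit("q=", 1)[1]
    return SAMPLE_RESPONSES.get(ip, "[]")


if __name__ == "__main__":
    for addr in ("203.0.113.7", "8.8.8.8"):
        print(json.dumps(enrich({"source": {"address": addr}}, fake_fetch)))
```

The `threat.match` boolean is what a downstream alert would key on; keeping the raw confidence, tags and providers alongside it lets an analyst see why an address was flagged without re-querying the platform.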