Threat Intel module

Hi all,

I need some help. I tried to integrate the threat intel module in version 7.12. Post integration, I am able to view the dashboards for Abuse URL and Abuse Malware but am not getting results for MISP, OTX, AlienVault. I did the required configurations as well. Can someone please help?

Hello @sbathla :slight_smile:

Did you manage to resolve this? Just wanted to check whether it's only the dashboard that is not working: do you have any data from those sources if you look in the Discover page?

Hello @sbathla.

We're glad that you're giving the module a try.

I think I might know what your issue with the MISP, OTX, and Anomali feeds is.

MISP
You need to have your own MISP server. MISP is a third-party, open-source platform. You can check them out here: https://www.misp-project.org/. Once you have MISP set up, you can simply update threatintel.yml to include your server location and API key.

OTX
AlienVault Open Threat eXchange (OTX) is a cloud threat feed provided by the AlienVault team. Unlike Abuse Malware and Abuse URL, this requires an API key that you can get simply by signing up for the service over at https://otx.alienvault.com. Once you have your API key, you can enter it in threatintel.yml.

Anomali
There isn't anything that you need to sign up for with Anomali, but their API credentials are commented out by default. You can simply go into threatintel.yml and remove the # before var.username: guest and var.password: guest.

Of note, Anomali also has multiple feeds that you can subscribe to. We provided a default one, but there are others with various numbers of indicators.

To get those feeds, you can query Limo to get the feed IDs with:

curl -u guest:guest https://limo.anomali.com/api/v1/taxii2/feeds/collections/ | jq

{
  "collections": [
    {
      "can_read": true,
      "can_write": false,
      "description": "",
      "id": "107",
      "title": "Phish Tank"
    },
    {
      "can_read": true,
      "can_write": false,
      "description": "",
      "id": "135",
      "title": "Abuse.ch Ransomware IPs"
    },
    {
      "can_read": true,
      "can_write": false,
      "description": "",
      "id": "136",
      "title": "Abuse.ch Ransomware Domains"
    },
    {
      "can_read": true,
      "can_write": false,
      "description": "",
      "id": "150",
      "title": "DShield Scanning IPs"
    },
    {
      "can_read": true,
      "can_write": false,
      "description": "",
      "id": "200",
      "title": "Malware Domain List - Hotlist"
    },
    {
      "can_read": true,
      "can_write": false,
      "description": "",
      "id": "209",
      "title": "Blutmagie TOR Nodes"
    },
    {
      "can_read": true,
      "can_write": false,
      "description": "",
      "id": "31",
      "title": "Emerging Threats C&C Server"
    },
    {
      "can_read": true,
      "can_write": false,
      "description": "",
      "id": "313",
      "title": "DT COVID-19"
    },
    {
      "can_read": true,
      "can_write": false,
      "description": "",
      "id": "33",
      "title": "Lehigh Malwaredomains"
    },
    {
      "can_read": true,
      "can_write": false,
      "description": "",
      "id": "41",
      "title": "CyberCrime"
    },
    {
      "can_read": true,
      "can_write": false,
      "description": "",
      "id": "68",
      "title": "Emerging Threats - Compromised"
    }
  ]
}

Taking the ID number, you can change the collection ID in the URL to target a different feed.

Example

var.url: https://limo.anomali.com/api/v1/taxii2/feeds/collections/135/objects?match[type]=indicator

Of note, only 1 var.url can be used at a time.
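The steps in the reply above (query the Limo collections list, pick a readable collection, put its ID into var.url, and uncomment the guest credentials) as one worked script. This is an added example, not code from the thread or from the Filebeat threatintel module. The collections response is a constructed sample built from the list shown above plus one made-up unreadable entry; a live query would fetch it from https://limo.anomali.com/api/v1/taxii2/feeds/collections/ with the guest:guest credentials. The `anomali:` nesting and `enabled: true` line in the generated fragment are assumptions about the layout of threatintel.yml; the var.url, var.username and var.password keys are the ones named in the thread.

```python
"""Select an Anomali Limo TAXII 2 collection and build the Filebeat
threatintel.yml var.url for it (added example, not Filebeat's own code)."""
import json
import re

LIMO_COLLECTIONS = "https://limo.anomali.com/api/v1/taxii2/feeds/collections/"

# Constructed sample: a subset of the collection list from the thread,
# plus one made-up entry with can_read false to show it being filtered out.
SAMPLE_RESPONSE = json.dumps({
    "collections": [
        {"can_read": True, "can_write": False, "description": "",
         "id": "107", "title": "Phish Tank"},
        {"can_read": True, "can_write": False, "description": "",
         "id": "135", "title": "Abuse.ch Ransomware IPs"},
        {"can_read": True, "can_write": False, "description": "",
         "id": "150", "title": "DShield Scanning IPs"},
        {"can_read": False, "can_write": False, "description": "",
         "id": "999", "title": "Constructed unreadable feed"},
    ]
})


def readable_collections(response_text):
    """Map collection title -> id for every collection the account can read.

    Entries without can_read are dropped: putting one of those into var.url
    would only produce auth errors in the Filebeat log."""
    data = json.loads(response_text)
    return {c["title"]: c["id"]
            for c in data.get("collections", []) if c.get("can_read")}


def feed_url(collection_id):
    """Build the objects URL for one collection, restricted to STIX indicators.

    The ID is checked to be numeric so that a mistyped title or a stray
    path fragment cannot end up in the module configuration."""
    if not re.fullmatch(r"\d+", str(collection_id)):
        raise ValueError(f"collection id must be numeric, got {collection_id!r}")
    return f"{LIMO_COLLECTIONS}{collection_id}/objects?match[type]=indicator"


def select_feed(response_text, title):
    """Resolve a human-readable collection title to its var.url value."""
    collections = readable_collections(response_text)
    if title not in collections:
        raise KeyError(f"no readable collection titled {title!r}; "
                       f"available: {sorted(collections)}")
    return feed_url(collections[title])


def anomali_vars(response_text, title):
    """Render the anomali section of threatintel.yml for a single feed.

    Only one var.url is accepted per module instance, so the function
    takes exactly one title. The surrounding nesting is an assumption about
    the file layout; the var.* keys are the ones the thread names."""
    return "\n".join([
        "  anomali:",
        "    enabled: true",
        f"    var.url: {select_feed(response_text, title)}",
        "    var.username: guest",   # uncommented, as the thread advises
        "    var.password: guest",
        "",
    ])


if __name__ == "__main__":
    for name, cid in sorted(readable_collections(SAMPLE_RESPONSE).items()):
        print(f"{cid:>4}  {name}")
    print(anomali_vars(SAMPLE_RESPONSE, "Abuse.ch Ransomware IPs"))
```

Running the script lists the readable collections with their IDs and prints the fragment for the Abuse.ch Ransomware IPs feed, whose var.url matches the example in the reply. To track several feeds at once, each one needs its own module instance with its own var.url, since a single instance only takes one.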