IOC Harvestor
This article provides guidelines for installing the IOC Harvestor app in Trisul Network Analytics.
The app creates a single new Trisul Resource Group stream containing INTEL items harvested from various other streams.
- This app creates a new Resource Stream called Intel Harvest with GUID “{EE1C9F46-0542-4A7E-4C6A-55E2C4689419}”.
- You can simply listen to the resources on this stream and write code to do something with them. See 'intel_print.lua', which just prints them to the terminal.
1. Installing
You can install the app by logging in as admin and selecting Web Admin > Manage > Apps > Ioc Harvestor
2. Saving to backend Database
- By default, the app stores the harvested candidate IOCs in the backend Hub database. This can take up significant disk space on busy networks.
- To prevent saving this stream, create a config file at /usr/local/var/lib/trisulprobe0/domain0/probe0/contextX/config/trisulnsm_ioc-harvestor.lua and enter the following:
return { SaveHarvestedItems=false, }
3. Sample Output
INDICATOR:DNSIP = 173.194.38.153
INDICATOR:DNSCNAME = pagead46.l.doubleclick.net
INDICATOR:NAME = googleads.g.doubleclick.net
INDICATOR:DNSIP6 = 404:6800:4003:805::1019
INDICATOR:DNSCNAME = pagead46.l.doubleclick.net
INDICATOR:NAME = tacoda.at.atwola.com
INDICATOR:DNSIP = 207.200.81.13
INDICATOR:DNSCNAME = rtx-at.tacoda.akadns.net
INDICATOR:NAME = ums.adtech.de
INDICATOR:NAME = rt.legolas-media.com
INDICATOR:NAME = ums.adtech.de
INDICATOR:DNSIP = 195.93.85.166
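The sample output above shows why the Intel Harvest stream is only a list of candidates: it repeats the same names many times and mixes indicator types. The following Python is an added example, not part of the app or of Trisul, showing what a consumer of that stream typically does once the items have been captured (for instance by a listener like intel_print.lua writing them to a file): parse the "INDICATOR:<TYPE> = <value>" lines, reject values that are not valid addresses, collapse the duplicates per type, and check the result against a local watchlist. The line format is taken from the sample output; the SAMPLE_OUTPUT text and the watchlist entries are constructed from that sample, and the type names DNSIP, DNSIP6, NAME and DNSCNAME are the only ones assumed.

```python
import ipaddress
import re
from collections import defaultdict

# Line shape taken from the page's sample output: "INDICATOR:<TYPE> = <value>".
INDICATOR_RE = re.compile(r"^INDICATOR:(?P<type>[A-Z0-9]+)\s*=\s*(?P<value>\S+)$")

IP_TYPES = {"DNSIP": 4, "DNSIP6": 6}   # value must be an address of this IP version
HOST_TYPES = {"NAME", "DNSCNAME"}      # value is a DNS host name

# Constructed input: the page's sample output, one indicator per line.
SAMPLE_OUTPUT = """
INDICATOR:DNSIP = 173.194.38.153
INDICATOR:DNSCNAME = pagead46.l.doubleclick.net
INDICATOR:NAME = googleads.g.doubleclick.net
INDICATOR:DNSIP6 = 404:6800:4003:805::1019
INDICATOR:DNSCNAME = pagead46.l.doubleclick.net
INDICATOR:NAME = tacoda.at.atwola.com
INDICATOR:DNSIP = 207.200.81.13
INDICATOR:DNSCNAME = rtx-at.tacoda.akadns.net
INDICATOR:NAME = ums.adtech.de
INDICATOR:NAME = rt.legolas-media.com
INDICATOR:NAME = ums.adtech.de
INDICATOR:DNSIP = 195.93.85.166
"""


def parse_indicators(text):
    """Return ([(type, value)] in stream order, [rejected lines])."""
    records, rejects = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = INDICATOR_RE.match(line)
        if m is None:
            rejects.append(line)
            continue
        kind, value = m.group("type"), m.group("value")
        if kind in IP_TYPES:
            # Never let a garbled value become a "known IOC": it must parse as
            # an address of the version the type claims.
            try:
                if ipaddress.ip_address(value).version != IP_TYPES[kind]:
                    rejects.append(line)
                    continue
            except ValueError:
                rejects.append(line)
                continue
        elif kind in HOST_TYPES:
            value = value.lower().rstrip(".")   # normalise names before comparing
        records.append((kind, value))
    return records, rejects


def unique_by_type(records):
    """Collapse repeated harvest hits into one sorted list per indicator type."""
    buckets = defaultdict(set)
    for kind, value in records:
        buckets[kind].add(value)
    return {kind: sorted(values) for kind, values in buckets.items()}


def match_watchlist(records, watchlist):
    """Return distinct (type, value, watchlist_entry) hits in stream order.

    Address entries match exactly; host-name entries also match subdomains.
    """
    addrs, hosts = set(), set()
    for entry in watchlist:
        try:
            addrs.add(ipaddress.ip_address(entry))
        except ValueError:
            hosts.add(entry.lower().rstrip("."))
    hits = []
    for kind, value in records:
        if kind in IP_TYPES:
            if ipaddress.ip_address(value) in addrs:
                hits.append((kind, value, value))
        elif kind in HOST_TYPES:
            for entry in hosts:
                if value == entry or value.endswith("." + entry):
                    hits.append((kind, value, entry))
    return list(dict.fromkeys(hits))   # dedupe while keeping first-seen order


if __name__ == "__main__":
    recs, bad = parse_indicators(SAMPLE_OUTPUT)
    print("parsed", len(recs), "indicators, rejected", len(bad))
    for kind, values in sorted(unique_by_type(recs).items()):
        print(kind, values)
    # Constructed watchlist: one domain (matching subdomains) and one address.
    for hit in match_watchlist(recs, ["doubleclick.net", "207.200.81.13"]):
        print("HIT", hit)
```

Running it on the sample collapses the 12 harvested lines to 10 distinct indicators and reports three watchlist hits. Rejected lines are returned rather than dropped silently so that a malformed harvest record shows up in your own logs instead of vanishing.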
tips/ioc_harvestor.txt · Last modified: 2020/03/31 19:04 by navaneeth