====== IOC Harvestor ======
This article provides guidelines for installing the IOC Harvestor app in Trisul Network Analytics.

**The app creates a single new Trisul Resource Group stream containing INTEL items harvested from various other streams.**
{{:tips:ioc-harvestor-app.png?400|}}
  * This app creates a new Resource Stream called Intel Harvest with GUID //{EE1C9F46-0542-4A7E-4C6A-55E2C4689419}//.
  * You can listen to the resources on this stream and write code to act on them. See 'intel_print.lua', which just prints them to the terminal.
===== 1. Installing =====
To install the app, log in as admin and select Web Admin > Manage > Apps > Ioc Harvestor.
{{:tips:iocharv-app-admin.png?600|}}
===== 2. Saving to backend Database =====
  * By default, the app stores the harvested candidate IOCs in the backend Hub database. This can take up significant disk space on busy networks.
  * To prevent saving this stream, create a config file at ///usr/local/var/lib/trisulprobe0/domain0/probe0/contextX/config/trisulnsm_ioc-harvestor.lua// and enter the following:

<code lua>
return {
  -- do not save harvested items to the backend Hub database
  SaveHarvestedItems=false,
}
</code>
===== 3. Sample Output =====
<code>
..
INDICATOR:DNSIP = 173.194.38.153
INDICATOR:DNSCNAME = pagead46.l.doubleclick.net
INDICATOR:NAME = googleads.g.doubleclick.net
INDICATOR:DNSIP6 = 404:6800:4003:805::1019
INDICATOR:DNSCNAME = pagead46.l.doubleclick.net
INDICATOR:NAME = tacoda.at.atwola.com
INDICATOR:DNSIP = 207.200.81.13
INDICATOR:DNSCNAME = rtx-at.tacoda.akadns.net
INDICATOR:NAME = ums.adtech.de
INDICATOR:NAME = rt.legolas-media.com
INDICATOR:NAME = ums.adtech.de
INDICATOR:DNSIP = 195.93.85.166
</code>
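
The sample output repeats indicators (the same name or CNAME appears more than once), so anything consuming it usually needs to validate and de-duplicate first. The following is an added example, not part of the Trisul app or its scripts: it assumes only the ''INDICATOR:<TYPE> = <value>'' line shape shown above, and the function name ''parse_harvest'' and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Line shape taken from the sample output: INDICATOR:<TYPE> = <value>
LINE_RE = re.compile(r"^INDICATOR:([A-Z0-9]+)\s*=\s*(\S+)\s*$")
# Indicator types that must hold an address of a given IP version
IP_TYPES = {"DNSIP": 4, "DNSIP6": 6}

def parse_harvest(lines):
    """Return ({type: {value: count}}, [rejected lines])."""
    seen = defaultdict(lambda: defaultdict(int))
    rejected = []
    for raw in lines:
        line = raw.strip()
        if not line or line == "..":          # blank line or elision marker
            continue
        m = LINE_RE.match(line)
        if not m:
            rejected.append(line)
            continue
        kind, value = m.groups()
        if kind in IP_TYPES:
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                rejected.append(line)         # not an IP address at all
                continue
            if addr.version != IP_TYPES[kind]:
                rejected.append(line)         # IPv6 under DNSIP or vice versa
                continue
            value = addr.compressed           # canonical text form
        else:
            value = value.rstrip(".").lower() # DNS names are case-insensitive
        seen[kind][value] += 1
    return {k: dict(v) for k, v in seen.items()}, rejected

# Constructed sample lines (documentation address ranges, not real traffic)
SAMPLE = """..
INDICATOR:DNSIP = 192.0.2.10
INDICATOR:DNSCNAME = Edge.Example.NET.
INDICATOR:NAME = www.example.com
INDICATOR:DNSIP6 = 2001:db8::1
INDICATOR:DNSCNAME = edge.example.net
INDICATOR:DNSIP = 999.1.1.1
INDICATOR:DNSIP = 2001:db8::2
garbage line
""".splitlines()

if __name__ == "__main__":
    items, bad = parse_harvest(SAMPLE)
    for kind in sorted(items):
        for value, count in sorted(items[kind].items()):
            print(f"{kind}\t{value}\t{count}")
    print(f"rejected: {len(bad)}")
```

Rejected lines are returned rather than dropped so that malformed or mismatched records can be reviewed instead of silently disappearing from the harvest.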