IOC Harvestor
This article provides guidelines for installing the IOC Harvestor app in Trisul Network Analytics.
The app creates a single new Trisul Resource Group stream containing INTEL items harvested from various other streams.
The new Resource Stream is called Intel Harvest and has the GUID “{EE1C9F46-0542-4A7E-4C6A-55E2C4689419}”. You can listen to the resources on this stream and write code to act on them. See 'intel_print.lua', which simply prints each harvested item to the terminal.
1. Installing
You can install the app by logging in as admin and selecting Web Admin > Manage > Apps > Ioc Harvestor.
2. Saving to backend Database
- By default, the app stores every harvested candidate IOC in the backend Hub database. On busy networks this can consume significant disk space.
- To stop this stream from being saved, create a config file at /usr/local/var/lib/trisulprobe0/domain0/probe0/contextX/config/trisulnsm_ioc-harvestor.lua (a Lua file that returns a settings table) with the following content:
return { SaveHarvestedItems=false, }
3. Sample Output
..
INDICATOR:DNSIP = 173.194.38.153
INDICATOR:DNSCNAME = pagead46.l.doubleclick.net
INDICATOR:NAME = googleads.g.doubleclick.net
INDICATOR:DNSIP6 = 404:6800:4003:805::1019
INDICATOR:DNSCNAME = pagead46.l.doubleclick.net
INDICATOR:NAME = tacoda.at.atwola.com
INDICATOR:DNSIP = 207.200.81.13
INDICATOR:DNSCNAME = rtx-at.tacoda.akadns.net
INDICATOR:NAME = ums.adtech.de
INDICATOR:NAME = rt.legolas-media.com
INDICATOR:NAME = ums.adtech.de
INDICATOR:DNSIP = 195.93.85.166
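The intro says you can write code that consumes the Intel Harvest stream, and the output above shows what intel_print.lua emits. The following is an added example (not part of the Trisul app or this page) of the consumer side: it reads text in that INDICATOR:TYPE = value shape, validates each value for its type (IPv4, IPv6, hostname), collapses duplicates, and checks the survivors against a watchlist. The sample lines, the malformed trailing lines and the watchlist are constructed for the example, and the assumption that the stream's text form is exactly what Section 3 shows is the example's, not the page's.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample shaped like the Section 3 output (not a real capture).
# The last two lines are deliberately malformed to show what gets rejected.
SAMPLE_OUTPUT = """\
INDICATOR:DNSIP = 173.194.38.153
INDICATOR:DNSCNAME = pagead46.l.doubleclick.net
INDICATOR:NAME = googleads.g.doubleclick.net
INDICATOR:DNSIP6 = 404:6800:4003:805::1019
INDICATOR:DNSCNAME = pagead46.l.doubleclick.net
INDICATOR:NAME = tacoda.at.atwola.com
INDICATOR:DNSIP = 207.200.81.13
INDICATOR:DNSCNAME = rtx-at.tacoda.akadns.net
INDICATOR:NAME = ums.adtech.de
INDICATOR:DNSIP = 999.1.1.1
not an indicator line
"""

LINE_RE = re.compile(r"^INDICATOR:(?P<type>[A-Z0-9_]+)\s*=\s*(?P<value>\S+)$")
# Conservative hostname check: dot-separated labels of letters, digits and
# hyphens, no label starting or ending with a hyphen.
HOSTNAME_RE = re.compile(
    r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*\.?$"
)


def validate(itype, value):
    """Return None if value is well-formed for its indicator type, else a reason."""
    try:
        if itype == "DNSIP":
            ipaddress.IPv4Address(value)
        elif itype == "DNSIP6":
            ipaddress.IPv6Address(value)
        elif itype in ("NAME", "DNSCNAME"):
            if not HOSTNAME_RE.match(value.lower()):
                return "not a hostname"
        # Indicator types this example does not know are passed through unchecked.
    except ValueError:
        return "not a valid %s address" % ("IPv4" if itype == "DNSIP" else "IPv6")
    return None


def parse_indicators(text):
    """Parse INDICATOR:<TYPE> = <value> lines into (accepted, rejected).

    accepted is a list of (type, value); rejected a list of (line, reason).
    """
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            rejected.append((line, "no INDICATOR marker"))
            continue
        itype, value = m.group("type"), m.group("value")
        reason = validate(itype, value)
        if reason:
            rejected.append((line, reason))
        else:
            accepted.append((itype, value))
    return accepted, rejected


def unique_by_type(indicators):
    """Collapse repeated values (the stream repeats them) into a sorted list per type."""
    seen = defaultdict(set)
    for itype, value in indicators:
        seen[itype].add(value)
    return {itype: sorted(values) for itype, values in seen.items()}


# Constructed watchlist: exact values plus address ranges (hypothetical entries).
WATCH_VALUES = {"rtx-at.tacoda.akadns.net"}
WATCH_NETS = [ipaddress.ip_network("207.200.81.0/24")]


def match_watchlist(indicators, values=WATCH_VALUES, nets=WATCH_NETS):
    """Return the (type, value) pairs that hit the watchlist, in stream order.

    Names are matched exactly; IP indicators are also tested against networks
    of the same address family.
    """
    hits = []
    for itype, value in indicators:
        if value.lower() in values:
            hits.append((itype, value))
            continue
        if itype in ("DNSIP", "DNSIP6"):
            addr = ipaddress.ip_address(value)
            if any(addr in net for net in nets if net.version == addr.version):
                hits.append((itype, value))
    return hits


if __name__ == "__main__":
    ok, bad = parse_indicators(SAMPLE_OUTPUT)
    for itype, vals in unique_by_type(ok).items():
        print(itype, vals)
    for line, reason in bad:
        print("REJECTED:", line, "->", reason)
    for hit in match_watchlist(ok):
        print("WATCHLIST HIT:", hit)
```

Validating before matching matters because the harvested items are candidates taken from live traffic, so a malformed or attacker-controlled value should be dropped rather than stored or compared; the dedup step is also why disabling SaveHarvestedItems (Section 2) and keeping only unique values in your own store can be much cheaper than letting every repetition land in the Hub database.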
tips/ioc_harvestor.1585657447.txt.gz · Last modified: 2020/03/31 17:54 by navaneeth