Graylog Pipelines - Threat Indicators
Graylog ships with a threat intelligence plugin that lets you check IP addresses and domain names against threat feeds to determine whether they have been reported as malicious. The same approach can be extended to other kinds of lookups.
On a fresh install you need to install the content packs before the threat intelligence plugin will work. Navigate to System -> Content Packs and click the Install button.
After a few minutes, refresh the page; a green button indicates that the content packs have been installed.
Pipelines let you modify incoming logs: adding fields, dropping the log, and providing additional capabilities through functions. You can reach the pipeline system by going to System -> Pipeline.
Below is a rule that takes a log containing the field winlogbeat_event_data_QueryName and queries the threat intelligence content packs for any reports of that domain being malicious.
rule "Domain Name Threat Lookup"
when
  has_field("winlogbeat_event_data_QueryName")
then
  // Look up the query name in the OTX data source.
  let intel = otx_lookup_domain(to_string($message.winlogbeat_event_data_QueryName));
  // Set the result. If the domain is flagged there will be additional fields; we only care about true or false at this time.
  set_field("otx_threat", intel.otx_threat_indicated);
  // Look up the query name in the other data sources; the "domain" prefix produces the domain_threat_indicated field.
  set_fields(threat_intel_lookup_domain(to_string($message.winlogbeat_event_data_QueryName), "domain"));
end
Add the above rule to a pipeline stage. The image below shows an example of the pipeline setup.
After finalizing the pipeline settings there will be two additional fields in the DNS Stream: otx_threat and domain_threat_indicated. The next step would be creating alerts that perform an action on possible threats.
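As an added example, not part of the original post, the following two rules extend the same pattern: the first applies the plugin's IP lookup functions (otx_lookup_ip and threat_intel_lookup_ip) to a network-connection log, and the second collapses the per-feed results into a single threat_indicated field that an alert condition can key on. The field name winlogbeat_event_data_DestinationIp is an assumption (a Sysmon event ID 3 field as flattened by Winlogbeat); the field names otx_threat, domain_threat_indicated and ip_threat_indicated follow the prefix convention shown above. Create each rule as a separate entry in the rule editor.

```text
rule "IP Threat Lookup"
when
  has_field("winlogbeat_event_data_DestinationIp")
then
  // Assumed field name: the destination IP of a Sysmon network-connection event as flattened by Winlogbeat.
  let ip = to_string($message.winlogbeat_event_data_DestinationIp);
  // OTX lookup for the IP; the result map carries otx_threat_indicated.
  let intel = otx_lookup_ip(ip);
  set_field("otx_threat", intel.otx_threat_indicated);
  // Remaining feeds; the "ip" prefix produces ip_threat_indicated.
  set_fields(threat_intel_lookup_ip(ip, "ip"));
end

rule "Threat Indicator Summary"
when
  to_bool($message.otx_threat) ||
  to_bool($message.domain_threat_indicated) ||
  to_bool($message.ip_threat_indicated)
then
  // to_bool() yields false for a field that is missing, so a message that only went through
  // one of the lookup rules (DNS or network connection) is handled without a separate check.
  set_field("threat_indicated", true);
end
```

Place the summary rule in a later stage than the lookup rules: fields set by a rule in one stage are only visible to the rules in the stages that follow it. With the summary field in place, a single alert condition on threat_indicated:true covers both the DNS and the network-connection lookups instead of one condition per feed field.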