
automatically generate Zeek intelligence indicators from STIX/TAXII #74

Closed
mmguero opened this issue Feb 1, 2022 · 1 comment
Assignees
Labels
enhancement New feature or request zeek Relating to Malcolm's use of Zeek

Comments


mmguero commented Feb 1, 2022

In conjunction with Malcolm's use of Zeek Intelligence framework:

... on startup Malcolm will automatically generate a Zeek intelligence file for all Structured Threat Information Expression (STIX™) v2.0/v2.1 JSON files found under ./zeek/intel/STIX.

Additionally, if a special text file named .stix_input.txt is found in ./zeek/intel/STIX, that file will be read and processed as a list of TAXII™ 2.0/2.1 feeds, one per line, according to the following format:

taxii|version|discovery_url|collection_name|username|password

For example:

taxii|2.0|http://example.org/taxii/|IP Blocklist|guest|guest
taxii|2.1|https://example.com/taxii/api2/|URL Blocklist
…

Malcolm will attempt to query the TAXII feed(s) for indicator STIX objects and convert them to the Zeek intelligence format as described above. There are publicly available TAXII 2.x-compatible services provided by a number of organizations including Anomali Labs and MITRE, or you may choose from several open-source offerings to roll your own TAXII 2 server (e.g., oasis-open/cti-taxii-server, freetaxii/server, StephenOTT/TAXII-Server, etc.).

Note that only indicators of cyber-observable objects matched with the equals (=) comparison operator against a single value can be expressed as Zeek intelligence items. More complex STIX indicators will be silently ignored.
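The two mechanisms described above (the pipe-delimited `.stix_input.txt` feed lines and the "single equals comparison only" rule for turning STIX indicators into Zeek intelligence items) are small enough to show end to end. The following is an added example written for this page; it is not Malcolm's own converter. It assumes the Zeek intel file column layout `#fields indicator indicator_type meta.source meta.desc`, a hand-picked mapping from STIX object paths to `Intel::Type` values, and constructed feed lines and indicator objects. It goes slightly beyond the text in one place: an `ipv4-addr`/`ipv6-addr` value written in CIDR form is emitted as `Intel::SUBNET` rather than `Intel::ADDR`.

```python
"""Added example (not Malcolm's code): parse .stix_input.txt feed lines and
convert simple STIX 2.x indicators to Zeek Intelligence Framework records."""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed mapping from STIX cyber-observable paths to Zeek Intel::Type values.
STIX_PATH_TO_ZEEK = {
    "ipv4-addr:value": "Intel::ADDR",
    "ipv6-addr:value": "Intel::ADDR",
    "domain-name:value": "Intel::DOMAIN",
    "url:value": "Intel::URL",
    "email-addr:value": "Intel::EMAIL",
    "file:name": "Intel::FILE_NAME",
    "file:hashes.MD5": "Intel::FILE_HASH",
    "file:hashes.'SHA-1'": "Intel::FILE_HASH",
    "file:hashes.'SHA-256'": "Intel::FILE_HASH",
}

# Exactly one comparison of the form [ <object-path> = '<value>' ]; anything
# else (OR/AND, MATCHES, !=, multiple observation expressions) will not match.
SIMPLE_PATTERN = re.compile(
    r"^\s*\[\s*([A-Za-z0-9_\-]+:[A-Za-z0-9_\-.']+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*\]\s*$"
)


@dataclass
class TaxiiFeed:
    version: str
    discovery_url: str
    collection_name: str
    username: Optional[str] = None
    password: Optional[str] = None


def parse_stix_input_line(line: str) -> Optional[TaxiiFeed]:
    """Parse 'taxii|version|discovery_url|collection_name[|username|password]'.
    Returns None for blank lines, comments, or lines that are not TAXII 2.x feeds."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split("|")
    if len(fields) < 4 or fields[0].lower() != "taxii" or fields[1] not in ("2.0", "2.1"):
        return None
    username = fields[4] if len(fields) > 4 and fields[4] else None
    password = fields[5] if len(fields) > 5 and fields[5] else None
    return TaxiiFeed(fields[1], fields[2], fields[3], username, password)


def stix_indicator_to_zeek(indicator: dict, source: str = "stix") -> Optional[str]:
    """Return one tab-separated Zeek intel record, or None when the indicator
    cannot be expressed (not an indicator, compound pattern, non-equals operator,
    or an object path Zeek's intel framework has no type for)."""
    if indicator.get("type") != "indicator":
        return None
    m = SIMPLE_PATTERN.match(indicator.get("pattern", ""))
    if not m:
        return None
    path = m.group(1)
    value = re.sub(r"\\(.)", r"\1", m.group(2))  # undo STIX \' and \\ escapes
    zeek_type = STIX_PATH_TO_ZEEK.get(path)
    if zeek_type is None:
        return None
    if zeek_type == "Intel::ADDR" and "/" in value:
        zeek_type = "Intel::SUBNET"  # CIDR notation needs the subnet type
    # Tabs separate columns in intel files, so they must not appear in free text.
    desc = (indicator.get("name") or indicator.get("id", "")).replace("\t", " ")
    return "\t".join([value, zeek_type, source, desc])


def build_intel_file(indicators, source: str = "stix") -> str:
    """Build the text of a Zeek intel file from an iterable of STIX objects."""
    lines = ["#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc"]
    for ind in indicators:
        rec = stix_indicator_to_zeek(ind, source)
        if rec:
            lines.append(rec)
    return "\n".join(lines) + "\n"


# Constructed sample input (RFC 5737 documentation addresses, placeholder hash).
SAMPLE_FEED_LINES = [
    "taxii|2.0|http://example.org/taxii/|IP Blocklist|guest|guest",
    "taxii|2.1|https://example.com/taxii/api2/|URL Blocklist",
    "# comment line, ignored",
]
SAMPLE_INDICATORS = [
    {"type": "indicator", "id": "indicator--1", "name": "scanner host",
     "pattern": "[ipv4-addr:value = '203.0.113.7']"},
    {"type": "indicator", "id": "indicator--2", "name": "phishing domain",
     "pattern": "[domain-name:value = 'malicious.example']"},
    {"type": "indicator", "id": "indicator--3", "name": "dropper sha256",
     "pattern": "[file:hashes.'SHA-256' = '" + "0123456789abcdef" * 4 + "']"},
    {"type": "indicator", "id": "indicator--4", "name": "bad subnet",
     "pattern": "[ipv4-addr:value = '198.51.100.0/24']"},
    {"type": "indicator", "id": "indicator--5", "name": "compound, ignored",
     "pattern": "[ipv4-addr:value = '203.0.113.8' OR ipv4-addr:value = '203.0.113.9']"},
    {"type": "indicator", "id": "indicator--6", "name": "regex, ignored",
     "pattern": "[url:value MATCHES '^http://.*\\.example$']"},
    {"type": "malware", "id": "malware--1", "name": "not an indicator"},
]

if __name__ == "__main__":
    for feed_line in SAMPLE_FEED_LINES:
        print(parse_stix_input_line(feed_line))
    print(build_intel_file(SAMPLE_INDICATORS))
```

Running the block prints the two parsed feed definitions (the second with no credentials) and an intel file holding four records: the host, the domain, the hash, and the subnet; the OR pattern, the MATCHES pattern and the malware object are dropped, which is the "silently ignored" behaviour the issue describes. A production converter would additionally validate that the value actually parses as the claimed type before writing it, since Zeek rejects an intel file containing a malformed address.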

@mmguero mmguero added enhancement New feature or request zeek Relating to Malcolm's use of Zeek labels Feb 1, 2022
@mmguero mmguero self-assigned this Feb 1, 2022
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue Feb 1, 2022
@mmguero mmguero changed the title automatically convert STIX to Zeek intelligence files automatically generate Zeek intelligence indicators from STIX/TAXII Feb 2, 2022
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue Feb 2, 2022
mmguero added a commit to cisagov/Malcolm that referenced this issue Feb 4, 2022

mmguero commented Feb 7, 2022

Working in v5.2.4

@mmguero mmguero closed this as completed Feb 7, 2022
mmguero added a commit to cisagov/Malcolm that referenced this issue Feb 7, 2022
v5.2.4 development

- New features
  - idaholab#74 (automatically generate Zeek intelligence indicators from STIX/TAXII)

- Improvements
  - group MAC addresses and OUI (vendors) into `related.mac` and `related.oui` for easier searching across all fields
  - improvements to default anomaly detectors

- Bug fixes
  - Fix idaholab#75 (OpenSearch Dashboards loads slowly without network connectivity)
  - Fix idaholab#76 (directory creation race condition starting up zeek on sensor which may cause zeekctl to fail)
@mmguero mmguero added this to Malcolm Oct 14, 2024
@mmguero mmguero moved this to Released in Malcolm Oct 17, 2024