How does Wazuh integrate with AlienVault Open Threat Exchange?


Jorge Martins

Jan 30, 2019, 6:38:05 AM
to Wazuh mailing list
How does Wazuh integrate with AlienVault Open Threat Exchange?

Can't find anything in the documentation.


Thank you!

Jeremy Phillips

Jan 30, 2019, 7:57:25 AM
to Jorge Martins, Wazuh mailing list
Hi Jorge,

The Wazuh team wrote up a blog article on using IP reputation lists here - https://wazuh.com/blog/cdb-lists/

Jeremy

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/9ba19747-b1f8-4a00-a7ad-c5713e7302d2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jorge Martins

Jan 30, 2019, 8:36:25 AM
to Wazuh mailing list
Thanks!

Does it only integrate with IP reputation?

Is there any kind of integration with file hashes from the pulse system?



Jeremy Phillips

Jan 30, 2019, 9:30:00 AM
to Jorge Martins, Wazuh mailing list
To my knowledge, the only file/hash integration that Wazuh currently supports is to VirusTotal - https://documentation.wazuh.com/3.x/user-manual/capabilities/virustotal-scan/integration.html .  A new integration would need to be developed for OTX pulses, though it could be based off the existing VirusTotal integration.  

Jeremy


Russell Butturini

Jan 30, 2019, 9:33:51 AM
to Jorge Martins, Wazuh mailing list
+1 for this.  This is exactly what I've been working on this week and trying to hook up.  It would be an excellent feature to add.  


Russell Butturini

Jan 30, 2019, 9:43:24 AM
to Jorge Martins, Wazuh mailing list
Also, on the blog post, the Python script to convert the OTX IP list to CDB format is returning a 404 error message.  As opposed to me having to rewrite from scratch, can the Wazuh team share this back out? :-)
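The conversion Russell refers to, as an added example rather than the blog's missing script: it assumes the '#'-separated layout of the OTX reputation.data feed (IP#reliability#risk#activity#country#city#lat,lon#factor), uses constructed sample lines, and emits one `ip:value` line per IPv4 address in Wazuh CDB list format, skipping duplicates, malformed rows and IPv6 (a ':' in the key would break the key/value split).

```python
"""Convert an AlienVault OTX reputation feed into a Wazuh CDB list.

Added example, not the Wazuh team's script. Assumed feed layout:
IP#reliability#risk#activity#country#city#lat,lon#factor
"""
import ipaddress

# Constructed sample feed lines (documentation ranges, not real indicators).
SAMPLE_FEED = """\
# comment line, ignored
203.0.113.10#4#2#Scanning Host#NL#Amsterdam#52.35,4.9167#11
198.51.100.7#6#3#Malicious Host#US#Dallas#32.78,-96.8#11
not-an-ip#3#2#Spamming##
2001:db8::1#5#3#Malicious Host##
203.0.113.10#4#2#Scanning Host#NL#Amsterdam#52.35,4.9167#11
"""


def parse_feed(text, min_risk=0):
    """Yield (ip, value) pairs, dropping comments, bad rows, IPv6 and repeats."""
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("#")
        if len(fields) < 4:
            continue
        ip, reliability, risk, activity = fields[:4]
        try:
            ipaddress.IPv4Address(ip)   # rejects garbage and IPv6 keys
            risk_n = int(risk)
        except ValueError:
            continue
        if risk_n < min_risk or ip in seen:
            continue
        seen.add(ip)
        # ':' is the CDB key/value separator, so it must not appear in the value.
        value = f"{activity.replace(':', ' ')} risk={risk_n} reliability={reliability}"
        yield ip, value


def to_cdb(text, min_risk=0):
    """Return CDB list text: one 'key:value' line per unique IPv4 address."""
    return "".join(f"{ip}:{value}\n" for ip, value in parse_feed(text, min_risk))


if __name__ == "__main__":
    print(to_cdb(SAMPLE_FEED, min_risk=2), end="")
```

Write the output to a file under the manager's lists directory and reference it from a rule's `<list>` element; `min_risk` lets you keep only the entries the feed itself rates as higher risk.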

Jeremy Phillips

Jan 30, 2019, 9:49:00 AM
to Russell Butturini, Jorge Martins, Wazuh mailing list

Jeremy Phillips

Jan 30, 2019, 9:57:28 AM
to Russell Butturini, Jorge Martins, Wazuh mailing list
I would suggest opening a Feature Request over at GitHub - https://github.com/wazuh/wazuh/issues

With VirusTotal having a rate limit for public/free queries, I could definitely see value in another integration like OTX.  The biggest challenge, IMO, is not to port the existing VirusTotal code to query OTX, but to build in a feed download/cache mechanism.  To be a "good citizen", the integration shouldn't be spamming the API with the same hash repeatedly, as the current VirusTotal integration will do (hit API for every FIM alert).

My .02

Jeremy

Jorge Martins

Feb 8, 2019, 10:38:49 AM
to Wazuh mailing list
Created a feature request: https://github.com/wazuh/wazuh/issues/2545

If anyone is interested in this, please go there.

Thanks

