IoC files for threat detection


Sat Slamkhan

Oct 4, 2023, 1:51:49 AM10/4/23
to Wazuh | Mailing List
Hello, I have a problem. Imagine I have a list of IoCs of potential threats (their IPs, hashes and domains (URLs)). I want to store this list (or lists) somewhere on the Wazuh server, so that if there is an attack from one of those threats, it will send an alert.

I have found this blog about "Building IoC files for threat intelligence with Wazuh XDR".
https://wazuh.com/blog/building-ioc-files-for-threat-intelligence-with-wazuh-xdr/

Am I correct to say that I can solve my problem just by doing everything written there, and manually adding (typing) my list(s) of IoCs into those files (the mal-ip-list, mal-url-list and mal-md5-list files) in the /var/ossec/etc/lists/ directory of the Wazuh server?

Pacome Kemkeu

Oct 4, 2023, 2:24:48 AM10/4/23
to Wazuh | Mailing List
Hello @Sat Slamkhan,

A short answer to your question is yes.

That blog post aimed to help you automate the process of building your threat intelligence database using CDB lists, based on events that occurred in your environment. However, if you already have an IoC base (IPs, hashes, URLs), you can add them manually to these files. Just make sure to respect the format used for each IoC.

The script continuously reads the file and compares the IoCs in there with the ones from new events.
If one of the IoCs you added manually is detected in an event, you'll be notified of its existence.

I hope you find this helpful.

Sat Slamkhan

Oct 4, 2023, 2:47:26 AM10/4/23
to Wazuh | Mailing List
Thank you very much!

Sat Slamkhan

Oct 4, 2023, 2:49:43 AM10/4/23
to Wazuh | Mailing List
Can you tell me what extensions those files should have? (the mal-ip-list, mal-url-list and mal-md5-list files)

Pacome Kemkeu

Oct 4, 2023, 2:58:12 AM10/4/23
to Wazuh | Mailing List
Hello Sat,
The list file is a plain text file.
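As an added example (not from this thread, and not Wazuh's own tooling) covering both the "respect the format used for each IoC" and the "plain text file" answers above: a small Python helper that normalizes IPs, MD5 hashes and URLs into the `key:value` lines a CDB list is made of (the value may be left empty), rejects malformed entries before they reach the list, and checks a constructed event against the resulting lists. The event field names (`srcip`, `md5`, `url`) and the decision to key URL entries on host plus path without the scheme are assumptions for the illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
# Assumed mapping from event fields to the kind of list they are checked against.
FIELD_KIND = {"srcip": "ip", "md5": "md5", "url": "url"}


def normalize(kind, ioc):
    """Return the CDB lookup key for one IoC, or None if it is malformed."""
    value = ioc.strip()
    if kind == "ip":
        try:
            return str(ipaddress.ip_address(value))  # canonical form, e.g. no leading zeros
        except ValueError:
            return None
    if kind == "md5":
        value = value.lower()
        return value if MD5_RE.fullmatch(value) else None
    if kind == "url":
        # ':' separates key from value in a CDB line, so the scheme is dropped
        # and the key is host + path (assumption: the rule matches on that form).
        if "://" not in value:
            value = "//" + value
        parts = urlsplit(value)
        host = (parts.hostname or "").lower()
        return (host + parts.path) if host else None
    raise ValueError(f"unknown IoC kind: {kind}")


def build_cdb_lines(kind, iocs):
    """Deduplicated 'key:' lines ready to be written to a plain-text CDB list file."""
    keys = []
    for ioc in iocs:
        key = normalize(kind, ioc)
        if key and key not in keys:
            keys.append(key)
    return [f"{key}:" for key in keys]


def load_cdb(lines):
    """Parse CDB lines back into the set of keys that a lookup would match."""
    return {line.split(":", 1)[0] for line in lines if line.strip()}


def match_event(event, lists):
    """Return [(kind, key)] for every event field whose normalized value is listed."""
    hits = []
    for field, kind in FIELD_KIND.items():
        key = normalize(kind, event.get(field, "")) if field in event else None
        if key and key in lists.get(kind, set()):
            hits.append((kind, key))
    return hits
```

Each returned line goes into the matching list file as-is; a Wazuh rule then references the list for the relevant field, so a raw entry such as `10.0.0.5:` or `d41d8cd98f00b204e9800998ecf8427e:` is what the lookup sees.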