work in progress for mandiant threat intel integration, cisagov#358

mmguero-dev · Nov 8, 2024 · e870532 · e870532
1 parent d970aba
commit e870532
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 4 deletions.
diff --git a/logstash/pipelines/zeek/1029_zeek_intel.conf b/logstash/pipelines/zeek/1029_zeek_intel.conf
@@ -42,8 +42,11 @@ filter {
       }
     }
 
+    # "sources" is handled differently because of some weirdness between creating the meta.source field in the
+    #   intel file (which seems to be a string) and the sources field in intel.log (which is a set of string)
+    #   so we're doing our own | pseudo-delimiter to work around it.
     mutate { id => "mutate_split_zeek_intel_commas"
-             split => { "[zeek_cols][sources]" => ","
+             split => { "[zeek_cols][sources]" => "|"
                         "[zeek_cols][matched]" => ","
                         "[zeek_cols][cif_tags]" => "," } }
 

diff --git a/shared/bin/zeek_threat_feed_utils.py b/shared/bin/zeek_threat_feed_utils.py
@@ -231,7 +231,7 @@ def map_mandiant_indicator_to_zeek(
         if hasattr(indicator, 'last_seen'):
             zeekItem[ZEEK_INTEL_CIF_LASTSEEN] = str(mktime(indicator.last_seen.timetuple()))
         if hasattr(indicator, 'sources'):
-            zeekItem[ZEEK_INTEL_META_SOURCE] = ','.join(
+            zeekItem[ZEEK_INTEL_META_SOURCE] = '\\x7c'.join(
                 list(
                     {
                         entry['source_name'].replace(',', '\\x2c')
@@ -455,7 +455,7 @@ def map_stix_indicator_to_zeek(
         zeekItem = defaultdict(lambda: '-')
 
         zeekItem[ZEEK_INTEL_META_SOURCE] = (
-            ','.join([x.replace(',', '\\x2c') for x in source])
+            '\\x7c'.join([x.replace(',', '\\x2c') for x in source])
             if source is not None and len(source) > 0
             else str(indicator.id)
         )
@@ -539,7 +539,7 @@ def map_misp_attribute_to_zeek(
         zeekItem = defaultdict(lambda: '-')
 
         if source is not None and len(source) > 0:
-            zeekItem[ZEEK_INTEL_META_SOURCE] = ','.join([x.replace(',', '\\x2c') for x in source])
+            zeekItem[ZEEK_INTEL_META_SOURCE] = '\\x7c'.join([x.replace(',', '\\x2c') for x in source])
         if description is not None:
             zeekItem[ZEEK_INTEL_META_DESC] = description
         if url is not None: