ThreatFox IOC Tracker Data Adapter
This is a Graylog Enterprise feature. A valid Graylog Enterprise license is required.
ThreatFox is a project from abuse.ch that tracks indicators of compromise (IOCs) associated with malware. The ThreatFox Data Adapter supports lookups by the following key types:
- URL
- Domain
- IP:port
- MD5 hash
- SHA256 hash
When you create the data adapter, it downloads the ThreatFox data set and stores it in MongoDB. The Refresh Interval configuration parameter determines how often a new data set is fetched.
Sample Lookup Data
A lookup for the file hash 923fa80da84e45636a62f779913559a07420a1c6e21f093d87ddfe04bda683c4 may produce the following output:
{
  "first_seen_utc": "2021-07-07T17:03:57.000+0000",
  "ioc_id": "158365",
  "ioc_value": "923fa80da84e45636a62f779913559a07420a1c6e21f093d87ddfe04bda683c4",
  "ioc_type": "sha256_hash",
  "threat_type": "payload",
  "fk_malware": "win.agent_tesla",
  "malware_alias": [
    "AgenTesla",
    "AgentTesla",
    "Negasteal"
  ],
  "malware_printable": "Agent Tesla",
  "confidence_level": 50,
  "reference": "https://twitter.com/RedBeardIOCs/status/1412819661419433988",
  "tags": [
    "agenttesla"
  ],
  "anonymous": false,
  "reporter": "Virus_Deck"
}
Configure the Data Adapter
- Title: A short title for the data adapter.
- Description: A description of the data adapter.
- Name: A unique name for the data adapter.
- Custom Error TTL: Optional custom TTL for caching erroneous results. The default value is 5 seconds.
- Include IOCs Older Than 90 Days: Optional setting that includes IOCs older than 90 days. By default, the data adapter's data set does not include IOCs older than 90 days. To avoid false positives, handle IOCs older than 90 days carefully.
- Refresh Interval: Determines how often to fetch new data. The minimum refresh interval is 3600 seconds (1 hour), because that is how often the source data updates.
- Case Insensitive Lookup: Allows the data adapter to perform case-insensitive lookups.
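As an added example (not Graylog's or ThreatFox's own code), the following Python sorts a raw indicator into one of the key types the adapter supports and applies the 90-day caveat from the Include IOCs Older Than 90 Days setting to a lookup result like the sample above; the regular expressions and the confidence floor of 50 are assumptions of this example, not part of the adapter.

```python
import re
from datetime import datetime, timedelta

# Sample lookup output from this page, trimmed to the fields used below.
SAMPLE_HIT = {
    "first_seen_utc": "2021-07-07T17:03:57.000+0000",
    "ioc_type": "sha256_hash",
    "malware_printable": "Agent Tesla",
    "confidence_level": 50,
}

# Assumed shapes for the five key types the adapter accepts.
_MD5 = re.compile(r"^[0-9a-f]{32}$", re.I)
_SHA256 = re.compile(r"^[0-9a-f]{64}$", re.I)
_IP_PORT = re.compile(r"^(\d{1,3}\.){3}\d{1,3}:\d{1,5}$")
_DOMAIN = re.compile(r"^([a-z0-9-]+\.)+[a-z]{2,}$", re.I)


def ioc_key_type(value: str):
    """Return the adapter key type an indicator fits, or None if it fits none."""
    v = value.strip()
    if _SHA256.match(v):
        return "sha256_hash"
    if _MD5.match(v):
        return "md5_hash"
    if _IP_PORT.match(v):
        return "ip:port"
    if v.lower().startswith(("http://", "https://")):
        return "url"
    if _DOMAIN.match(v):
        return "domain"
    return None


def parse_ts(ts: str) -> datetime:
    """Parse the adapter's timestamp format (milliseconds plus '+0000' offset)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def assess_hit(hit: dict, now: datetime, stale_days: int = 90,
               min_confidence: int = 50) -> dict:
    """Flag a hit older than the adapter's default 90-day window as stale; only
    fresh hits at or above the (assumed) confidence floor are alert-worthy."""
    age = now - parse_ts(hit["first_seen_utc"])
    stale = age > timedelta(days=stale_days)
    confident = int(hit.get("confidence_level", 0)) >= min_confidence
    return {
        "malware": hit.get("malware_printable"),
        "age_days": age.days,
        "stale": stale,
        "alert": confident and not stale,
    }
```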