Part 8. Firewall Threat Intel With GreyNoise
Quickly spot malicious IPs observed by your firewall
PART ONE: Backend Storage
PART TWO: Log Ingestion
PART THREE: Log Analysis
PART FOUR: Wazuh Agent Install
PART FIVE: Intelligent SIEM Logging
PART SIX: Best Open Source SIEM Dashboards
PART SEVEN: Firewall Log Collection Made Easy
Intro
In Part 7 — Firewall Log Collection Made Easy we configured Graylog to receive, parse, and write our collected firewall logs into our SIEM backend. While this is great for visualizing our data, let’s take it a step further and enrich our collected firewall logs with threat intelligence provided by GREYNOISE.
Threat Intel With GreyNoise
Let’s add some Threat Intel using GreyNoise’s API: Graylog will use it to enrich the destination IP addresses in our logs with GreyNoise’s intelligence. This allows us to quickly spot malicious IPs whose traffic was observed in our pfSense logs.
CREATE YOUR FREE API KEY WITH GREYNOISE BEFORE PROGRESSING
Data Flow
We first need to understand the full route our data will take during the enrichment process.
1. Logs forwarded from Firewall to Graylog (READ PART SEVEN)
2. Graylog checks if the received log contains the field name DestIP
3. Graylog invokes the GREYNOISE API and receives the response
4. Graylog enriches the original log with the GREYNOISE response
5. Graylog writes the log to the SIEM Backend (Wazuh-Indexer)
Create Data Adapter
Within Graylog, we first need to create a Data Adapter. The Data Adapter is where we configure the API request that will be made, such as the URL, Auth keys, Headers, etc.
1. Navigate to System -> Lookup Tables and select Data Adapters.
2. Select GreyNoise Community IP Lookup and configure the Data Adapter with your API key.
3. Verify your API key is correct by testing a lookup for 45.83.66.207.
Create Data Cache
Another benefit of using Graylog is the built-in Data Caching. Most API services limit the number of API requests that end users are allowed to make over a given timeframe. This limitation means our automated Threat Intel provides no value once our API limit has been reached.
To combat this issue, we implement Graylog Data Caching. Caches store lookup results to improve lookup performance and to avoid overloading databases and APIs. Before invoking an API call to Greynoise, Graylog first checks the internal cache. If the DestIP was previously enriched with Greynoise API results, those entries are stored within the Graylog Data Cache and there is no need for Graylog to invoke the Greynoise API again, which saves our API quota.
1. Navigate to System -> Lookup Tables and select Caches.
2. Create the Cache to hold Greynoise API results.
Notice that Expire after access can be tweaked to your liking. Bear in mind that higher expire times will consume more memory on your Graylog node.
Create Lookup Table
The lookup table component ties together a data adapter instance and a cache instance. It is needed to actually enable the usage of the lookup table in extractors, converters, pipeline functions and decorators.
1. Navigate to System -> Lookup Tables and select Lookup Tables.
2. Configure the Greynoise Lookup Table. Ensure you point to your previously created Data Adapter and Cache.
Creating Pipeline Rule
With our Lookup Table configured, we need to tell Graylog when we want to invoke the Greynoise API. This is achieved by creating a Pipeline Rule.
1. Navigate to System -> Pipelines and select Manage rules.
2. Create the GreyNoise Lookup on DestIP Rule:
rule "GreyNoise Lookup on DestIP"
when
    // Only run when the parsed firewall log carries a destination IP
    has_field("DestIP")
then
    // Query the "greynoise" lookup table (cache first, then the Data Adapter)
    let ldata = lookup(
        lookup_table: "greynoise",
        key: to_string($message.DestIP)
    );
    // Copy every returned field onto the message, each name prefixed with greynoise_
    set_fields(
        fields: ldata,
        prefix: "greynoise_"
    );
end
We are instructing Graylog to use the greynoise Lookup Table only when the consumed log has the DestIP field. The set_fields function is responsible for enriching our log with the response back from Greynoise and adding the prefix greynoise_ to every field name.
3. Create the Greynoise Pipeline and add your firewall stream that we configured in Part Seven.
4. Within Stage 0 add the GreyNoise Lookup on DestIP pipeline rule.
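To make the Data Cache and pipeline rule behaviour above concrete, here is an added Python model (not code from the post or from Graylog) of the same flow: a lookup table that consults an "Expire after access" cache before spending an API request, and an enrich function with the same logic as the GreyNoise Lookup on DestIP rule. The GreyNoise response fields and the clock injection are assumptions made so the model runs offline.

```python
import time
from typing import Callable, Dict, Optional

# Constructed sample of a GreyNoise Community lookup result for the IP the post
# uses as its test case; the field names are an assumption, not a captured response.
FAKE_GREYNOISE = {"45.83.66.207": {"noise": True, "riot": False, "classification": "malicious"}}

class ExpireAfterAccessCache:
    # Mirrors Graylog's "Expire after access" setting: every hit renews the TTL.
    def __init__(self, ttl_seconds: float, clock: Callable[[], float] = time.monotonic):
        self.ttl, self.clock, self._entries = ttl_seconds, clock, {}

    def get(self, key: str) -> Optional[dict]:
        hit = self._entries.get(key)
        if hit is None:
            return None
        value, expires_at = hit
        if self.clock() >= expires_at:   # stale entry: evict and report a miss
            del self._entries[key]
            return None
        self._entries[key] = (value, self.clock() + self.ttl)  # renew on access
        return value

    def put(self, key: str, value: dict) -> None:
        self._entries[key] = (value, self.clock() + self.ttl)

class LookupTable:
    # Ties a data adapter (the API request) to a cache, as the Graylog lookup table does.
    def __init__(self, adapter: Callable[[str], Optional[dict]], cache: ExpireAfterAccessCache):
        self.adapter, self.cache, self.api_calls = adapter, cache, 0

    def lookup(self, key: str) -> Optional[dict]:
        cached = self.cache.get(key)
        if cached is not None:
            return cached                # served from cache: no API quota spent
        self.api_calls += 1              # counts requests against the GreyNoise quota
        result = self.adapter(key)
        if result is not None:
            self.cache.put(key, result)
        return result

def enrich(message: Dict[str, object], table: LookupTable, prefix: str = "greynoise_") -> dict:
    # Same logic as the "GreyNoise Lookup on DestIP" rule: act only when DestIP is present,
    # then copy every returned field onto the log under the greynoise_ prefix.
    if "DestIP" not in message:
        return message
    ldata = table.lookup(str(message["DestIP"])) or {}
    return {**message, **{prefix + k: v for k, v in ldata.items()}}
```

Repeated logs for the same DestIP within the TTL cost no API calls, which is exactly the quota saving the cache section describes.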
Results
Head over to your Firewall Stream and observe the enrichment taking place!
You can now start to build dashboards, such as we did in Part 6, and alerts to notify the SOC team when Greynoise detects a malicious IP address contained within your Firewall logs!
Conclusion
Throughout this blog post we configured Graylog to enrich our ingested Firewall logs with Greynoise’s API. This post only touches the surface of automation and data enrichment that is possible with Graylog! So what are you waiting for? Start enriching your data with Threat Intel now! Happy Defending 😄.
Need Help?
The functionality discussed in this post, and so much more, is available via SOCFortress’s Professional Services. Let SOCFortress help you and your team keep your infrastructure secure.
Website: https://www.socfortress.co/
Professional Services: https://www.socfortress.co/ps.html