Updated Intel files and OTX script for UpperCase Hashes

Hashes in Sysmon have strings in Uppercase. - updated OTX script - updated OTX intel files
2017-12-06 03:19:02 -08:00 · 2017-12-06 03:19:02 -08:00 · 46ab102c5f
parent 4a2d1a1cb5
commit 46ab102c5f
8 changed files with 27827 additions and 27782 deletions
--- a/logstash/intel/.DS_Store
+++ b/logstash/intel/.DS_Store
--- a/logstash/intel/otx/otx_imphash_.csv
+++ b/logstash/intel/otx/otx_imphash_.csv
@ -1 +1 @@
-e160ef8e55bb9d162da4e266afd9eef3,CBT-Locker ransomeware
+E160EF8E55BB9D162DA4E266AFD9EEF3,CBT-Locker ransomeware
--- a/logstash/intel/otx/otx_md5_.csv
+++ b/logstash/intel/otx/otx_md5_.csv
--- a/logstash/intel/otx/otx_sha1_.csv
+++ b/logstash/intel/otx/otx_sha1_.csv
--- a/logstash/intel/otx/otx_sha256_.csv
+++ b/logstash/intel/otx/otx_sha256_.csv
--- a/logstash/pipeline/11-sysmon-filter.conf
+++ b/logstash/pipeline/11-sysmon-filter.conf
@ -29,6 +29,21 @@ filter {
        }
        remove_field => ["message"]
      }
+      translate {
+        field => "[hash][MD5]"
+        destination => "[otx][MD5]"
+        dictionary_path => "/opt/otx/otx_md5_.csv"
+      }
+      translate {
+        field => "[hash][SHA1]"
+        destination => "[otx][SHA1]"
+        dictionary_path => "/opt/otx/otx_sha1_.csv"
+      }
+      translate {
+        field => "[hash][SHA256]"
+        destination => "[otx][SHA256]"
+        dictionary_path => "/opt/otx/otx_sha256_.csv"
+      }
    }
    if [event_id] == 3 {
      mutate {
@ -52,6 +67,11 @@ filter {
        }
        remove_field => ["message"]
      }
+      translate {
+        field => "[destination][ip]"
+        destination => "[otx][ip]"
+        dictionary_path => "/opt/otx/otx_ipv4_.csv"
+      }
    }
    if [event_id] == 7 {
      kv {
@ -75,6 +95,21 @@ filter {
        }
        remove_field => ["message"]
      }
+      translate {
+        field => "[hash][MD5]"
+        destination => "[otx][MD5]"
+        dictionary_path => "/opt/otx/otx_md5_.csv"
+      }
+      translate {
+        field => "[hash][SHA1]"
+        destination => "[otx][SHA1]"
+        dictionary_path => "/opt/otx/otx_sha1_.csv"
+      }
+      translate {
+        field => "[hash][SHA256]"
+        destination => "[otx][SHA256]"
+        dictionary_path => "/opt/otx/otx_sha256_.csv"
+      }
    }
    if [event_id] == 8 {
      mutate {
--- a/scripts/helk_install.sh
+++ b/scripts/helk_install.sh
@ -212,7 +212,7 @@ ERROR=$?
 # *********** Copying Intel files to HELK ***************
 echo "[HELK INFO] Copying Intel files to HELK"
 mkdir /opt/otx
-cp -V ../logstash/intel/* /opt/otx/>> $LOGFILE 2>&1
+cp -v ../logstash/intel/* /opt/otx/>> $LOGFILE 2>&1
 ERROR=$?
    if [ $ERROR -ne 0 ]; then
        echoerror "Could not copy intel files to HELK (Error Code: $ERROR)."
--- a/scripts/otx_helk.py
+++ b/scripts/otx_helk.py
@ -43,7 +43,7 @@ def OTXEnrichment():

    def pull_indicators(lst, name):
        object = {
-            'indicator_name' : i['indicator_name'],
+            'indicator_name' : (i['indicator_name']).upper(),
            'pulse_name' : i['pulse_name'],
            'ioc_name': name
        }