This is a Graylog Operations feature and is only available since Graylog v3.3+. A valid Graylog Operations license is required.

ThreatFox is a project from abuse.ch that tracks indicators of compromise (IOCs) associated with malware. The ThreatFox Data Adapter supports lookups by the following key types:

  • URL
  • Domain
  • IP:port
  • MD5 hash
  • SHA256 hash

When you create the data adapter, Graylog downloads the ThreatFox data set and stores it in MongoDB. The Refresh Interval setting determines how often a new data set is fetched.

Sample Lookup Data

A lookup for the file hash 923fa80da84e45636a62f779913559a07420a1c6e21f093d87ddfe04bda683c4 may produce the following output:

{
  "first_seen_utc": "2021-07-07T17:03:57.000+0000",
  "ioc_id": "158365",
  "ioc_value": "923fa80da84e45636a62f779913559a07420a1c6e21f093d87ddfe04bda683c4",
  "ioc_type": "sha256_hash",
  "threat_type": "payload",
  "fk_malware": "win.agent_tesla",
  "malware_alias": [
    "AgenTesla",
    "AgentTesla",
    "Negasteal"
  ],
  "malware_printable": "Agent Tesla",
  "confidence_level": 50,
  "reference": "https://twitter.com/RedBeardIOCs/status/1412819661419433988",
  "tags": [
    "agenttesla"
  ],
  "anonymous": false,
  "reporter": "Virus_Deck"
}

Data Adapter Configuration

  • Title

    • A short title for the data adapter.
  • Description

    • A description of the data adapter.
  • Name

    • A unique name for the data adapter.
  • Custom Error TTL

    • Optional custom TTL for caching erroneous results. The default value is 5 seconds.
  • Include IOCs Older Than 90 Days

    • Optional setting that includes IOCs older than 90 days. By default, the data adapter's data set does not include IOCs older than 90 days. Older IOCs are more likely to produce false positives, so handle them carefully.
  • Refresh Interval

    • Determines how often to fetch new data. The minimum refresh interval is 3600 seconds (1 hour), because that is how often the source data updates.
  • Case Insensitive Lookups

    • Allows the data adapter to perform case-insensitive lookups.
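The following Python script is an added example, not code from Graylog or abuse.ch. It shows the two things a practitioner usually has to get right around this adapter: mapping a raw indicator to one of the five supported key types before issuing a lookup (URL, domain, IP:port, MD5 hash, SHA256 hash), and reading a lookup hit such as the sample above to decide whether it falls outside the default 90-day window. The sample result is a constructed copy of the page's output; the key-type labels other than "sha256_hash" (which appears in the sample's ioc_type field) are assumed, and the script never contacts ThreatFox or Graylog.

```python
import json
import re
from datetime import datetime, timezone

# Constructed copy of the sample lookup result shown on this page (no live query is made).
SAMPLE_LOOKUP_RESULT = json.loads("""
{
  "first_seen_utc": "2021-07-07T17:03:57.000+0000",
  "ioc_id": "158365",
  "ioc_value": "923fa80da84e45636a62f779913559a07420a1c6e21f093d87ddfe04bda683c4",
  "ioc_type": "sha256_hash",
  "threat_type": "payload",
  "fk_malware": "win.agent_tesla",
  "malware_printable": "Agent Tesla",
  "confidence_level": 50,
  "tags": ["agenttesla"]
}
""")

# Patterns for the five key types the adapter supports. "sha256_hash" is the
# ioc_type spelling seen in the sample above; the other labels are assumed here.
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)
IP_PORT_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3}):(\d{1,5})$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9\-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)


def classify_key(value: str):
    """Map a raw indicator to the ThreatFox key type it should be looked up as.

    Returns None for values the adapter has no key type for (for example a bare
    IP address without a port), so callers skip the lookup instead of sending
    a key that can never match.
    """
    v = value.strip()
    if SCHEME_RE.match(v):
        return "url"
    m = IP_PORT_RE.match(v)
    if m:
        octets = [int(x) for x in m.groups()[:4]]
        port = int(m.group(5))
        if all(o <= 255 for o in octets) and 1 <= port <= 65535:
            return "ip:port"
        return None  # syntactically IP:port but not a valid address/port
    if MD5_RE.match(v):
        return "md5_hash"
    if SHA256_RE.match(v):
        return "sha256_hash"
    if DOMAIN_RE.match(v):
        return "domain"
    return None


def parse_first_seen(ts: str) -> datetime:
    """Parse the first_seen_utc format from the sample, e.g. 2021-07-07T17:03:57.000+0000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def assess_lookup_result(result: dict, now, max_age_days: int = 90) -> dict:
    """Summarize a lookup hit for triage.

    `now` may be an aware datetime or an ISO-8601 string. The age check mirrors
    the adapter's default behaviour of excluding IOCs older than 90 days; hits
    outside that window deserve extra scrutiny before anyone acts on them.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    first_seen = parse_first_seen(result["first_seen_utc"])
    age_days = (now - first_seen).days
    return {
        "ioc_type": result["ioc_type"],
        "malware": result.get("malware_printable", result.get("fk_malware")),
        "confidence_level": result.get("confidence_level"),
        "age_days": age_days,
        "older_than_window": age_days > max_age_days,
    }


if __name__ == "__main__":
    # Constructed sample indicators (RFC 5737 documentation range, test hash values).
    for raw in ["198.51.100.7:4444", "198.51.100.7", "http://198.51.100.7/a.exe",
                "malicious.example.com", "d41d8cd98f00b204e9800998ecf8427e"]:
        print(f"{raw!r} -> {classify_key(raw)}")
    print(assess_lookup_result(SAMPLE_LOOKUP_RESULT, datetime.now(timezone.utc)))
```

Run directly, the script prints the key type for each constructed indicator and then the age assessment of the sample hit relative to the current time. A bare IP address maps to no key type because the adapter only supports IP:port, which is worth knowing before wiring the lookup into a pipeline rule.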