provide configuration options for pulling from threat intel feeds #532

Closed
mmguero opened this issue Dec 17, 2024 · 0 comments
Labels: enhancement (New feature or request), install.py (Relating to the install.py configuration script), intel (Related to integration with threat intel feeds), zeek (Relating to Malcolm's use of Zeek)


mmguero commented Dec 17, 2024

Provide configuration options for pulling from threat intel feeds so the user doesn't have to manually edit the environment variables:

New questions in the ./scripts/configure script:

  • Configure pulling from threat intelligence feeds for Zeek intelligence framework?
    • Answer Y to configure pulling from threat intelligence feeds to populate the Zeek intelligence framework. Answer N to leave settings for pulling from threat intelligence feeds unmodified.
    • Pull from threat intelligence feeds on startup?
      • Answer Y for Malcolm to pull from threat intelligence feeds when the zeek-offline container starts up.
    • Cron expression for scheduled pulls from threat intelligence feeds
    • Threat indicator "since" period
      • When querying a TAXII, MISP, or Mandiant threat intelligence feed, only process threat indicators created or modified since the time represented by this value; it may be either a fixed date/time (01/01/2025) or relative interval (7 days ago).
    • Intel::item_expiration timeout for intelligence items (-1min to disable)

After configuring these options, the user is told where to place the feed definitions (which are not prompted as inputs here, at least not yet, as they can be rather complicated).
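As an added example (not Malcolm's own code), one way the "since" value described above could be interpreted, accepting either a fixed date/time such as 01/01/2025 or a relative interval such as "7 days ago", and then applied as a lower bound on the created/modified timestamps of indicators pulled from a feed. The accepted date layouts, the relative-interval grammar and the sample indicators are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Fixed date/time layouts accepted (assumed; the issue only shows 01/01/2025).
FIXED_FORMATS = ("%m/%d/%Y", "%m/%d/%Y %H:%M:%S", "%Y-%m-%d", "%Y-%m-%dT%H:%M:%S")
# Relative intervals such as "7 days ago" (assumed grammar: only "N <unit> ago").
RELATIVE = re.compile(r"^\s*(\d+)\s*(minute|hour|day|week)s?\s+ago\s*$", re.IGNORECASE)
UNIT_SECONDS = {"minute": 60, "hour": 3600, "day": 86400, "week": 604800}


def parse_since(value, now=None):
    """Turn a 'since' string into an aware UTC datetime; raise ValueError if unrecognised."""
    now = now or datetime.now(timezone.utc)
    match = RELATIVE.match(value)
    if match:
        count, unit = int(match.group(1)), match.group(2).lower()
        return now - timedelta(seconds=count * UNIT_SECONDS[unit])
    for fmt in FIXED_FORMATS:
        try:
            return datetime.strptime(value.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised 'since' value: {value!r}")


def filter_indicators(indicators, since):
    """Keep indicators whose 'created' or 'modified' timestamp is at or after `since`.
    Indicators are dicts with ISO-8601 timestamps (the shape STIX objects from a TAXII
    server use); anything older is skipped so it never reaches the Zeek intel framework."""
    kept = []
    for ind in indicators:
        stamps = [datetime.fromisoformat(ind[key].replace("Z", "+00:00"))
                  for key in ("created", "modified") if key in ind]
        if stamps and max(stamps) >= since:
            kept.append(ind)
    return kept


# Constructed sample indicators for this example; not taken from any real feed.
SAMPLE_INDICATORS = [
    {"id": "indicator--a1", "created": "2024-12-20T00:00:00Z", "modified": "2024-12-20T00:00:00Z"},
    {"id": "indicator--b2", "created": "2024-12-01T00:00:00Z", "modified": "2025-01-05T12:00:00Z"},
    {"id": "indicator--c3", "created": "2024-11-15T00:00:00Z", "modified": "2024-11-15T00:00:00Z"},
]


def kept_ids(since_value, now=None):
    """Apply a 'since' setting to the sample feed and return the ids that survive."""
    since = parse_since(since_value, now)
    return [ind["id"] for ind in filter_indicators(SAMPLE_INDICATORS, since)]
```

Passing `now` explicitly makes relative intervals reproducible, which is useful when testing a scheduled pull configuration.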

@mmguero mmguero added enhancement New feature or request install.py Relating to the install.py configuration script intel Related to integration with threat intel feeds zeek Relating to Malcolm's use of Zeek labels Dec 17, 2024
@mmguero mmguero self-assigned this Dec 17, 2024
@mmguero mmguero added this to Malcolm Dec 17, 2024
@mmguero mmguero moved this to Testing in Malcolm Dec 17, 2024
@mmguero mmguero added this to the v24.12.0 milestone Dec 17, 2024
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue Dec 17, 2024
@mmguero mmguero closed this as completed Dec 17, 2024
@github-project-automation github-project-automation bot moved this from Testing to Done in Malcolm Dec 17, 2024
This was referenced Dec 18, 2024
@mmguero mmguero moved this from Done to Released in Malcolm Dec 19, 2024