Extension of the Intel Framework #3256
Closed
chrisanag1985
started this conversation in
Ideas
Replies: 1 comment
Thanks @chrisanag1985 - I'm closing this. There is now a |
Intro
Extend the Intel Framework so that the user can define custom scripts, maybe with a hook/event, in the case of an indicator that does not match the provided IOCs.
Little Research
I am developing a script in which, if an indicator is not found in the Intel list, the user can define some actions, e.g. sending the hash or file to a sandbox. As it is written now by script, I have to re-insert an indicator against the Intel data, something that is not optimal.
After a little research, I found that when an indicator is extracted it is sent to the `Intel::seen` exposed function. The internal `find(s)` function searches in the datastore to find matches. If the match succeeds you have the `Intel::match` event or the `Intel::extend_match` hook where the user can add custom code. But if there is no match you cannot add your code. Hence I propose adding a point where the user can add code when there is no match and/or creating an exposed function `find` which returns, for example, T/F if it finds the indicator in the datastore.