This is documentation for Tenzir v4.23, which is no longer actively maintained.
For up-to-date documentation, see the latest version (v4.24).
Version: v4.23
Enrich with Threat Intel
Tenzir has a powerful contextualization framework for real-time enrichment of a
dataflow with a lookup table, a GeoIP
database, or a custom plugin. The heart of the
framework is a context—a stateful object that can be
managed with the context operator and used with
the enrich operator.
Prior to enriching, you need to populate a context with data. First, let's a
create a context called threatfox that uses a lookup
table, i.e., a key-value mapping where a key is
used to perform the context lookup and the value can be any structured
additional data.
context create threatfox lookup-table
This yields the following pipeline output:
After creating a context, we load data into the context. In our example, we load
data from the ThreatFox API:
from https://threatfox-api.abuse.ch/api/v1/ query=get_iocs days:=1 | yield data[] | where ioc_type == "domain" | context update threatfox --key ioc
Example data for context updating
If we replace the context operator in the above pipeline with head 5, we get
output similar to the following, depending on the current state of the API:
The pipeline context update may yield:
That is, 57 entries have been added successfully to the threatfox context.
Now that we loaded IoCs into the context, we can enrich with it in other
pipelines. Since we previously imported only domains, we would look for fields
in the data of that type.
The following pipeline subscribes to the import feed of all data arriving at the
node via export --live and applies the threatfox context to Suricata DNS
requests in field dns.rrname via enrich.
Here is a sample of an event that the above pipeline yields:
The sub-record threatfox holds the enrichment details. The field key
contains the matching key. The field context is the row from the lookup table
at key bza.fartit.com. The field timestamp is the time when the enrichment
occurred.