Labels: enhancement (New feature or request), intel (Related to integration with threat intel feeds)

Description
Continuation of #502

- see if there's anything else we need to do in https://github.com/idaholab/Malcolm/blob/main/shared/bin/zeek_threat_feed_utils.py to make sure those new fields get populated (see also the zeek docs)
- search for `ZEEK_INTEL_META` and my `TODO` comment about what still needs to be mapped - Mandiant provides some fields that might map well:
    - Mandiant's reports (enable via `include_reports` in `mandiant.yaml`) to `meta.reports`
    - Mandiant's campaigns (enable via `include_campaigns` in `mandiant.yaml`) to `meta.campaigns`
    - Mandiant's category (enable via `include_category` in `mandiant.yaml`) to `meta.category` (these are currently already mapped to `meta.cif_tags` as well as a few other things, so we may have to deconflict this)
    - Mandiant's threat rating (enable via `include_threat_rating` in `mandiant.yaml`) to `meta.threat_score`
- check STIX/TAXII as well
- check MISP as well
- see if there are any mutations or normalizations or time field conversions that need to be done for the new fields (depending on what we do above)
- as much as possible, rename all possible fields to be their ECS names
- add any remaining fields not covered by ECS to the template and config.ini and the allFields array for the value actions for Arkime
- update the intel dashboard if needed
Status: Todo (develop)