Hi Sazer, it's good to have you with us!
Generally speaking, blacklists and lists of IOCs are constructed in Energy Logserver in a way to work with existing information with optimal performance usage.
If you were to constantly compare data to IOCs inside the database, then yes - that could impact performance, but since we have the IOCs in two places (database and flat files), there's no point in doing that and engaging the database in the process.
When Logstash is starting, it loads the IOC dictionaries into its memory, and we are using that mechanism to perform IOC verification. In that way we don't have to engage the database in this process, thus avoiding a huge number of queries.
As for using this in alerting - I'd say the best way is to use the Blacklist-IOC alert type. This is a specially modified blacklist type, which can handle big files/dictionaries to compare values.
Example:
# (Required)
# The field used to build set from documents in response and compare with blacklist-ioc field
compare_key: dst.ip
# (Required)
# !yaml directive supported
blacklist-ioc:
- "!yaml /etc/logstash/lists/misp_ip.yml"
Let me know if you have any further questions.
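To illustrate the in-memory matching described in this reply (an IOC list loaded once at startup, then each event's `dst.ip` checked against it with no database round-trip), here is an added Python example. It is not Energy Logserver's or Logstash's own code: the IOC file contents, the event documents and the field names are constructed for the example, and the YAML parsing is a minimal reader for a plain list of addresses rather than a full YAML parser.

```python
import ipaddress

# Constructed sample IOC dictionary in the flat-file style the reply describes
# (a YAML list of IP addresses; a CIDR range is included to show that case).
# The file name /etc/logstash/lists/misp_ip.yml comes from the reply; the
# contents below are made up for this example.
MISP_IP_YML = """\
- 203.0.113.10
- 198.51.100.0/24
- 192.0.2.77
"""

# Constructed sample events (documents with a nested dst.ip field).
SAMPLE_EVENTS = [
    {"@timestamp": "2024-01-01T00:00:00Z", "src": {"ip": "10.0.0.5"}, "dst": {"ip": "203.0.113.10"}},
    {"@timestamp": "2024-01-01T00:00:01Z", "src": {"ip": "10.0.0.6"}, "dst": {"ip": "8.8.8.8"}},
    {"@timestamp": "2024-01-01T00:00:02Z", "src": {"ip": "10.0.0.7"}, "dst": {"ip": "198.51.100.42"}},
    {"@timestamp": "2024-01-01T00:00:03Z", "src": {"ip": "10.0.0.8"}},  # no dst.ip at all
]


def load_ioc_list(yaml_text):
    """Parse a minimal YAML list of IPs/networks into an in-memory index.

    Exact addresses go into a set for O(1) membership tests; CIDR ranges go
    into a list that is only walked when the feed actually contains networks.
    This is done once, mirroring Logstash loading the dictionary at startup.
    """
    hosts = set()
    networks = []
    for line in yaml_text.splitlines():
        line = line.strip()
        if not line.startswith("- "):
            continue  # skip comments, blank lines and anything that is not a list item
        value = line[2:].strip().strip('"').strip("'")
        if not value or value.startswith("#"):
            continue
        net = ipaddress.ip_network(value, strict=False)
        if net.num_addresses == 1:
            hosts.add(net.network_address)
        else:
            networks.append(net)
    return hosts, networks


def get_field(doc, dotted_key):
    """Resolve a dotted field name such as 'dst.ip' against a nested document."""
    cur = doc
    for part in dotted_key.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def match_events(events, compare_key, ioc_index):
    """Return (value, document) pairs whose compare_key value is on the IOC list.

    Events without the field, or with a value that is not an IP address, are
    skipped rather than raising, so a malformed record cannot stop the pipeline.
    """
    hosts, networks = ioc_index
    hits = []
    for doc in events:
        raw = get_field(doc, compare_key)
        if raw is None:
            continue
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            continue
        if addr in hosts or any(addr in net for net in networks):
            hits.append((raw, doc))
    return hits


if __name__ == "__main__":
    index = load_ioc_list(MISP_IP_YML)  # loaded once, reused for every event
    for value, doc in match_events(SAMPLE_EVENTS, "dst.ip", index):
        print(f"IOC hit: dst.ip={value} at {doc['@timestamp']}")
```

The `compare_key` argument plays the role of the `compare_key: dst.ip` setting in the rule fragment above, and the parsed index stands in for the dictionary referenced by `!yaml /etc/logstash/lists/misp_ip.yml`. Because the index is built once and lives in memory, matching cost is a set lookup per event regardless of how many events are processed.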