mirror of
https://github.com/certat/intelmq-docker.git
synced 2025-12-06 09:12:49 +01:00
1330 lines
54 KiB
Plaintext
1330 lines
54 KiB
Plaintext
{
|
|
"Collector": {
|
|
"AMQP": {
|
|
"description": "Collect data from an AMQP Server and fetch either intelmq or any other messages. Requires the pika python library.",
|
|
"module": "intelmq.bots.collectors.amqp.collector_amqp",
|
|
"parameters": {
|
|
"connection_attempts": 3,
|
|
"connection_heartbeat": 3600,
|
|
"connection_host": "127.0.0.1",
|
|
"connection_port": 5672,
|
|
"connection_vhost": "<your virtual host>",
|
|
"expect_intelmq_message": false,
|
|
"name": "My Queue",
|
|
"password": "<your amqp password>",
|
|
"provider": "AMQP Collector",
|
|
"queue_name": "<your routing key>",
|
|
"use_ssl": false,
|
|
"username": "<your amqp username>"
|
|
}
|
|
},
|
|
"API": {
|
|
"description": "Collect data by exposing a HTTP API interface.",
|
|
"module": "intelmq.bots.collectors.api.collector_api",
|
|
"parameters": {
|
|
"name": "API",
|
|
"port": 5000,
|
|
"provider": "APICollector"
|
|
}
|
|
},
|
|
"File": {
|
|
"description": "Fetch data from the file system.",
|
|
"module": "intelmq.bots.collectors.file.collector_file",
|
|
"parameters": {
|
|
"chunk_replicate_header": true,
|
|
"chunk_size": null,
|
|
"delete_file": false,
|
|
"name": "__FEED__",
|
|
"path": "/tmp/",
|
|
"postfix": ".csv",
|
|
"provider": "__PROVIDER__",
|
|
"rate_limit": 300
|
|
}
|
|
},
|
|
"Kafka": {
|
|
"description": "Fetch data from the Apache Kafka distributed stream processing system.",
|
|
"module": "intelmq.bots.collectors.kafka.collector",
|
|
"parameters": {
|
|
"bootstrap_servers": "localhost:9092",
|
|
"topic": "<topic>"
|
|
}
|
|
},
|
|
"Mail Attachment Fetcher": {
|
|
"description": "Monitor IMAP mailboxes and retrieve mail attachments.",
|
|
"module": "intelmq.bots.collectors.mail.collector_mail_attach",
|
|
"parameters": {
|
|
"attach_regex": "csv.zip",
|
|
"extract_files": true,
|
|
"folder": "INBOX",
|
|
"mail_host": "<host>",
|
|
"mail_password": "<password>",
|
|
"mail_ssl": true,
|
|
"mail_user": "<user>",
|
|
"name": "__FEED__",
|
|
"provider": "__PROVIDER__",
|
|
"rate_limit": 60,
|
|
"subject_regex": "<subject>"
|
|
}
|
|
},
|
|
"Mail URL Fetcher": {
|
|
"description": "Monitor IMAP mailboxes and fetch files from URLs contained in mail bodies.",
|
|
"module": "intelmq.bots.collectors.mail.collector_mail_url",
|
|
"parameters": {
|
|
"chunk_replicate_header": true,
|
|
"chunk_size": null,
|
|
"folder": "INBOX",
|
|
"http_password": null,
|
|
"http_username": null,
|
|
"mail_host": "<host>",
|
|
"mail_password": "<password>",
|
|
"mail_ssl": true,
|
|
"mail_user": "<user>",
|
|
"name": "__FEED__",
|
|
"provider": "__PROVIDER__",
|
|
"rate_limit": 60,
|
|
"ssl_client_certificate": null,
|
|
"subject_regex": "<subject>",
|
|
"url_regex": "http://"
|
|
}
|
|
},
|
|
"Mail Body Fetcher": {
|
|
"description": "Monitor IMAP mailboxes and fetch mail bodies.",
|
|
"module": "intelmq.bots.collectors.mail.collector_mail_body",
|
|
"parameters": {
|
|
"content_types": true,
|
|
"folder": "INBOX",
|
|
"mail_host": "<host>",
|
|
"mail_password": "<password>",
|
|
"mail_ssl": true,
|
|
"mail_user": "<user>",
|
|
"name": "__FEED__",
|
|
"provider": "__PROVIDER__",
|
|
"rate_limit": 60,
|
|
"subject_regex": "<subject>"
|
|
}
|
|
},
|
|
"URL Fetcher": {
|
|
"description": "Fetch reports from an URL.",
|
|
"module": "intelmq.bots.collectors.http.collector_http",
|
|
"parameters": {
|
|
"extract_files": false,
|
|
"gpg_keyring": null,
|
|
"http_password": null,
|
|
"http_url": "<insert url of feed>",
|
|
"http_url_formatting": false,
|
|
"http_username": null,
|
|
"name": "__FEED__",
|
|
"provider": "__PROVIDER__",
|
|
"rate_limit": 3600,
|
|
"signature_url": null,
|
|
"signature_url_formatting": false,
|
|
"ssl_client_certificate": null,
|
|
"verify_pgp_signatures": false
|
|
}
|
|
},
|
|
"URL Stream Fetcher": {
|
|
"description": "Open a streaming connection to the URL and process data per line.",
|
|
"module": "intelmq.bots.collectors.http.collector_http_stream",
|
|
"parameters": {
|
|
"http_password": null,
|
|
"http_url": "<insert url of feed>",
|
|
"http_username": null,
|
|
"name": "__FEED__",
|
|
"provider": "__PROVIDER__",
|
|
"rate_limit": 3600,
|
|
"ssl_client_certificate": null,
|
|
"strip_lines": true
|
|
}
|
|
},
|
|
"MISP Generic": {
|
|
"description": "Collect events from a MISP server.",
|
|
"module": "intelmq.bots.collectors.misp.collector",
|
|
"parameters": {
|
|
"misp_key": "<insert MISP Authkey>",
|
|
"misp_tag_processed": "<insert MISP tag for processed events, optional>",
|
|
"misp_tag_to_process": "<insert MISP tag for events to be processed>",
|
|
"misp_url": "<insert url of MISP server (with trailing '/')>",
|
|
"name": "__FEED__",
|
|
"provider": "__PROVIDER__",
|
|
"rate_limit": 3600
|
|
}
|
|
},
|
|
"Request Tracker": {
|
|
"description": "Fetches attachments and URLs from an Request Tracker ticketing server.",
|
|
"module": "intelmq.bots.collectors.rt.collector_rt",
|
|
"parameters": {
|
|
"attachment_regex": "\\.csv\\.zip$",
|
|
"extract_attachment": true,
|
|
"extract_download": true,
|
|
"http_password": null,
|
|
"http_username": null,
|
|
"name": "__FEED__",
|
|
"password": "password",
|
|
"provider": "__PROVIDER__",
|
|
"rate_limit": 3600,
|
|
"search_not_older_than": null,
|
|
"search_owner": "nobody",
|
|
"search_queue": "Incident Reports",
|
|
"search_requestor": null,
|
|
"search_status": "new",
|
|
"search_subject_like": "Report",
|
|
"set_status": "open",
|
|
"ssl_client_certificate": null,
|
|
"take_ticket": true,
|
|
"uri": "http://localhost/rt/REST/1.0",
|
|
"url_regex": "https://dl.shadowserver.org/[a-zA-Z0-9?_-]*",
|
|
"user": "intelmq"
|
|
}
|
|
},
|
|
"Rsync": {
|
|
"description": "Collect data with rsync from any resource rsync supports.",
|
|
"module": "intelmq.bots.collectors.rsync.collector_rsync",
|
|
"parameters": {
|
|
"file": "<file>",
|
|
"name": "RsyncCollector",
|
|
"rate_limit": 1000,
|
|
"rsync_path": "<path>"
|
|
}
|
|
},
|
|
"TCP": {
|
|
"description": "Receive events by opening a TCP port (ex: from TCP Output of another IntelMQ instance).",
|
|
"module": "intelmq.bots.collectors.tcp.collector",
|
|
"parameters": {
|
|
"ip": "<ip>",
|
|
"name": "__FEED__",
|
|
"port": "<port>",
|
|
"provider": "__PROVIDER__"
|
|
}
|
|
},
|
|
"XMPP": {
|
|
"description": "Connect to an XMPP Server and a room, in order to receive reports from it. TLS is used by default. Bot can either pass on the body or the whole event.",
|
|
"module": "intelmq.bots.collectors.xmpp.collector",
|
|
"parameters": {
|
|
"ca_certs": "/etc/ssl/certs/ca-certificates.crt",
|
|
"name": "__FEED__",
|
|
"pass_full_xml": false,
|
|
"provider": "__PROVIDER__",
|
|
"strip_message": true,
|
|
"use_muc": false,
|
|
"xmpp_password": "<xmpp password>",
|
|
"xmpp_room": null,
|
|
"xmpp_room_nick": null,
|
|
"xmpp_room_password": null,
|
|
"xmpp_server": "<xmpp server>",
|
|
"xmpp_user": "<xmpp username>",
|
|
"xmpp_userlist": null,
|
|
"xmpp_whitelist_mode": false
|
|
}
|
|
},
|
|
"AlienVault OTX": {
|
|
"description": "Collect reports from the AlienVault OTX Collector API. Report varies according to subscriptions.",
|
|
"module": "intelmq.bots.collectors.alienvault_otx.collector",
|
|
"parameters": {
|
|
"api_key": "<insert your api key>",
|
|
"interval": 24,
|
|
"modified_pulses_only": false,
|
|
"name": "OTX",
|
|
"provider": "AlienVault",
|
|
"rate_limit": 3600
|
|
}
|
|
},
|
|
"Blueliv Crimeserver": {
|
|
"description": "Collect reports from the Blueliv Crimeserver API.",
|
|
"module": "intelmq.bots.collectors.blueliv.collector_crimeserver",
|
|
"parameters": {
|
|
"api_key": "<insert your api key>",
|
|
"api_url": "https://freeapi.blueliv.com",
|
|
"name": "Crimeserver",
|
|
"provider": "Blueliv",
|
|
"rate_limit": 3600
|
|
}
|
|
},
|
|
"CertStream": {
|
|
"description": "Collect information from CertStream certificate transparency logs.",
|
|
"module": "intelmq.bots.collectors.calidog.collector_certstream",
|
|
"parameters": {
|
|
"name": "CertStream",
|
|
"provider": "Calidog"
|
|
}
|
|
},
|
|
"ESET ETI TAXII": {
|
|
"description": "Collect data from ESET's TAXII API",
|
|
"module": "intelmq.bots.collectors.eset.collector",
|
|
"parameters": {
|
|
"collection": "<collection>",
|
|
"endpoint": "eti.eset.com",
|
|
"password": "<password>",
|
|
"rate_limit": 3600,
|
|
"time_delta": 3600,
|
|
"username": "<username>"
|
|
}
|
|
},
|
|
"Github API": {
|
|
"description": "Collect files from a GitHub repository via the API. Optionally with GitHub credentials.",
|
|
"module": "intelmq.bots.collectors.github_api.collector_github_contents_api",
|
|
"parameters": {
|
|
"basic_auth_password": "__PASSWORD__",
|
|
"basic_auth_username": "__USERNAME__",
|
|
"name": "__FEED__",
|
|
"provider": "__PROVIDER__",
|
|
"regex": ".*.json",
|
|
"repository": "StrangerealIntel/DailyIOC"
|
|
}
|
|
},
|
|
"McAfee openDXL": {
|
|
"description": "Listen to McAfee openDXL fabric.",
|
|
"module": "intelmq.bots.collectors.opendxl.collector",
|
|
"parameters": {
|
|
"dxl_config_file": "<insert /path/to/dxlclient.config>",
|
|
"dxl_topic": "/mcafee/event/atd/file/report",
|
|
"name": "<Feed Name>"
|
|
}
|
|
},
|
|
"Microsoft Azure": {
|
|
"description": "Fetch data blobs from a Microsoft Azure container.",
|
|
"module": "intelmq.bots.collectors.microsoft.collector_azure",
|
|
"parameters": {
|
|
"connection_string": "<insert your connection string here>",
|
|
"container_name": "<insert the container name>",
|
|
"name": "Azure",
|
|
"provider": "Microsoft",
|
|
"rate_limit": 3600,
|
|
"redis_cache_db": "5",
|
|
"redis_cache_host": "127.0.0.1",
|
|
"redis_cache_password": null,
|
|
"redis_cache_port": 6379,
|
|
"redis_cache_ttl": 864000
|
|
}
|
|
},
|
|
"Microsoft Interflow": {
|
|
"description": "Fetch data from the Microsoft Interflow API.",
|
|
"module": "intelmq.bots.collectors.microsoft.collector_interflow",
|
|
"parameters": {
|
|
"api_key": "",
|
|
"file_match": null,
|
|
"http_timeout_sec": 300,
|
|
"name": "Interflow",
|
|
"not_older_than": "2 days",
|
|
"provider": "Microsoft",
|
|
"rate_limit": 3600,
|
|
"redis_cache_db": "5",
|
|
"redis_cache_host": "127.0.0.1",
|
|
"redis_cache_password": null,
|
|
"redis_cache_port": 6379,
|
|
"redis_cache_ttl": 604800
|
|
}
|
|
},
|
|
"Shadowserver Reports API": {
|
|
"description": "Connects to the Shadowserver API, requests a list of all the reports for a specific country and processes the ones that are new.",
|
|
"module": "intelmq.bots.collectors.shadowserver.collector_reports_api",
|
|
"parameters": {
|
|
"country": "<CC>",
|
|
"api_key": "<API key>",
|
|
"secret": "<API secret>",
|
|
"types": "<single report or list of reports>",
|
|
"rate_limit": 86400,
|
|
"redis_cache_db": 12,
|
|
"redis_cache_host": "127.0.0.1",
|
|
"redis_cache_port": 6379,
|
|
"redis_cache_ttl": 864000
|
|
}
|
|
},
|
|
"Shodan Stream": {
|
|
"description": "Collect the Shodan stream from the Shodan API.",
|
|
"module": "intelmq.bots.collectors.shodan.collector_stream",
|
|
"parameters": {
|
|
"api_key": "<INSERT your API key>",
|
|
"countries": [],
|
|
"name": "__FEED__",
|
|
"provider": "Shodan"
|
|
}
|
|
},
|
|
"STOMP": {
|
|
"description": "Collect data from a STOMP Interface.",
|
|
"module": "intelmq.bots.collectors.stomp.collector",
|
|
"parameters": {
|
|
"exchange": "<INSERT your exchange point>",
|
|
"name": "Stomp",
|
|
"port": 61614,
|
|
"provider": "N6",
|
|
"server": "n6stream.cert.pl",
|
|
"ssl_ca_certificate": "<insert path to CA file for CERT.pl's n6>",
|
|
"ssl_client_certificate": "<insert path to client cert file for CERT.pl's n6>",
|
|
"ssl_client_certificate_key": "<insert path to client cert key file for CERT.pl's n6>"
|
|
}
|
|
},
|
|
"Twitter": {
|
|
"description": "Collect tweets from given target timelines.",
|
|
"module": "intelmq.bots.collectors.twitter.collector_twitter",
|
|
"parameters": {
|
|
"access_token_key": "",
|
|
"access_token_secret": "",
|
|
"consumer_key": "",
|
|
"consumer_secret": "",
|
|
"default_scheme": "http",
|
|
"exclude_replies": "false",
|
|
"follow_urls": "",
|
|
"include_rts": "true",
|
|
"name": "__FEED__",
|
|
"provider": "Twitter",
|
|
"target_timelines": "",
|
|
"timelimit": "",
|
|
"tweet_count": ""
|
|
}
|
|
}
|
|
},
|
|
"Parser": {
|
|
"Abuse.ch Domain": {
|
|
"description": "Parse Abuse.ch domain feeds.",
|
|
"module": "intelmq.bots.parsers.abusech.parser_domain",
|
|
"parameters": {}
|
|
},
|
|
"Abuse.ch IP": {
|
|
"description": "Parse Abuse.ch IP address feeds.",
|
|
"module": "intelmq.bots.parsers.abusech.parser_ip",
|
|
"parameters": {}
|
|
},
|
|
"AlienVault": {
|
|
"description": "Parse data from the AlienVault API.",
|
|
"module": "intelmq.bots.parsers.alienvault.parser",
|
|
"parameters": {}
|
|
},
|
|
"AlienVault OTX": {
|
|
"description": "Parse data from the AlienVault OTX API.",
|
|
"module": "intelmq.bots.parsers.alienvault.parser_otx",
|
|
"parameters": {}
|
|
},
|
|
"AnubisNetworks Cyberfeed Stream": {
|
|
"description": "Parse single JSON-events from AnubisNetworks Cyberfeed stream.",
|
|
"module": "intelmq.bots.parsers.anubisnetworks.parser",
|
|
"parameters": {
|
|
"use_malware_familiy_as_classification_identifier": true
|
|
}
|
|
},
|
|
"Autoshun": {
|
|
"description": "Parse the Autoshun feed.",
|
|
"module": "intelmq.bots.parsers.autoshun.parser",
|
|
"parameters": {}
|
|
},
|
|
"Bambenek": {
|
|
"description": "Parse the Bambenek feeds.",
|
|
"module": "intelmq.bots.parsers.bambenek.parser",
|
|
"parameters": {}
|
|
},
|
|
"Blocklist.de": {
|
|
"description": "Parse the Blocklist.DE feeds.",
|
|
"module": "intelmq.bots.parsers.blocklistde.parser",
|
|
"parameters": {}
|
|
},
|
|
"Blueliv Crimeserver": {
|
|
"description": "Parse data from the Blueliv Crimeserver API.",
|
|
"module": "intelmq.bots.parsers.blueliv.parser_crimeserver",
|
|
"parameters": {}
|
|
},
|
|
"CERT-EU CSV": {
|
|
"description": "Parse CSV data of the CERT-EU feed.",
|
|
"module": "intelmq.bots.parsers.cert_eu.parser_csv",
|
|
"parameters": {}
|
|
},
|
|
"CI Army": {
|
|
"description": "Parse the CI Army feed.",
|
|
"module": "intelmq.bots.parsers.ci_army.parser",
|
|
"parameters": {}
|
|
},
|
|
"CZ.NIC HaaS": {
|
|
"description": "CZ.NIC HaaS Parser is the bot responsible to parse the report and sanitize the information.",
|
|
"module": "intelmq.bots.parsers.cznic.parser_haas",
|
|
"parameters": {}
|
|
},
|
|
"CZ.NIC Proki": {
|
|
"description": "Parse the feed from malicious IP addresses on Czech networks.",
|
|
"module": "intelmq.bots.parsers.cznic.parser_proki",
|
|
"parameters": {}
|
|
},
|
|
"CertStream": {
|
|
"description": "Parse the CertStream feed.",
|
|
"module": "intelmq.bots.parsers.calidog.parser_certstream",
|
|
"parameters": {}
|
|
},
|
|
"CleanMX": {
|
|
"description": "Parse the CleanMX feeds.",
|
|
"module": "intelmq.bots.parsers.cleanmx.parser",
|
|
"parameters": {}
|
|
},
|
|
"Cymru CAP Program": {
|
|
"description": "Parse the Cymru CAP Program feed.",
|
|
"module": "intelmq.bots.parsers.cymru.parser_cap_program",
|
|
"parameters": {}
|
|
},
|
|
"Cymru Full Bogons": {
|
|
"description": "Parse the Cymru Full Bogons feed.",
|
|
"module": "intelmq.bots.parsers.cymru.parser_full_bogons",
|
|
"parameters": {}
|
|
},
|
|
"DShield AS": {
|
|
"description": "Parse the DShield AS.",
|
|
"module": "intelmq.bots.parsers.dshield.parser_asn",
|
|
"parameters": {}
|
|
},
|
|
"DShield Block": {
|
|
"description": "Parse the DShield Block feed.",
|
|
"module": "intelmq.bots.parsers.dshield.parser_block",
|
|
"parameters": {}
|
|
},
|
|
"DShield Suspicious Domains": {
|
|
"description": "Parse the DShield Suspicious Domains feed.",
|
|
"module": "intelmq.bots.parsers.dshield.parser_domain",
|
|
"parameters": {}
|
|
},
|
|
"Danger Rulez": {
|
|
"description": "Parse the Danger Rulez feed.",
|
|
"module": "intelmq.bots.parsers.danger_rulez.parser",
|
|
"parameters": {}
|
|
},
|
|
"Dataplane": {
|
|
"description": "Parse the Dataplane feeds.",
|
|
"module": "intelmq.bots.parsers.dataplane.parser",
|
|
"parameters": {}
|
|
},
|
|
"DynDNS ponmocup Domains": {
|
|
"description": "Parse the DynDNS ponmocup feed.",
|
|
"module": "intelmq.bots.parsers.dyn.parser",
|
|
"parameters": {}
|
|
},
|
|
"ESET": {
|
|
"description": "Parse data collected from ESET's TAXII API",
|
|
"module": "intelmq.bots.parsers.eset.parser",
|
|
"parameters": {}
|
|
},
|
|
"Fraunhofer DGA": {
|
|
"description": "Parse the Fraunhofer DGA feed.",
|
|
"module": "intelmq.bots.parsers.fraunhofer.parser_dga",
|
|
"parameters": {}
|
|
},
|
|
"Generic CSV": {
|
|
"description": "Parse generic CSV data. Ignoring lines starting with character #. URLs without protocol can be prefixed with a default value.",
|
|
"module": "intelmq.bots.parsers.generic.parser_csv",
|
|
"parameters": {
|
|
"column_regex_search": {},
|
|
"columns": [
|
|
"",
|
|
"source.fqdn"
|
|
],
|
|
"compose_fields": null,
|
|
"default_url_protocol": "http://",
|
|
"delimiter": ",",
|
|
"filter_text": null,
|
|
"filter_type": null,
|
|
"skip_header": true,
|
|
"time_format": null,
|
|
"type": "c2server",
|
|
"type_translation": null
|
|
}
|
|
},
|
|
"Github": {
|
|
"description": "Parse known GitHub feeds.",
|
|
"module": "intelmq.bots.parsers.github_feed.parser",
|
|
"parameters": {}
|
|
},
|
|
"HTML Table": {
|
|
"description": "Parse HTML table data.",
|
|
"module": "intelmq.bots.parsers.html_table.parser",
|
|
"parameters": {
|
|
"attribute_name": "",
|
|
"attribute_value": "",
|
|
"columns": [
|
|
"",
|
|
"source.fqdn"
|
|
],
|
|
"default_url_protocol": "http://",
|
|
"ignore_values": [
|
|
"",
|
|
""
|
|
],
|
|
"skip_table_head": true,
|
|
"split_column": "",
|
|
"split_index": 0,
|
|
"split_separator": "",
|
|
"table_index": 0,
|
|
"time_format": null,
|
|
"type": "c2server"
|
|
}
|
|
},
|
|
"Have I been Pwned Enterprise Callback": {
|
|
"description": "Parse reports of the 'Have I Been Pwned' Callback for Enterprise Subscribers.",
|
|
"module": "intelmq.bots.parsers.hibp.parser_callback",
|
|
"parameters": {}
|
|
},
|
|
"JSON": {
|
|
"description": "Parse IntelMQ-JSON data.",
|
|
"module": "intelmq.bots.parsers.json.parser",
|
|
"parameters": {
|
|
"splitlines": false
|
|
}
|
|
},
|
|
"Key-Value": {
|
|
"description": "Parse key=value strings.",
|
|
"module": "intelmq.bots.parsers.key_value.parser",
|
|
"parameters": {
|
|
"keys": {},
|
|
"kv_separator": "=",
|
|
"pair_separator": " ",
|
|
"strip_quotes": true,
|
|
"timestamp_key": null
|
|
}
|
|
},
|
|
"MISP": {
|
|
"description": "Parse MISP events.",
|
|
"module": "intelmq.bots.parsers.misp.parser",
|
|
"parameters": {}
|
|
},
|
|
"Malc0de": {
|
|
"description": "Parse the Malc0de IP feed in either IP Blacklist, Windows Format or Bind format.",
|
|
"module": "intelmq.bots.parsers.malc0de.parser",
|
|
"parameters": {}
|
|
},
|
|
"Malware Domains": {
|
|
"description": "Parse the Malware Domains feed.",
|
|
"module": "intelmq.bots.parsers.malwaredomains.parser",
|
|
"parameters": {}
|
|
},
|
|
"MalwarePatrol Dans Guardian": {
|
|
"description": "Parse the MalwarePatrol Dans Guardian feed.",
|
|
"module": "intelmq.bots.parsers.malwarepatrol.parser_dansguardian",
|
|
"parameters": {}
|
|
},
|
|
"Malwareurl": {
|
|
"description": "Parse the MalwareURL feed.",
|
|
"module": "intelmq.bots.parsers.malwareurl.parser",
|
|
"parameters": {}
|
|
},
|
|
"McAfee Advanced Threat Defense": {
|
|
"description": "Parse IoCs from McAfee Advanced Threat Defense reports (hash, IP, URL).",
|
|
"module": "intelmq.bots.parsers.mcafee.parser_atd",
|
|
"parameters": {
|
|
"verdict_severity": "4"
|
|
}
|
|
},
|
|
"Microsoft BingMURLs": {
|
|
"description": "Parse JSON data from Microsoft's Bing Malicious URLs list.",
|
|
"module": "intelmq.bots.parsers.microsoft.parser_bingmurls",
|
|
"parameters": {}
|
|
},
|
|
"Microsoft CTIP": {
|
|
"description": "Parse JSON data from Microsoft's CTIP program.",
|
|
"module": "intelmq.bots.parsers.microsoft.parser_ctip",
|
|
"parameters": {}
|
|
},
|
|
"N6Stomp": {
|
|
"description": "Parse CERT.pl's n6 feed.",
|
|
"module": "intelmq.bots.parsers.n6.parser_n6stomp",
|
|
"parameters": {}
|
|
},
|
|
"Netlab 360": {
|
|
"description": "Parse the Netlab 360 DGA, Hajime, Magnitude and Mirai feeds.",
|
|
"module": "intelmq.bots.parsers.netlab_360.parser",
|
|
"parameters": {}
|
|
},
|
|
"OpenPhish": {
|
|
"description": "Parse the OpenPhish feed.",
|
|
"module": "intelmq.bots.parsers.openphish.parser",
|
|
"parameters": {}
|
|
},
|
|
"OpenPhish Commercial": {
|
|
"description": "Parse the OpenPhish feed.",
|
|
"module": "intelmq.bots.parsers.openphish.parser_commercial",
|
|
"parameters": {}
|
|
},
|
|
"PhishTank": {
|
|
"description": "Parse the PhishTank feed.",
|
|
"module": "intelmq.bots.parsers.phishtank.parser",
|
|
"parameters": {}
|
|
},
|
|
"Shadowserver CSV": {
|
|
"description": "Parse Shadowserver feeds in CSV format.",
|
|
"module": "intelmq.bots.parsers.shadowserver.parser",
|
|
"parameters": {
|
|
"feedname": "",
|
|
"overwrite": true
|
|
}
|
|
},
|
|
"Shadowserver JSON": {
|
|
"description": "Parse all Shadowserver feeds in JSON format (data coming from the reports API).",
|
|
"module": "intelmq.bots.parsers.shadowserver.parser_json",
|
|
"parameters": {
|
|
"feedname": "",
|
|
"overwrite": true
|
|
}
|
|
},
|
|
"Shodan": {
|
|
"description": "Parse Shodan data collected via the Shodan API.",
|
|
"module": "intelmq.bots.parsers.shodan.parser",
|
|
"parameters": {
|
|
"ignore_errors": true,
|
|
"minimal_mode": false
|
|
}
|
|
},
|
|
"Spamhaus CERT": {
|
|
"description": "Parse the Spamhaus CERT feed.",
|
|
"module": "intelmq.bots.parsers.spamhaus.parser_cert",
|
|
"parameters": {}
|
|
},
|
|
"Spamhaus Drop": {
|
|
"description": "Parse the Spamhaus DROP, EDROP, DROPv6, and ASN-DROP feeds.",
|
|
"module": "intelmq.bots.parsers.spamhaus.parser_drop",
|
|
"parameters": {}
|
|
},
|
|
"Sucuri Malware": {
|
|
"description": "Parse the Sucuri Malware Hidden Iframes and Conditional redirections feeds.",
|
|
"module": "intelmq.bots.parsers.sucuri.parser",
|
|
"parameters": {}
|
|
},
|
|
"Surbl": {
|
|
"description": "Parse the Surbl feed.",
|
|
"module": "intelmq.bots.parsers.surbl.parser",
|
|
"parameters": {}
|
|
},
|
|
"Taichung": {
|
|
"description": "Parse the Taichung feed.",
|
|
"module": "intelmq.bots.parsers.taichung.parser",
|
|
"parameters": {}
|
|
},
|
|
"Threatminer": {
|
|
"description": "Parse the Threatminer feed.",
|
|
"module": "intelmq.bots.parsers.threatminer.parser",
|
|
"parameters": {}
|
|
},
|
|
"Turris Greylist": {
|
|
"description": "Parse the Turris Greylist feed.",
|
|
"module": "intelmq.bots.parsers.turris.parser",
|
|
"parameters": {}
|
|
},
|
|
"Twitter": {
|
|
"description": "Parse tweets and extract IoC data. Currently only URLs are supported, a whitelist of safe domains can be provided.",
|
|
"module": "intelmq.bots.parsers.twitter.parser",
|
|
"parameters": {
|
|
"classification_type": "blacklist",
|
|
"domain_whitelist": "t.co",
|
|
"substitutions": ".net;[.]net"
|
|
}
|
|
},
|
|
"VXVault": {
|
|
"description": "Parse the VXVault feed.",
|
|
"module": "intelmq.bots.parsers.vxvault.parser",
|
|
"parameters": {}
|
|
},
|
|
"Web Inspektor": {
|
|
"description": "Parse the Web Inspektor.",
|
|
"module": "intelmq.bots.parsers.webinspektor.parser",
|
|
"parameters": {}
|
|
},
|
|
"ZoneH": {
|
|
"description": "Parse the ZoneH CSV feed.",
|
|
"module": "intelmq.bots.parsers.zoneh.parser",
|
|
"parameters": {}
|
|
}
|
|
},
|
|
"Expert": {
|
|
"ASN Lookup": {
|
|
"description": "Add ASN and netmask information from a local BGP dump.",
|
|
"module": "intelmq.bots.experts.asn_lookup.expert",
|
|
"parameters": {
|
|
"database": "/opt/intelmq/var/lib/bots/asn_lookup/ipasn.dat"
|
|
}
|
|
},
|
|
"Abusix": {
|
|
"description": "Add abuse contact information from the Abusix online service for source and destination IP address.",
|
|
"module": "intelmq.bots.experts.abusix.expert",
|
|
"parameters": {
|
|
"redis_cache_db": "5",
|
|
"redis_cache_host": "127.0.0.1",
|
|
"redis_cache_password": null,
|
|
"redis_cache_port": "6379",
|
|
"redis_cache_ttl": "86400"
|
|
}
|
|
},
|
|
"CSV Converter": {
|
|
"description": "Convert data to CSV.",
|
|
"module": "intelmq.bots.experts.csv_converter.expert",
|
|
"parameters": {
|
|
"delimiter": ",",
|
|
"fieldnames": "time.source,classification.type,source.ip"
|
|
}
|
|
},
|
|
"Cymru Whois": {
|
|
"description": "Add ASN, netmask, AS name, country, registry and allocation time from the Cymru Whois DNS service.",
|
|
"module": "intelmq.bots.experts.cymru_whois.expert",
|
|
"parameters": {
|
|
"overwrite": false,
|
|
"redis_cache_db": "5",
|
|
"redis_cache_host": "127.0.0.1",
|
|
"redis_cache_password": null,
|
|
"redis_cache_port": "6379",
|
|
"redis_cache_ttl": "86400"
|
|
}
|
|
},
|
|
"DO-Portal": {
|
|
"description": "Retrieve abuse contact information for the source IP address from a do-portal instance.",
|
|
"module": "intelmq.bots.experts.do_portal.expert",
|
|
"parameters": {
|
|
"mode": "append",
|
|
"portal_api_key": "<INSERT KEY>",
|
|
"portal_url": "<INSERT URL HERE>"
|
|
}
|
|
},
|
|
"Deduplicator": {
|
|
"description": "Detection and drop exact duplicate messages. Message hashes are cached in the Redis database.",
|
|
"module": "intelmq.bots.experts.deduplicator.expert",
|
|
"parameters": {
|
|
"filter_keys": "raw,time.observation",
|
|
"filter_type": "blacklist",
|
|
"redis_cache_db": "6",
|
|
"redis_cache_host": "127.0.0.1",
|
|
"redis_cache_password": null,
|
|
"redis_cache_port": "6379",
|
|
"redis_cache_ttl": "86400"
|
|
}
|
|
},
|
|
"Domain Suffix": {
|
|
"description": "Extract the domain suffix from a domain and save it in the the domain_suffix field. Requires a local file with valid domain suffixes.",
|
|
"module": "intelmq.bots.experts.domain_suffix.expert",
|
|
"parameters": {
|
|
"field": "fqdn",
|
|
"suffix_file": "<path of suffix file>"
|
|
}
|
|
},
|
|
"Field Reducer": {
|
|
"description": "Remove fields from events.",
|
|
"module": "intelmq.bots.experts.field_reducer.expert",
|
|
"parameters": {
|
|
"keys": "<list of field names>",
|
|
"type": "<whitelist/blacklist>"
|
|
}
|
|
},
|
|
"Filter": {
|
|
"description": "Filter events, supports named paths for splitting the message flow.",
|
|
"module": "intelmq.bots.experts.filter.expert",
|
|
"parameters": {
|
|
"filter_action": "<keep/drop>",
|
|
"filter_key": "<source.geolocation.cc>",
|
|
"filter_regex": "",
|
|
"filter_value": "<PT>"
|
|
}
|
|
},
|
|
"Format Field": {
|
|
"description": "Perform string method operations on column values.",
|
|
"module": "intelmq.bots.experts.format_field.expert",
|
|
"parameters": {
|
|
"new_value": "",
|
|
"old_value": "",
|
|
"replace_column": "",
|
|
"replace_count": 1,
|
|
"split_column": "",
|
|
"split_separator": ",",
|
|
"strip_chars": " ",
|
|
"strip_columns": "malware.name"
|
|
}
|
|
},
|
|
"Generic DB Lookup": {
|
|
"description": "Fetche data from a database.",
|
|
"module": "intelmq.bots.experts.generic_db_lookup.expert",
|
|
"parameters": {
|
|
"database": "intelmq",
|
|
"engine": "<postgresql OR sqlite>",
|
|
"host": "localhost",
|
|
"match_fields": {
|
|
"source.asn": "asn"
|
|
},
|
|
"overwrite": false,
|
|
"password": "<password>",
|
|
"port": "5432",
|
|
"replace_fields": {
|
|
"contact": "source.abuse_contact",
|
|
"note": "comment"
|
|
},
|
|
"sslmode": "require",
|
|
"table": "contacts",
|
|
"user": "intelmq"
|
|
}
|
|
},
|
|
"Geohash": {
|
|
"description": "Compute the geohash from longitude/latitude information, save it to extra.(source|destination).",
|
|
"module": "intelmq.bots.experts.geohash.expert",
|
|
"parameters": {
|
|
"overwrite": false,
|
|
"precision": 7
|
|
}
|
|
},
|
|
"Gethostbyname": {
|
|
"description": "Resolve the IP address for the FQDN.",
|
|
"module": "intelmq.bots.experts.gethostbyname.expert",
|
|
"parameters": {
|
|
"fallback_to_url": true,
|
|
"gaierrors_to_ignore": null,
|
|
"overwrite": false
|
|
}
|
|
},
|
|
"IDEA Converter": {
|
|
"description": "Convert events into the IDEA format.",
|
|
"module": "intelmq.bots.experts.idea.expert",
|
|
"parameters": {
|
|
"test_mode": false
|
|
}
|
|
},
|
|
"MISP": {
|
|
"description": "Looking up the IP address in MISP instance and retrieve attribute and event UUIDs.",
|
|
"module": "intelmq.bots.experts.misp.expert",
|
|
"parameters": {
|
|
"misp_key": "<insert MISP Authkey>",
|
|
"misp_url": "<insert url of MISP server (with trailing '/')>"
|
|
}
|
|
},
|
|
"MaxMind GeoIP": {
|
|
"description": "Add geolocation information from a local MaxMind database to events (country, city, longitude, latitude).",
|
|
"module": "intelmq.bots.experts.maxmind_geoip.expert",
|
|
"parameters": {
|
|
"database": "/opt/intelmq/var/lib/bots/maxmind_geoip/GeoLite2-City.mmdb",
|
|
"license_key": "<insert Maxmind license key>",
|
|
"overwrite": false,
|
|
"use_registered": false
|
|
}
|
|
},
|
|
"McAfee Active Response Lookup": {
|
|
"description": "Query connections to IP addresses to the given destination within the local environment using McAfee Active Response queries.",
|
|
"module": "intelmq.bots.experts.mcafee.expert_mar",
|
|
"parameters": {
|
|
"dxl_config_file": "<insert /path/to/dxlclient.config>",
|
|
"lookup_type": "<Hash|DestSocket|DestIP|DestFQDN>"
|
|
}
|
|
},
|
|
"Modify": {
|
|
"description": "Perform arbitrary changes to event's fields based on regular-expression-based rules on different values. See the bot's documentation for some examples.",
|
|
"module": "intelmq.bots.experts.modify.expert",
|
|
"parameters": {
|
|
"case_sensitive": true,
|
|
"configuration_path": "/opt/intelmq/var/lib/bots/modify/modify.conf",
|
|
"maximum_matches": null,
|
|
"overwrite": false
|
|
}
|
|
},
|
|
"National CERT by CERT.at": {
|
|
"description": "Add country and abuse contact information from the CERT.at national CERT Contact Database. Set filter to true if you want to filter out events for Austria. Set overwrite_cc to true if you want to overwrite an existing country code value.",
|
|
"module": "intelmq.bots.experts.national_cert_contact_certat.expert",
|
|
"parameters": {
|
|
"filter": false,
|
|
"http_verify_cert": true,
|
|
"overwrite_cc": false
|
|
}
|
|
},
|
|
"RFC 1918": {
|
|
"description": "Removes fields or discard events if an IP address or domain is invalid as defined in standards like RFC 1918 (invalid, local, reserved, documentation). IP address, FQDN and URL fields are supported.",
|
|
"module": "intelmq.bots.experts.rfc1918.expert",
|
|
"parameters": {
|
|
"fields": "destination.ip,source.ip,source.url",
|
|
"policy": "del,drop,drop"
|
|
}
|
|
},
|
|
"RIPE": {
|
|
"description": "Fetch abuse contact and/or geolocation information for the source and/or destination IP addresses and/or ASNs of the events.",
|
|
"module": "intelmq.bots.experts.ripe.expert",
|
|
"parameters": {
|
|
"mode": "append",
|
|
"query_ripe_db_asn": true,
|
|
"query_ripe_db_ip": true,
|
|
"query_ripe_stat_asn": true,
|
|
"query_ripe_stat_geolocation": true,
|
|
"query_ripe_stat_ip": true,
|
|
"redis_cache_db": "10",
|
|
"redis_cache_host": "127.0.0.1",
|
|
"redis_cache_password": null,
|
|
"redis_cache_port": "6379",
|
|
"redis_cache_ttl": "86400"
|
|
}
|
|
},
|
|
"RecordedFuture IPRisk": {
|
|
"description": "Adds the Risk Score from RecordedFuture IPRisk associated with source.ip or destination.ip with a local database.",
|
|
"module": "intelmq.bots.experts.recordedfuture_iprisk.expert",
|
|
"parameters": {
|
|
"api_token": "<insert Recorded Future IPRisk API token>",
|
|
"database": "/opt/intelmq/var/lib/bots/recordedfuture_iprisk/rfiprisk.dat",
|
|
"overwrite": false
|
|
}
|
|
},
|
|
"Reverse DNS": {
|
|
"description": "Get the correspondent domain name for source and destination IP address.",
|
|
"module": "intelmq.bots.experts.reverse_dns.expert",
|
|
"parameters": {
|
|
"cache_ttl_invalid_response": "60",
|
|
"overwrite": false,
|
|
"redis_cache_db": "7",
|
|
"redis_cache_host": "127.0.0.1",
|
|
"redis_cache_password": null,
|
|
"redis_cache_port": "6379",
|
|
"redis_cache_ttl": "86400"
|
|
}
|
|
},
|
|
"Sieve": {
|
|
"description": "Filter and modify events based on a sieve-based language.",
|
|
"module": "intelmq.bots.experts.sieve.expert",
|
|
"parameters": {
|
|
"file": "/opt/intelmq/var/lib/bots/sieve/filter.sieve"
|
|
}
|
|
},
|
|
"Splunk saved search": {
|
|
"description": "Enrich an event from Splunk search results.",
|
|
"module": "intelmq.bots.experts.splunk_saved_search.expert",
|
|
"parameters": {
|
|
"auth_token": "VGhlIHF1aWNrIGJyb3duIGZveCBqdW1wIG92ZXIgdGhlIGxhenkgZG9nLgo=",
|
|
"multiple_result_handling": [
|
|
"warn",
|
|
"use_first",
|
|
"send"
|
|
],
|
|
"not_found": [
|
|
"warn",
|
|
"send"
|
|
],
|
|
"overwrite": null,
|
|
"result_fields": {
|
|
"result field": "event field"
|
|
},
|
|
"retry_interval": 5,
|
|
"saved_search": "search_name",
|
|
"search_parameters": {
|
|
"event field": "search parameter"
|
|
},
|
|
"url": "https://splunk:8089/"
|
|
}
|
|
},
|
|
"Taxonomy": {
|
|
"description": "Apply the eCSIRT Taxonomy to all events.",
|
|
"module": "intelmq.bots.experts.taxonomy.expert",
|
|
"parameters": {}
|
|
},
|
|
"Threshold": {
|
|
"description": "Check if the number of similar messages during a specified time interval exceeds a set value.",
|
|
"module": "intelmq.bots.experts.threshold.expert",
|
|
"parameters": {
|
|
"add_keys": {
|
|
"comment": "Threshold reached"
|
|
},
|
|
"filter_keys": "raw,time.observation",
|
|
"filter_type": "blacklist",
|
|
"redis_cache_db": "11",
|
|
"redis_cache_host": "127.0.0.1",
|
|
"redis_cache_password": null,
|
|
"redis_cache_port": "6379",
|
|
"threshold": 100,
|
|
"timeout": 3600
|
|
}
|
|
},
|
|
"Tor Nodes": {
|
|
"description": "Check if the IP address is a Tor Exit Node based on a local database of TOR nodes.",
|
|
"module": "intelmq.bots.experts.tor_nodes.expert",
|
|
"parameters": {
|
|
"database": "/opt/intelmq/var/lib/bots/tor_nodes/tor_nodes.dat",
|
|
"overwrite": false
|
|
}
|
|
},
|
|
"Wait": {
|
|
"description": "Wait for a some time or until a queue size is lower than a given number.",
|
|
"module": "intelmq.bots.experts.wait.expert",
|
|
"parameters": {
|
|
"queue_db": 2,
|
|
"queue_host": "localhost",
|
|
"queue_name": null,
|
|
"queue_polling_interval": 0.05,
|
|
"queue_port": 6379,
|
|
"queue_size": 0,
|
|
"sleep_time": null
|
|
}
|
|
},
|
|
"url2fqdn": {
|
|
"description": "Parse the FQDN from the URL.",
|
|
"module": "intelmq.bots.experts.url2fqdn.expert",
|
|
"parameters": {
|
|
"overwrite": false
|
|
}
|
|
}
|
|
},
|
|
"Output": {
|
|
"AMQP Topic": {
|
|
"description": "Send events to an AMQP topic exchange. Requires the pika python library.",
|
|
"module": "intelmq.bots.outputs.amqptopic.output",
|
|
"parameters": {
|
|
"connection_attempts": 3,
|
|
"connection_heartbeat": 3600,
|
|
"connection_host": "127.0.0.1",
|
|
"connection_port": 5672,
|
|
"connection_vhost": "<your virtual host>",
|
|
"content_type": "application/json",
|
|
"delivery_mode": 2,
|
|
"exchange_durable": true,
|
|
"exchange_name": "<your exchange name>",
|
|
"exchange_type": "topic",
|
|
"keep_raw_field": false,
|
|
"message_hierarchical_output": false,
|
|
"message_jsondict_as_string": false,
|
|
"message_with_type": false,
|
|
"password": "<your amqp password>",
|
|
"require_confirmation": true,
|
|
"routing_key": "<your routing key>",
|
|
"single_key": false,
|
|
"use_ssl": false,
|
|
"username": "<your amqp username>"
|
|
}
|
|
},
|
|
"Blackhole": {
|
|
"description": "Discard messages.",
|
|
"module": "intelmq.bots.outputs.blackhole.output",
|
|
"parameters": {}
|
|
},
|
|
"Elasticsearch": {
|
|
"description": "Send events to an Elasticsearch database server.",
|
|
"module": "intelmq.bots.outputs.elasticsearch.output",
|
|
"parameters": {
|
|
"elastic_host": "127.0.0.1",
|
|
"elastic_index": "intelmq",
|
|
"elastic_port": 9200,
|
|
"flatten_fields": "extra",
|
|
"http_password": null,
|
|
"http_username": null,
|
|
"http_verify_cert": false,
|
|
"replacement_char": null,
|
|
"rotate_index": "never",
|
|
"ssl_ca_certificate": null,
|
|
"ssl_show_warnings": true,
|
|
"use_ssl": false
|
|
}
|
|
},
|
|
"File": {
|
|
"description": "Write events to a file.",
|
|
"module": "intelmq.bots.outputs.file.output",
|
|
"parameters": {
|
|
"encoding_errors_mode": "strict",
|
|
"file": "/opt/intelmq/var/lib/bots/file-output/events.txt",
|
|
"format_filename": false,
|
|
"hierarchical_output": false,
|
|
"keep_raw_field": false,
|
|
"message_jsondict_as_string": false,
|
|
"message_with_type": false,
|
|
"single_key": false
|
|
}
|
|
},
|
|
"Files": {
|
|
"description": "Write events lockfree into separate files.",
|
|
"module": "intelmq.bots.outputs.files.output",
|
|
"parameters": {
|
|
"dir": "/opt/intelmq/var/lib/bots/files-output/incoming",
|
|
"hierarchical_output": false,
|
|
"keep_raw_field": false,
|
|
"message_jsondict_as_string": false,
|
|
"message_with_type": false,
|
|
"single_key": false,
|
|
"suffix": ".json",
|
|
"tmp": "/opt/intelmq/var/lib/bots/files-output/tmp"
|
|
}
|
|
},
|
|
"MISP API": {
|
|
"description": "Insert events into a MISP instance.",
|
|
"module": "intelmq.bots.outputs.misp.output_api",
|
|
"parameters": {
|
|
"add_feed_name_as_tag": true,
|
|
"add_feed_provider_as_tag": true,
|
|
"misp_additional_correlation_fields": [],
|
|
"misp_additional_tags": [],
|
|
"misp_key": "<insert MISP Authkey>",
|
|
"misp_publish": false,
|
|
"misp_tag_for_bot": "<insert MISP tag to mark inserted events>",
|
|
"misp_to_ids_fields": [],
|
|
"misp_url": "<insert url of MISP server (with trailing '/')>",
|
|
"significant_fields": "<insert list of significant fields>"
|
|
}
|
|
},
|
|
"MISP Feed": {
|
|
"description": "Generate an output in the MISP Feed format.",
|
|
"module": "intelmq.bots.outputs.misp.output_feed",
|
|
"parameters": {
|
|
"interval_event": "1 hour",
|
|
"misp_org_name": "<org name creating the events>",
|
|
"misp_org_uuid": "<org uuid creating the events>",
|
|
"output_dir": "/opt/intelmq/var/lib/bots/mispfeed-output"
|
|
}
|
|
},
|
|
"McAfee ESM": {
|
|
"description": "Write events to the McAfee Enterprise Security Manager (ESM).",
|
|
"module": "intelmq.bots.outputs.mcafee.output_esm_ip",
|
|
"parameters": {
|
|
"esm_ip": "1.2.3.4",
|
|
"esm_password": "<Password>",
|
|
"esm_user": "NGCP",
|
|
"esm_watchlist": "<watchlist name>",
|
|
"field": "source.ip"
|
|
}
|
|
},
|
|
"MongoDB": {
|
|
"description": "Send events to a MongoDB database.",
|
|
"module": "intelmq.bots.outputs.mongodb.output",
|
|
"parameters": {
|
|
"collection": "<collection>",
|
|
"database": "<database>",
|
|
"db_pass": null,
|
|
"db_user": null,
|
|
"hierarchical_output": true,
|
|
"host": "localhost",
|
|
"port": "27017",
|
|
"replacement_char": "_"
|
|
}
|
|
},
|
|
"REST API": {
|
|
"description": "Send events to a REST API listener through HTTP POST.",
|
|
"module": "intelmq.bots.outputs.restapi.output",
|
|
"parameters": {
|
|
"auth_token": "<token>",
|
|
"auth_token_name": "<token name>",
|
|
"auth_type": "<http_basic_auth/http_header>",
|
|
"hierarchical_output": false,
|
|
"host": "<host>",
|
|
"ssl_client_certificate": null,
|
|
"use_json": true
|
|
}
|
|
},
|
|
"Redis": {
|
|
"description": "Send events to a Redis database.",
|
|
"module": "intelmq.bots.outputs.redis.output",
|
|
"parameters": {
|
|
"hierarchical_output": false,
|
|
"redis_db": 2,
|
|
"redis_password": "<password>",
|
|
"redis_queue": "external-redis-queue",
|
|
"redis_server_ip": "127.0.0.1",
|
|
"redis_server_port": 6379,
|
|
"redis_timeout": 50000,
|
|
"with_type": true
|
|
}
|
|
},
|
|
"Request Tracker": {
|
|
"description": "Request Tracker ticket creation bot. Create linked Investigation queue ticket if needed, according to the RTIR flow",
|
|
"module": "intelmq.bots.outputs.rt.output",
|
|
"parameters": {
|
|
"CF_mapping": {
|
|
"classification.taxonomy": "Classification",
|
|
"classification.type": "Incident Type",
|
|
"event_description.text": "Description",
|
|
"extra.incident.importance": "Importance",
|
|
"extra.incident.severity": "Incident Severity",
|
|
"extra.organization.name": "Customer",
|
|
"source.ip": "IP"
|
|
},
|
|
"create_investigation": false,
|
|
"description_attr": "event_description.text",
|
|
"final_status": "resolved",
|
|
"investigation_fields": "time.source,time.observation,source.ip,source.port,source.fqdn,source.url,classification.taxonomy,classification.type,classification.identifier,event_description.url,event_description.text,malware.name,protocol.application,protocol.transport",
|
|
"queue": "Incidents",
|
|
"rt_password": "<password>",
|
|
"rt_uri": "http://localhost/REST/1.0",
|
|
"rt_user": "apiuser",
|
|
"verify_cert": true
|
|
}
|
|
},
|
|
"SMTP": {
|
|
"description": "Send single events as CSV attachment in dynamically formatted e-mails via SMTP.",
|
|
"module": "intelmq.bots.outputs.smtp.output",
|
|
"parameters": {
|
|
"fieldnames": "classification.taxonomy,classification.type,classification.identifier,source.ip,source.asn,source.port",
|
|
"mail_from": "cert@localhost",
|
|
"mail_to": "{ev[source.abuse_contact]}",
|
|
"smtp_host": "localhost",
|
|
"smtp_password": null,
|
|
"smtp_port": null,
|
|
"smtp_username": null,
|
|
"ssl": false,
|
|
"starttls": true,
|
|
"subject": "Incident in your AS {ev[source.asn]}",
|
|
"text": "Dear network owner,\\n\\nWe have been informed that the following device might have security problems.\\n\\nYour localhost CERT"
|
|
}
|
|
},
|
|
"SQL": {
|
|
"description": "Send events to a PostgreSQL or SQLite database.",
|
|
"module": "intelmq.bots.outputs.sql.output",
|
|
"parameters": {
|
|
"autocommit": true,
|
|
"database": "intelmq-events",
|
|
"engine": "<postgresql OR sqlite>",
|
|
"host": "localhost",
|
|
"jsondict_as_string": true,
|
|
"password": "<password>",
|
|
"port": "5432",
|
|
"sslmode": "require",
|
|
"table": "events",
|
|
"user": "intelmq"
|
|
}
|
|
},
|
|
"Stomp": {
|
|
"description": "Send events to a STMOP server.",
|
|
"module": "intelmq.bots.outputs.stomp.output",
|
|
"parameters": {
|
|
"exchange": "/exchange/_push",
|
|
"heartbeat": 60000,
|
|
"keep_raw_field": false,
|
|
"message_hierarchical_output": false,
|
|
"message_jsondict_as_string": false,
|
|
"message_with_type": false,
|
|
"port": 61614,
|
|
"server": "127.0.0.1",
|
|
"single_key": false,
|
|
"ssl_ca_certificate": "<insert path to CA file>",
|
|
"ssl_client_certificate": "<insert path to client cert file>",
|
|
"ssl_client_certificate_key": "<insert path to client cert key file>"
|
|
}
|
|
},
|
|
"TCP": {
|
|
"description": "Send events to a TCP server as Splunk, ElasticSearch or another IntelMQ etc.",
|
|
"module": "intelmq.bots.outputs.tcp.output",
|
|
"parameters": {
|
|
"counterpart_is_intelmq": true,
|
|
"hierarchical_output": false,
|
|
"ip": "<ip>",
|
|
"port": "<port>",
|
|
"separator": "<nothing or \\n or something else>"
|
|
}
|
|
},
|
|
"Touch": {
|
|
"description": "Touch a file for every event received.",
|
|
"module": "intelmq.bots.outputs.touch.output",
|
|
"parameters": {
|
|
"path": "<path to a file>"
|
|
}
|
|
},
|
|
"UDP": {
|
|
"description": "Send events to a UDP server, e.g. a syslog daemon.",
|
|
"module": "intelmq.bots.outputs.udp.output",
|
|
"parameters": {
|
|
"field_delimiter": "|",
|
|
"format": "<json/delimited> read README.md",
|
|
"header": "<header text>",
|
|
"keep_raw_field": false,
|
|
"udp_host": "localhost",
|
|
"udp_port": "<port>"
|
|
}
|
|
},
|
|
"XMPP": {
|
|
"description": "Send events to an XMPP server.",
|
|
"module": "intelmq.bots.outputs.xmpp.output",
|
|
"parameters": {
|
|
"ca_certs": "/etc/ssl/certs/ca-certificates.crt",
|
|
"hierarchical_output": false,
|
|
"use_muc": false,
|
|
"xmpp_password": "<xmpp password>",
|
|
"xmpp_room": null,
|
|
"xmpp_room_nick": null,
|
|
"xmpp_room_password": null,
|
|
"xmpp_server": "<xmpp server>",
|
|
"xmpp_to_server": "<destination server>",
|
|
"xmpp_to_user": "<destination username>",
|
|
"xmpp_user": "<xmpp username>"
|
|
}
|
|
}
|
|
}
|
|
}
|