[Bro] [bro] Extending intel.log

Hosom, Stephen M hosom at battelle.org
Tue Apr 26 06:46:44 PDT 2016


The easiest thing to do at the moment is to place the url in the source field. There are some custom scripts that add custom fields to the intel.log, but if I remember right, in order to do that they replace parts of the intel framework, which would likely be prone to breaking without notice on version changes.

On 04/26/2016 09:31 AM, Tim Desrochers wrote:
Is there an easy way to extend the intel.log file to include the meta.url field. I ingest these logs into ELK and having the meta.url would be extremely helpful.

Right now when my logs print I get seen_indicator, seen_indicator_type, seen_node, seen_where, and sources, but I’d like to have the meta URL come through and print in the log to make it easy for an analyst to find the source documentation for the referenced intel alert.

Thanks
Tim
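As an added example (not code from this thread or from the Bro project), here is a standalone script that adds the meta.url of every matching intel item as a logged column in intel.log without replacing any part of the Intel framework. It assumes a Bro/Zeek version that provides the Intel::extend_match hook (added to the framework after this discussion); the module name IntelURL is hypothetical.

```zeek
# Added example: extend intel.log with the url from each matching item's
# metadata. Assumes the Intel::extend_match hook exists (Bro 2.5+ / Zeek).
module IntelURL;  # hypothetical module name

# Add a new optional, logged column to the Intel::Info record.
redef record Intel::Info += {
    # URLs taken from meta.url of every intel item that matched.
    urls: set[string] &log &optional;
};

# The hook runs once per match, before the Info record is written, with
# the full set of matching items (each carries its own MetaData).
hook Intel::extend_match(info: Intel::Info, s: Intel::Seen, items: set[Intel::Item])
{
    local urls: set[string] = set();

    for ( item in items )
    {
        # meta.url is optional in the intel file, so test before reading it.
        if ( item$meta?$url )
            add urls[item$meta$url];
    }

    # Only populate the column when at least one item carried a url;
    # otherwise the field stays unset and logs as "-".
    if ( |urls| > 0 )
        info$urls = urls;
}
```

Load it with the rest of your local scripts and the new urls column appears in intel.log alongside sources, which ELK can then index like any other field.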



