Hi all
Was looking to get a steer on how to approach this please.
The desired outcome is that when an investigation is raised, a note (artifact?) is added to the investigation containing any available OSINT (e.g. VirusTotal) for any of the indicators associated with the investigation.
The sources of these indicators I think are either in:
The alert output “key rules of interest” and
The underlying logs that caused the alert to fire.
My current thinking is that a new alert triggers the workflow. From this alert I can see and extract indicators from the “key rules of interest” OK, but it is the log stuff I’m not sure how to approach.
I’m letting workflows run and then going into the Jobs → View Full Job to look at the output from the trigger.
I can see the log_entry_ID, but if I manually query it I’m not sure how to identify the log source.
I see in the log details array there is a “logset_id” entry, but I’m not sure how to use it.
The thought process is I query the logs and then use extract to grab ips etc from there.
Appreciate any feedback on whether I’m on the right track or if I’m on the reservation, so to speak.
If someone already has implemented this (or similar) and can share that would be appreciated.
Thanks in advance.
Bryan
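As an added illustration of the extract-then-enrich step described in the post (this is example code, not the poster's workflow and not any vendor's API), the block below takes a "key rules of interest" string plus raw log lines as already-fetched text, pulls out public IPv4 addresses, file hashes and domains, runs each through a lookup function, and builds the note text. The sample alert text, log lines and intel verdicts are constructed; the `sample_lookup` function stands in for a real VirusTotal query, the internal-network list is an assumption to adjust per environment, and the domain TLD list is deliberately short. The part the post asks about (resolving `log_entry_ID` / `logset_id` back to a log source) is not addressed here, since it depends on the platform's query API.

```python
import ipaddress
import re
from typing import Callable, Dict, List

# --- constructed sample inputs (not from the post) -------------------------
# RFC 5737 documentation addresses are used for the "external" IPs.
KEY_RULES = (
    "Key rules of interest: outbound connection from 10.20.30.40 to 203.0.113.45 "
    "(process sha256=" + "deadbeef" * 8 + ")"
)
LOG_LINES = [
    "2024-05-01T10:00:00Z dns src=10.20.30.40 query=update.example-cdn.top rcode=NOERROR",
    "2024-05-01T10:00:02Z fw action=allow src=10.20.30.40 dst=198.51.100.7 dport=443",
    "2024-05-01T10:00:02Z fw action=allow src=10.20.30.40 dst=203.0.113.45 dport=8080",
]
# Constructed verdicts standing in for what an OSINT source would return.
SAMPLE_INTEL = {
    "203.0.113.45": {"verdict": "malicious (12/70 engines)", "source": "constructed sample"},
    "update.example-cdn.top": {"verdict": "suspicious", "source": "constructed sample"},
}

# --- extraction -----------------------------------------------------------
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
# Short TLD list on purpose; a real workflow would use a proper public-suffix list.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|info|top|xyz)\b", re.I)
# Assumed internal ranges: RFC 1918, loopback, link-local. Adjust to your environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external_ip(ip: str) -> bool:
    """True for a syntactically valid IPv4 address outside the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    if addr.is_multicast or addr.is_unspecified:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def extract_indicators(texts: List[str]) -> Dict[str, List[str]]:
    """Collect deduplicated, sorted indicators of each type from alert text and logs."""
    found = {"ipv4": set(), "sha256": set(), "md5": set(), "domain": set()}
    for text in texts:
        found["ipv4"].update(ip for ip in IPV4_RE.findall(text) if is_external_ip(ip))
        found["sha256"].update(h.lower() for h in SHA256_RE.findall(text))
        found["md5"].update(h.lower() for h in MD5_RE.findall(text))
        found["domain"].update(d.lower() for d in DOMAIN_RE.findall(text))
    return {kind: sorted(values) for kind, values in found.items()}


# --- enrichment and note building ----------------------------------------
def sample_lookup(kind: str, value: str) -> Dict[str, str]:
    """Placeholder for a real OSINT query (e.g. VirusTotal); reads constructed verdicts."""
    return SAMPLE_INTEL.get(value, {"verdict": "no data", "source": "n/a"})


def defang(value: str) -> str:
    """Render IPs/domains so the note cannot be clicked or auto-linked."""
    return value.replace(".", "[.]")


def build_note(indicators: Dict[str, List[str]],
               lookup: Callable[[str, str], Dict[str, str]]) -> str:
    """Produce the text of the note to attach to the investigation."""
    lines = ["OSINT summary for investigation indicators (auto-generated):"]
    for kind, values in indicators.items():
        for value in values:
            intel = lookup(kind, value)
            shown = defang(value) if kind in ("ipv4", "domain") else value
            lines.append(f"- {kind} {shown}: {intel['verdict']} (source: {intel['source']})")
    return "\n".join(lines)


def demo() -> str:
    """Run the whole pipeline on the constructed inputs and return the note text."""
    return build_note(extract_indicators([KEY_RULES] + LOG_LINES), sample_lookup)


if __name__ == "__main__":
    print(demo())
```

Filtering internal addresses before the lookup keeps the note focused and avoids sending your own address space to a third-party service; defanging the values in the note avoids accidental clicks from the investigation view.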