Obstracts by DOGESEC automatically extracts Indicators of Compromise (IOCs) from threat intelligence reports. The extracted IOCs can then be loaded into defensive tooling such as a SIEM (Security Information and Event Management) system, for example as Splunk Enterprise Security lookups. Automating extraction removes a slow manual step from threat intelligence analysis and lets security teams get from a published report to a working detection faster.
You Should Know:
To get started with Obstracts, you can use the following commands and codes:
1. Installation:
git clone https://github.com/dogesec/obstracts.git
cd obstracts
pip install -r requirements.txt
2. Running Obstracts:
python obstracts.py -i <path_to_threat_intel_report> -o <output_directory>
3. Using Extracted IOCs in Splunk:
- First, ensure you have the Splunk SDK installed:
pip install splunk-sdk
- Then, use the following Python script to upload IOCs to Splunk:
import csv

import splunklib.client as client

# Connect to the Splunk management port (8089). In practice read the password
# from the environment or a secrets store instead of hard-coding it.
service = client.connect(host='localhost', port=8089,
                         username='admin', password='yourpassword')

# KV Store collection that will hold the IOCs (it must already exist in the app)
ioc_collection = service.kvstore["iocs"]

# The extraction output is a CSV, so insert one KV Store record per row
with open('extracted_iocs.csv', 'r', newline='') as file:
    for row in csv.DictReader(file):
        ioc_collection.data.insert(row)

4. Automating IOC Extraction with Cron:
- Add a cron job to run Obstracts periodically:
crontab -e
- Add the following line to run Obstracts every hour:
0 * * * * /usr/bin/python3 /path/to/obstracts.py -i /path/to/threat_intel_reports -o /path/to/output
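Raw extraction output is rarely ready to drop straight into a lookup: values are defanged (192.0.2[.]10, hxxp://), duplicated across reports, sometimes malformed, and sometimes benign domains that a report merely mentions. The script below is an added example, not code from Obstracts or from the original post. It refangs, validates and dedupes a small constructed CSV of extracted IOCs, renders the result as an ES-style lookup CSV, and pushes the records through the same .data.insert(dict) interface that splunklib's KV Store collection exposes. The column names (type,value,source), the KV Store field names, the allowlist contents and the MemoryCollection stand-in are all assumptions made for the example.

```python
"""Normalise extracted IOCs and load them into a Splunk KV Store collection.

Added example; not part of Obstracts or the original post. The CSV column
names, KV Store field names and ALLOWLIST contents are assumptions.
"""
import csv
import io
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample imitating an extraction result (assumed column layout).
SAMPLE_CSV = """type,value,source
ipv4,192.0.2[.]10,report-a
ipv4,192.0.2.10,report-a
domain,evil[.]example,report-a
url,hxxp://evil[.]example/payload.bin,report-b
sha256,E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,report-b
ipv4,999.1.1.1,report-b
domain,www.example.com,report-c
"""

# Domains that reports cite but that must never become alerting entries (assumed list).
ALLOWLIST = {"example.com"}

_DEFANG = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE)
_HXXP = re.compile(r"^hxxp(s?)://", re.IGNORECASE)
_DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
_SHA256 = re.compile(r"^[0-9a-f]{64}$")


def refang(value: str) -> str:
    """Undo common defanging so the value matches what actually appears in logs."""
    value = _DEFANG.sub(".", value.strip())
    return _HXXP.sub(lambda m: f"http{m.group(1).lower()}://", value)


def normalise(ioc_type: str, value: str):
    """Return (type, canonical value), or None if the IOC is invalid or allowlisted."""
    value = refang(value)
    if ioc_type == "ipv4":
        try:
            return ioc_type, str(ipaddress.IPv4Address(value))
        except ValueError:
            return None
    if ioc_type == "domain":
        value = value.lower().rstrip(".")
        if not _DOMAIN.match(value):
            return None
        if any(value == a or value.endswith("." + a) for a in ALLOWLIST):
            return None
        return ioc_type, value
    if ioc_type == "url":
        return (ioc_type, value) if value.lower().startswith(("http://", "https://")) else None
    if ioc_type == "sha256":
        value = value.lower()
        return (ioc_type, value) if _SHA256.match(value) else None
    return None  # unknown type: drop rather than guess


def parse_iocs(csv_text: str, now=None):
    """Parse the extraction CSV, normalise each row, drop junk, dedupe on (type, value)."""
    first_seen = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    seen, records = set(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        result = normalise(row["type"], row["value"])
        if result is None or result in seen:
            continue
        seen.add(result)
        records.append({"ioc_type": result[0], "ioc_value": result[1],
                        "source": row["source"], "first_seen": first_seen})
    return records


def to_lookup_csv(records) -> str:
    """Render records as a CSV that can be shipped as a Splunk ES lookup file."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["ioc_type", "ioc_value", "source", "first_seen"],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    return out.getvalue()


class MemoryCollection:
    """Offline stand-in exposing the same .data.insert(dict) shape as
    splunklib's service.kvstore["iocs"], so the pipeline runs without Splunk."""
    def __init__(self):
        self.rows = []
        self.data = self

    def insert(self, record):
        self.rows.append(dict(record))
        return {"_key": str(len(self.rows))}


def push_to_kvstore(records, collection) -> int:
    """Insert each record; pass service.kvstore["iocs"] here in production."""
    for record in records:
        collection.data.insert(record)
    return len(records)


if __name__ == "__main__":
    recs = parse_iocs(SAMPLE_CSV)
    print(to_lookup_csv(recs))
    print(push_to_kvstore(recs, MemoryCollection()), "records inserted")
```

Of the seven sample rows, four survive: the defanged and plain forms of 192.0.2.10 collapse to one entry, 999.1.1.1 is rejected as an invalid address, and www.example.com is dropped by the allowlist. Keeping the validation in front of the KV Store insert is what stops a badly formatted report from poisoning the lookup and generating false positives in Enterprise Security.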
What Undercode Says:
Obstracts by DOGESEC is a strong step toward automating threat intelligence handling. By using it, security teams can cut the time spent on manual IOC extraction and spend more of it analysing and responding to threats. The ability to feed the output into tools like Splunk makes it a useful addition to a security analyst's toolkit.
Related Commands:
- Linux:
grep -i "malware" /var/log/syslog
- Windows:
Get-WinEvent -LogName Security | Where-Object { $_.Message -match "malware" }
For more information, visit the Obstracts GitHub repository.
Reported By: Joseehernandez Your – Hackers Feeds