Extending intel.log

Is there an easy way to extend the intel.log file to include the meta.url field? I ingest these logs into ELK, and having the meta.url would be extremely helpful.

Right now when my logs print I get seen_indicator, seen_indicator_type, seen_node, seen_where, and sources, but I’d like to have the meta URL come through and print in the log to make it easy for an analyst to find the source documentation for the referenced intel alert.



The easiest thing to do at the moment is to place the URL in the source field. There are some custom scripts that add custom fields to the intel.log, but if I remember right, in order to do that they replace parts of the intel framework, which would likely be prone to breaking without notice on version changes.

I have some extensions for the intel framework here:

Look at the tests to see how to use it:

I'm hoping that some changes will be coming to the intel framework in the next release that should incorporate changes like these and more too.
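For readers who want the meta.url column without replacing framework code, here is an added example script (not Seth's linked extension and not part of the original thread). It assumes a Zeek/Bro version that exposes the `Intel::extend_match` hook, which is a supported extension point and so less likely to break across upgrades than patched framework files.

```zeek
##! Added example: log the meta.url of every intel item that produced a hit
##! as a new `url` column in intel.log. Assumes the Intel::extend_match hook
##! is available (Bro 2.5 / Zeek or newer); older releases lack it.
@load base/frameworks/intel

module Intel;

export {
    # Extra optional column for intel.log. A set is used because several
    # feed items (from different sources) can match the same observation,
    # mirroring how the built-in `sources` column behaves.
    redef record Info += {
        url: set[string] &log &optional;
    };
}

# Called by the framework for each match, right before the Info record is
# written to intel.log. Collect meta.url from all matching items; items
# whose metadata carries no url are simply skipped.
hook Intel::extend_match(info: Info, s: Seen, items: set[Item])
    {
    for ( item in items )
        {
        if ( ! item$meta?$url )
            next;

        if ( ! info?$url )
            info$url = set();

        add info$url[item$meta$url];
        }
    }
```

Load the script from local.zeek (or local.bro) and the `url` column appears in intel.log alongside `sources`, so an analyst in ELK can pivot straight to the feed's documentation for the indicator.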


Thanks, Seth.