Passive DNS IOC hunting script

I’ve created a script that uses Justin Azoff’s bro-pdns-go-rewrite script to search the passive DNS database for IOC hits from a text file hosted on a web server; we’re using CRITS. You can cron both scripts, but I can’t figure out how to get it to send one email alert per run of the script, so don’t set it to every 5 minutes. You may need to touch some of the CSVs if it complains they aren’t there. You’ll need to enter the full path name in the script also.

I can’t find Justin’s GitHub for the go-rewrite, so maybe he can chime in with those details.
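One way to get a single alert per run, as an added example that is not the poster's script: collect every passive DNS hit from the IOC feed first, then build one email message from the whole batch. The passive DNS lookup here is a constructed in-memory table standing in for the real bro-pdns-go-rewrite query, and the IOC feed text, record layout and addresses are assumptions.

```python
"""Batch passive DNS IOC hits into one alert per run (added example)."""
from email.message import EmailMessage

# Constructed sample passive DNS records standing in for the real pDNS store:
# (query name, answer, first_seen, last_seen, count)
PDNS_RECORDS = [
    ("login.example-bank.test", "203.0.113.10", "2023-01-02", "2023-01-09", 41),
    ("cdn.example.test", "198.51.100.7", "2023-01-03", "2023-01-03", 2),
    ("updates.example.test", "203.0.113.10", "2023-01-05", "2023-01-08", 12),
]

# Constructed IOC feed as a text export might look: one indicator per line,
# blank lines and '#' comments are ignored.
IOC_FEED_TEXT = """# constructed feed
login.example-bank.test

203.0.113.10
# trailing comment
"""


def parse_ioc_feed(text):
    """Return the set of indicators in a text feed, skipping blanks and comments."""
    iocs = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            iocs.add(line.lower())
    return iocs


def pdns_hits(iocs, records=PDNS_RECORDS):
    """Report each pDNS record once, with the sorted tuple of IOCs it matched
    (an IOC can hit on the query name or on the answer)."""
    hits = []
    for rec in records:
        matched = sorted(i for i in iocs if i in (rec[0].lower(), rec[1]))
        if matched:
            hits.append((tuple(matched), rec))
    return hits


def build_alert(hits, sender="pdns-hunt@example.test", recipient="soc@example.test"):
    """Build ONE EmailMessage summarising every hit of this run; None if no hits."""
    if not hits:
        return None
    msg = EmailMessage()
    msg["Subject"] = f"[pDNS IOC hunt] {len(hits)} hit(s) this run"
    msg["From"], msg["To"] = sender, recipient
    body = [f"{', '.join(iocs)}: {q} -> {a} (first {f}, last {l}, seen {c}x)"
            for iocs, (q, a, f, l, c) in hits]
    msg.set_content("\n".join(body))
    return msg  # hand to smtplib.SMTP(host).send_message(msg) to deliver once per run


def run_hunt(feed_text):
    """One cron run: parse feed, query pDNS, return the single batched alert."""
    return build_alert(pdns_hits(parse_ioc_feed(feed_text)))
```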


It's in a branch: