Is there a way to add meta.url and meta.desc to intel.log?
In theory there is but you have to keep in mind that multiple meta data records might be associated with a single indicator that matched. This is also why the sources field in intel.log is a set. See the following blog post for more details: https://blog.zeek.org/2016/12/the-intelligence-framework-update.html
For Intel::FILE_NAME to work, does base/frameworks/intel/files.bro go in
local.bro?
Scripts in base/ should be loaded by default. If you don't see hits on file names try to spot them in files.log first.
Will Intel::FILE_HASH detect MD5, SHA1, SHA256, SHA256, imphash, and
authentihash?
Will Intel::CERT_HASH detect MD5 or SHA256?
Will the intel frame detect part of part a URL or does only the full URL?
Will "@domain.com" work in the Intel::EMAIL, or is it best to just remove
the "@" and add it to Intel::Domain?
I’m unable to to get any threat intel events. The specific feed file was added in local.bro and the policy was redeployed. The intel.log is not being generated.
Is there a verbose debugging or warning when the policy is deployed to check for errors?
What is the best way to test the threat intel framework and events?
If the syntax of the feed.txt is bad will it cause the no events in intel.log?
Will unicode characters (non-ASCII) in the feed.txt cause an error or break the threat intel framework?
Will multi-line values in the source, desc, or url cause the threat intel framework to not work?
Format of the Intel files is critical, there should be errors in the reporter.log on startup if there are any issues with the formatting of the file. Most important issue is tab separated fields in your Intel files, next being that you have all of the necessary fields.
One last weird question, is there a way to have threat intel events with a different source (or a different threat intel file altogether) write out to another log - like to the feed2.txt file would write to intel2.log?