Threat intelligence is one of the most critical weapons we can use in cyber defense. We constantly collect data about new observables, current threats, attackers and their Tactics, Techniques, and Procedures (TTPs). In LIFARS, we use this data for perceiving the risks of the foremost common and severe external threats, as well as for enhancing our services such as incident response, threat hunting, forensics and malware analysis. In this article, we would like to introduce the new Logchecker tool developed by LIFARS.
Example of Observable search
We can search for given observables and quickly link them to another related observables. Also, we can get more info about their context, timestamps and sources, we can perform additional analysis and use the outcome for better understanding the nature of the threats and to protect our clients.
Examination in YETI
Existing Solutions
There are several solutions that can be used as a Threat Intelligence repository or a platform for collecting intelligence feeds and analysis. One of the solutions is called YETI, Your Everyday Threat Intelligence, an open source, distributed, machine and analyst-friendly threat intelligence repository. Such a platform could be a great benefit for the incident response and other defensive services.
The Need for Automation
If you need to deal with large number of observables, it is not feasible the check all of them manually. Therefore, automation is the key. In LIFARS, we are aware of this fact, and we automate our processes whenever possible and desirable. For example, in many cases we need to identify suspicious artifacts such as IP addresses and domains in endpoint and network logs, or to detect malicious files and their origin.
Abovementioned tasks can be automated. Upon identifying the artifacts in the logs, we can check them against our collected Threat Intelligence observables and report any hit with additional context. For this task we can use the Logchecker.
Logchecker used for scanning the auth.log from Linux server
Introducing The Logchecker Tool
Logchecker is a new Windows and Linux tool for scanning log files, developed by LIFARS. It extracts IP addresses, domain names and hashes from input file and checks for them in Threat Intelligence database. It supports Windows EVTX logs, text-based logs or any plaintext files. Output can be in CSV format for better human readability or in JSON for computer processing.
Example of CSV output of Logchecker
Example of JSON output of Logchecker
Our Logchecker uses the YETI platform as a backend. Thus, it can benefit from all the YETI machinery, including many feeds and analytics plugins. We believe that cyber security is a shared responsibility and we appreciate the work of YETI developers and cybersec community. Therefore, we decided to publish our Logchecker tool under Open Source MIT License. Consider it as our contribution to the community, so all defenders can benefit from it.
Source codes and pre-built binaries for Windows and Linux are available at LIFARS GitHub:
https://github.com/Lifars/log-checker
