
Corelight Fleet Manager Portal Exports

The web format of this guide reflects the most current release.  Guides for older iterations are available in PDF format.  

Export Details

ThreatQuotient provides the following details for this export:

Introduction

Use the steps provided in this guide to create a ThreatQ export for Corelight Fleet Manager Portal. 

Creating the Export

The following section will detail how to create a ThreatQ export for Corelight Fleet Manager.

  1. Select the Settings icon > Exports.

    The Exports page appears with a table listing all exports in alphabetical order.

  2. Click Add New Export.

    The Connection Settings dialog box appears.

  3. Enter an Export Name.
  4. Click Next Step.

    The Output Format dialog box appears.

  5. Provide the following information:

    See the Output Format Options topic for more information on using logical operators in exports. If a specific score or range of scores is required, the following should be added to the end of the Special Parameters configuration.

    Field                                                Value
    Which type of information would you like to export?  Indicators
    Output Type                                          Text/plain
    Filter by TLP                                        Optional - select a TLP filter if needed.
    Special Parameters                                   indicator.status=Active&indicator.deleted=N

    Output Format Template
    #fields{$tab}indicator{$tab}indicator_type{$tab}meta.source{$tab}meta.url
    {foreach $data as $indicator}
    {$indicator_type=""}
    {$source_found=0}
    {if $indicator.type eq "CIDR Block"}{$indicator_type="Intel::SUBNET"}{/if}
    {if $indicator.type eq "IP Address"}{$indicator_type="Intel::ADDR"}{/if}
    {if $indicator.type eq "URL"}{$indicator_type="Intel::URL"}{/if}
    {if $indicator.type eq "Email Address"}{$indicator_type="Intel::EMAIL"}{/if}
    {if $indicator.type eq "FQDN"}{$indicator_type="Intel::DOMAIN"}{/if}
    {if $indicator.type eq "MD5"}{$indicator_type="Intel::FILE_HASH"}{/if}
    {if $indicator.type eq "SHA-1"}{$indicator_type="Intel::FILE_HASH"}{/if}
    {if $indicator.type eq "SHA-256"}{$indicator_type="Intel::FILE_HASH"}{/if}
    {if $indicator.type eq "SHA-384"}{$indicator_type="Intel::FILE_HASH"}{/if}
    {if $indicator.type eq "SHA-512"}{$indicator_type="Intel::FILE_HASH"}{/if}
    {if $indicator.type eq "Filename"}{$indicator_type="Intel::FILE_HASH"}{/if}
    {if $indicator_type ne ""}
    {$indicator.value}{$tab}{$indicator_type}{$tab}{foreach $indicator.Sources item=source name=Sources}{if $smarty.foreach.Sources.first == true}{$source.value}{$source_found=1}{/if}{/foreach}{if $source_found == 0}-{/if}{$tab}https://{$http_host}/indicators/{$indicator.id}/details
    {/if}
    {/foreach}

  6. Click Save Settings.
  7. Under On/Off, toggle the switch to enable the export.

Corelight Fleet Configuration

Use the following steps to create a new Corelight Fleet intel policy for the ThreatQ export.

  1. Log into the Corelight Fleet Manager UI.
  2. Navigate to Policies > Intel Policies and then click on New Intel Policy.
  3. Enter a name for the new policy and click on Save.
  4. Click on New Intel Source and provide the URL to the TQ Export.

Adding the ThreatQ Certificate 

If you encounter an SSL certificate warning from Corelight, add the ThreatQ certificate to Corelight's trusted store using the steps below.

  1. Confirm that you have a CA signed certificate.
  2. Navigate to the ca-certificates directory:
    cd /usr/local/share/ca-certificates

  3. Retrieve the entire ThreatQ certificate chain:
    openssl s_client -showcerts -verify 5 -connect <ThreatQ Host>:443 < /dev/null | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{ if(/BEGIN CERTIFICATE/){a++}; out="cert"a".pem"; print >out}'
    for cert in *.pem; do newname=$(openssl x509 -noout -subject -in $cert | sed -nE 's/.*CN ?= ?(.*)/\1/; s/[ ,.*]/_/g; s/__/_/g; s/_-_/-/; s/^_//g;p' | tr '[:upper:]' '[:lower:]').pem; echo "${newname}"; mv "${cert}" "${newname}" ; done

  4. Convert the PEM file to CRT:
    openssl x509 -outform der -in <name_of_pem_file_from_step3>.pem -out <name_of_pem_file_from_step3>.crt

  5. Update the Corelight trust store:
    sudo update-ca-certificates

  6. Restart the Corelight Fleet Manager:
    sudo systemctl restart corelight-fleetd

  7. Confirm system status once the restart process has completed:
    sudo systemctl status corelight-fleetd

  8. Change the IP address in the ThreatQ export URL to the ThreatQ hostname, so that the URL matches the name on the certificate.
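The following is an added example, not Corelight or ThreatQ tooling: the chain split and CN-based rename from step 3 written in Python, so the logic can be exercised offline on text already captured from openssl s_client -showcerts before anything is written into the trust store. The split mirrors the awk range and the file naming mirrors the sed pipeline; subject_via_openssl calls the same openssl x509 -noout -subject command as step 3. The sample bundle is constructed (its base64 bodies are placeholders, not real certificates), and the subject strings used in the demo are constructed samples.

```python
# Added example (not Corelight or ThreatQ tooling): the certificate-chain split
# and rename from step 3, in Python, runnable offline on captured s_client text.
# The bundle below is constructed: its base64 bodies are placeholders, not real
# certificates, and the subject strings in __main__ are constructed samples.
import os
import re
import subprocess
import tempfile

# Same range the awk program prints: BEGIN line through END line, inclusive.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_chain(text):
    """Return each PEM certificate block in `text`, in order, each ending with a
    newline; s_client's connection chatter and verify lines are dropped."""
    return [m.group(0) + "\n" for m in PEM_BLOCK.finditer(text)]


def cn_to_filename(subject):
    """Derive a file name from an `openssl x509 -subject` line the way the sed
    pipeline in step 3 does: take the text after the last "CN =", replace
    spaces, commas, dots and '*' with '_', collapse '__', turn the first '_-_'
    into '-', drop a leading '_', lowercase, append .pem. None if no CN."""
    m = re.match(r".*CN ?= ?(.*)", subject)
    if not m:
        return None
    name = re.sub(r"[ ,.*]", "_", m.group(1))
    name = name.replace("__", "_")        # sed s/__/_/g (one non-overlapping pass)
    name = name.replace("_-_", "-", 1)    # sed s/_-_/-/ (first occurrence only)
    name = re.sub(r"^_", "", name)
    return name.lower() + ".pem"


def subject_via_openssl(pem_block):
    """Subject of one PEM block from the openssl CLI (the same call step 3 uses)."""
    result = subprocess.run(
        ["openssl", "x509", "-noout", "-subject"],
        input=pem_block, capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


def save_chain(text, directory, subject_of=subject_via_openssl):
    """Split `text` into certificates and write each as <directory>/<cn name>.pem.
    Returns the written paths. `subject_of` is injectable so the naming logic can
    be exercised without a real certificate."""
    written = []
    for block in split_pem_chain(text):
        name = cn_to_filename(subject_of(block)) or "unnamed_cert.pem"
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write(block)
        written.append(path)
    return written


# Constructed s_client-style output with two placeholder certificate bodies.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=1 C = US, O = Example Corp, CN = Example Root CA
verify return:1
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVJOT1RBUkVBTENFUlRJRklDQVRFUExBQ0VIT0xERVJOT1RBUkVB
-----END CERTIFICATE-----
 1 s:C = US, O = Example Corp, CN = Example Root CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVJOT1RBUkVBTENFUlRJRklDQVRFUExBQ0VIT0xERVJOT1RBUkVB
-----END CERTIFICATE-----
DONE
"""

if __name__ == "__main__":
    # Real use: capture `openssl s_client -showcerts ...` output to a file, pass
    # its text here and keep the default subject_via_openssl. The placeholder
    # bodies cannot be parsed by openssl, so constructed subjects are supplied.
    fake_subjects = iter(["subject=CN = threatq.example.test",
                          "subject=C = US, O = Example Corp, CN = Example Root CA"])
    outdir = tempfile.mkdtemp()
    for path in save_chain(SAMPLE_S_CLIENT_OUTPUT, outdir, lambda _b: next(fake_subjects)):
        print("wrote", path)
```

With real s_client output the default subject_via_openssl is used and the files land with names such as threatq_example_test.pem; a wildcard CN like *.example.test becomes example_test.pem, because the '*' and the leading underscore it produces are both stripped by the same rules the sed pipeline applies.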

Change Log

  • Version 1.0.0
    • Initial release

PDF Guides

Document                                             ThreatQ Version
Corelight Fleet Manager Portal Export Guide v1.0.0   N/A