We have successfully integrated threat intelligence plugins in our SIEM, but now we are unable to fetch the integrated threat feed in the $intelref field, so we are required to enable these plugins. We would like to request that you please provide the process for enabling threat intelligence plugins.
For enrichment feeds, the field $Intelref is only supposed to tell you the name of your threat intel plugin (like Kaspersky, VirusTotal, etc.). Apart from this, you would also have to check the following fields for the following purposes:
- $Intel - If this value is "True", it means there is something suspicious with this event. In order to check what is suspicious in this event, i.e., source IP address, destination IP address, domain name, etc., you need to check the following field.
- $ViolationField - The value within this field mentions the name of the suspicious field to look into.
And of course, $Intelref tells you the name of the threat intel source that has flagged the required field.
The above scenarios can of course happen if something is actually found suspicious; if nothing is found, then either these fields won't show in the DNIF Analytics Console or will have a blank value.
Hope this helps!
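As an added example (not code from the original thread or from DNIF), the triage logic the answer describes: check $Intel, use $ViolationField to find which field was flagged, and read $Intelref for the source. It assumes events are exported as Python dicts keyed by the console field names, and it handles both "clean" cases (fields blank or absent); all sample events are constructed.

```python
# Added example: triage of DNIF-style enrichment fields. Assumes events are
# available as Python dicts whose keys are the field names shown in the
# Analytics Console ($Intel, $ViolationField, $Intelref). Sample events are
# constructed for illustration, not real data.
from typing import Optional

# Constructed sample events covering the three cases the answer describes:
# a hit, a clean event with blank fields, and a clean event with the fields absent.
SAMPLE_EVENTS = [
    {"$EvtID": 1, "$SrcIP": "192.0.2.10", "$DstIP": "198.51.100.7", "$Domain": "example.net",
     "$Intel": "True", "$ViolationField": "$DstIP", "$Intelref": "VirusTotal"},
    {"$EvtID": 2, "$SrcIP": "192.0.2.11", "$DstIP": "198.51.100.8", "$Domain": "example.org",
     "$Intel": "", "$ViolationField": "", "$Intelref": ""},
    {"$EvtID": 3, "$SrcIP": "192.0.2.12", "$DstIP": "198.51.100.9", "$Domain": "example.com"},
    {"$EvtID": 4, "$SrcIP": "192.0.2.13", "$DstIP": "198.51.100.10", "$Domain": "bad.example",
     "$Intel": "True", "$ViolationField": "$Domain", "$Intelref": "Kaspersky"},
]


def is_flagged(event: dict) -> bool:
    """True only when $Intel is literally "True"; a blank or missing field means clean."""
    return str(event.get("$Intel", "")).strip().lower() == "true"


def triage(event: dict) -> Optional[dict]:
    """Resolve a flagged event to: which field was flagged, its value, and which source flagged it."""
    if not is_flagged(event):
        return None
    field = str(event.get("$ViolationField", "")).strip()
    return {
        "event_id": event.get("$EvtID"),
        "violation_field": field or None,
        # Look up the actual suspicious value (IP, domain, ...) by the name in $ViolationField.
        "violation_value": event.get(field) if field else None,
        "intel_source": str(event.get("$Intelref", "")).strip() or "unknown",
    }


def flagged_events(events: list) -> list:
    """Return triage records for every event that a threat intel plugin flagged."""
    return [t for t in (triage(e) for e in events) if t is not None]


if __name__ == "__main__":
    for hit in flagged_events(SAMPLE_EVENTS):
        print(hit)
```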