I have a customer that is asking if we ingest thier ThreatConnect feed into MM, could a custom processor / output node be built that sends
destination IP address,port
and then they would like this PUSHED from the output node to another system for ingestion ?
I've seen the standard IPv4 processor and output parameters, but didn't see any parameters for including a port with an IP address. Also everything I've seen for output has been pull method, can we push as well ? I'm wondering if additional code to the processor or output node can be done to achieve this ?
That would be the responsibility of the output node. There are some output nodes that push indicators, like DagPusher or logstash output node (or CEF).
I don't know if TC Miner pulls also ports, @xhoms knows all about it. If ports are pulled and placed in an indicator attribute the output node could retrieve them and push along the IP to the external API.
BTW, which external API is your customer interested in?
current ThreatConnect miner does not extract port information from IPv4 indicators. That means that, to satisfy this use case:
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!