This script grabs the sinkhole_*.txt files from the Maltrail GitHub page and creates a single csv used to import into RSA NetWitness as a recurring feed. This will allow you to detect ip communication to known sinkholes in the ioc metakey.
From there you can choose to alert on that metakey if required.
script is designed to run from SA server, you can crontab it to grab the latest information on a schedule (then create the recurring schedule to load new versions into RSA NW)
Included a report pack as well as the new 10.6.3 cleartext output for the report engine.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.