Flag matches with GreenSnow ThreatIntel
  • 1 Minute to read
  • Contributors
  • Dark
  • PDF

Flag matches with GreenSnow ThreatIntel

  • Dark
  • PDF

GreenSnow is a third party threat intel integration source available with DNIF in the form of an external dataset integration. It is possible to obtain a list of malicious IP addresses seen in many environments using GreenSnow.

GreenSnow Dataset Integration

An eventstore called greensnow is automatically scheduled and is displayed as shown below:


An enrichment bucket for the field $IP can be created to refer values from the greensnow eventstore.

Create a custom Enrichment Bucket

To be able to identify or flag any known malicious IP addresses in the log events, an enrichment bucket can be created which refers to data from an event store for GreenSnow ThreatIntel to flag these malicious IP addresses.

The yaml format is as follows:

bucket: IPv4
- SrcIP
- DstIP
- RemoteIP
- Domain
- System
schema-version: 1.0
- enr_key: '{IP}'
      IntelReference: IntelReference
      IntelURL: IntelURL
      ThreatType: Type
  eventstore: greensnow
  sourcetype: event_store

The enrichment bucket would identify the mailicious IP in the log events coming from different sources and point to a specific IP address in the $System field.

Field Description
Bucket Enter the name for the enrichment bucket.
Fields Enter the field names to be enriched.
schema-version Enter the schema version
Source List of sources for the enrichment bucket. Note: There can be multiple sources for one enrichment bucket
  • Source Type: Enter the source type i.e. dql/sql/eventstore
  • Eventstore: For this scenario, enter the eventstore name (greensnow).
  • Enr_key: Enter the desired values to be viewed in the output representation. For example, ‘{IP}’
  • Enr_values
      • Translate: Allows you to replace the column names of the query result. To replace enter : For example, ThreatType: Type In this case, the column name ThreatType is replaced with Type.
  • Save the enrichment bucket.

    Run a Search

    To check if enrichment has been added successfully, run a search on data to fetch enriched details. Enrichment will be applied to the field values mentioned in the enrichment bucket of yml file.


    In the above screen, $Stream, $IntelURL and $Type filed displays the details correlated to the IP Address in $System field.

    From the query result, you can click the Information icon to further drill down to each entity in the result and verify the enriched details.


    Was this article helpful?