turbot/flowpipe-samples/lookup-iocs
Analyze Lookup IOCs in Different Tools
Looks up submitted IOCs (Indicators of Compromise) in a range of applications and services, including AbuseIPDB, Hunter.io and VirusTotal, and returns selected results from each.
Requirements
Docker daemon must be installed and running. Please see Install Docker Engine for more information.
Installation
Download and install Flowpipe (https://flowpipe.io/downloads), or use Brew:
brew tap turbot/tap
brew install flowpipe
Clone:
git clone https://github.com/turbot/flowpipe-samples.git
cd flowpipe-samples/security/lookup_iocs
flowpipe mod install
Connections
By default, the following environment variables will be used for authentication:
ABUSEIPDB_API_KEY
VTCLI_APIKEY
URLSCAN_API_KEY
IP2LOCATIONIO_API_KEY
You can also create connection resources in configuration files:
vi ~/.flowpipe/config/connections.fpc
connection "abuseipdb" "abuseipdb_api_key" {
  api_key = "bfc6f1c42dsfsdfdxxxx26977977b2xxxsfsdda98f313c3d389126de0d"
}

connection "virustotal" "my_virustotal" {
  api_key = "AG.U7..."
}

connection "urlscan" "my_urlscan" {
  api_key = "AKIA...2"
}

connection "ip2locationio" "my_ip2locationio" {
  token = "00B630jSCGU4jV4o5Yh4KQMAdqizwE2OgVcS7N9UHb"
}
For more information on connections in Flowpipe, please see Managing Connections.
Usage
Run the pipeline to look up IOCs in the configured tools:
flowpipe pipeline run lookup_iocs --arg 'iocs=[{"id" : "1","type" : "ip","value" : "192.168.1.10"},{"id" : "2","type" : "domain","value" : "malicious-domain.com"}]'
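Hand-writing the `iocs` JSON list gets error-prone once there are more than a couple of indicators. The following is an added example, not code from the flowpipe-samples mod: it takes raw indicator strings, classifies each as one of the two IOC types the usage example shows (`ip` or `domain`), canonicalises and de-duplicates them, assigns the sequential string ids the example uses, and emits the exact `--arg` value and argv for the command above. The domain regex and the sample input are constructed here; whatever other IOC types the mod accepts are not covered because the page does not name them.

```python
"""Build the `iocs` argument for `flowpipe pipeline run lookup_iocs`.

Added example (not part of the flowpipe-samples mod): classifies raw
indicator strings as "ip" or "domain", the two types shown in the mod's
usage example, drops duplicates and malformed values, and emits the JSON
list the pipeline expects.
"""
import ipaddress
import json
import re
import shlex

# Hostname label: 1-63 chars of alphanumerics and hyphens, no leading or
# trailing hyphen; the final label (TLD) must be alphabetic.
# Constructed for this example, not taken from the mod.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+[A-Za-z]{{2,63}}$")


def classify_ioc(value):
    """Return (type, canonical_value) for an indicator, or (None, value).

    IP addresses are canonicalised by the ipaddress module, so
    "2001:DB8::1" and "2001:db8:0:0:0:0:0:1" compare equal; domains are
    lower-cased. Anything else is reported as unclassified.
    """
    value = value.strip()
    try:
        return "ip", str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if len(value) <= 253 and _DOMAIN_RE.match(value):
        return "domain", value.lower()
    return None, value


def build_iocs(raw_values):
    """Classify, de-duplicate and number indicators.

    Returns (iocs, rejected): iocs is a list of {"id", "type", "value"}
    objects in the shape of the mod's usage example, ids numbered from "1";
    rejected holds inputs that were neither an IP address nor a
    syntactically valid domain.
    """
    iocs, rejected, seen = [], [], set()
    for raw in raw_values:
        kind, value = classify_ioc(raw)
        if kind is None:
            rejected.append(raw)
            continue
        if (kind, value) in seen:  # same indicator submitted twice
            continue
        seen.add((kind, value))
        iocs.append({"id": str(len(iocs) + 1), "type": kind, "value": value})
    return iocs, rejected


def build_flowpipe_command(raw_values):
    """Return argv for `flowpipe pipeline run lookup_iocs --arg iocs=<json>`."""
    iocs, _ = build_iocs(raw_values)
    arg = "iocs=" + json.dumps(iocs, separators=(",", ":"))
    return ["flowpipe", "pipeline", "run", "lookup_iocs", "--arg", arg]


if __name__ == "__main__":
    # Constructed sample input: the two values from the mod's usage example,
    # plus a mixed-case duplicate, an IPv6 address written two ways, and two
    # strings that are neither an IP nor a domain.
    sample = [
        "192.168.1.10", "malicious-domain.com", "Malicious-Domain.COM",
        "2001:DB8::1", "2001:db8::1", "not a domain", "-bad.example",
    ]
    iocs, rejected = build_iocs(sample)
    print(json.dumps(iocs, indent=2))
    print("rejected:", rejected)
    # shlex.join quotes the JSON so the whole command can be pasted into a shell.
    print(shlex.join(build_flowpipe_command(sample)))
```

Pipe the printed command into your shell, or pass the argv list straight to `subprocess.run`; either way the JSON reaches Flowpipe as a single `--arg` value, which is what the quoting in the usage line above achieves by hand.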
Configuration
To avoid entering variable values when running the pipeline or starting the server, you can set variable values:
cp flowpipe.fpvars.example flowpipe.fpvars
vi flowpipe.fpvars
# Required
apivoid_api_key="Your_APIVoid_API_Key"
hunter_api_key="Your_Hunter_API_Key"
kickbox_api_key="Your_Kickbox_API_Key"
hybrid_analysis_api_key="Your_Hybrid_Analysis_API_Key"