We talk with participants in the STINGAR project a lot about using feeds in protection devices via the chn-intel-feeds container, but our partners don’t have to limit themselves to the time-limited feeds; ad-hoc queries are also supported both via the CLI cifsdk client, as well as via a Chrome browser plugin! In this post, I’ll walk through the simple process for setting up the Chrome plugin and configuring it to query the STINGAR CIFv3 backend.
You can install the Chrome plugin via the Chrome Store at this URL:
Once you’ve installed the plugin, you should have a new icon on your toolbar:
Click the plugin icon, then click the “hamburger” to expose the settings link.
Once you’re in the settings, fill out a name of your choice, and then fill in the information you were given when joining the STINGAR project:
API Location : Fill in your “Production CIF URL”
Token: Fill in your “Read Token”
Groups: Fill in “everybody” and your partner ID, comma separated. I.e.: “everybody,partner1”
Provider: Your partner ID (“partner1”, etc)
Ensure the “Default Server” option is selected, and uncheck the “Log Queries” option.
Click the “Save” button and you’re all set! Your read key cannot submit data to the server, nor do we encourage using your write key for submitting via the plugin.
From here you can search for observables and see quick results across all time for any reports in the STINGAR CIFv3 backend. This data can help confirm suspicious activity, or identify IP’s that could be excluded based on their presence on a safelist.
The plugin works great for quick searches while reviewing reports, surfing the web, reading Twitter, etc., however for use cases that involved hundreds of indicators (or more!) users should consider using the CIFsdk CLI interface. For users of the awesome TheHive and associated Cortex, you may find this repo useful, enabling STINGAR lookups as an analyzer.