{"id":19149537,"url":"https://github.com/alphasoc/graylog-alphasoc","last_synced_at":"2026-03-01T13:36:38.379Z","repository":{"id":52908868,"uuid":"126336945","full_name":"alphasoc/graylog-alphasoc","owner":"alphasoc","description":"A content pack to render AlphaSOC alerts within Graylog","archived":false,"fork":false,"pushed_at":"2021-04-14T09:53:12.000Z","size":560,"stargazers_count":6,"open_issues_count":0,"forks_count":1,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-03-23T12:51:24.377Z","etag":null,"topics":["graylog-content-pack","intrusion-detection","malware-analysis","monitoring","security"],"latest_commit_sha":null,"homepage":"https://alphasoc.com","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/alphasoc.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-03-22T13:09:42.000Z","updated_at":"2024-11-04T19:03:07.000Z","dependencies_parsed_at":"2022-08-23T18:40:17.067Z","dependency_job_id":null,"html_url":"https://github.com/alphasoc/graylog-alphasoc","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/alphasoc/graylog-alphasoc","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alphasoc%2Fgraylog-alphasoc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alphasoc%2Fgraylog-alphasoc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alphasoc%2Fgraylog-alphasoc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alphasoc%2Fgraylog-alphasoc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/
GitHub/owners/alphasoc","download_url":"https://codeload.github.com/alphasoc/graylog-alphasoc/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alphasoc%2Fgraylog-alphasoc/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29970517,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-01T13:32:00.443Z","status":"ssl_error","status_checked_at":"2026-03-01T13:32:00.084Z","response_time":124,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["graylog-content-pack","intrusion-detection","malware-analysis","monitoring","security"],"created_at":"2024-11-09T08:08:35.126Z","updated_at":"2026-03-01T13:36:38.352Z","avatar_url":"https://github.com/alphasoc.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Network Behavior Analytics for Graylog\n\nThis content pack establishes a GELF input by which AlphaSOC alerts can be sent to Graylog by [Network Flight Recorder (NFR)](https://github.com/alphasoc/nfr), and a dashboard to summarize infected hosts and anomalies within the environment. 
NFR performs scoring of network traffic (DNS and IP events) which can be collected on the wire, or loaded via Bro IDS, Suricata, or other sources.\n\n## Screenshot\n\n![Threat Hunter](./dashboard-01.png)\n\n![Alert stream](./dashboard-02.png)\n\n## Provided Content\n\n* A TCP GELF input that receives alerts from NFR (default port: 12201)\n* A stream that matches NFR events\n* A dashboard which summarizes the alerts and suspicious domains\n\n## Sending NFR Events to Graylog\n\nTo escalate AlphaSOC alerts from NFR via GELF you must define the Graylog server address within `config.yml` (under the `outputs:` section) as below. NFR scores network traffic via the AlphaSOC Analytics Engine and escalates alerts to Graylog.\n\n```\n# Graylog server URI where AlphaSOC alerts will be sent in GELF format\n# The Network Behavior Analytics for Graylog content pack establishes\n# an input on TCP port 12201, which can be used to plug-and-play here.\ngraylog:\n  # URI to the server (for example tcp://127.0.0.1:12201)\n  # Default: (none)\n  uri:\n  # Message level.\n  # Default: 1\n  level: 1\n```\n\n## AlphaSOC Alert Format\n\nThe alert format and fields within Graylog are described in the table below.\n\n| Field            | Description                                                              |\n|------------------|--------------------------------------------------------------------------|\n| `host`           | NFR engine generating the alert                                          |\n| `engine_agent`   | NFR engine version (e.g. `Alphasoc NFR/1.9.0`)                           |\n| `original_event` | Timestamp of the original network event (e.g. DNS request)               |\n| `src_ip`         | IP address of the client / endpoint generating the traffic               |\n| `dest_ip`        | IP address of a suspicious destination                                   |\n| `threat`         | Short threat label (e.g. 
c2_communication)                               |\n| `message`        | Long threat label (e.g. \"C2 communication attempt indicating infection\") |\n| `severity`       | Event severity (5: critical, 4: high, 3: medium, 2: low, 1: info)        |\n| `flags` | A list of [low-level flags](https://docs.alphasoc.com/ae/flags/) used within AE to generate alerts and categorize traffic |\n| `query`          | DNS request FQDN associated with the alert (e.g. badguy123.ru)           |\n| `record_type`    | DNS request record type associated with the alert (e.g. A, MX, SRV)      |\n\n## Contributors\n\n- Chris D'Amore at Yellow Dog Networks","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falphasoc%2Fgraylog-alphasoc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Falphasoc%2Fgraylog-alphasoc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falphasoc%2Fgraylog-alphasoc/lists"}