A threat intelligence feed is a stream of data about potential risks or malicious activity relevant to an organization's security. Resolution Intelligence Cloud's threat feed feature gives you information on attacks, including zero-day attacks, botnets, malware, and other security threats.
With threat feeds, you create a curated list of indicators of malicious activity within an organization and push it to Chronicle, which applies it to its stream of security data to analyze and identify upcoming risk.
Examples of threat feed content include IP addresses, malicious domains and URLs, phishing URLs, and malware hashes.
Configuring a Threat feed
User Permissions
A user with the Creator role at the Domain, Organization, or Tenant level can create threat feeds.
To create a threat feed,
- Navigate to Configurations --> Chronicle CMS in the left nav-bar.
- Click the Threat Feed icon.
- On the Threat Feed listing page, click +Add Threat Feed at the top right corner.
- Enter a Title and Description (both mandatory) for the threat feed.
- In Feed Source Type, select one of the following:
  - Enter IOCs: type the Indicators of Compromise directly; these include IP addresses, domains, and URLs.
  - Upload CSV: upload a CSV file to import many indicators at once.
  - Configure URL: give a URL that is fetched on a recurring schedule.
Note: The remaining fields depend on the Feed Source Type you selected. Recommendations and actions by source type:
- If you choose Enter IOCs: enter the indicators directly in the fields shown.
- If you choose Upload CSV: select the CSV file that contains the indicators.
- If you choose Configure URL: specify the format of the content at that URL, either CSV or HTML Table.
  - If you choose CSV: the content at the URL is read as a CSV file.
  - If you choose HTML Table: identify the table to read by its table attribute name, attribute value, and column index.
    Note: You can find the table attribute name, value, and index by inspecting the webpage at your URL (for example, with the browser's developer tools).
- On the Threat Feed listing page, click Actions --> Send for Review.
The threat feed moves to the Under Review state and is sent to a Publisher for review.
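The product validates what you enter in the form, but a Creator usually wants to check a batch of indicators before submitting a feed for review. As an added example that is not part of this page or the product's own code, the following Python script does that pre-flight check: it reads indicators from CSV text or from an HTML table chosen by attribute name, value, and column index (mirroring the Configure URL options above), undoes common defanging ("hxxp", "[.]"), classifies each value as an IP, domain, URL, or hash, rejects anything that does not parse, and drops duplicates. The CSV text, HTML snippet, column name, and validation regexes are constructed for this example and are not the product's formats or validators.

```python
"""Added example: pre-flight check of indicators before creating a threat feed.
Reads IOCs from CSV text or from an HTML table chosen by attribute name/value
and column index, refangs them, classifies them, and drops junk and duplicates.
The sample inputs and the validation regexes below are constructed for this
example; they are not the product's own formats or validators."""
import csv
import io
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)  # MD5/SHA-1/SHA-256
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

# Constructed sample inputs (RFC 5737 test addresses, .example names).
SAMPLE_CSV = """indicator,source
198.51.100.23,sandbox
evil[.]example,report
hxxps://evil.example/payload.bin,report
d41d8cd98f00b204e9800998ecf8427e,sandbox
198.51.100.23,duplicate
not an ioc,typo
"""
SAMPLE_HTML = """<html><body>
<table class="nav"><tr><th>Menu</th></tr><tr><td>ignore.me</td></tr></table>
<table id="ioc-table"><tr><th>Seen</th><th>Indicator</th></tr>
<tr><td>2024-01-01</td><td>203.0.113.7</td></tr>
<tr><td>2024-01-02</td><td>bad.example.org</td></tr>
</table></body></html>"""


def classify(raw):
    """Return (kind, normalised value), or (None, raw) if it is not a usable IOC.
    Undoes common defanging ("hxxp", "[.]") found in shared reports."""
    value = raw.strip().replace("[.]", ".").replace("(.)", ".")
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.I)
    if not value or value.startswith("#"):
        return None, raw
    if HASH_RE.match(value):
        return "hash", value.lower()
    try:
        return "ip", str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if "://" in value:
        parsed = urlparse(value)
        if parsed.scheme in ("http", "https") and parsed.hostname:
            return "url", value
        return None, raw
    if DOMAIN_RE.match(value):
        return "domain", value.lower().rstrip(".")
    return None, raw


def iocs_from_csv(text, column="indicator"):
    """Take one named column out of CSV text that has a header row."""
    return [row[column] for row in csv.DictReader(io.StringIO(text)) if row.get(column)]


class _TableGrabber(HTMLParser):
    """Collect the cell text of the first <table> carrying attr_name="attr_value"."""

    def __init__(self, attr_name, attr_value):
        super().__init__()
        self.want = (attr_name, attr_value)
        self.rows, self.in_table, self.in_cell = [], False, False
        self._row, self._cell = [], ""

    def handle_starttag(self, tag, attrs):
        if tag == "table" and not self.rows and self.want in attrs:
            self.in_table = True
        elif self.in_table and tag == "tr":
            self._row = []
        elif self.in_table and tag in ("td", "th"):
            self.in_cell, self._cell = True, ""

    def handle_data(self, data):
        if self.in_cell:
            self._cell += data

    def handle_endtag(self, tag):
        if self.in_table and tag in ("td", "th"):
            self.in_cell = False
            self._row.append(self._cell.strip())
        elif self.in_table and tag == "tr":
            self.rows.append(self._row)
        elif self.in_table and tag == "table":
            self.in_table = False


def iocs_from_html_table(html, attr_name, attr_value, index):
    """Column `index` of the table identified by attr_name/attr_value, header row skipped."""
    grabber = _TableGrabber(attr_name, attr_value)
    grabber.feed(html)
    return [row[index] for row in grabber.rows[1:] if len(row) > index]


def build_feed(raw_values):
    """Classify and de-duplicate; returns ({kind: [values]}, [rejected raw values])."""
    accepted, rejected, seen = {}, [], set()
    for raw in raw_values:
        kind, value = classify(raw)
        if kind is None:
            rejected.append(raw)
        elif value not in seen:
            seen.add(value)
            accepted.setdefault(kind, []).append(value)
    return accepted, rejected


def demo():
    """Run both sources through the same checks, as a Creator would before review."""
    raw = iocs_from_csv(SAMPLE_CSV) + iocs_from_html_table(SAMPLE_HTML, "id", "ioc-table", 1)
    return build_feed(raw)


if __name__ == "__main__":
    accepted, rejected = demo()
    for kind, values in sorted(accepted.items()):
        print(f"{kind}: {values}")
    print("rejected:", rejected)
```

The rejected list is the part worth reading before you submit: a typo or a stray comment line that slips into a feed becomes a noisy or useless indicator in Chronicle. The accepted lists can be written back out as a CSV in whatever column layout the Upload CSV option expects, or pasted into the Enter IOCs fields.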
Publishing a Threat Feed
User Permissions
A user with the Publisher role at the Domain, Organization, or Tenant level can publish threat feeds.
To publish a threat feed,
- Navigate to Configurations --> Chronicle CMS at the left nav-bar.
- Click the Threat Feed icon.
- In the Threat feed listing page, click on a threat feed which is Under Review State.
- Verify the mandatory fields and click Actions in the top right corner of the screen. A drop-down list appears. From the drop-down list:
  - Click Approve if the mandatory fields are appropriate. The threat feed moves to the Reviewed state once it is approved.
  - Click Reject if the mandatory fields are not appropriate. The threat feed is sent back to the Creator for changes and moves to the Draft state.
- Before publishing a threat feed from the Domain level, select the list of organizations for which you want to publish it; if you do not, it is published to all organizations under your domain. The same applies to tenants under an organization.
Note: A Publisher can publish a threat feed at the organization and tenant level. For example, if the publisher publishes a threat feed at the organization level, changes to that threat feed propagate to the tenants under that organization.
Finding Threat Feeds
The free-text search filters the list as you type, matching text in the threat feed title. There is no Search button.
Sorting Threat Feeds
The Threat Feed listing page shows all threat feeds (Published, Under Review, and Draft) once they have been created or published. You can sort the threat feeds by any of the following options.

| Item | Description |
| --- | --- |
| Last Modified On | Date and time of the last change to a threat feed |
| Title | Title you gave the threat feed when creating it |
| Name | Name generated automatically for the threat feed when it is created |
| Most Used | Most frequently used threat feeds first |
| Created On | Date and time the threat feed was first created |
| Feed Source Type | Type of source the threat feed originated from (Enter IOCs, Upload CSV, or Configure URL) |
| Schedule Interval | Interval at which the feed is refreshed: Half-hourly, Hourly, Two-Hourly, Three-Hourly, Six-Hourly, Twice-Daily, Daily, Weekly, or Monthly |

To rearrange the list in ascending or descending order, click the ascending or descending sort icon next to the selected option.