This article gives an overview of threat feeds in the Resolution Intelligence Cloud and the procedures for creating, publishing, and managing them.
A threat intelligence feed is a stream of data about potential risks or malicious activity that threaten an organization's security. Resolution Intelligence Cloud supports a threat feed feature that provides you with information on attacks, including zero-day attacks, botnets, malware, and other security threats.
With threat feeds, you can create a list of curated threats related to malicious activity within an organization and push them to Chronicle to analyze and identify upcoming risks. Resolution Intelligence Cloud enables you to create a list of curated threats that help bring intelligence into a stream of security data. Examples of threat feed entries include IP addresses, malicious domains and URLs, phishing URLs, malware hashes, and more.
Configuring a Threat feed
User Permissions
Users with the Creator role at the Domain, Organization, or Tenant level can create threat feeds.
To create a threat feed,
- Do one of the following to access Configurations:
  - Click the Configurations icon at the top navigation bar.
  - Click the hamburger menu on the left and select CONFIGURATIONS.
- Click Detection Policies, under Signals. You will be redirected to the Detection Policies page.
- Click the Create New drop-down and select Threat Feed. The New Threat Feed page appears.
- Enter a Title and Description (mandatory) for the threat feed.
- Check the box to the left of Enable Signal Generation. You will then be notified on the Signals home page of a signal generated whenever an IOC matches the criteria defined in the threat feed. By default, the IOC rules such as ip, domain, URL, and hash static are copied to new users during onboarding.
- In Feed Source Type, select one of the following:
  - Enter IOCs: Indicators of Compromise include IP addresses, domains, and URLs.
  - Upload CSV: Upload a CSV file to import multiple threat feed entries from the file.
  - Configure URL: A URL that is monitored recurrently.
Note: The fields below vary based on your selection.
a). If you choose Enter IOCs:
- In IOC Type, select one of the following:
  - Domain: includes domains that carry malicious threats.
  - IP Address: includes IP addresses that carry malicious threats.
  - URL: includes phishing URLs that carry malicious threats.
  - Hash: includes hash values of malicious files.
- In IOC Values, enter a value. For example, threat.com.
- Score (Optional): Determines the score of each threat type.
- Severity (Optional): Select one of the following: High, Medium, or Low.
- Category (Optional): Enter the category that the threat belongs to. For example, a phishing URL.
- From the Exclude (optional) drop-down, select the reference lists containing IP addresses, email addresses, URLs, and other items to exclude.
- Click Save. Your threat feed will be saved as a draft on the listing page.
b). If you choose Upload CSV:
- Click Download CSV file format. A template is downloaded to your local system. Enter values under the IOC Type, IOC Value, Score, Severity, Category, and Feed Source columns.
- Either drag and drop the file or click Browse file to upload the CSV file containing threat feed entries from your local system.
- From the Exclude (optional) drop-down, select the reference lists containing IP addresses, email addresses, URLs, and other items to exclude.
- Click Save. Your threat feed will be saved as a draft on the listing page.
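The following is an added example, not code from the product or this article, showing what a sensible pre-check of the Enter IOCs and Upload CSV inputs looks like before they are imported: every IOC value is normalized and validated against its declared type, rows that match an Exclude reference list are dropped, and the survivors are written out in the template's six-column layout. The column names are the ones listed above; the sample rows, the exclude list, and the function names are constructed for the example.

```python
import csv
import io
import ipaddress
import re
from urllib.parse import urlparse

# Column layout of the CSV template described above (Download CSV file format).
TEMPLATE_COLUMNS = ["IOC Type", "IOC Value", "Score", "Severity", "Category", "Feed Source"]
SEVERITIES = {"High", "Medium", "Low"}

# Hex digest lengths for MD5 (32), SHA-1 (40) and SHA-256 (64).
_HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def normalize_ioc(ioc_type: str, value: str) -> str:
    """Return the canonical form of an IOC value, or raise ValueError if it does not fit its type."""
    t, v = ioc_type.strip().lower(), value.strip()
    if t == "ip":
        return str(ipaddress.ip_address(v))  # raises ValueError on anything that is not an IPv4/IPv6 address
    if t == "domain":
        v = v.lower().rstrip(".")
        if not _DOMAIN_RE.match(v):
            raise ValueError(f"not a domain: {value!r}")
        return v
    if t == "url":
        parts = urlparse(v)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError(f"not an http(s) URL: {value!r}")
        return v
    if t == "hash":
        if not _HASH_RE.match(v):
            raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {value!r}")
        return v.lower()
    raise ValueError(f"unknown IOC type: {ioc_type!r}")


def validate_rows(rows, exclude=frozenset()):
    """Split template rows into (accepted, rejected); each rejected entry carries the reason.

    `exclude` holds normalized values from an Exclude reference list (for example scanners you run
    yourself), so that your own infrastructure never ends up flagged as an IOC.
    """
    accepted, rejected = [], []
    for row in rows:
        try:
            value = normalize_ioc(row["IOC Type"], row["IOC Value"])
            severity = row.get("Severity", "").strip()
            if severity and severity not in SEVERITIES:
                raise ValueError(f"severity must be High, Medium or Low: {severity!r}")
            score = row.get("Score", "").strip()
            if score and not score.isdigit():
                raise ValueError(f"score must be a non-negative integer: {score!r}")
        except ValueError as exc:
            rejected.append((row, str(exc)))
            continue
        if value in exclude:
            rejected.append((row, "excluded by reference list"))
            continue
        accepted.append({**row, "IOC Type": row["IOC Type"].strip().lower(), "IOC Value": value})
    return accepted, rejected


def to_csv(rows) -> str:
    """Serialize accepted rows in the template's column order, ready for the Upload CSV step."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=TEMPLATE_COLUMNS, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({col: row.get(col, "") for col in TEMPLATE_COLUMNS})
    return buf.getvalue()


# Constructed sample rows (not product data): one valid entry, one excluded, one bad hash, one bad severity.
SAMPLE_ROWS = [
    {"IOC Type": "Domain", "IOC Value": "Threat.Example.", "Score": "80", "Severity": "High",
     "Category": "phishing", "Feed Source": "internal"},
    {"IOC Type": "ip", "IOC Value": "203.0.113.7", "Score": "50", "Severity": "Medium",
     "Category": "scanner", "Feed Source": "internal"},
    {"IOC Type": "hash", "IOC Value": "not-a-hash", "Score": "90", "Severity": "High",
     "Category": "malware", "Feed Source": "internal"},
    {"IOC Type": "url", "IOC Value": "https://threat.example/login", "Score": "70", "Severity": "Critical",
     "Category": "phishing", "Feed Source": "internal"},
]
# Constructed Exclude reference list: an address of your own scanner that must never be treated as an IOC.
EXCLUDE = frozenset({"203.0.113.7"})

if __name__ == "__main__":
    ok, bad = validate_rows(SAMPLE_ROWS, EXCLUDE)
    print(to_csv(ok), end="")
    for row, reason in bad:
        print(f"rejected {row['IOC Value']!r}: {reason}")
```

Rejected rows are reported with their reason rather than silently dropped, so a typo in a hash or a severity value outside High/Medium/Low surfaces before the file is uploaded rather than after it has been pushed to Chronicle.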
c). If you choose Configure URL:
1. In the URL field, enter the URL you would like to ingest threats from.
2. In Authentication Type, select one of the following from the drop-down:
  - No Authentication: No authentication credentials are required.
  - Basic Auth: Enter a Username and Password.
  - Bearer Token: Enter the secret token.
  - Access Service Token: Enter a Header Key and Header Value in the given fields. In the Payload field, optionally enter a payload in JSON format to extract values.
3. In Data Format, select the format of the IOC data at the URL from the drop-down.
i). If you choose the CSV data format:
a). In Feed Column Delimiter Type, select from the drop-down the delimiter that separates columns in the CSV file:
  - Comma (,)
  - Space ( )
  - Semicolon (;)
  - Colon (:)
  - Vertical Pipe (|)
  - Slash (/)
  - Hash (#)
b). In Multi Value Delimiter in Feed Column, select from the drop-down the delimiter used in the CSV to separate multiple values within a column:
  - Vertical Pipe (|)
  - Semicolon (;)
  - Colon (:)
c). Click Load Columns. The columns available in the CSV file are previewed.
d). Under Define Columns, select the columns in the CSV file to map to the predefined columns in the list.
e). Select one of the following options next to each column from the drop-down menu:
  - Ignore
  - Entity
  - IOC Type
  - Feedsource
  - Category
  - Score
  - Severity
  - Expiry date
  - First Seen
  - Last Seen
  - threat_actor
  - cve
  - malware
  - Campaign
f). Check the box next to Extract Value. A dialog box appears.
g). Check the box next to one of the following options:
  - Custom Search: Only an underscore or a space is allowed in the string delimiter field; it separates the string content of the column into tags.
  - Advanced Regex: Enter a regular expression to search across the column in the CSV file that you specified. For example, {"category": "(?<=Domain used by )(.*)"}
h). Click Extract. The words in the selected index are extracted and stored in the columns of each row of the CSV.
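As an added illustration (not the product's implementation) of steps a) to h) for a CSV feed fetched from a URL, the block below splits a feed body on the chosen column delimiter, splits multi-value cells on the chosen multi-value delimiter, applies a Define Columns mapping that ignores unmapped columns, and runs the page's Advanced Regex example `(?<=Domain used by )(.*)` over a specified column to fill Category. The delimiter names come from the drop-downs above; the feed body, the mapping, the set of multi-value fields, and the function names are assumptions made for this example.

```python
import csv
import io
import re

# Delimiters offered in the two drop-downs above, keyed by their names in the UI.
COLUMN_DELIMITERS = {"Comma": ",", "Space": " ", "Semicolon": ";", "Colon": ":",
                     "Vertical Pipe": "|", "Slash": "/", "Hash": "#"}
MULTI_VALUE_DELIMITERS = {"Vertical Pipe": "|", "Semicolon": ";", "Colon": ":"}
# Target fields treated as multi-valued here (assumption: the article does not say which fields are).
MULTI_VALUE_FIELDS = {"threat_actor", "cve", "malware", "Campaign"}


def load_columns(text: str, column_delimiter: str):
    """Load Columns: split the feed body into a header and its data rows."""
    reader = csv.reader(io.StringIO(text), delimiter=column_delimiter)
    header = next(reader)
    rows = [row for row in reader if any(cell.strip() for cell in row)]
    return header, rows


def custom_search_tags(value: str, string_delimiter: str = " "):
    """Custom Search: split a cell into tags; only a space or an underscore is allowed as delimiter."""
    if string_delimiter not in (" ", "_"):
        raise ValueError("string delimiter must be a space or an underscore")
    return [tag for tag in value.split(string_delimiter) if tag]


def map_row(header, row, mapping, multi_delimiter, extract=None):
    """Define Columns and Extract Value for one row.

    mapping: {feed column: target field or "Ignore"}
    extract: {target field: (feed column, regex)}; the regex is written as in the page's example,
             e.g. "(?<=Domain used by )(.*)", and group 1 (or the whole match) becomes the value.
    """
    cells = dict(zip(header, row))
    record = {}
    for name, value in cells.items():
        target = mapping.get(name, "Ignore")
        if target == "Ignore":
            continue
        if target in MULTI_VALUE_FIELDS:
            record[target] = [v.strip() for v in value.split(multi_delimiter) if v.strip()]
        else:
            record[target] = value.strip()
    for field, (source_column, pattern) in (extract or {}).items():
        match = re.search(pattern, cells.get(source_column, ""))
        if match:  # rows without a match simply do not get the extracted field
            record[field] = (match.group(1) if match.groups() else match.group(0)).strip()
    return record


def parse_feed(text, column_delimiter_name, multi_delimiter_name, mapping, extract=None):
    """Run the whole CSV-over-URL flow on a feed body already fetched from the configured URL."""
    header, rows = load_columns(text, COLUMN_DELIMITERS[column_delimiter_name])
    multi = MULTI_VALUE_DELIMITERS[multi_delimiter_name]
    return [map_row(header, row, mapping, multi, extract) for row in rows]


# Constructed feed body (not a real vendor feed): semicolon-separated columns, pipe-separated actors.
SAMPLE_FEED = """indicator;type;description;actors;first_seen
bad.example;domain;Domain used by constructed-kit phishing campaign;actor-one|actor-two;2024-01-05
198.51.100.9;ip;Scanner observed against a honeypot;;2024-01-06
"""
MAPPING = {"indicator": "Entity", "type": "IOC Type", "description": "Ignore",
           "actors": "threat_actor", "first_seen": "First Seen"}
# The Advanced Regex from the page, applied to the description column and stored under Category.
EXTRACT = {"Category": ("description", "(?<=Domain used by )(.*)")}

if __name__ == "__main__":
    for record in parse_feed(SAMPLE_FEED, "Semicolon", "Vertical Pipe", MAPPING, EXTRACT):
        print(record)
```

The lookbehind in the page's example is fixed-width, which is what Python's `re` requires; a variable-width prefix would have to be rewritten as a capturing group on the suffix instead.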
ii). If you choose HTML Table:
a). Click Load Tables. The tabular data found on the page is shown.
b). Check the box next to the table you want.
c). Click Load Columns. The columns of the selected table are shown.
d). Under Define Columns, select the data you want to feed into the existing columns of your selected table.
e). Select one of the following options next to each column from the drop-down menu:
  - Ignore
  - Entity
  - Category
  - Score
  - Severity
f). Check the box next to Extract Value. A dialog box appears.
g). Check the box next to one of the following options:
  - Custom Search: Only an underscore or a space is allowed in the string delimiter field; it separates the string content of the column into tags.
  - Advanced Regex: Enter a regular expression to search across the column that you specified. For example, {"category": "(?<=Domain used by )(.*)"}
h). Click Extract. The words in the selected index are extracted and stored in the columns of each row.
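The Load Tables, Load Columns, and Define Columns steps above amount to pulling every table out of an HTML page, picking one, and keeping only the mapped columns. The block below is an added, self-contained example of that using only the standard library; it is not the product's code. The HTML page, the table ids, and the column mapping are constructed for the example; the target fields are the five listed above.

```python
from html.parser import HTMLParser


class TableExtractor(HTMLParser):
    """Load Tables: collect every top-level <table> as (header, rows), using its first row as the header.

    Nested tables are not split out: their text is flattened into the enclosing cell.
    """

    def __init__(self):
        super().__init__()
        self.tables = []
        self._depth = 0      # how many <table> elements are currently open
        self._rows = None    # rows of the top-level table being read
        self._row = None
        self._cell = None

    def handle_starttag(self, tag, attrs):
        if tag == "table":
            self._depth += 1
            if self._depth == 1:
                self._rows = []
        elif self._depth == 1 and tag == "tr":
            self._row = []
        elif self._depth == 1 and tag in ("td", "th") and self._row is not None:
            self._cell = []

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)

    def handle_endtag(self, tag):
        if tag == "table":
            if self._depth == 1:
                if self._rows:
                    self.tables.append((self._rows[0], self._rows[1:]))
                self._rows = None
            self._depth = max(0, self._depth - 1)
        elif self._depth == 1 and tag in ("td", "th") and self._cell is not None:
            self._row.append(" ".join("".join(self._cell).split()))  # collapse whitespace
            self._cell = None
        elif self._depth == 1 and tag == "tr" and self._row is not None:
            if self._row:
                self._rows.append(self._row)
            self._row = None


def load_tables(html: str):
    """Return [(header, rows), ...] for every top-level table on the page, in document order."""
    parser = TableExtractor()
    parser.feed(html)
    parser.close()
    return parser.tables


def map_table(header, rows, mapping):
    """Define Columns: keep only the columns mapped to Entity, Category, Score or Severity."""
    records = []
    for row in rows:
        record = {}
        for name, value in zip(header, row):
            target = mapping.get(name, "Ignore")
            if target != "Ignore":
                record[target] = value
        records.append(record)
    return records


# Constructed page (not a real feed site): a navigation table that should be skipped, then the IOC table.
SAMPLE_HTML = """<html><body>
<table id="nav"><tr><th>Section</th></tr><tr><td>Home</td></tr></table>
<h2>Indicators</h2>
<table id="iocs">
  <tr><th>Indicator</th><th>Type</th><th>Confidence</th><th>Risk</th><th>Notes</th></tr>
  <tr><td>bad.example</td><td>domain</td><td>85</td><td>High</td><td>Domain used by a constructed kit</td></tr>
  <tr><td>198.51.100.9</td><td>ip</td><td>40</td><td>Low</td><td>Scanner</td></tr>
</table>
</body></html>"""
MAPPING = {"Indicator": "Entity", "Type": "Ignore", "Confidence": "Score", "Risk": "Severity", "Notes": "Category"}

if __name__ == "__main__":
    tables = load_tables(SAMPLE_HTML)
    header, rows = tables[1]   # the table you would tick in step b)
    for record in map_table(header, rows, MAPPING):
        print(record)
```

Selecting the table by position mirrors the checkbox in step b); if the page you ingest from reorders its tables, the header row is the more robust thing to match on.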
iii). If you choose JSON:
a). Under API Integration, select one of the following options:
  - cURL based: Enter the request method as POST, the client ID, client secret, content type, and the URL from which you would prefer to pull the data. The sample request looks like:
    curl --request POST \
      --url https://know-to-cms.dummyops.net/post/data \
      --header 'CF-Access-Client-Id: 8293e74d66gggggjjjkkkdddddaaass.access' \
      --header 'CF-Access-Client-Secret: 3ffhhktkghk34465675878768586585883552423' \
      --header 'Content-Type: application/json' \
      --data '{
        "ioc_type":"ip",
        "historic_days":30
      }'
  - Form Based: Select the following options to pull the data (for example, IP) from the URL.
    - In the Request method field, select POST from the drop-down.
    - In the URL field, enter the URL from which you prefer to pull data.
    - In Authentication Type, select Access Service Token from the drop-down menu.
    - In Header Key, enter client-id, and in Header Value, enter the respective value.
    - Click Add.
    - In Header Key, enter client-secret, and in Header Value, enter the respective value.
    - Click Add.
    - In Header Key, enter Content-type, and in Header Value, enter application/json.
    - In Payload, enter the JSON payload as specified below:
      {
        "ioc_type":"ip",
        "historic_days":30
      }
b). Click Load. The API data is loaded.
c). Under Define Columns, select the data you want to feed into the existing columns in your selected table.
d). Select one of the following options next to each column from the drop-down menu:
  - Ignore
  - Entity
  - Category
  - Score
  - Severity
e). Click Extract. The words in the selected index are extracted and stored in the columns.
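The cURL based and Form Based options above describe the same HTTP request: a POST carrying two credential headers, a JSON content type, and the `{"ioc_type": "ip", "historic_days": 30}` payload. The block below is an added example, not the product's code, that builds that request with the standard library, reads the two credentials from environment variables instead of pasting them into a script, and applies a Define Columns mapping to the JSON that comes back. The URL and header names are taken from the page's sample request; the environment variable names, the response body, and the mapping are assumptions constructed for this example.

```python
import json
import os
import urllib.request

# URL from the page's sample request. Credentials are read from the environment (constructed
# variable names) so that client IDs and secrets do not live in scripts, tickets or screenshots.
FEED_URL = "https://know-to-cms.dummyops.net/post/data"
CLIENT_ID_ENV = "FEED_CLIENT_ID"
CLIENT_SECRET_ENV = "FEED_CLIENT_SECRET"


def load_credentials():
    """Return (client_id, client_secret) from the environment, failing loudly if either is unset."""
    try:
        return os.environ[CLIENT_ID_ENV], os.environ[CLIENT_SECRET_ENV]
    except KeyError as missing:
        raise RuntimeError(f"set {missing.args[0]} before running") from None


def build_request(url, client_id, client_secret, ioc_type="ip", historic_days=30):
    """Build the POST that both the cURL based and the Form Based configuration describe."""
    payload = json.dumps({"ioc_type": ioc_type, "historic_days": historic_days}).encode()
    headers = {
        "CF-Access-Client-Id": client_id,
        "CF-Access-Client-Secret": client_secret,
        "Content-Type": "application/json",
    }
    return urllib.request.Request(url, data=payload, headers=headers, method="POST")


def header_value(req, name):
    """Case-insensitive header lookup (urllib normalizes the capitalization of header names)."""
    for key, value in req.header_items():
        if key.lower() == name.lower():
            return value
    return None


def fetch_feed(req, timeout=30.0):
    """Load: send the request and decode the JSON body. Network call, so not part of the offline check."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def define_columns(api_data, mapping):
    """Define Columns: map each JSON object's keys to Entity/Category/Score/Severity, ignoring the rest."""
    if isinstance(api_data, dict):
        # Many APIs wrap the list in an envelope; take the first list-valued member (assumption).
        api_data = next((v for v in api_data.values() if isinstance(v, list)), [])
    records = []
    for obj in api_data:
        record = {}
        for key, target in mapping.items():
            if target == "Ignore" or key not in obj:
                continue
            value = obj[key]
            # Severity in the product is High/Medium/Low, so normalize the case of the source value.
            record[target] = str(value).capitalize() if target == "Severity" else value
        records.append(record)
    return records


# Constructed response body (not a real API's schema) in the shape the Load step would return.
SAMPLE_RESPONSE = {
    "data": [
        {"indicator": "198.51.100.23", "kind": "ip", "confidence": 85, "level": "high", "tag": "c2"},
        {"indicator": "203.0.113.200", "kind": "ip", "confidence": 40, "level": "low", "tag": "scanner"},
    ]
}
MAPPING = {"indicator": "Entity", "kind": "Ignore", "confidence": "Score", "level": "Severity", "tag": "Category"}

if __name__ == "__main__":
    client_id, client_secret = load_credentials()
    req = build_request(FEED_URL, client_id, client_secret)
    for record in define_columns(fetch_feed(req), MAPPING):
        print(record)
```

Keeping the request builder separate from the network call lets you check exactly which headers and payload will leave your environment before any credential is sent, which is the same review you should do on the Form Based header list in the UI.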
4. In Score (Optional): Determines the score of each threat type.
5. In Severity (Optional): Select one of the following:
  - High
  - Medium
  - Low
6. In Category (Optional): Enter the category that the threat belongs to. For example, a phishing URL.
7. Under Schedule, in Schedule Interval, select one of the following intervals at which to poll the URL for threats:
  - Half-Hourly
  - Hourly
  - Two-Hourly
  - Three-Hourly
  - Six-Hourly
  - Twice - Daily
  - Daily
  - Weekly
  - Monthly
8. In the Whitelists field, add one or more IP addresses and domain URLs; feed entries that originate from whitelisted IPs are excluded.
9. Click Done.
10. After the data has been fetched, click Save. Your threat feed will be saved as a draft on the listing page.
11. On the Threat Feed listing page, click Actions --> Send for Review. Your threat feed will be sent to the Publisher for review.
Publishing a Threat Feed
User Permissions
Users with the Publisher role at the Domain, Organization, or Tenant level can publish threat feeds.
To publish a threat feed,
- Do one of the following to access Configurations:
  - Click the Configurations icon at the top navigation bar.
  - Click the hamburger menu on the left and select CONFIGURATIONS.
- Click Detection Policies, under Signals. You will be redirected to the Detection Policies page.
- Click the Threat Feeds tab.
- On the Threat Feed Listing page, click a threat feed that is in the Under Review state.
- Verify the mandatory fields and click Actions in the top right corner of the screen. A drop-down list opens.
- From the drop-down list:
  - Click Approve if the mandatory fields are appropriate. The threat feed moves to the Reviewed state once it is approved. If you are at the Domain level, ensure before publishing that you have selected the list of organizations for which you want to publish the threat feed; otherwise it is published to all organizations under your domain, as well as their tenants. When the threat feed is published, its status changes to Publishing; once the publishing process is complete, the status updates to Published.
  - Click Reject if the mandatory fields are not appropriate. The threat feed is sent back to the Creator for changes and moved to the Draft state.
Note: A Publisher can publish a threat feed at the organization and tenant level. For example, if the publisher publishes a threat feed at the organization level, the changes in the threat feed are sent down to the tenant level.
Enabling or Disabling a Threat Feed
The Creator, Publisher, and Manager roles can enable or disable threat feeds.
Use the following procedure to enable or disable a threat feed. Only threat feeds in the published state can be disabled. If a threat feed is disabled at the parent level, it will also be disabled at all child levels. For example, if a threat feed is disabled at the domain level, it will be disabled for all organizations and tenants under that domain.
To disable a threat feed:
- Access Configurations by doing one of the following:
  - Click the Configurations icon in the top navigation bar.
  - Click the hamburger menu on the left and select CONFIGURATIONS.
- Click Detection Policies under Signals. This will redirect you to the Detection Policies page.
- Click the Threat Feeds tab.
- Click to open the threat feed in the published state. This will open the threat feed details.
- Click Disable to disable the threat feed in Chronicle.
Once disabled, you can enable the threat feed at any time by clicking the disabled threat feed on the threat feed listing page. This opens the threat feed details, where you will find the option to enable it again.
Editing a Threat Feed
User Permissions
The creator and publisher can update/edit a threat feed.
Note: Editing is applicable to published state only.
To edit/update a threat feed,
- Do one of the following to access Configurations:
  - Click the Configurations icon at the top navigation bar.
  - Click the hamburger menu on the left and select CONFIGURATIONS.
- Click Detection Policies, under Signals. You will be redirected to the Detection Policies page.
- Click the Threat Feeds tab.
- Click the threat feed you would like to edit.
- Click Actions --> Update at the top right corner of the screen.
- Make your changes and click Send for review at the top right corner. The threat feed will be moved to the Under Review state.
Note: If publishing a threat feed fails, you can update the threat feed details and send it for review, or retry publishing the failed feed.
Finding Threat Feeds
The free text search filters the threat feeds by text in the threat feed title. There is no Search button.
Filtering Threat Feeds
The conditional filter allows you to filter the threat feeds based on the given search criteria. You can select the label, operator, and value to filter the results. You can add as many filters as you want using the +Add filter option. The filters let you fetch threat feeds by Title, Status, Feed Source Type, Severity, Created By, and Last Modified By.
Sorting Threat Feeds
The threat feed page lists all threat feeds (Published, Under Review, and Draft) on the listing page after they are created or published. You can sort the threat feeds by the following options:
Item | Description
Last Modified On | Date and time at which the threat feed was last modified.
Title | Name of the threat feed given when creating it.
Most Used | Frequently used threat feeds.
Created On | Date and time when the threat feed was created.
Feed Source Type | The source from which the threat feed originates.
Schedule Interval | Intervals include Half-hourly, Hourly, Two-Hourly, Three-Hourly, Six-Hourly, Twice - Daily, Daily, Weekly, and Monthly.
To rearrange threat feeds in descending or ascending order, click the ascending or descending sort icon.