Threat intel feeds in Security Analytics #672

Closed
eirsep opened this issue Oct 17, 2023 · 3 comments
Assignees
Labels
enhancement New feature or request

Comments

@eirsep
Member

eirsep commented Oct 17, 2023

Enrich Detectors With Feeds

Create/Update Detector flow

While creating Security Analytics detectors, customers will be able to choose threat feeds that they wish to enrich their detectors with.
Detector rules would be constructed from the latest version of the threat feeds to identify potential threats from the Indicators of Compromise (IoCs) such as IP addresses, network hosts, domains, file hashes, and email IDs which apply to the chosen log types.

RFC: #671

@eirsep eirsep added enhancement New feature or request untriaged labels Oct 17, 2023
@eirsep
Member Author

eirsep commented Oct 17, 2023

  • Choose some publicly available threat feeds
  • Create system indices for storing IoCs parsed from threat intel feeds
  • Integrate Job Scheduler to periodically update these feeds and, on each update, update detectors with this data
  • Build doc-level queries from threat intel IoCs present in threat intel system indices
  • Handle create/update detector flows w.r.t. threat intel enabled/disabled
  • Add a threat_intel_enabled flag in the detector payload; defaults to false in the API

@eirsep eirsep self-assigned this Oct 17, 2023
@eirsep eirsep removed the untriaged label Oct 17, 2023
@eirsep eirsep changed the title from "[META] Threat intel feeds in Security Analytics" to "Threat intel feeds in Security Analytics" Oct 17, 2023
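The two middle steps in the task list above (parse feed IoCs into a store, then build doc-level queries from them) as an added, stand-alone example; this is not code from the Security Analytics plugin. The feed format, the IoC-type-to-field mapping and the query id/tag naming are assumptions made for the example, and the feed content is constructed.

```python
import ipaddress
from collections import defaultdict
# Constructed sample feed (one "type,value" per line); not a real feed's content.
SAMPLE_FEED = """\
ip,198.51.100.23
ip,203.0.113.7
ip,198.51.100.23
ip,not-an-ip
ip,127.0.0.1
domain,Malicious.Example.
hash,44d88612fea8a8f36de82e1278abb02f
hash,zz88612fea8a8f36de82e1278abb02f
"""
# Assumed IoC type -> log fields mapping; placeholder names, not the plugin's real ones.
IOC_FIELDS = {"ip": ["src_ip", "dst_ip"], "domain": ["dns_query"], "hash": ["file_md5"]}
def parse_feed(text):
    """Parse 'type,value' lines into {type: set(values)}, normalising and dropping junk."""
    iocs = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ioc_type, _, value = line.partition(",")
        ioc_type, value = ioc_type.strip().lower(), value.strip()
        if ioc_type == "ip":
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                continue  # a malformed entry must never become a detector query
            if addr.is_loopback or addr.is_multicast or addr.is_unspecified or addr.is_link_local:
                continue  # such addresses only generate noise in a detector
            value = str(addr)  # canonical form, so duplicates collapse
        elif ioc_type == "domain":
            value = value.lower().rstrip(".")
        elif ioc_type == "hash":
            value = value.lower()
            if len(value) not in (32, 40, 64) or any(c not in "0123456789abcdef" for c in value):
                continue  # not an MD5/SHA-1/SHA-256 hex digest
        else:
            continue  # IoC type with no field mapping for this detector
        iocs[ioc_type].add(value)
    return dict(iocs)

def build_doc_level_queries(iocs, fields=IOC_FIELDS):
    # One query string per mapped field: field:("v1" OR "v2" ...), tagged by IoC type.
    queries = []
    for ioc_type, values in sorted(iocs.items()):
        clause = " OR ".join(f'"{v}"' for v in sorted(values))
        for field in fields.get(ioc_type, []):
            queries.append({"id": f"threat_intel_{ioc_type}_{field}",
                            "query": f"{field}:({clause})", "tags": ["threat_intel", ioc_type]})
    return queries
```

Re-running `parse_feed` on each feed refresh and regenerating the queries is what keeps the detector in step with the latest feed version.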
@tallyoh

tallyoh commented Nov 18, 2023

@eirsep thank you very much for doing this work.

@engechas
Collaborator

engechas commented Apr 9, 2024

Closing as completed by #669

@engechas engechas closed this as completed Apr 9, 2024