Automated Threat Hunting using InsightConnect

Good day!

We’d like to develop some threat hunting capabilities in our SOC using InsightConnect as well as InsightIDR. For starters, my plan was to develop a workflow that performs IOC hunting based on known bad hashes / urls / domains or ips in a scheduled way (daily or weekly). My first idea was to develop a workflow that pulls IOCs from one of our Community Threats in order to perform specific queries against the log search (ex: searching malicious domain in DNS logs). Alternatively, I could use a global artifact for storing IOCs, pulling them and searching for them.

I was wondering if someone else is doing the same stuff within ICON/IDR and can share some experiences? One of my concerns is probably the efficiency of the log search especially when it comes to searching for a larger time frame (7 days+).

Are you looking for events that occurred in the past, that is going to be a bit more involved. But if you are wanting to use the IOCs to alert on active events you can create a Threat Group that IDR will use to trigger alerts based on the information within that Threat Group.

Here is an example workflow using Threat Command to update IDR. Rapid7 Extensions

Here is an example of something I recently did. Depending on how you are getting the “Known bad” indicators in (threat feed or something along those lines), have them put in a Global Artifact to reference, separate one for each type. Then have a workflow that runs on a timer, connects to IDR and does a search for them, referencing the Global Artifact (Loop for each one). If found you can fire of an alert, and run further actions and remediations on them depending on the thresholds you set (rep score, etc…). Within this workflow I also connected to a firewall and ran actions to see if the IOC existed in the logs and performed further actions. There are several ways to get this accomplished but figured I would give you the starting point I used for the one I was playing with, along with the workflow that Michael referenced above. Side note, if a particular IOC was found multiple times, I fired off a war team channel in Slack to get everyone involved

Yeah, we do a bunch of that. In fact, it happens in real time if you add the IOCs to custom alerts or the Community Threats. You can automate you threat hunting completely by parsing out all the IOCs you want by using insight connect to pull the information from community MISP ( MISP Open Source Threat Intelligence Platform & Open Standards For Threat Information Sharing ( or threat feeds like this one: GitHub - CriticalPathSecurity/Zeek-Intelligence-Feeds: Zeek-Formatted Threat Intelligence Feeds.

In the instance where it’s something just affecting you and your environment, but not technically using malicious files, use the endpoint activity logs in InsightIDR to create custom alerts while searching for bad process hashes. For example, someone get their account compromised, the hacker gets inside your network and drops some files (Portable SSH client, SMTP server, npm package, anything really). You collect the hashes from those and setup the custom alert to search for the IOCs. You can make it do just about anything you want except take the place of a real EDR like CrowdStrike.

Here’s a threat hunting tip for you. If you don’t blacklist browser extensions (I highly recommended not letting users install any extensions) you can use process start events and monitor for known malicious chrome extensions by making a variable in InsightIDR and populating it with bad extension IDs from a git like this one: chrome-mal-ids/current-list-meta.csv at master · mallorybowes/chrome-mal-ids · GitHub It’s a little out of date but I’m sure there are newer ones out there. I don’t keep track since I started blocking all extensions.

It’ll pickup on process starts containing lines like this “chrome-extension://hehijbfgiekmjfkfjpbkbammjbdenadd/ --parent-window=0” and might help you detect some nasty stuff like chrome extensions that create reverse proxies, that hackers use to steal all the session data and impersonate any user who has valid tokens in the browser.

1 Like