I’m not sure if this is doubling up on datasets that R7 might already have, but I’m interested to know if there’s a method of utilizing additional threat feed sources such as AlienvaultOTX.
The example I’m thinking of, is looking for endpoints that might be talking out to ransomware domains.
e.g. https://otx.alienvault.com/pulse/5f7f03c910fdf26246339049
Perhaps there’s a better way to do this, that I’ve not yet discovered. Would be keen to learn how others do it.
Thanks in advance.
Hey @paul_deasy,
So, it really depends. Our research team will add some IOCs to IDR as they discover them, however often times our customers have either a paid list/tool (i.e. RecordedFuture) or they want to be really mindful of specific threats.
What you are looking yo do can pretty much be done using our API, using OTX IOCs.
https://docs.rapid7.com/insightidr/insightidr-rest-api/#insightidr-rest-api
Here’s a post I made about something similar but using RecordedFuture.
Using the API to upload Recorded Future IOCs to an IDR Custom Threat Feed.
Let me know if this answered your question.
Regards,
Felipe
Cool… thanks @felipe_legorreta… I’ll give that a look.
You should be able to export the OTX CSV with one of their API integrations found in this list: https://otx.alienvault.com/api
example the PS script: https://github.com/forgottentq/powershell/blob/master/GetOTX-Data.ps1
And then with the help of the IDR Threat API mentioned by Felipe you should be able to import it automatically in IDR 
Just be aware this is going to be extremely noisy. When we integrated our own threat intel into IDR it triggered all kind of false positives. IDR integration with threat intel is too black and white, unless you change about 8 different alerts to be notable behaviours you will find yourself drowning in investigations.
Use on busy environments with caution.