With the release of “Quick Actions” in IDR, you can now perform some OSINT while still within the log search, which makes looking for additional information quicker and easier now that you don’t have to have multiple tabs open! You can very quickly look up IPs and/or domains via WHOIS and Threat Cloud, along with scanning the R7 Vulnerability database, all in one place!
I’m finding that out now, but in the meantime, you can already look up hash info with Threat Cloud in the Quick Actions:
EDIT: @pete_jacob, we are adding support for connection-based quick actions, so we will be able to publish more actions:
(VirusTotal, AbuseIPDB, and urlscan are among the first to be added)
Edit: @RHolzer, one of the requirements is to have an ICON license, which I just found out. I’m editing my post to make that more clear; here is the documentation for it:
I love this concept, and finally having it in IDR is great! I second what @pete_jacob asked: it would be great to add arbitrary workflows to this list, maybe with a special trigger?
In my use case, there are times when information I’m working with in IDR was not detected as an indicator for use with a workflow via the Take Action menu, or is external to IDR. This would easily bridge the gap between IDR and ICON, and make custom event sources and alerts far easier to take action on.
Thank you very much for the feedback, @evan_nichols!! This is only the first version of quick actions; there are definitely more exciting things on the horizon, and I’m with you and @pete_jacob on expanding its capabilities!