Threat Intel and IOCs

Threat intel and IOC identification is great for cyber resilience. Has anyone leveraged this in R7 and implemented a dashboard or alerting?

Hey Steven,

If you are referring to the “Configure Threats” area of the IDR platform and building out a public or private threat, I have done this before. Did you have any specific questions I could help answer for you?

Hey Steven,

To add some clarity, once you add the IOCs to the threat and create it, it will automatically fire off alerts if those IOCs are found in your environment, but it’s from that point forward; it’s not retroactive like log search. Unfortunately, you will not be able to build dashboards directly from the data from those threats. You would have to create dashboards based off the IOCs you have listed.

1 Like

Threat intel and IOCs are already part of it. Under the Alert settings there is a tab where you can subscribe to threat intel feeds and IOCs and add your own as well. Once added, you can use them to build alerts or dashboards based on the information. No, not retroactive, but you can always schedule forensics and searches to go back. IDR is not really meant for going back like that unless you are doing a specific investigation or hunt.

Hi Kerry, Stephen,
How do you proceed when you have an IOC list of, say, 50 IPs?
I’ve not found an easy way to check for historic hits involving a large number of IPs so far.
Tips would be welcome if you’ve got an efficient method!
Regards,
Régis

@regis_kergreis,

So, unfortunately, right now, there is no easy way to search a bulk of IPs in log search for any hits prior to you creating the Community Threat. Depending on the IP IOCs you have added, if they fall in the same subnets you can use the CIDR notation to make it a bit easier, but if they are all random IPs then you would still have to hand jam them into a query which would get very long and very ugly. I’ll do some additional research on my end and see if I can come up with anything additional, or keep tabs on this post to see if anyone in the community has some ideas to add as well.

1 Like

Unfortunately true. No way to do this easily. I have to rely on other tools for this if the list of IP addresses is long. It would be an interesting feature to be able to take what is in a threat intel source and perform a search based on it, but I think that would kill the platform in most cases as some of the threat feeds have a ton of entries. I would not perform a hunt that way though. It is not targeted enough, unless all the IPs have a common feature or connection to each other. In that case I would search for that common item. Let us say that all the IPs are connected with a certain threat actor, then I would gather other TTPs for that actor to search for. IPs are not great IOCs as they can change, one IP could host 1000 sites, they could just be a redirect IP to another one that is unknown, any of which can make them unusable for searches or hunting.

2 Likes

Hi guys - thanks for your comments. Typically I’d get a list of IOCs from a formal and trusted entity (the ANSSI or the CERT-FR in France, for example). Example: IOC for Ryuk: [MaJ]🇫🇷/🇬🇧 Le Rançongiciel Ryuk – CERT-FR. I’d create a new threat against those domains and IPs listed as malicious to detect any future intrusion and possible malware spread. But based on that MISP, it’s not possible today to perform historic checks against this IOC list quickly and tie up loose ends before a spread on my network. And at the moment I don’t have an easy way to deal with such a list with my IDR, for example. That’s quite a drawback for me.
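As an added illustration of the two workarounds raised in this thread (collapsing IOC IPs into CIDR blocks, and checking historic logs with a tool outside the platform), here is a Python sketch that is not from any of the posters or from Rapid7. The IOC list and log lines are constructed, and the `key=value` log layout is an assumption standing in for whatever log export you have.

```python
import ipaddress
import re

# Constructed IOC list (documentation address ranges, not real indicators).
IOC_TEXT = """203.0.113.4
203.0.113.5
203.0.113.6
203.0.113.7
198.51.100.77
192.0.2.10
192.0.2.11
not-an-ip"""

# Constructed lines standing in for an exported firewall log.
SAMPLE_LOG = """2021-03-01T10:00:01Z allow src=10.0.0.5 dst=203.0.113.6 dport=443
2021-03-01T10:00:02Z allow src=10.0.0.9 dst=93.184.216.34 dport=80
2021-03-01T10:00:03Z deny src=198.51.100.77 dst=10.0.0.20 dport=3389
2021-03-01T10:00:04Z allow src=10.0.0.5 dst=203.0.113.8 dport=443"""

IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def load_iocs(text):
    """Parse one IP per line; blank and malformed entries are skipped."""
    addrs = set()
    for line in text.splitlines():
        try:
            addrs.add(ipaddress.ip_address(line.strip()))
        except ValueError:
            continue
    return addrs

def collapse(addrs):
    """Merge adjacent IPv4 IOCs into the fewest CIDR blocks.
    The merge is exact: no address outside the IOC list is covered."""
    v4 = sorted(a for a in addrs if a.version == 4)
    return list(ipaddress.collapse_addresses(v4))

def find_hits(log_text, networks):
    """Return (ip, matching_block, line) for every IOC address seen."""
    hits = []
    for line in log_text.splitlines():
        for token in IPV4_RE.findall(line):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:  # e.g. 999.1.1.1
                continue
            block = next((n for n in networks if ip in n), None)
            if block is not None:
                hits.append((str(ip), str(block), line))
    return hits

if __name__ == "__main__":
    blocks = collapse(load_iocs(IOC_TEXT))
    print("CIDR blocks:", ", ".join(map(str, blocks)))
    for ip, block, line in find_hits(SAMPLE_LOG, blocks):
        print(f"HIT {ip} ({block}): {line}")
```

The collapsed block list is also what you would paste into a log search query in place of the individual addresses when they happen to be contiguous.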