add threat intelligence analytics overview documentation
Signed-off-by: Surya Sashank Nistala <[email protected]>
eirsep committed Jul 30, 2024
1 parent 5084340 commit 24d4b2d
Showing 1 changed file with 38 additions and 0 deletions.
@@ -0,0 +1,38 @@
---
layout: default
title: Creating detectors
parent: Setting up Threat Intelligence
nav_order: 15
---

# Powering Threat Intelligence Analytics on your data

Threat Intelligence Analytics provides the options and functionality to connect your threat intelligence feeds, consisting of Indicators of Compromise(IoC), and hunt for malicious indicators in your data by configuring a threat intelligence monitor.

Threat Intelligence Monitors will create findings and can send out notifications when malicious IPs/domains/hashes referred from the Threat intelligence feeds match their data.

---
## Step 1. Connect threat intelligence Source

To simply try out the feature you can skip this step and leverage the default IP reputation threat intelligence feed from AlienVault OTX.

If you have threat intelligence that you wish to constantly update you can use the S3_CUSTOM type of source configuration.
You can upload threat intelligence feed as files to your S3 account and provide OpenSearch with the IAM Role ARN to access that file.
The file should have IoC's in STIX2 format

The supported IoC Types are `hashes`, `ipv4-addr`, `domain-name`, `ipv6-addr`.
Create a threat intelligence source and mention S3 bucket details and IAM Role ARN to connect and download IoC's into OpenSearch. You can define a refresh schedule and periodically upload the latest batch of IoC's to S3 and replace the old file. OpenSearch will download the latest Ioc's and fully replace the old ones.

Alternatively you can upload a one-time file using the IOC_UPLOAD type of source configuration. It will not have a refresh schedule as the IoC's can only be updated via an update API command.

You can also view the downloaded IoC's while viewing the

## Step 2. Configure Threat Intelligence Monitor

Threat Intelligence Monitor will be configured with your aliases or data streams. It runs every minute (by default or at a configurable periodicity) and scans the newly ingested data in your indices to match against the IoC's present in threat intelligence feeds connected to OpenSearch.

If any malicious IoC's are matched OpenSearch creates findings. Optionally, you can configure triggers in monitor to create alerts and send notifications to your desired webhooks and endpoints
For every alias or data stream configured in the monitor, you must mention which fields are to be scanned for each type of IoC.
For instance, if an alias called `my-logs` has 2 fields called `src_ip` and `dst_ip` which contain ipv4-addresses, you must mention them during monitor creation/update under the `ipv4-addr` section.

### Step 3. Findings Alerts and Notifications

You can view the findings and alerts generated by threat intelligence monitors to analyze which malicious indicators have occurred in their security logs.
Alerts can be acknowledged or marked as completed. Notifications sent out to configured destinations will contain information about alerts, monitor, datasource, IoC value, type etc. Notification message uses mustache template and can be customized as per requirement.
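Review bot: the sentence "You can also view the downloaded IoC's while viewing the" in this hunk is cut off before it names what is being viewed, so the paragraph at the end of Step 1 ships incomplete; finish the sentence before merging. Three smaller documentation points in the same hunk: the front matter title `title: Creating detectors` does not match the page, whose heading and body describe connecting threat intelligence sources and configuring a threat intelligence monitor, so readers navigating by title will land on the wrong topic; the heading "### Step 3. Findings Alerts and Notifications" is one level deeper than "## Step 1." and "## Step 2.", which makes it render as a sub-step of Step 2 rather than a third step; and "IoC's" is used as a plural throughout (it reads as a possessive), so "IoCs" would be clearer, with the acronym expanded once at first use in the intro ("Indicators of Compromise(IoC)" also needs a space before the parenthesis). Two smaller items: the Step 2 sentence ending "to your desired webhooks and endpoints" has no terminating period, and "Optionally, you can configure triggers in monitor" should read "in the monitor". Finally, a practitioner-relevant caveat worth stating explicitly next to "OpenSearch will download the latest Ioc's and fully replace the old ones": since the refresh is a full replacement, any indicator omitted from the newly uploaded S3 file stops matching after the next refresh, so the uploaded file must always be the complete current set rather than a delta.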
