From e3d711185c7016cb834d2f9ffa88bf98e00b43d8 Mon Sep 17 00:00:00 2001 From: Surya Sashank Nistala Date: Tue, 30 Jul 2024 02:16:00 -0700 Subject: [PATCH] add threat intelligence analytics overview documentation Signed-off-by: Surya Sashank Nistala --- .../threat-intelligence-config.md | 38 +++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 _security-analytics/sec-analytics-config/threat-intelligence-config.md diff --git a/_security-analytics/sec-analytics-config/threat-intelligence-config.md b/_security-analytics/sec-analytics-config/threat-intelligence-config.md new file mode 100644 index 0000000000..605fe93a97 --- /dev/null +++ b/_security-analytics/sec-analytics-config/threat-intelligence-config.md 
@@ -0,0 +1,38 @@ +--- +layout: default +title: Creating detectors +parent: Setting up Threat Intelligence +nav_order: 15 +--- + +# Powering Threat Intelligence Analytics on your data + +Threat Intelligence Analytics provides the options and functionality to connect your threat intelligence feeds, consisting of Indicators of Compromise(IoC), and hunt for malicious indicators in your data by configuring a threat intelligence monitor. + +Threat Intelligence Monitors will create findings and can send out notifications when malicious IPs/domains/hashes referred from the Threat intelligence feeds match their data. + +--- +## Step 1. Connect threat intelligence Source + +To simply try out the feature you can skip this step and leverage the default IP reputation threat intelligence feed from AlienVault OTX. +If you have threat intelligence that you wish to constantly update you can use the S3_CUSTOM type of source configuration. +You can upload threat intelligence feed as files to your S3 account and provide OpenSearch with the IAM Role ARN to access that file. +The file should have IoC's in STIX2 format +The supported IoC Types are `hashes`, `ipv4-addr`, `domain-name`, `ipv6-addr`. +Create a threat intelligence source and mention S3 bucket details and IAM Role ARN to connect and download IoC's into OpenSearch. You can define a refresh schedule and periodically upload the latest batch of IoC's to S3 and replace the old file. OpenSearch will download the latest Ioc's and fully replace the old ones. + +Alternatively you can upload a one-time file using the IOC_UPLOAD type of source configuration. It will not have a refresh schedule as the IoC's can only be updated via an update API command. + +You can also view the downloaded IoC's while viewing the + +## Step 2. Configure Threat Intelligence Monitor + +Threat Intelligence Monitor will be configured with your aliases or data streams. 
It runs every minute (by default or at a configurable periodicity) and scans the newly ingested data in your indices to match against the IoC's present in threat intelligence feeds connected to OpenSearch. +If any malicious IoC's are matched OpenSearch creates findings. Optionally, you can configure triggers in monitor to create alerts and send notifications to your desired webhooks and endpoints +For every alias or data stream configured in the monitor, you must mention which fields are to be scanned for each type of IoC. +For instance, if an alias called `my-logs` has 2 fields called `src_ip` and `dst_ip` which contain ipv4-addresses, you must mention them during monitor creation/update under the `ipv4-addr` section. + +### Step 3. Findings Alerts and Notifications + +You can view the findings and alerts generated by threat intelligence monitors to analyze which malicious indicators have occurred in their security logs. +Alerts can be acknowledged or marked as completed. Notifications sent out to configured destinations will contain information about alerts, monitor, datasource, IoC value, type etc. Notification message uses mustache template and can be customized as per requirement.
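Review bot: the front matter `title: Creating detectors` does not match this page, whose H1 is "Powering Threat Intelligence Analytics on your data" under `parent: Setting up Threat Intelligence`; the title should name threat intelligence (for example "Threat intelligence analytics"), otherwise the nav entry will be mislabelled and collide with the existing detector docs. In the same hunk, the sentence "You can also view the downloaded IoC's while viewing the" is cut off mid-sentence and needs to say where the IoCs are viewed; the Step 3 heading uses `###` while Steps 1 and 2 use `##`, so the step is demoted under Step 2 and should be `## Step 3. Findings, Alerts and Notifications`; "match their data" and "in their security logs" should be "your data" / "your security logs" to match the second person used elsewhere; and the sentence ending "webhooks and endpoints" is missing its period. Since the S3_CUSTOM source hands OpenSearch an IAM Role ARN, the Step 1 text should also state what the role must be allowed to do (read access to the feed object is all the described flow needs) so readers do not grant a broader role than the download requires, and it should say what happens when a scheduled refresh fails to download or parse the file, since the text says the new batch fully replaces the old IoCs.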