By Christian Have, VP Products & Innovation. November 21, 2016
Following our introduction blog post, in this instalment we will cover how to integrate the LogPoint TI application with the Critical Stack platform. Critical Stack is an industry-leading aggregator of threat intelligence sources, focused on high-quality sources and ease of use. Out of the box, LogPoint fully supports the different data types provided through Critical Stack (hashes, file names, IP addresses, etc.).
Go to our Help Center page to get access to the Threat Intelligence application.
After downloading and installing the plugin you can manage the Threat Intel application from the Plugins page:
Log into intel.criticalstack.com to find the sources of threat intelligence relevant for your analytics objective. If this is the first time you access Critical Stack, you will be asked to create an account. Start by creating a “Collection”:
Create a “sensor”:
Select the sources you’d like to push to your sensor:
Get the API key, which we will need when we add the sensor in the LogPoint application:
Go to the sensor page and retrieve the key:
Apply the API key under “Critical Stack” in the Threat Intel plugins page:
The point of TI is to evaluate fields in LogPoint events against fields in the collected threat-intel data.
For instance, there may be a field called “ip” in the threat-intel database, while the fields in our events are called source_address and destination_address. To make sure these log fields are correctly translated to the contents of the threat-intel database, we rely on the “map” feature:
The “Key” is the part that we find in the logs and “Column” is what we will find in the threat-intel database.
An example of a search would be
Device_name=your_device source_address=* | process ti(source_address):
Evaluating a single IP address or mail address is one thing. If we want a query that is useful for a specific type of campaign, a special investigation we are conducting, or our own view of the most relevant TI, we can create what we call an “Alias”. An alias is used when we conduct our searches to evaluate many fields against the contents of the threat-intel database:
When you want to use the alias you made, you will apply it like this in the query:
| process ti(*name_of_the_alias)
Here we construct an “All” mode aliased search:
The same result with “Filter” enabled:
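To make the map, the `process ti()` search and the alias concrete, here is a small Python model of the enrichment logic. This is an added illustration, not LogPoint's code or the Critical Stack client: the TI table, the field map, the alias name and the sample events are all constructed here, and the semantics assumed for “All” (every event passes through, matching ones are annotated) and “Filter” (only matching events are returned) are my reading of the screenshots above rather than documented behaviour.

```python
# Added illustration of the map/alias logic described above; not LogPoint's code.
# The TI database is a constructed in-memory table keyed by column name,
# mimicking a Critical Stack feed (ip, hash, file name indicators).
from typing import Dict, List, Optional

# Constructed threat-intel table: column -> {indicator value: feed description}
TI_DB: Dict[str, Dict[str, str]] = {
    "ip": {
        "203.0.113.45": "constructed-feed-a: scanning host",
        "198.51.100.7": "constructed-feed-b: c2 node",
    },
    "hash": {
        "d41d8cd98f00b204e9800998ecf8427e": "constructed-feed-c: known bad sample",
    },
    "file_name": {
        "invoice.exe": "constructed-feed-c: dropper name",
    },
}

# The "map" feature: Key = field name as seen in the log,
#                    Column = column in the threat-intel database
FIELD_MAP: Dict[str, str] = {
    "source_address": "ip",
    "destination_address": "ip",
    "file_hash": "hash",
    "file": "file_name",
}

# An "Alias" bundles several log fields so one `process ti(*alias)` evaluates all of them
# (alias name is hypothetical)
ALIASES: Dict[str, List[str]] = {
    "net_and_file": ["source_address", "destination_address", "file_hash", "file"],
}


def lookup(event: dict, log_field: str) -> Optional[str]:
    """Evaluate one log field against the TI column it is mapped to."""
    column = FIELD_MAP.get(log_field)
    if column is None or log_field not in event:
        return None
    return TI_DB[column].get(event[log_field])


def process_ti(events: List[dict], fields: List[str], mode: str = "all") -> List[dict]:
    """Emulates `| process ti(...)`.
    mode="all":    every event passes through; matching ones gain ti_* fields (assumed "All" mode)
    mode="filter": only events with at least one hit are returned (assumed "Filter" mode)
    """
    out = []
    for ev in events:
        enriched = dict(ev)
        hits = {f: lookup(ev, f) for f in fields if lookup(ev, f) is not None}
        if hits:
            enriched["ti_hit"] = True
            enriched["ti_match"] = hits
        if mode == "all" or hits:
            out.append(enriched)
    return out


def process_ti_alias(events: List[dict], alias: str, mode: str = "all") -> List[dict]:
    """Emulates `| process ti(*alias)`: expand the alias into its fields, then evaluate."""
    return process_ti(events, ALIASES[alias], mode)


# Constructed sample events (two firewall events, two endpoint events)
SAMPLE_EVENTS = [
    {"device_name": "fw01", "source_address": "10.0.0.5", "destination_address": "203.0.113.45"},
    {"device_name": "fw01", "source_address": "10.0.0.8", "destination_address": "192.0.2.10"},
    {"device_name": "edr01", "file": "invoice.exe", "file_hash": "d41d8cd98f00b204e9800998ecf8427e"},
    {"device_name": "edr01", "file": "notes.txt", "file_hash": "0" * 32},
]

if __name__ == "__main__":
    # Equivalent of: device_name=fw01 source_address=* | process ti(source_address)
    fw = [e for e in SAMPLE_EVENTS if e["device_name"] == "fw01" and "source_address" in e]
    for e in process_ti(fw, ["source_address", "destination_address"]):
        print(e)
    # Equivalent of: | process ti(*net_and_file) with Filter enabled
    for e in process_ti_alias(SAMPLE_EVENTS, "net_and_file", mode="filter"):
        print(e)
```

The map is what makes the alias cheap to maintain: adding a new log field only requires one more Key/Column pair, and every alias that includes the field picks up the right TI column automatically.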
Out of the box you will find our analytics pack for Threat Intel. We currently have the following components included:
The dashboards populated by this application are:
If you want to know more about the setup - or Threat Intelligence in general - sign up for our upcoming webinar dedicated to Threat Intelligence on December 1st, 2016. Read more here!
You are always welcome to get in touch, if you have any questions! Find your local LogPoint office here.