
Getting Started with Threat Intelligence

By Christian Have, VP Products & Innovation. November 21, 2016

Following our introduction blog post, in this instalment we cover how to integrate the LogPoint TI application with the Critical Stack platform. Critical Stack is an industry-leading aggregator of threat intelligence sources, focused on high-quality sources and ease of use. Out of the box, LogPoint fully supports the different data types provided through Critical Stack (hashes, file names, IP addresses, etc.).

Go to our Help Center page to get access to the Threat Intelligence application.

After downloading and installing the plugin, you can manage the Threat Intel application from the Plugins page:

[Screenshot: plugin page]

Getting your first TI into the system

Log into intel.criticalstack.com to find the sources of threat intelligence relevant to your analytics objective. If this is the first time you access Critical Stack, you will be asked to create an account. Start by creating a "Collection":

[Screenshot: collection]

Create a "sensor":

[Screenshot: sensor]

Select the sources you’d like to push to your sensor:

[Screenshot: select sources]

Get the API key, which we will need when we add the sensor in the LogPoint application. Go to the sensor page and retrieve the key:

[Screenshot: retrieve key]

Apply the API key under "Critical Stack" on the Threat Intel plugin page:

[Screenshot: critical stack]

Mapping structures

We want to evaluate fields in LogPoint events against fields in the collected threat-intel data; that is the whole point of TI.

For instance, the threat-intel database may have a column called "ip", while the fields in our events are called source_address and destination_address. To translate our field names to the corresponding columns in the threat-intel database, we rely on the "map" feature:

[Screenshot: add mapping]

The "Key" is the field name as it appears in the logs, and "Column" is the name of the matching column in the threat-intel database.

An example of a search would be:

Device_name=your_device source_address=* | process ti(source_address)

[Screenshot: search example]

Constructing comprehensive searches

Evaluating a single IP address or e-mail address is one thing. Suppose instead we want a query tailored to a specific type of campaign, to a particular investigation you are conducting, or to the TI sources you consider most relevant; for that we create what we call an "Alias". An alias is used in our searches to evaluate many fields at once against the contents of the threat-intel database:

[Screenshot: add alias]

  • "Alias" is the name of the alias, which we can call from the ti() command later.
  • "Fields" are the log fields that will be evaluated (through the mapping defined above).
  • "Mode" controls what the search returns and makes an investigation easier: in "All" mode every log is returned, while in "Filter" mode only the logs that actually correspond with a match in the threat-intel database are shown to the user.

To use the alias you made, apply it like this in the query:

| process ti(*name_of_the_alias)

Here we construct an "All" mode aliased search:

[Screenshot: aliased search]

The same result with "Filter" enabled:

[Screenshot: filter enabled]
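To make the mapping and alias mechanics above concrete, here is an added Python example; it is not LogPoint's or Critical Stack's code. It models the "map" feature (log field name to threat-intel database column) and the "Alias" feature (a named group of fields evaluated together, in "All" or "Filter" mode) over constructed sample events. The feed layout (the tab-separated Bro Intelligence Framework format), the column names ip/domain/hash, the alias name campaign_x, and every indicator and log line are assumptions made for the example.

```python
# Added example (not LogPoint's or Critical Stack's code): a small model of the
# "map" and "Alias" mechanics described above, run over constructed sample data.
from collections import defaultdict

# Constructed sample feed. Assumption: Critical Stack delivered its feeds in the
# Bro Intelligence Framework layout (tab-separated, '#fields' header). The
# indicators are documentation addresses/names and the EICAR test-file MD5.
SAMPLE_FEED = """#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc
203.0.113.7\tIntel::ADDR\texample-blocklist\tscanner
198.51.100.23\tIntel::ADDR\texample-c2-list\tc2
malware.example\tIntel::DOMAIN\texample-domain-list\tmalware
44d88612fea8a8f36de82e1278abb02f\tIntel::FILE_HASH\texample-hash-list\teicar
"""

# Feed indicator types -> columns of the threat-intel database (assumed names).
TYPE_TO_COLUMN = {
    "Intel::ADDR": "ip",
    "Intel::DOMAIN": "domain",
    "Intel::FILE_HASH": "hash",
}


def parse_feed(text):
    """Build {column: {indicator: meta}} from a feed in the layout above.
    Indicators are lowercased so that case differences in logs do not hide hits."""
    db = defaultdict(dict)
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, line.split("\t")))
        column = TYPE_TO_COLUMN.get(row.get("indicator_type"))
        if column is None or "indicator" not in row:
            continue  # unsupported type or malformed line: skip rather than fail
        db[column][row["indicator"].lower()] = {
            "source": row.get("meta.source", ""),
            "desc": row.get("meta.desc", ""),
        }
    return dict(db)


# The "map" feature: Key (field name in the logs) -> Column (threat-intel database).
MAPPING = {
    "source_address": "ip",
    "destination_address": "ip",
    "domain": "domain",
    "file_hash": "hash",
}

# The "Alias" feature: a name bound to the list of fields to evaluate together.
ALIASES = {
    "campaign_x": ["source_address", "destination_address", "domain", "file_hash"],
}


def ti(db, events, *fields, mode="all"):
    """Model of `| process ti(field, ...)`.

    Each named field is translated through MAPPING and looked up in the matching
    column. mode="all" returns every event (matches annotated under "ti_hits");
    mode="filter" returns only the events with at least one hit.
    """
    if mode not in ("all", "filter"):
        raise ValueError("mode must be 'all' or 'filter'")
    out = []
    for event in events:
        enriched = dict(event)
        hits = []
        for field in fields:
            column = MAPPING.get(field)
            value = event.get(field)
            if column is None or value is None:
                continue  # unmapped field, or field absent from this log line
            meta = db.get(column, {}).get(str(value).lower())
            if meta is not None:
                hits.append({"field": field, "column": column, "value": value, **meta})
        if hits:
            enriched["ti_hits"] = hits
        if hits or mode == "all":
            out.append(enriched)
    return out


def ti_alias(db, events, name, mode="all"):
    """Model of `| process ti(*name_of_the_alias)`: expand the alias to its fields."""
    return ti(db, events, *ALIASES[name], mode=mode)


# Constructed sample log events, already parsed into LogPoint-style fields.
SAMPLE_EVENTS = [
    {"device_name": "fw-edge", "source_address": "203.0.113.7", "destination_address": "10.0.0.5"},
    {"device_name": "proxy", "source_address": "10.0.0.12", "domain": "malware.example"},
    {"device_name": "fw-edge", "source_address": "10.0.0.9", "destination_address": "192.0.2.44"},
    {"device_name": "edr", "source_address": "10.0.0.3", "file_hash": "44D88612FEA8A8F36DE82E1278ABB02F"},
]

if __name__ == "__main__":
    db = parse_feed(SAMPLE_FEED)
    # Equivalent of: device_name=fw-edge source_address=* | process ti(source_address)
    edge = [e for e in SAMPLE_EVENTS if e["device_name"] == "fw-edge" and "source_address" in e]
    for e in ti(db, edge, "source_address", mode="filter"):
        print("single field:", e["source_address"], e["ti_hits"][0]["desc"])
    # Equivalent of: | process ti(*campaign_x) with "Filter" enabled
    for e in ti_alias(db, SAMPLE_EVENTS, "campaign_x", mode="filter"):
        print("alias:", e["device_name"], [h["value"] for h in e["ti_hits"]])
```

Both the indicator and the log value are lowercased before comparison, so an uppercase hash from an EDR event still matches a lowercase feed entry. With "Filter" enabled the third event, which carries no listed indicator in any mapped field, drops out; in "All" mode it is returned without a ti_hits annotation.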

The Analytics pack

Out of the box you will find our analytics pack for Threat Intel. We currently have the following components included:

[Screenshot: analytics pack]

The dashboards populated by this application are:

  1. Top 10 Sources in Attack
  2. Top 10 Destinations in Attack
  3. Top 10 Domains in Attack
  4. Categories by Source
  5. Categories by Destination
  6. Categories by Domain
  7. Score-Timetrend
  8. Top 10 Inbound Attack Connection by Geolocation
  9. Top 10 Outbound Attack Connection by Geolocation

More Information?

If you want to know more about the setup - or Threat Intelligence in general - sign up for our upcoming webinar dedicated to Threat Intelligence on December 1st, 2016. Read more here!

You are always welcome to get in touch, if you have any questions! Find your local LogPoint office here.


European "State-of-the-Art" SIEM

With LogPoint you get a SIEM solution for every enterprise.

LogPoint is EAL 3+ certified and is tailored to the specific requirements of your company's IT security management: compliance with policies and regulations, forensics, or insight into processes.

And the best part? We have the fairest, most predictable licensing model in the industry.