Following our introduction blog post, in this instalment we will cover how to integrate the LogPoint TI application with the Critical Stack platform. Critical Stack is an industry-leading aggregator of threat intelligence sources, focused on high-quality sources and ease of use. Out of the box, LogPoint fully supports the different data-types provided through Critical Stack (Hashes, file names, IP addresses etc).
Go to our Help Center page to get access to the Threat Intelligence application.
After downloading and installing the plugin you can manage the Threat Intel application from the Plugins page:
Getting your first TI into the system
Log into intel.criticalstack.com to find your sources of threat intelligence relevant for your analytics objective. If this is the first time you access Critical Stack, you will be asked to create an account. Start by creating a ”Collection”:
Create a ”sensor”:
Select the sources you’d like to push to your sensor:
Get the API key, which we will need when we add the sensor in the LogPoint application:
Go to the sensor-page and enter the retrieve key:
Apply the API key under “Critical Stack” in the Threat Intel plugins page:
We want to evaluate fields in LogPoint against fields in the collected data – the point of TI.
For instance, there may be a field called ”IP” in the threat-intel database, but we have fields in our events that are called source_addressand destination_address. To ensure that we get these fields translated to the contents in the threat-intel database correctly, we rely on the “map” feature.
The “Key” is the part that we find in the logs and “Column” is what we will find in the threat-intel database.
An example of a search would be:
Device_name=your_device source_address=* | process ti(source_address):
Constructing comprehensive searches
One thing is to evaluate an IP address or a mail address. Let’s say we want to have a query that is used for a specific type of campaign, a special investigation you are conducting or based on your preferences for most relevant TI; we can create what we call an “Alias”. An alias will be used when we conduct our searches, to evaluate many fields against the contents in the threat-intel database.
- The “Alias” will be the name of the alias, we can call from the ti() command later.
- The “Fields” will be the different fields, we will be using (with our mapping).
- The “Mode” operation here will make it easier for us to do our investigation; put it into “Filter” mode and only logs that actually correspond with a match in the threat-intel database will be shown to the user.
When you want to use the alias you made, you will apply it like this in the query:
| process ti(*name_of_the_alias)
Here we construct an “All” mode aliased search:
It is also possible to enable “Filter”.
The Analytics pack
Out of the box, you will find our analytics pack for Threat Intel. We currently have the following components included:
The dashboards populated by this application are:
- Top 10 Sources in Attack
- Top 10 Destinations in Attack
- Top 10 Domains in Attack
- Categories by Source
- Categories by Destination
- Categories by Domain
- Top 10 Inbound Attack Connection by Geolocation
- Top 10 Outbound Attack Connection by Geolocation
You are always welcome to get in touch if you have any questions! Find your local LogPoint office here.