Installing the Basic Threat Intel App

Using the Basic Threat Intel App

The Basic Threat Intel App helps you to review log data for Internet connectivity with known bad systems or processing of known bad executables. You can use the provided resource sets to find and alert on unexpected or possibly malicious activity.

What types of data does Basic Threat Intel App ingest?

The Basic Threat Intel App collects data from three types of sources:

  • Context Lists - Some lists provide context or can be used for filtering.

  • Threat Lists - Several open source threat intelligence lists are collected into Observe as resource sets for comparison with your data.

  • IaaS Network Lists - The network address lists of several popular infrastructures as a service provider collected into Observe as resource sets for comparison with your data.

To ingest these resources, install the App and configure the Pollers. For more about exploring this data, see Basic Threat Intel App.

Setup

Installing the Basic Threat Intel App for Observe

Install the Basic Threat Intel App for Observe using the Apps section under Workspace Setting.

Poller Activation

In the Connections section of the App details page, select Create poller for the resource sets you want to use. Activated pollers will be listed at the bottom of the Connections screen. Currently supported resource sets include the following:

Context Lists

Threat Intelligence Lists

IaaS Network Lists

  • Amazon Amazon Web Services IP Range list

  • Azure Microsoft Azure US Public IP Range list

  • Azure Microsoft Azure US Government IP Range list

  • Azure Microsoft Azure Germany IP Range list

  • Azure Microsoft Azure China IP Range list

  • Google Google Cloud Platform Services IP Range

  • Google Google Cloud Platform Customers IP Range

  • Oracle Oracle Cloud Infrastructure IP Range

  • IPv4 Public Ranges

Custom Source Lists

  • Note that Observe does not support authenticated links at this time.

You can also configure ingest of your own intel lists using a Custom Threat IP List poller. In the Connections section of the App details page, select Create poller on the Custom Threat IP List row. This supports pulling a CSV-formatted file of IP addresses and CIDR ranges from an Internet-accessible URL. The maximum size is 4 MB. It has the following format:

object,severity,source
12.34.56.78,high,"Private Research"
21.43.65.0/24,low,"Private Research"

You can click Create poller multiple times for the Custom Threat IP List in order to collect multiple lists; the results will be merged into a single dataset.

Poller Management

The Observe pollers collect all lists which can be activated at the Connections tab of the Basic Threat Intel App. Each poller has a collection cycle tuned for the frequency of the source. To manage the active pollers, you need the name of the source Datastream set at the Configuration tab of the Basic Threat Intel App. Pollers can be configured under the Datastreams settings page. Uninstalling the App does not remove the pollers, do that from the Datastreams page.

Creating a Token

Creating a token for the Basic Threat Intel app is optional. You can use a Basic Threat Intel Token to send your custom non-IP resource sets into Observe, such as process hashes or URLs.

  1. Under the Connections section of the App Details page, select Create Threat Intel (Basic) Token and follow the prompts.

  2. Follow the HTTP Endpoint ingestion guidance to send data into Observe using this token.

  3. Use a Worksheet to isolate your data and create a Resource Set from it. Click Edit on one of the resource sets included in the Basic Threat Intel App to see examples you can follow.

Changing the Datastream

The Basic Threat Intel App uses the Default datastream for polled data and resource set creation. To select another datastream, use the Configuration tab of the App Details page.

For more about exploring this data, see Basic Threat Intel App.

You have now configured the Basic Threat Intel app and can use this data in Observe.