Installing the Basic Threat Intel App

The Basic Threat Intel App helps you review log data for Internet connections to and from known-bad systems. You can use the provided resource sets to find, and alert on, unexpected or possibly malicious activity.

What type of data does the Basic Threat Intel App ingest?

The Basic Threat Intel App collects data from three types of sources:

  • Context Lists - Lists that add context to matches or that you can use to filter results.

  • Threat Lists - Several open source threat intelligence lists, collected into Observe as resource sets for comparison with your data.

  • IaaS Network Lists - The published network address ranges of several popular infrastructure-as-a-service (IaaS) providers, collected into Observe as resource sets for comparison with your data.

Figure 1 - Installed Datasets for Basic Threat Intel app

To ingest these resources, install the App and configure the Pollers. For more about exploring this data, see Basic Threat Intel App.

Setup

Installing the Basic Threat Intel App for Observe

Install the Basic Threat Intel App for Observe from the Apps section under Workspace Settings.

Poller Activation

In the Connections section of the App details page, select Create poller for the resource sets you want to create. Currently supported resource sets include the following:

Context Lists

Threat Intelligence Lists

IaaS Network Lists

  • Amazon - Amazon Web Services IP Range list

  • Azure - Microsoft Azure US Public IP Range list

  • Azure - Microsoft Azure US Government IP Range list

  • Azure - Microsoft Azure Germany IP Range list

  • Azure - Microsoft Azure China IP Range list

  • Google - Google Cloud Platform Services IP Range

  • Google - Google Cloud Platform Customers IP Range

  • Oracle - Oracle Cloud Infrastructure IP Range

  • IPv4 Public Ranges

Custom Source Lists

You can also configure ingest of your own intel lists using a Custom Threat IP List poller. In the Connections section of the App details page, select Create poller on the Custom Threat IP List row. This poller pulls a CSV-formatted file of IP addresses and CIDR ranges from an Internet-accessible URL. The maximum file size is 4 MB. The file has a header row followed by one object per line, in the following format:

object,severity,source
12.34.56.78,high,"Private Research"
21.43.65.0/24,low,"Private Research"

  • Note that Observe does not support authenticated links at this time: the URL must be reachable without credentials, so do not host a list there that you cannot expose publicly.
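To see what the custom list format implies for matching, the following added example (not code from Observe or from this page) parses a list in the documented object,severity,source layout, enforces the stated 4 MB limit, rejects rows whose object is neither an IP address nor a CIDR range, and then tags constructed flow records whose destination falls inside a listed object, using the most specific (longest-prefix) entry when ranges overlap. The severity value "medium", the IPv6 row, and the overlapping /25 are assumptions added to exercise the code; the page only shows "high" and "low" with IPv4 objects, and does not describe how Observe itself validates a list.

```python
import csv
import io
import ipaddress

MAX_LIST_BYTES = 4 * 1024 * 1024  # the 4 MB limit stated for the custom poller

# Constructed sample in the documented object,severity,source layout (not a real feed).
# The IPv6 row, the "medium" severity and the overlapping /25 are assumptions for this example.
SAMPLE_CSV = """object,severity,source
12.34.56.78,high,"Private Research"
21.43.65.0/24,low,"Private Research"
21.43.65.128/25,high,"Private Research"
2001:db8::/32,medium,"Private Research"
not-an-ip,high,"Private Research"
"""

REQUIRED_COLUMNS = ("object", "severity", "source")


def parse_threat_list(text):
    """Parse a custom threat list CSV into (entries, errors).

    Each valid row becomes an (ip_network, severity, source) tuple. A bare
    address becomes a /32 (or /128) network so that lookups use one code path.
    Rows whose object does not parse are reported rather than silently dropped.
    """
    if len(text.encode("utf-8")) > MAX_LIST_BYTES:
        raise ValueError("list exceeds the 4 MB poller limit")
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError("missing columns: %s" % ", ".join(missing))
    entries, errors = [], []
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        try:
            net = ipaddress.ip_network(row["object"].strip(), strict=False)
        except ValueError:
            errors.append((lineno, row["object"]))
            continue
        entries.append((net, row["severity"].strip().lower(), row["source"].strip()))
    return entries, errors


def match_ip(entries, ip_text):
    """Return the most specific entry covering ip_text, or None if nothing matches."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    best = None
    for net, severity, source in entries:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, severity, source)
    return best


# Constructed flow records as (source ip, destination ip); not real log data.
SAMPLE_FLOWS = [
    ("10.0.0.5", "12.34.56.78"),   # exact-address hit
    ("10.0.0.6", "21.43.65.200"),  # inside both /24 and /25; the /25 wins
    ("10.0.0.7", "21.43.65.10"),   # inside the /24 only
    ("10.0.0.8", "8.8.8.8"),       # not listed
]


def find_hits(entries, flows):
    """Tag every flow whose destination falls inside a listed object."""
    hits = []
    for src, dst in flows:
        m = match_ip(entries, dst)
        if m:
            hits.append({"src": src, "dst": dst, "object": str(m[0]),
                         "severity": m[1], "source": m[2]})
    return hits


if __name__ == "__main__":
    entries, errors = parse_threat_list(SAMPLE_CSV)
    for lineno, obj in errors:
        print("line %d: unparseable object %r" % (lineno, obj))
    for hit in find_hits(entries, SAMPLE_FLOWS):
        print(hit)
```

Running the same checks against a list before you publish it at the poller URL catches malformed rows that would otherwise never produce a match, and the overlap handling shows why a broad low-severity range and a narrow high-severity range in the same list are not a contradiction.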

Poller Management

All lists are collected by Observe pollers, which you activate from the Connections tab of the Basic Threat Intel App. Each poller has a collection cycle tuned to how often its source is updated. To manage the active pollers, first note the name of the source Datastream set on the Configuration tab of the Basic Threat Intel App; the pollers are then configured under the Datastreams settings page for that Datastream.

Creating a Token

Create a Basic Threat Intel Token to send your own indicators, such as process hashes or URLs, into Observe and build resource sets from them.

  1. Under the Connections section of the App Details page, select Create Threat Intel (Basic) Token and follow the prompts.

  2. Follow the HTTP Endpoint ingestion guidance to send data into Observe using this token.

  3. Use a Worksheet to isolate your data and create a Resource Set from it. Click Edit on one of the resource sets included in the Basic Threat Intel App to see examples you can follow.

Changing the Datastream

The Basic Threat Intel App uses the Default datastream for polled data and resource set creation. To select another datastream, use the Configuration tab of the App Details page.

Managing App Integrations

The Basic Threat Intel App offers prebuilt integrations using resource sets from the following Observe Apps:

  • AWS - uses AWS CloudTrail management logs as a resource set for comparison with threat intelligence.

  • Host Monitoring - uses Windows and Linux host information as a resource set for comparison with threat intelligence.

To enable these resources, install and configure the respective Apps, then enable the integration under the Configuration tab of the Basic Threat Intel App Details page and click Update. This creates Datasets in which data from the other app can be compared with the Basic Threat Intel App resource sets.

If you later remove an app that provides source data for analysis, you can also disable its integration. Under the Configuration tab of the App Details page, turn off the app integration, then click Update. This deletes the Datasets that make that app's data comparable to the Basic Threat Intel App's resource sets.

For more about exploring this data, see Basic Threat Intel App.

You have now configured the Basic Threat Intel App and are ready to use this data in Observe.