Basic Threat Intel Integration¶
The Basic Threat Intel app ingests data from open source threat intelligence lists and infrastructure as service providers, using Observe pollers.
Observe helps you monitor the public networks that your systems contact by using resource sets that include information about known bad addresses, known infrastructure addresses, and more.
Checking an Address¶
You can use two Dashboards to check if an IP address exists in the Threat Intel data gathered by Observe.
Use the IPv4 Search Dashboard to search for an IPv4 address in a dotted quad notation, such as
18.104.22.168. The Dashboard recognizes the CIDR format and displays matching network ranges or singletons.
Use the IPv6 Search Dashboard to search for IPv6 addresses. The Dashboard does not recognize the CIDR format and only displays exact matches.
Checking a Hash¶
You can use a Dashboard to check if a hash value exists in the Threat Intel data gathered by Observe. Hash values can be of different things such as processes, files, etc depending on the source of the information.
Installing the Basic Threat Intel app provides the following Datasets to use with your data. Note that pollers must be enabled to populate these datasets.
AWS IP Ranges
AWS IPv6 Ranges
Azure IP Ranges
Azure IPv6 Ranges
Bazaar Block Process
CI Army Block IP
Custom Threat IP Ranges
Dan’s Tor Nodes IPs
Dan’s Tor Nodes v6 IPs
Emerging Threats Block IP
Feodo Block IP
GCP IP Ranges
GCP IPv6 Ranges
OCI IP Ranges
Majestic Million (only the top 50,000 websites are collected)
Public IP Ranges
Spamhaus Block IP
URLHaus Block Domain
Unified Resource Datasets
Unified Hash Threatlists
Unified Hosts-Domains Threatlist
This dataset uses the Majestic Million top websites list (top 50,000) to reduce alert noise. Use Unified URLs for more precise matches.
Unified IPv4 Threatlist
Unified IPv6 Threatlist
Unified URL Threatlist
Process Hash Search
As Observe ingests your data, the preconfigured datasets and boards display information about the security of your systems.
The unified datasets for threat matching are structured to provide a standard set of fields. This is detailed in Using Unified Basic Threat Intel Datasets with Observe.
You want to check your datasets against Threat IOCs for IPv4 addresses. You can find this information in Example: Using Unified IPv4 Threatlists.
This example contains steps to complete the following tasks:
Shaping your IP Address data
Filtering the IP Addresses for public IPs
Filtering the IP Addresses using the Unified IPv4 Threatlist
The Example: Using Unified IPv4 IAAS Providers List](https://docs.observeinc.com/en/latest/content/integrations/tip-basic/tip-example-unified-iaas.html) provides steps on using the Infrastructure as a Service provider IP list to enrich your dataset. This aids in identifying address space owners such as Google Cloud, Amazon, and Microsoft.
Host-Domain and URL Matching¶
You may have data such as Web logs or DNS logs and want to filter for IOC matches on domains and URLs.
The Example: Using Unified Hosts-Domains and URL Threatlists contains steps on the following tasks:
Shaping your URL data
Extracting the host value from the URLs
Filtering the host value using Unified Hosts-Domains Threatlist
Filtering the url value using the Unified URL Threatlist
If you have data that contains process or file hashes you may follow the same pattern for matching against the Unified Hash Threatlists as shown for OPAL matching the host-domain values in Example: Using Unified Hosts-Domains and URL Threatlists.
If you have data that contains IPv6 addresses, follow the same pattern for matching against the Unified Hash Threatlists as shown for OPAL matching the host-domain values in Example: Using Unified Hosts-Domains and URL Threatlists. Note that IPv6 values are treated as exact string matches, not network ranges, at this time.