Basic Threat Intel Integration

The Basic Threat Intel app uses Observe pollers to ingest data from open-source threat intelligence lists and from the published IP ranges of infrastructure-as-a-service (IaaS) providers.

Observe helps you monitor the public networks that your systems contact by using resource sets that include information about known bad addresses, known infrastructure addresses, and more.

Checking an Address

You can use two Dashboards, IP Search and IPv6 Search, to check whether an IP address exists in the Threat Intel data gathered by Observe.

Checking a Hash

You can use the Process Hash Search Dashboard to check whether a hash value exists in the Threat Intel data gathered by Observe. Depending on the source feed, a hash may identify a process, a file, or another object.

Resource Sets

Installing the Basic Threat Intel app provides the following Datasets to use with your data. Note that pollers must be enabled to populate these datasets.

Resource Datasets

  • AWS IP Ranges

  • AWS IPv6 Ranges

  • Azure IP Ranges

  • Azure IPv6 Ranges

  • Bazaar Block Process

  • CI Army Block IP

  • Custom Threat IP Ranges

  • Dan’s Tor Nodes IPs

  • Dan’s Tor Nodes v6 IPs

  • Emerging Threats Block IP

  • Feodo Block IP

  • GCP IP Ranges

  • GCP IPv6 Ranges

  • OCI IP Ranges

  • Majestic Million (only the top 50,000 websites are collected)

  • Public IP Ranges

  • Spamhaus Block IP

  • URLHaus Block Domain

Unified Resource Datasets

  • Unified Hash Threatlists

  • Unified Hosts-Domains Threatlist

This dataset is filtered against the Majestic Million top websites list (top 50,000) to reduce alert noise from popular domains. Use the Unified URL Threatlist when you need more precise matches.

  • Unified IPv4 Threatlist

  • Unified IPv6 Threatlist

  • Unified URL Threatlist

Dashboards

  • IP Search

  • IPv6 Search

  • Process Hash Search

As Observe ingests your data, the pre-configured Datasets and Dashboards display matches between your data and the collected threat intelligence.

Usage Examples

The unified datasets for threat matching are structured to provide a standard set of fields. This is detailed in Using Unified Basic Threat Intel Datasets with Observe.

IPv4 Matching

To check your data against threat IOCs for IPv4 addresses, see Example: Using Unified IPv4 Threatlists.

This example contains steps to complete the following tasks:

  • Shaping your IP Address data

  • Filtering the IP Addresses for public IPs

  • Filtering the IP Addresses using the Unified IPv4 Threatlist

The Example: Using Unified IPv4 IaaS Providers List provides steps on using the Infrastructure as a Service provider IP list to enrich your dataset. This helps identify address space owners such as Google Cloud, Amazon, and Microsoft.
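The following Python script is an added illustration of the IPv4 procedure above (shape, filter to public addresses, match against a threatlist, enrich with IaaS ranges). It is not Observe code or OPAL; the log format, the field names, the feed contents and the provider ranges are all constructed for the example. Threatlist entries are treated as CIDR ranges with longest-prefix matching, since a single host entry is just a /32.

```python
"""IPv4 IOC matching and IaaS enrichment, as an added illustration (not Observe code).

The steps follow the page's procedure: shape raw lines into records, keep only
public addresses, match them against an IPv4 threatlist that mixes single hosts
and CIDR ranges, then tag address-space owners from a provider range list.
Feed contents, field names and log lines are all constructed.
"""
import ipaddress
import re

# Constructed log lines in a key=value format.
SAMPLE_LOGS = [
    "ts=2024-05-01T10:00:00Z host=web01 action=connect dst=10.0.0.5",
    "ts=2024-05-01T10:00:01Z host=web01 action=connect dst=198.51.100.23",
    "ts=2024-05-01T10:00:02Z host=db01 action=connect dst=203.0.113.77",
    "ts=2024-05-01T10:00:03Z host=web02 action=connect dst=192.0.2.200",
    "ts=2024-05-01T10:00:04Z host=web02 action=connect dst=not-an-ip",
    "ts=2024-05-01T10:00:05Z host=app01 action=connect dst=127.0.0.1",
]
# Constructed stand-in for a unified IPv4 threatlist (hosts and ranges mixed).
THREAT_IPV4 = [
    {"network": "198.51.100.0/24", "source": "feedA", "category": "c2"},
    {"network": "203.0.113.77", "source": "feedB", "category": "scanner"},
]
# Constructed stand-in for an IaaS provider range list.
IAAS_RANGES = [
    {"network": "192.0.2.0/24", "provider": "ExampleCloud", "region": "eu-west-1"},
]

LOG_RE = re.compile(r"host=(?P<host>\S+).*?dst=(?P<dst>\S+)")

# Addresses that can never be a public IOC hit. Listed explicitly rather than
# via IPv4Address.is_global, which also treats the RFC 5737 documentation
# ranges used in the sample data (192.0.2/24, 198.51.100/24, 203.0.113/24)
# as non-public.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def shape(lines):
    """Step 1: pull host and destination out of each line; drop unparseable addresses."""
    records = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m["dst"])
        except ValueError:
            continue  # e.g. "not-an-ip": nothing to match against a threatlist
        records.append({"host": m["host"], "dst_ip": ip})
    return records


def is_public(ip):
    """Step 2: keep only addresses outside the private/special-use ranges."""
    return not any(ip in net for net in NON_PUBLIC)


def _longest_match(ip, entries):
    """Most-specific CIDR entry containing ip, or None."""
    best = None
    for e in entries:
        net = ipaddress.ip_network(e["network"], strict=False)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, e)
    return best[1] if best else None


def match_threats(records, threatlist):
    """Step 3: records whose dst_ip falls in a threatlist entry, tagged with the source."""
    hits = []
    for r in records:
        e = _longest_match(r["dst_ip"], threatlist)
        if e:
            hits.append({**r, "threat_source": e["source"], "threat_category": e["category"]})
    return hits


def enrich_iaas(records, ranges):
    """Step 4: tag every record with its IaaS owner (None if not in a provider range)."""
    out = []
    for r in records:
        e = _longest_match(r["dst_ip"], ranges)
        out.append({**r, "iaas_provider": e["provider"] if e else None,
                    "iaas_region": e["region"] if e else None})
    return out


def run_pipeline(lines=SAMPLE_LOGS):
    """Whole pipeline: (threat hits, IaaS-enriched public records)."""
    public = [r for r in shape(lines) if is_public(r["dst_ip"])]
    return match_threats(public, THREAT_IPV4), enrich_iaas(public, IAAS_RANGES)


if __name__ == "__main__":
    hits, enriched = run_pipeline()
    for h in hits:
        print(f"THREAT {h['host']} -> {h['dst_ip']} [{h['threat_source']}/{h['threat_category']}]")
    for e in enriched:
        print(f"OWNER  {e['host']} -> {e['dst_ip']} {e['iaas_provider']}")
```

Filtering to public addresses before matching matters in practice: some open feeds carry RFC 1918 or loopback entries, and matching them against internal traffic produces hits that are pure noise.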

Host-Domain and URL Matching

You may have data such as Web logs or DNS logs and want to filter for IOC matches on domains and URLs.

The Example: Using Unified Hosts-Domains and URL Threatlists contains steps on the following tasks:

  • Shaping your URL data

  • Extracting the host value from the URLs

  • Filtering the host value using Unified Hosts-Domains Threatlist

  • Filtering the url value using the Unified URL Threatlist

Hash Matching

If you have data that contains process or file hashes, follow the same OPAL pattern for matching against the Unified Hash Threatlists that Example: Using Unified Hosts-Domains and URL Threatlists shows for matching host-domain values.

IPv6 Matching

If you have data that contains IPv6 addresses, follow the same OPAL pattern for matching against the Unified IPv6 Threatlist that Example: Using Unified Hosts-Domains and URL Threatlists shows for matching host-domain values. Note that IPv6 values are currently treated as exact string matches, not network ranges, so an address must be written identically on both sides to match.
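The script below is an added illustration of the Host-Domain and URL, Hash, and IPv6 matching sections above. It is not Observe code or OPAL; the proxy records, process records, feed contents and field names are constructed, and the hash IOC is the SHA-256 of a constructed byte string rather than a real sample. It extracts the host from each URL before matching against a host-domain list, matches full URLs after a light canonicalisation, lowercases hashes before exact matching, and, for IPv6, canonicalises both the log value and the threatlist entry so that the exact-string comparison the page describes is not defeated by formatting differences. Treating the top-sites list as an exclusion is this example's reading of how the page's noise reduction works.

```python
"""Host-domain, URL, hash and IPv6 IOC matching, as an added illustration (not Observe code).

Field names, feeds and log records are all constructed for this example.
"""
import hashlib
import ipaddress
from urllib.parse import urlsplit

# Constructed proxy records (url as a proxy would log it).
WEB_LOGS = [
    {"src": "10.1.2.3", "url": "http://malicious.example/payload.bin"},
    {"src": "10.1.2.4", "url": "https://Malicious.Example:8443/login?x=1"},
    {"src": "10.1.2.5", "url": "https://benign.example/index.html"},
    {"src": "10.1.2.6", "url": "https://cdn.popular.example/lib.js"},
    {"src": "10.1.2.7", "url": "https://Other.Example/evil/path"},
]
# Constructed stand-ins for the unified host-domain and URL threatlists.
UNIFIED_HOSTS = {"malicious.example": "feedA", "cdn.popular.example": "feedB"}
UNIFIED_URLS = {"https://other.example/evil/path": "feedC"}
# Constructed stand-in for the top-sites list the page says cuts noise on
# host-domain matches; assumed here to act as an exclusion list.
POPULAR_SITES = {"cdn.popular.example"}


def extract_host(url):
    """Host part only: urlsplit lowercases it and strips port and credentials."""
    return urlsplit(url).hostname or ""


def normalize_url(url):
    """Canonical form so exact URL matching survives case differences in scheme and host."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port and p.port not in (80, 443) else ""
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme.lower()}://{p.hostname or ''}{port}{p.path}{query}"


def match_hosts(records, hostlist, allowlist):
    """Host-domain matches, skipping hosts on the popular-sites allowlist."""
    hits = []
    for r in records:
        host = extract_host(r["url"])
        if host in allowlist or host not in hostlist:
            continue
        hits.append({**r, "host": host, "threat_source": hostlist[host]})
    return hits


def match_urls(records, urllist):
    """Exact-match on the canonicalised URL; more precise than host matching."""
    hits = []
    for r in records:
        u = normalize_url(r["url"])
        if u in urllist:
            hits.append({**r, "norm_url": u, "threat_source": urllist[u]})
    return hits


# Hash matching: exact match on lowercased hex. Both the IOC and the logged
# value derive from a constructed byte string, not real malware.
SAMPLE_BYTES = b"MZ\x90\x00 constructed sample, not malware"
UNIFIED_HASHES = {hashlib.sha256(SAMPLE_BYTES).hexdigest(): "feedD"}
PROCESS_LOGS = [
    {"host": "ws01", "sha256": hashlib.sha256(SAMPLE_BYTES).hexdigest().upper()},
    {"host": "ws02", "sha256": hashlib.sha256(b"something else").hexdigest()},
]


def match_hashes(records, hashlist):
    """Loggers often emit uppercase hex; normalise case before the exact match."""
    return [{**r, "threat_source": hashlist[r["sha256"].lower()]}
            for r in records if r["sha256"].lower() in hashlist]


# IPv6: matched as exact strings, not ranges, so canonicalise both sides to
# the compressed form. A prefix entry cannot be used by exact matching and is skipped.
UNIFIED_IPV6 = {"2001:db8::1": "feedE", "2001:db8:1::/64": "feedE"}
IPV6_LOGS = [
    {"src": "2001:0db8:0000:0000:0000:0000:0000:0001"},  # expanded form of 2001:db8::1
    {"src": "2001:db8:1::beef"},                          # inside the /64 entry: not matched
    {"src": "2001:db8::2"},
]


def canon6(value):
    """Compressed canonical IPv6 text, or None for ranges and junk."""
    try:
        return str(ipaddress.IPv6Address(value))
    except ValueError:
        return None


def match_ipv6(records, v6list):
    """Exact-string IPv6 matching after canonicalising both the list and the records."""
    canon_list = {canon6(e): s for e, s in v6list.items() if canon6(e) is not None}
    return [{**r, "threat_source": canon_list[canon6(r["src"])]}
            for r in records if canon6(r["src"]) in canon_list]
```

The IPv6 record written in expanded form only matches because both sides are canonicalised; without that step the page's exact-string behaviour would miss it. The `/64` entry is dropped rather than expanded, which mirrors the current limitation that ranges are not applied for IPv6.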

GeoIP Enrichment

If you want to add geographical enrichment (such as latitude, longitude, country, or city) to your IP addresses, see the lookup_ip_info OPAL command.