This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Feed Me! Cisco AMP ThreatGrid Intelligence Feeds

Anonymous
Not applicable
‎2017-04-04 04:14 AM

I'm sure you know that RSA Netwitness for Logs and Packets includes the ability to register for a Cisco AMP ThreatGrid API Key through RSA's partnership with Cisco AMP ThreatGrid. You can use this API key to enable sandbox analysis with the RSA NetWitness Malware Analysis service. If you haven't done so already, check out the documentation here MA: (Optional) Register for a ThreatGrid API Key  for details on how to register. 

 

What you may not know, is that you can also use that API key to download Cisco AMP ThreatGrid's Intelligence Feeds. Every hour or so, Cisco AMP ThreatGrid takes the artefacts from their sandbox analysis and create 15 Intelligence Feeds - we can use 12 of them directly in RSA NetWitness for Logs and Packets. It's easy to set these up as feeds using the Custom Feed Wizard in RSA NetWitness Logs and Packets.

 

Once you have your Cisco AMP ThreatGrid API key and login details, login to the portal, and click on the Help icon to access the Feeds Documentation. It will be in the middle of the page:

 

pastedImage_7.png

 

Follow the Cisco AMP ThreatGrid documentation to see which feeds make sense for your environment. At the time of writing, there are 15 feeds available. The feeds that end with -dns are feeds that match on a DNS lookup for a host - these are the feeds that we will integrate with RSA NetWitness for Logs and Packets:

 

pastedImage_9.png

 

The format for the URL to retrieve the feed is quite simple:

https://panacea.threatgrid.com/api/v3/feeds/feed_name.format?api_key=1234567890

pastedImage_12.png

Once you have your API key ready, and the list of feeds you want to integrate, head to the RSA NetWitness Custom Feed Wizard under Live --> Feeds, where you will see any existing custom feeds:

pastedImage_21.png

Click on the + to create a new custom feed:

pastedImage_22.png

Then enter the details for your feed. Here is a list of all the URL's for all the feeds - just put your key in at the end instead of 1234567890 ...

https://panacea.threatgrid.com/api/v3/feeds/banking-dns.csv?api_key=1234567890
https://panacea.threatgrid.com/api/v3/feeds/dll-hijacking-dns.csv?api_key=1234567890
https://panacea.threatgrid.com/api/v3/feeds/doc-net-com-dns.csv?api_key=1234567890
https://panacea.threatgrid.com/api/v3/feeds/downloaded-pe-dns.csv?api_key=1234567890
https://panacea.threatgrid.com/api/v3/feeds/dynamic-dns.csv?api_key=1234567890
https://panacea.threatgrid.com/api/v3/feeds/irc-dns.csv?api_key=1234567890
https://panacea.threatgrid.com/api/v3/feeds/modified-hosts-dns.csv?api_key=1234567890
https://panacea.threatgrid.com/api/v3/feeds/parked-dns.csv?api_key=1234567890
https://panacea.threatgrid.com/api/v3/feeds/public-ip-check-dns.csv?api_key=1234567890
https://panacea.threatgrid.com/api/v3/feeds/ransomware-dns.csv?api_key=1234567890
https://panacea.threatgrid.com/api/v3/feeds/rat-dns.csv?api_key=1234567890
https://panacea.threatgrid.com/api/v3/feeds/sinkholed-ip-dns.csv?api_key=1234567890
https://panacea.threatgrid.com/api/v3/feeds/stolen-cert-dns.csv?api_key=1234567890‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Make sure you select Recurring as the "Feed Task Type" - this will let you download the feed directly from Cisco AMP ThreatGrid - and set the "Recur Every" variable to 1 hour for fresh feeds:

pastedImage_23.png

Click the Verify button to make sure RSA NetWitness can connect to the URL and get the green tick:

pastedImage_24.png

Next, choose which of your Decoders to apply this feed to. It will work for both Packet and Log Decoders (but it's always a good idea to test first before rolling into production!):

pastedImage_26.png

Next, we get to define how to use the data in the feed. This will be a Non-IP feed (we want to match on the hostname in the feed), the Index will be in column 2 (the hostname), and the Callback Key (the key we want to match against) will be alias.host.

pastedImage_27.png

The other columns can be mapped to whatever meta keys you want to use in your environment. For my example, I used:

  • threat.desc - Threat Description for the first column as I often use the Threat Keys (threat.source, threat.desc, threat.cat) for reviewing data
  • <key>
  • alias.ip - this is the IP address that the hostname resolved to when the feed was created. For a more advanced implementation of this feed you may want to investigate how to create a feed with multiple indexes
  • tg.date - the date of the feed
  • tg.analysis - a link to the Cisco AMP ThreatGrid portal for analysis of the hostname
  • tg.sample - a link to the Cisco AMP ThreatGrid portal for a malware sample
  • tg.md5 - MD5 hash
  • tg.sha256 - SHA256 hash
  • tg.sha1 - SHA1 hash

(None of these new keys need to be indexed (unless you want to) so there is no need to modify the index-concentrator-custom.xml files).

Next, review your settings:

pastedImage_36.png

When finished, confirm that your feed ran:

pastedImage_37.png

Repeat this process for each of the feeds that you want to integrate:

pastedImage_38.png

The last (optional) step, is to create an Application Rule that will label the Threat Source that this feed comes from. We can simply check for the tg.analysis key to see if any of our feeds have triggered:

pastedImage_39.png

Rule Name - Cisco AMP ThreatGrid

Condition - tg.analysis exists

Alert on - threat.source

Now we can simply search for threat.source = 'cisco amp threatgrid' to find any hits.

Happy Hunting!

3 Comments
© 2022 RSA Security LLC or its affiliates. All rights reserved.