With the rapid growth in the number of threat intelligence providers and services, standard formats and protocols for exchanging threat intelligence became a necessity. With the emergence of STIX (Structured Threat Information eXpression), threat intelligence providers, application vendors, and users can share and leverage threat intelligence by speaking a common language. (For additional information about STIX, see Structured Threat Information eXpression.)
With the release of Security Analytics 10.6.1, RSA will begin providing initial, basic support for the STIX threat intelligence file format. This initial support is limited to threat indicators carried in STIX 'Observables' and 'Indicators': specifically, a user will be able to import indicators such as IP addresses, file hashes, and URLs. As with the existing ability in Security Analytics to import custom CSV-based threat intelligence feeds, a user will be able to map the intelligence imported from a STIX feed to metadata that the SA decoders create at packet and/or log capture time. Once that metadata has been created, a user can leverage it during threat detection and during the threat investigation workflows.
Custom Feed Importing:
As mentioned, importing a STIX feed is similar to importing a Live Custom Feed (see Live Custom Feed Configuration). After selecting the STIX feed type, a user can choose either a one-time 'Adhoc' import from a file on disk or a 'Recurring' feed fetched from a specified URL. For a recurring feed, prefer an HTTPS URL where the provider offers one, since indicators pulled over plain HTTP can be altered in transit.
Specify STIX and 'Adhoc' or 'Recurring'.
Mapping to Meta Data:
Once the feed is specified, the user maps the imported indicator values (IP addresses, file hashes, URLs) to the metadata keys that the decoders should populate when a captured packet or log contains a matching value.
Leveraging During Investigation:
After the import or recurring-feed configuration is complete, SA decoders begin creating metadata at capture time whenever captured packets or logs contain an imported indicator. Once that metadata has been created, users can leverage the STIX-based threat intelligence during subsequent investigations.
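As an added worked example, and not RSA's code or part of the original page, the script below does offline what the three steps above describe: it parses a constructed STIX 1.2 package for Observables and Indicators carrying IP addresses, file hashes and URLs, renders them as a CSV in the shape of a custom feed, and then performs the lookup a decoder would do against captured metadata. The sample package, the CSV column names, the capture meta key names (ip.src, ip.dst, checksum, url) and the added meta keys (stix.id, threat.desc) are assumptions for illustration only.

```python
"""Added example, not RSA Security Analytics code: extract IP, hash and URL indicators
from STIX 1.x Observables/Indicators, write them in custom-feed CSV shape, and run the
lookup a decoder does against captured meta. STIX sample and key names are assumptions."""
import csv
import io
import xml.etree.ElementTree as ET

NS = {"stix": "http://stix.mitre.org/stix-1", "indicator": "http://stix.mitre.org/Indicator-2",
      "cybox": "http://cybox.mitre.org/cybox-2", "cyboxCommon": "http://cybox.mitre.org/common-2",
      "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2", "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
      "URIObj": "http://cybox.mitre.org/objects#URIObject-2", "xsi": "http://www.w3.org/2001/XMLSchema-instance"}
XSI_TYPE = "{%s}type" % NS["xsi"]
CYBOX_DELIM = "##comma##"  # CybOX 2 default separator when one element carries several values

# Constructed STIX 1.2 package: one top-level Observable plus two Indicators.
SAMPLE_STIX = """<stix:STIX_Package id="example:package-1" version="1.2" %s>
 <stix:Observables cybox_major_version="2" cybox_minor_version="1">
  <cybox:Observable id="example:observable-1"><cybox:Title>Phishing page</cybox:Title>
   <cybox:Object><cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
    <URIObj:Value>http://bad.example/login</URIObj:Value></cybox:Properties></cybox:Object>
  </cybox:Observable>
 </stix:Observables>
 <stix:Indicators>
  <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
   <indicator:Title>C2 addresses</indicator:Title>
   <indicator:Observable><cybox:Object>
    <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
     <AddressObj:Address_Value>203.0.113.5##comma##203.0.113.6</AddressObj:Address_Value>
    </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
  <stix:Indicator id="example:indicator-2" xsi:type="indicator:IndicatorType">
   <indicator:Title>Dropper binary</indicator:Title>
   <indicator:Observable><cybox:Object><cybox:Properties xsi:type="FileObj:FileObjectType">
    <FileObj:Hashes><cyboxCommon:Hash><cyboxCommon:Type>MD5</cyboxCommon:Type>
     <cyboxCommon:Simple_Hash_Value>0123456789abcdef0123456789abcdef</cyboxCommon:Simple_Hash_Value>
    </cyboxCommon:Hash></FileObj:Hashes></cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
 </stix:Indicators>
</stix:STIX_Package>""" % " ".join('xmlns:%s="%s"' % kv for kv in NS.items())

def _text(el, path):
    return (el.findtext(path, "", NS) or "").strip()

def extract_indicators(stix_xml):
    """Unique (kind, value, stix_id, title) tuples for the IP, hash and URL observables."""
    root = ET.fromstring(stix_xml)
    found, seen = [], set()
    containers = root.findall("stix:Indicators/stix:Indicator", NS) + root.findall("stix:Observables/cybox:Observable", NS)
    for c in containers:
        sid, title = c.get("id", ""), _text(c, "indicator:Title") or _text(c, "cybox:Title")
        for props in c.iter("{%s}Properties" % NS["cybox"]):
            # the xsi:type prefix is producer-chosen, so match on the local type name only
            ptype, rows = props.get(XSI_TYPE, "").split(":")[-1], []
            if ptype == "AddressObjectType" and props.get("category", "ipv4-addr").startswith("ipv"):
                rows = [("ip", v) for v in _text(props, "AddressObj:Address_Value").split(CYBOX_DELIM)]
            elif ptype == "FileObjectType":
                for h in props.iter("{%s}Hash" % NS["cyboxCommon"]):
                    rows.append(("hash-" + _text(h, "cyboxCommon:Type").lower(),
                                 _text(h, "cyboxCommon:Simple_Hash_Value").lower()))
            elif ptype == "URIObjectType":
                rows = [("url", _text(props, "URIObj:Value"))]
            for kind, value in rows:
                value = value.strip()
                if value and (kind, value) not in seen:  # de-duplicate across indicators
                    seen.add((kind, value))
                    found.append((kind, value, sid, title))
    return found

def to_feed_csv(rows):
    """Custom-feed shaped CSV: first column is the index value, the rest are callback meta (assumed names)."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["indicator", "kind", "stix_id", "threat.desc"])
    w.writerows([value, kind, sid, title] for kind, value, sid, title in rows)
    return buf.getvalue()

META_FAMILY = {"ip.src": "ip", "ip.dst": "ip", "checksum": "hash", "url": "url"}  # assumed capture meta keys

def build_index(rows):
    index = {"ip": {}, "hash": {}, "url": {}}
    for kind, value, sid, title in rows:
        index["hash" if kind.startswith("hash-") else kind][value.lower()] = (kind, sid, title)
    return index

def enrich_session(index, session):
    """Meta a decoder would add for one session's captured meta; [] when nothing matches."""
    hits = []
    for key, value in session.items():
        fam = META_FAMILY.get(key)
        hit = index[fam].get(str(value).lower()) if fam else None  # lower(): uppercase hex hashes still match
        if hit:
            hits.append({"meta_key": key, "indicator": str(value), "kind": hit[0],
                         "stix.id": hit[1], "threat.desc": hit[2]})
    return hits

# Constructed session meta, as a decoder would have parsed it at capture time.
SESSIONS = [{"ip.src": "10.0.0.4", "ip.dst": "203.0.113.6", "url": "http://benign.example/"},
            {"ip.src": "10.0.0.9", "checksum": "0123456789ABCDEF0123456789ABCDEF"},
            {"ip.src": "10.0.0.2", "ip.dst": "192.0.2.11", "url": "http://bad.example/login"}]
```

Two details matter when doing this against real feeds: CybOX allows several values in one element separated by `##comma##` (a producer can also override the delimiter with a `delimiter` attribute, which this example does not handle), and the `xsi:type` prefix is whatever the producer declared, so match on the local type name rather than on `AddressObj:`. Hash values are lower-cased on both sides so that a checksum a decoder emits in upper-case hex still matches the feed.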