This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Introducing the New RSA OSINT Threat Feeds

SeanEnnis1
New Contributor New Contributor
New Contributor
‎2020-09-10 12:29 PM

We are excited to announce the release of the new RSA OSINT Indicator feed, powered by ThreatConnect!

 

What is it?

There are two new feeds that have been introduced to RSA Live, built on Open Source Intelligence (OSINT) that has been curated and scored by our partners at ThreatConnect:

  • RSA OSINT IP Threat Intel Feed, including Tor Exit Nodes
  • RSA OSINT Non-IP Threat Intel Feed, which includes indicators of types:
    • Email Address
    • URLs
    • Hostnames
    • File Hashes


These feeds are automatically aggregated, de-duplicated, aged and scored with ThreatConnect's ThreatAssess score. ThreatAssess is a metric combining both the severity and confidence of an indicator, giving analysts a simple indication of the potential impact when a matching indicator is observed.  Higher ThreatAssess scores mean higher potential impact.  The range is 0-1000, with RSA opting to focus on the highest fidelity indicators with scores 500 or greater (as of the 11.5 release - subject to change as needed)

 

Note: The frequency of feed change is every day at 10 AM IST.

 

Who gets it?

These feeds are included for any customer, with any combination of RSA NetWitness Logs, RSA NetWitness Packets, or RSA NetWitness Endpoint under active maintenance at no charge. The feed will work on any version of RSA NetWitness, but please see the How do I deploy it? section for notes on version-specific considerations.

 

How do I deploy it?

These feeds will show up in RSA Live as follows:

Matching Resources new.PNG

 

To deploy and/or subscribe to the feed, please take a look at the detailed instructions here: Live: Manage Live Resources 

 

11.4 and earlier customers will want to add a new ioc.score meta key to their Concentrator(s) in order to be able to query and take advantage of the ThreatAssess score of any matched indicator. Please see How to add custom meta keys in RSA NetWitness Platform  for details on how to do this. Please note that this meta key should be of type Uint16 - inside the index file, the definition should look similar to this:

pastedImage_5.png

 

11.5 and greater customers do not need to add this key, as it's already included by default.

 

 

How do I use it?

Once the feeds are deployed, any events or sessions with matching indicators will be enriched with two additional meta values, ioc and ioc.score.  These values are available for use in all search, investigation, and reporting use cases assuming those keys have been enabled.

 

Events.png

eg. Events filter view

pastedImage_3.png

eg. Event reconstruction view

 

What happens to the "RSA FirstWatch" and Tor Exit Node feeds?

If you are running these new feeds, you do not need to run the existing RSA FirstWatch & Tor Exit Node feeds in parallel as they are highly redundant and tend to be less informative when matches occur.  At some point in the near future once we believe impact will be minimal, we will officially deprecate the RSA FirstWatch & Standalone Tor Exit Node feeds.

 

Do you have ideas?

If you have ideas on how to make these feeds better, ideas for content creation leveraging these feeds, or anything else in the  NetWitness portfolio, please submit and vote on ideas in the NetWitness Ideas portal: Ideas for the NetWitness Platform 

4 Comments
JonathanScher
Occasional Contributor Occasional Contributor
Occasional Contributor
‎2020-11-04 10:50 AM
‎2020-11-04 10:50 AM

How can I query for Tor Exit Nodes in the "OSINT IP Threat Intel Feed" ?

0 Likes
SeanEnnis1
New Contributor New Contributor
New Contributor
‎2020-11-04 10:59 AM
‎2020-11-04 10:59 AM

The best query will be ioc = 'dan.me tor exit nodes' - that is the only TOR source included as part of the feed.

EnMihashi
New Contributor New Contributor
New Contributor
‎2021-02-14 10:38 PM
‎2021-02-14 10:38 PM

Is there any descriptions of ioc or scoring from threatconnect? 

0 Likes
SeanEnnis1
New Contributor New Contributor
New Contributor
‎2021-02-15 09:51 AM
‎2021-02-15 09:51 AM

The score registered as ioc.score is taken directly from the ThreatConnect ThreatAssess score for any given indicator.  This score combines threat severity (threat rating) score and confidence into a single value between 0-1000.  Some details on the algorithm can be found here: https://threatconnect.com/blog/data-driven-threat-intelligence/ 

 

Essentially, the higher the value the more actionable the indicator should be if observed in an environment.  As always, context around exactly how the indicator was observed should always be taken into account to help validate or invalidate the relative importance in your environment.

 

The values for ioc are simply representing the OSINT source that has been aggregated via ThreatConnect.  The value in there is typically the name of the underlying provider of the feed, and any sub-context where applicable.  We've had some feedback that this is a bit misleading, and are looking to adjust the meta key used from ioc to something more self-describing like threat.source.  We certainly welcome all feedback.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.