Below is a Screenshot of the last 24 hours view in the RSA FirstWatch Malware Sandbox. Everything in the alert field represents KNOWN threats. This makes it quite simple to filter out what is known to analyze traffic that is unknown.
Heh, If I was working a SOC shift and my alert fields looked like this, I'd probably want to quit and wish the IT response teams lotsaluck.
Much of this content that creates these alerts have been shared over this Community. Check the latest blogs!
Wow. You have more malware hosted in there than a Ukranian pr0n server.
Any chance you can share some interesting parsers or Informer rules/charts/alerts too? There seems to be a distinct lack of examples, particularly of cool parsers, that we can use to get new ideas from.
At FirstWatch, one of our goals is to create rules using the default Live content to enable the broadest group of customers possible to detect these threats. There have been a couple of parsers come out of our effort, but its mainly for research purposes at this point- for example, parsing out the additional HTML headers of VIA, ETAG and others.
See my other posts (click on my name) to see some of the cool Informer rules, reports and other content I've posted 'round here.