I'm sure you know that RSA Netwitness for Logs and Packets includes the ability to register for a Cisco AMP ThreatGrid API Key through RSA's partnership with Cisco AMP ThreatGrid. You can use this API key to enable sandbox analysis with the RSA NetWitness Malware Analysis service. If you haven't done so already, check out the documentation here MA: (Optional) Register for a ThreatGrid API Key for details on how to register.
What you may not know, is that you can also use that API key to download Cisco AMP ThreatGrid's Intelligence Feeds. Every hour or so, Cisco AMP ThreatGrid takes the artefacts from their sandbox analysis and create 15 Intelligence Feeds - we can use 12 of them directly in RSA NetWitness for Logs and Packets. It's easy to set these up as feeds using the Custom Feed Wizard in RSA NetWitness Logs and Packets.
Once you have your Cisco AMP ThreatGrid API key and login details, login to the portal, and click on the Help icon to access the Feeds Documentation. It will be in the middle of the page:
Follow the Cisco AMP ThreatGrid documentation to see which feeds make sense for your environment. At the time of writing, there are 15 feeds available. The feeds that end with -dns are feeds that match on a DNS lookup for a host - these are the feeds that we will integrate with RSA NetWitness for Logs and Packets:
The format for the URL to retrieve the feed is quite simple:
Make sure you select Recurring as the "Feed Task Type" - this will let you download the feed directly from Cisco AMP ThreatGrid - and set the "Recur Every" variable to 1 hour for fresh feeds:
Click the Verify button to make sure RSA NetWitness can connect to the URL and get the green tick:
Next, choose which of your Decoders to apply this feed to. It will work for both Packet and Log Decoders (but it's always a good idea to test first before rolling into production!):
Next, we get to define how to use the data in the feed. This will be a Non-IP feed (we want to match on the hostname in the feed), the Index will be in column 2 (the hostname), and the Callback Key (the key we want to match against) will be alias.host.
The other columns can be mapped to whatever meta keys you want to use in your environment. For my example, I used:
threat.desc - Threat Description for the first column as I often use the Threat Keys (threat.source, threat.desc, threat.cat) for reviewing data
alias.ip - this is the IP address that the hostname resolved to when the feed was created. For a more advanced implementation of this feed you may want to investigate how to create a feed with multiple indexes
tg.date - the date of the feed
tg.analysis - a link to the Cisco AMP ThreatGrid portal for analysis of the hostname
tg.sample - a link to the Cisco AMP ThreatGrid portal for a malware sample
tg.md5 - MD5 hash
tg.sha256 - SHA256 hash
tg.sha1 - SHA1 hash
(None of these new keys need to be indexed (unless you want to) so there is no need to modify the index-concentrator-custom.xml files).
Next, review your settings:
When finished, confirm that your feed ran:
Repeat this process for each of the feeds that you want to integrate:
The last (optional) step, is to create an Application Rule that will label the Threat Source that this feed comes from. We can simply check for the tg.analysis key to see if any of our feeds have triggered:
Rule Name - Cisco AMP ThreatGrid
Condition - tg.analysis exists
Alert on - threat.source
Now we can simply search for threat.source = 'cisco amp threatgrid' to find any hits.