Analyst1 Indicator

The Analyst1 Indicator integration fetches data from a specified sensor of type "Indicator" within the Analyst1 platform.

If interval_hours is set to 0, the integration will attempt to download additional content each time the Corelight-update service runs. See Configuration settings.

Once downloaded, the data is merged with all other intel files (if any) and published. If "intel" is enabled in the "push_content" settings, the file is automatically pushed to the Fleet Manager policy and/or all sensors in the policy. See Push content settings for more details.

Analyst1 indicator types and fields are mapped as follows:

Analyst1 Indicator type mapping

Analyst1 Indicator Type    Zeek Indicator Type
-----------------------    -------------------
ip                         Intel::ADDR
ipv6                       Intel::ADDR
file                       Intel::FILE_HASH
email                      Intel::EMAIL
httpRequest                Intel::URL
url                        Intel::URL
domain                     Intel::DOMAIN

Analyst1 Indicator field mapping

Intel File Field     Analyst1 Field                                  Description
-------------------  ----------------------------------------------  -----------------------------------------------------------
indicator            value.name                                      The indicator value.
indicator_type       type                                            Based on the indicator type map listed above.
meta.source          sources.title                                   The source of the indicator.
meta.desc            description                                     The detailed description of the indicator.
meta.url             constructed from user config and indicator id   URL built from the configured base URL and the indicator id.
meta.do_notice       from user config                                From user config (the per-type do_notice_* settings).
meta.confidence      confidenceLevel                                 The indicator's confidence level (by default indicators have no confidence level; if set, it was set by an analyst).
meta.threat_score    not available
meta.risk_score      indicatorRiskScore                              The indicator risk score.
meta.verdict         constructed from Benign                         The indicator's benign status (by default indicators are not benign and are assumed to be an indicator of compromise).
meta.verdict_source  not available
meta.firstseen       activityRange.startDate                         The start date for activity associated with the indicator.
meta.lastseen        activityRange.endDate                           The latest date for activity associated with the indicator.
meta.associated      targets, attackPatterns, actors, malwares       The targets, attack patterns, actors, and malwares associated with the indicator.
meta.category        not available
meta.campaigns       not available
meta.reports         reportCount                                     The count of evidence files associated with the indicator as of the request.

Settings

analyst1_indicator:
    client_id: ""                  # Analyst1 API Client ID
    client_secret: ""              # Analyst1 API Secret
    url: ""                        # Analyst1 Base URL (also used to build meta.url)
    interval_hours: 1              # Hours between downloads; 0 = every Corelight-update run
    enabled: false                 # Set to true to activate the integration
    intel_sensor_id: 0             # Sensor ID (sensor must be of type "Indicator")
    debug: false                   # Enable debug logging
    ignore_tls: false              # Skip TLS certificate verification; keep false in production
    request_limit: 1000
    do_notice_ipv4: false          # Per-type value written to meta.do_notice
    do_notice_ipv6: false
    do_notice_file: false
    do_notice_email: false
    do_notice_domain: false
    do_notice_httpRequest: false
    do_notice_url: false
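
The following is an added example, not the integration's own code, showing how the type and field mappings and the settings above combine into rows of the intel file: one row per Analyst1 source, meta.url built from the configured base URL and indicator id, meta.do_notice from the per-type do_notice_* setting, and unavailable fields written as "-". The record layout and the key name "benign" are assumptions based on the field names in the mapping table; the sample record is constructed.

```python
from typing import Dict, List
# Analyst1 indicator type -> Zeek intel type, per the mapping table above
TYPE_MAP = {"ip": "Intel::ADDR", "ipv6": "Intel::ADDR", "file": "Intel::FILE_HASH",
            "email": "Intel::EMAIL", "httpRequest": "Intel::URL", "url": "Intel::URL",
            "domain": "Intel::DOMAIN"}
# Column order of the intel file, matching the #fields header of the sample file below
FIELDS = ["indicator", "indicator_type", "meta.source", "meta.desc", "meta.url",
          "meta.do_notice", "meta.confidence", "meta.threat_score", "meta.risk_score",
          "meta.verdict", "meta.verdict_source", "meta.firstseen", "meta.lastseen",
          "meta.associated", "meta.category", "meta.campaigns", "meta.reports"]
# Analyst1 list key -> label used in the meta.associated column of the sample file
ASSOC_LABELS = [("actors", "Actor"), ("attackPatterns", "Attack Pattern"),
                ("targets", "Target"), ("malwares", "Malware")]

def _cell(v) -> str:
    """Unset fields become '-'; a tab or newline inside a value would shift later columns."""
    if v is None or v == "" or v == []:
        return "-"
    return str(v).replace("\t", " ").replace("\n", " ")

def indicator_rows(ind: Dict, config: Dict) -> List[str]:
    """One tab-separated intel row per Analyst1 source, as in the sample file."""
    zeek_type = TYPE_MAP[ind["type"]]  # KeyError on purpose: never emit an unmapped type
    url = f"{config['url'].rstrip('/')}/indicators/{ind['id']}"  # base URL + indicator id
    do_notice = "T" if config.get(f"do_notice_{ind['type']}") else "F"  # per-type setting
    verdict = "benign" if ind.get("benign") else "malicious"  # key name 'benign' is assumed
    rng = ind.get("activityRange") or {}
    associated = "; ".join(f"{label}:{name}" for key, label in ASSOC_LABELS
                           for name in ind.get(key) or [])
    rows = []
    for source in ind.get("sources") or [{}]:
        values = [ind["value"]["name"], zeek_type, source.get("title"),
                  ind.get("description"), url, do_notice, ind.get("confidenceLevel"),
                  None, ind.get("indicatorRiskScore"), verdict, None,  # threat_score, verdict_source n/a
                  rng.get("startDate"), rng.get("endDate"), associated,
                  None, None, ind.get("reportCount")]  # category, campaigns n/a
        rows.append("\t".join(_cell(v) for v in values))
    return rows

def intel_file(indicators: List[Dict], config: Dict) -> str:
    body = [r for ind in indicators for r in indicator_rows(ind, config)]
    return "\n".join(["#fields\t" + "\t".join(FIELDS)] + body) + "\n"

# Constructed sample record (field names from the mapping table; not real API output)
SAMPLE = {"id": 62675, "type": "domain", "value": {"name": "dedydns.ns01.us"},
          "sources": [{"title": "Fireeye"}, {"title": "APTgroups"}], "benign": False,
          "description": "dedydns.ns01.us from an OTX pulse", "confidenceLevel": "high",
          "indicatorRiskScore": "Unknown", "reportCount": 2, "actors": ["Nitro", "STONE PANDA"],
          "activityRange": {"startDate": "2013-09-11", "endDate": "2013-09-11"}, "malwares": ["PoisonIvy", "PlugX"]}
CONFIG = {"url": "https://partner.cloud.analyst1.com/", "do_notice_domain": True}
```

Calling intel_file([SAMPLE], CONFIG) yields a header line plus two rows that differ only in meta.source, the same shape as the sample file below.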

The following is a sample intel input file created by this integration, using tab-separated values.

#fields       indicator       indicator_type  meta.source     meta.desc       meta.url        meta.do_notice  meta.confidence meta.threat_score       meta.risk_score meta.verdict    meta.verdict_source     meta.firstseen  meta.lastseen   meta.associated meta.category   meta.campaigns  meta.reports
0B680E7BD5C0501D5DD73164122A7FAFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA      Intel::FILE_HASH        ThreatExpert    Backdoor.Trojan [Symantec], Trojan.Win32.Agent2.lpa [Kaspersky Lab], Troj/Dloadr-DCE [Sophos], Trojan.Win32.Agent [Ikarus],     https://partner.cloud.analyst1.com/indicators/2702      F       high    -       High    malicious       -       -       -       Actor:COMMENT PANDA; Attack Pattern:Credential Access - Credentials from Password Stores: Credentials from Web Browsers [T1555.003]; Target:No Target/Victim    -       -       -
0B680E7BD5C0501D5DD73164122A7FAFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA      Intel::FILE_HASH        Mandiant Blog   Backdoor.Trojan [Symantec], Trojan.Win32.Agent2.lpa [Kaspersky Lab], Troj/Dloadr-DCE [Sophos], Trojan.Win32.Agent [Ikarus],     https://partner.cloud.analyst1.com/indicators/2702      F       high    -       High    malicious       -       -       -       Actor:COMMENT PANDA; Attack Pattern:Credential Access - Credentials from Password Stores: Credentials from Web Browsers [T1555.003]; Target:No Target/Victim    -       -       -
ocry.com      Intel::DOMAIN   SecureList      This URL:[http://voeazulpontos.ocry.com/tudoazul/7GMYxQRnSq] was identified by phishtank.com as part of a phishing email. This URL appears to still be online as of 2017-01-27T16:34:49+00:00. More detailed infomation can be found at http://www.phishtank.com/phish_detail.php?phish_id=4773333      https://partner.cloud.analyst1.com/indicators/62490     F       high    -       High    malicious       -       2013-09-09      2021-10-05      Actor:COMMENT PANDA; Actor:PIRATEPANDA; Actor:yalishanda; Target:No Target/Victim; Target:Financial Industry; Target:Government Industry; Target:Aerospace Industry     -       -       -
ocry.com      Intel::DOMAIN   Symantec        This URL:[http://voeazulpontos.ocry.com/tudoazul/7GMYxQRnSq] was identified by phishtank.com as part of a phishing email. This URL appears to still be online as of 2017-01-27T16:34:49+00:00. More detailed infomation can be found at http://www.phishtank.com/phish_detail.php?phish_id=4773333      https://partner.cloud.analyst1.com/indicators/62490     F       high    -       High    malicious       -       2013-09-09      2021-10-05      Actor:COMMENT PANDA; Actor:PIRATEPANDA; Actor:yalishanda; Target:No Target/Victim; Target:Financial Industry; Target:Government Industry; Target:Aerospace Industry     -       -       -
ocry.com      Intel::DOMAIN   APTgroups       This URL:[http://voeazulpontos.ocry.com/tudoazul/7GMYxQRnSq] was identified by phishtank.com as part of a phishing email. This URL appears to still be online as of 2017-01-27T16:34:49+00:00. More detailed infomation can be found at http://www.phishtank.com/phish_detail.php?phish_id=4773333      https://partner.cloud.analyst1.com/indicators/62490     F       high    -       High    malicious       -       2013-09-09      2021-10-05      Actor:COMMENT PANDA; Actor:PIRATEPANDA; Actor:yalishanda; Target:No Target/Victim; Target:Financial Industry; Target:Government Industry; Target:Aerospace Industry     -       -       -
ocry.com      Intel::DOMAIN   phishtank.com   This URL:[http://voeazulpontos.ocry.com/tudoazul/7GMYxQRnSq] was identified by phishtank.com as part of a phishing email. This URL appears to still be online as of 2017-01-27T16:34:49+00:00. More detailed infomation can be found at http://www.phishtank.com/phish_detail.php?phish_id=4773333      https://partner.cloud.analyst1.com/indicators/62490     F       high    -       High    malicious       -       2013-09-09      2021-10-05      Actor:COMMENT PANDA; Actor:PIRATEPANDA; Actor:yalishanda; Target:No Target/Victim; Target:Financial Industry; Target:Government Industry; Target:Aerospace Industry     -       -       -
ocry.com      Intel::DOMAIN   AlienVault (user_AlienVault)    This URL:[http://voeazulpontos.ocry.com/tudoazul/7GMYxQRnSq] was identified by phishtank.com as part of a phishing email. This URL appears to still be online as of 2017-01-27T16:34:49+00:00. More detailed infomation can be found at http://www.phishtank.com/phish_detail.php?phish_id=4773333      https://partner.cloud.analyst1.com/indicators/62490     F       high    -       High    malicious       -       2013-09-09      2021-10-05      Actor:COMMENT PANDA; Actor:PIRATEPANDA; Actor:yalishanda; Target:No Target/Victim; Target:Financial Industry; Target:Government Industry; Target:Aerospace Industry     -       -       -
dedydns.ns01.us       Intel::DOMAIN   Fireeye dedydns.ns01.us from https://otx.alienvault.com/pulse/5c594bbd4b460c40f8b4a223  https://partner.cloud.analyst1.com/indicators/62675     F       high    -       Unknown malicious       -       2013-09-11      2013-09-11      Actor:Nitro; Actor:STONE PANDA; Malware:PoisonIvy; Malware:PlugX        -       -       -
dedydns.ns01.us       Intel::DOMAIN   APTgroups       dedydns.ns01.us from https://otx.alienvault.com/pulse/5c594bbd4b460c40f8b4a223  https://partner.cloud.analyst1.com/indicators/62675     F       high    -       Unknown malicious       -       2013-09-11      2013-09-11      Actor:Nitro; Actor:STONE PANDA; Malware:PoisonIvy; Malware:PlugX        -       -       -
dedydns.ns01.us       Intel::DOMAIN   AlienVault (user_AlienVault)    dedydns.ns01.us from https://otx.alienvault.com/pulse/5c594bbd4b460c40f8b4a223  https://partner.cloud.analyst1.com/indicators/62675     F       high    -       Unknown malicious       -       2013-09-11      2013-09-11      Actor:Nitro; Actor:STONE PANDA; Malware:PoisonIvy; Malware:PlugX        -       -       -
msftncsl.com  Intel::DOMAIN   Fireeye -       https://partner.cloud.analyst1.com/indicators/71036     F       high    -       Unknown malicious       -       2014-09-04      2014-09-04      Actor:GREF Team; Malware:PlugX  -       -       -
microsoftsp3.com      Intel::DOMAIN   Fireeye -       https://partner.cloud.analyst1.com/indicators/71064     F       high    -       Unknown malicious       -       2014-09-04      2014-09-04      Actor:GREF Team; Malware:PlugX  -       -       -
microsoftsp3.com      Intel::DOMAIN   Sophos  -       https://partner.cloud.analyst1.com/indicators/71064     F       high    -       Unknown malicious       -       2014-09-04      2014-09-04      Actor:GREF Team; Malware:PlugX  -       -       -
attoo1s.com   Intel::DOMAIN   Fireeye -       https://partner.cloud.analyst1.com/indicators/71098     F       high    -       Unknown malicious       -       2014-09-04      2014-09-04      Actor:GREF Team; Malware:PlugX  -       -       -

Intel log

This integration will enrich the intel.log with content like the following:

  {
    "@path":"intel",
    "@sensor":"Lab-AP200",
    "@timestamp":"2023-01-06T05:13:38.841292Z",
    "ts":"2023-01-06T05:13:38.841292Z",
    "uid":"CNh51N3dSRfMZG1Pt4",
    "id.orig_h":"195.133.40.86",
    "id.orig_p":64910,
    "id.resp_h":"192.168.13.20",
    "id.resp_p":80,
    "seen.indicator":"77.247.181.165",
    "seen.indicator_type":"Intel::ADDR",
    "seen.where":"Conn::IN_ORIG",
    "matched": [
      "Intel::ADDR"
    ],
    "sources": [
      "blocklist_de",
      "cinsscore_ci_badguys",
      "blocklist_net_ua",
      "Mandiant",
      "dshield_block"
    ]
  }

If the ExtendIntel Zeek package is loaded, the intel.log will be enriched with additional content like the following (not all indicators will have all fields):

  {
    "confidence": [99],
    "threat_score": [100],
    "verdict": ["malicious"],
    "verdict_source": ["analystVerdict"],
    "desc": ["Mandiant Threat Intellegence"],
    "lastseen": ["2023-01-03T16:10:54Z"],
    "firstseen": ["2021-03-20T10:10:01Z"],
    "url": ["https://advantage.mandiant.com/"],
    "reports": ["ID:23-00000242, Type:News Analysis"],
    "campaigns": [],
    "associated": [
      "ID:threat-actor--b7e371c2-724e-5ffa-9e3c-9b1410513c27, Name:FIN13; ID:threat-actor--8211bc17-9216-5e83-b54d-d1b04add12f3, Name:APT28; ID:threat-actor--7a39953e-0dae-569a-9d49-d52a4a8865b1, Name:APT29; ID:threat-actor--2f0ab36a-02a6-59f7-ac23-bcd824cc7c8e, Name:FIN4"
    ],
    "category": [
      "exploit",
      "exploit/vuln-scanning, exploit"
    ]
  }