Analyst1 Indicator
The Analyst1 Indicator integration is designed to fetch data from a specified sensor, of type “Indicator”, within the Analyst1 platform.
If ‘interval_hours’ is set to 0, the integration will attempt to download additional content each time the Corelight-update service runs. See General settings.
Once downloaded, the data will be merged with all other intel files (if there are any) and published. If “intel” is enabled in the “push_content” settings, the file will automatically be pushed to the Fleet Manager policy and/or all sensors in the policy. See Push content settings for more details.
Analyst1 indicator types and fields will be mapped to the following:
| Analyst1 Indicator Type | Zeek Indicator Type |
|---|---|
| ip | Intel::ADDR |
| ipv6 | Intel::ADDR |
| file | Intel::FILE_HASH |
| | Intel::EMAIL |
| httpRequest | Intel::URL |
| url | Intel::URL |
| domain | Intel::DOMAIN |
| Intel File Field | Analyst1 Field | Description |
|---|---|---|
| indicator | value.name | The indicator value. |
| indicator_type | type | Based on the indicator type map listed above. |
| meta.source | sources.title | The source of the indicator. |
| meta.desc | description | The detailed description of the indicator. |
| meta.url | constructed from user config and indicator id | URL from user config. |
| meta.do_notice | From user config | From user config. |
| meta.confidence | confidenceLevel | The indicator’s confidence level (by default indicators have no confidence level; if set, it was set by an analyst). |
| meta.threat_score | not available | |
| meta.risk_score | indicatorRiskScore | The indicator risk score. |
| meta.verdict | constructed from benign | The indicator’s benign status (by default indicators are not benign and are assumed to be an indicator of compromise). |
| meta.verdict_source | not available | |
| meta.firstseen | activityRange.startDate | The start date for activity associated with the indicator. |
| meta.lastseen | activityRange.endDate | The latest date for activity associated with the indicator. |
| meta.associated | targets, attackPatterns, actors, malwares | The targets, attack patterns, actors, and malwares associated with the indicator. |
| meta.category | not available | |
| meta.campaigns | not available | |
| meta.reports | reportCount | The count of evidence files associated with the indicator as of the request. |
Settings
```yaml
analyst1_indicator:
  client_id: ""          # Analyst1 API Client ID
  client_secret: ""      # Analyst1 API Secret
  url: ""                # Analyst1 Base URL
  interval_hours: 1
  enabled: false
  intel_sensor_id: 0     # Sensor ID
  debug: false
  ignore_tls: false
  request_limit: 1000
  do_notice_ipv4: false
  do_notice_ipv6: false
  do_notice_file: false
  do_notice_email: false
  do_notice_domain: false
  do_notice_httpRequest: false
  do_notice_url: false
```
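Worked mapping of one Analyst1 record onto the intel file columns from the tables above, as an added example rather than the integration's own code. The record shape (`id`, `value.name`, `sources[].title`, `activityRange.startDate`, `benign`, and `actors`/`targets`/`attackPatterns`/`malwares` as lists of `{"name": ...}`) is assumed from the field names in the table; the `meta.url` form follows the sample file below.

```python
TYPE_MAP = {"ip": "Intel::ADDR", "ipv6": "Intel::ADDR", "file": "Intel::FILE_HASH",
            "httpRequest": "Intel::URL", "url": "Intel::URL", "domain": "Intel::DOMAIN"}
FIELDS = ["indicator", "indicator_type", "meta.source", "meta.desc", "meta.url",
          "meta.do_notice", "meta.confidence", "meta.threat_score", "meta.risk_score",
          "meta.verdict", "meta.verdict_source", "meta.firstseen", "meta.lastseen",
          "meta.associated", "meta.category", "meta.campaigns", "meta.reports"]
# Label order matches the sample file: Actor, Attack Pattern, Malware, Target.
ASSOC = (("Actor", "actors"), ("Attack Pattern", "attackPatterns"),
         ("Malware", "malwares"), ("Target", "targets"))

def clean(v):
    # Intel files are tab-separated: empty -> "-", and a stray tab or newline
    # inside a description would shift every later column in the row.
    return "-" if v in (None, "") else str(v).replace("\t", " ").replace("\n", " ")

def intel_rows(ind, cfg):
    """One row per source, as in the sample file; [] for unmapped types."""
    itype = TYPE_MAP.get(ind.get("type"))
    if itype is None:
        return []
    rng = ind.get("activityRange") or {}
    base = [ind["value"]["name"], itype, None, ind.get("description"),
            f"{cfg['url'].rstrip('/')}/indicators/{ind['id']}",   # meta.url
            "T" if cfg.get("do_notice_" + ind["type"]) else "F",  # meta.do_notice
            ind.get("confidenceLevel"), None, ind.get("indicatorRiskScore"),
            "benign" if ind.get("benign") else "malicious",        # meta.verdict
            None, rng.get("startDate"), rng.get("endDate"),
            "; ".join(f"{lbl}:{x['name']}" for lbl, k in ASSOC for x in ind.get(k) or []),
            None, None, ind.get("reportCount")]
    rows = []
    for src in ind.get("sources") or [{}]:
        base[2] = src.get("title")           # meta.source
        rows.append([clean(v) for v in base])
    return rows

def render(indicators, cfg):
    """Full intel file text: #fields header plus one line per (indicator, source)."""
    out = ["#fields\t" + "\t".join(FIELDS)]
    for ind in indicators:
        out += ["\t".join(r) for r in intel_rows(ind, cfg)]
    return "\n".join(out) + "\n"

# Constructed sample record and config (the hash value is made up).
SAMPLE = {"id": 2702, "type": "file", "value": {"name": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"},
          "sources": [{"title": "ThreatExpert"}, {"title": "Mandiant Blog"}],
          "description": "Backdoor.Trojan [Symantec]", "confidenceLevel": "high",
          "indicatorRiskScore": "High", "benign": False, "reportCount": 3,
          "actors": [{"name": "COMMENT PANDA"}], "targets": [{"name": "No Target/Victim"}]}
CONFIG = {"url": "https://partner.cloud.analyst1.com", "do_notice_file": True}
```

Unmapped Analyst1 types are dropped rather than written with an empty type, since Zeek rejects an intel row whose indicator_type is not an Intel::Type value.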
The following is a sample input file created by this integration, using tab-separated values.
#fields indicator indicator_type meta.source meta.desc meta.url meta.do_notice meta.confidence meta.threat_score meta.risk_score meta.verdict meta.verdict_source meta.firstseen meta.lastseen meta.associated meta.category meta.campaigns meta.reports
0B680E7BD5C0501D5DD73164122A7FAFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Intel::FILE_HASH ThreatExpert Backdoor.Trojan [Symantec], Trojan.Win32.Agent2.lpa [Kaspersky Lab], Troj/Dloadr-DCE [Sophos], Trojan.Win32.Agent [Ikarus], https://partner.cloud.analyst1.com/indicators/2702 F high - High malicious - - - Actor:COMMENT PANDA; Attack Pattern:Credential Access - Credentials from Password Stores: Credentials from Web Browsers [T1555.003]; Target:No Target/Victim - - -
0B680E7BD5C0501D5DD73164122A7FAFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Intel::FILE_HASH Mandiant Blog Backdoor.Trojan [Symantec], Trojan.Win32.Agent2.lpa [Kaspersky Lab], Troj/Dloadr-DCE [Sophos], Trojan.Win32.Agent [Ikarus], https://partner.cloud.analyst1.com/indicators/2702 F high - High malicious - - - Actor:COMMENT PANDA; Attack Pattern:Credential Access - Credentials from Password Stores: Credentials from Web Browsers [T1555.003]; Target:No Target/Victim - - -
ocry.com Intel::DOMAIN SecureList This URL:[http://voeazulpontos.ocry.com/tudoazul/7GMYxQRnSq] was identified by phishtank.com as part of a phishing email. This URL appears to still be online as of 2017-01-27T16:34:49+00:00. More detailed infomation can be found at http://www.phishtank.com/phish_detail.php?phish_id=4773333 https://partner.cloud.analyst1.com/indicators/62490 F high - High malicious - 2013-09-09 2021-10-05 Actor:COMMENT PANDA; Actor:PIRATEPANDA; Actor:yalishanda; Target:No Target/Victim; Target:Financial Industry; Target:Government Industry; Target:Aerospace Industry - - -
ocry.com Intel::DOMAIN Symantec This URL:[http://voeazulpontos.ocry.com/tudoazul/7GMYxQRnSq] was identified by phishtank.com as part of a phishing email. This URL appears to still be online as of 2017-01-27T16:34:49+00:00. More detailed infomation can be found at http://www.phishtank.com/phish_detail.php?phish_id=4773333 https://partner.cloud.analyst1.com/indicators/62490 F high - High malicious - 2013-09-09 2021-10-05 Actor:COMMENT PANDA; Actor:PIRATEPANDA; Actor:yalishanda; Target:No Target/Victim; Target:Financial Industry; Target:Government Industry; Target:Aerospace Industry - - -
ocry.com Intel::DOMAIN APTgroups This URL:[http://voeazulpontos.ocry.com/tudoazul/7GMYxQRnSq] was identified by phishtank.com as part of a phishing email. This URL appears to still be online as of 2017-01-27T16:34:49+00:00. More detailed infomation can be found at http://www.phishtank.com/phish_detail.php?phish_id=4773333 https://partner.cloud.analyst1.com/indicators/62490 F high - High malicious - 2013-09-09 2021-10-05 Actor:COMMENT PANDA; Actor:PIRATEPANDA; Actor:yalishanda; Target:No Target/Victim; Target:Financial Industry; Target:Government Industry; Target:Aerospace Industry - - -
ocry.com Intel::DOMAIN phishtank.com This URL:[http://voeazulpontos.ocry.com/tudoazul/7GMYxQRnSq] was identified by phishtank.com as part of a phishing email. This URL appears to still be online as of 2017-01-27T16:34:49+00:00. More detailed infomation can be found at http://www.phishtank.com/phish_detail.php?phish_id=4773333 https://partner.cloud.analyst1.com/indicators/62490 F high - High malicious - 2013-09-09 2021-10-05 Actor:COMMENT PANDA; Actor:PIRATEPANDA; Actor:yalishanda; Target:No Target/Victim; Target:Financial Industry; Target:Government Industry; Target:Aerospace Industry - - -
ocry.com Intel::DOMAIN AlienVault (user_AlienVault) This URL:[http://voeazulpontos.ocry.com/tudoazul/7GMYxQRnSq] was identified by phishtank.com as part of a phishing email. This URL appears to still be online as of 2017-01-27T16:34:49+00:00. More detailed infomation can be found at http://www.phishtank.com/phish_detail.php?phish_id=4773333 https://partner.cloud.analyst1.com/indicators/62490 F high - High malicious - 2013-09-09 2021-10-05 Actor:COMMENT PANDA; Actor:PIRATEPANDA; Actor:yalishanda; Target:No Target/Victim; Target:Financial Industry; Target:Government Industry; Target:Aerospace Industry - - -
dedydns.ns01.us Intel::DOMAIN Fireeye dedydns.ns01.us from https://otx.alienvault.com/pulse/5c594bbd4b460c40f8b4a223 https://partner.cloud.analyst1.com/indicators/62675 F high - Unknown malicious - 2013-09-11 2013-09-11 Actor:Nitro; Actor:STONE PANDA; Malware:PoisonIvy; Malware:PlugX - - -
dedydns.ns01.us Intel::DOMAIN APTgroups dedydns.ns01.us from https://otx.alienvault.com/pulse/5c594bbd4b460c40f8b4a223 https://partner.cloud.analyst1.com/indicators/62675 F high - Unknown malicious - 2013-09-11 2013-09-11 Actor:Nitro; Actor:STONE PANDA; Malware:PoisonIvy; Malware:PlugX - - -
dedydns.ns01.us Intel::DOMAIN AlienVault (user_AlienVault) dedydns.ns01.us from https://otx.alienvault.com/pulse/5c594bbd4b460c40f8b4a223 https://partner.cloud.analyst1.com/indicators/62675 F high - Unknown malicious - 2013-09-11 2013-09-11 Actor:Nitro; Actor:STONE PANDA; Malware:PoisonIvy; Malware:PlugX - - -
msftncsl.com Intel::DOMAIN Fireeye - https://partner.cloud.analyst1.com/indicators/71036 F high - Unknown malicious - 2014-09-04 2014-09-04 Actor:GREF Team; Malware:PlugX - - -
microsoftsp3.com Intel::DOMAIN Fireeye - https://partner.cloud.analyst1.com/indicators/71064 F high - Unknown malicious - 2014-09-04 2014-09-04 Actor:GREF Team; Malware:PlugX - - -
microsoftsp3.com Intel::DOMAIN Sophos - https://partner.cloud.analyst1.com/indicators/71064 F high - Unknown malicious - 2014-09-04 2014-09-04 Actor:GREF Team; Malware:PlugX - - -
attoo1s.com Intel::DOMAIN Fireeye - https://partner.cloud.analyst1.com/indicators/71098 F high - Unknown malicious - 2014-09-04 2014-09-04 Actor:GREF Team; Malware:PlugX - - -
Intel log
This integration will enrich the intel.log with content like the following:
{
"@path":"intel",
"@sensor":"Lab-AP200",
"@timestamp":"2023-01-06T05:13:38.841292Z",
"ts":"2023-01-06T05:13:38.841292Z",
"uid":"CNh51N3dSRfMZG1Pt4",
"id.orig_h":"195.133.40.86",
"id.orig_p":64910,
"id.resp_h":"192.168.13.20",
"id.resp_p":80,
"seen.indicator":"77.247.181.165",
"seen.indicator_type":"Intel::ADDR",
"seen.where":"Conn::IN_ORIG",
"matched": [
"Intel::ADDR"
],
"sources": [
"blocklist_de",
"cinsscore_ci_badguys",
"blocklist_net_ua",
"Mandiant",
"dshield_block"
]
}
If the ExtendIntel Zeek package is loaded, the intel.log will be enriched with additional content like the following (not all indicators will have all fields):
{
"confidence": [99],
"threat_score": [100],
"verdict": ["malicious"],
"verdict_source": ["analystVerdict"],
"desc": ["Mandiant Threat Intellegence"],
"lastseen": ["2023-01-03T16:10:54Z"],
"firstseen": ["2021-03-20T10:10:01Z"],
"url": ["https://advantage.mandiant.com/"],
"reports": ["ID:23-00000242, Type:News Analysis"],
"campaigns": [],
"associated": [
"ID:threat-actor--b7e371c2-724e-5ffa-9e3c-9b1410513c27, Name:FIN13; ID:threat-actor--8211bc17-9216-5e83-b54d-d1b04add12f3, Name:APT28; ID:threat-actor--7a39953e-0dae-569a-9d49-d52a4a8865b1, Name:APT29; ID:threat-actor--2f0ab36a-02a6-59f7-ac23-bcd824cc7c8e, Name:FIN4"
],
"category": [
"exploit",
"exploit/vuln-scanning, exploit"
]
}