OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

[EPIC] Detection engineering #7301

Open SamuelHassine opened 3 months ago

SamuelHassine commented 3 months ago

Use case

Having a much better way to handle detection signatures in the platform: management, versioning, conversion, testing their efficiency, sighting-centric workflows, etc. Have a clear overview of where they are deployed, etc.

Issues

CyberKaizen commented 3 months ago

@SamuelHassine There is a variety of EDR, SQL and SIEM queries that are used or created for investigations or for deployment to their respective platforms. It would be great if we could support those queries and have them as Indicators.

When performing automations to retrieve those rules/queries and deploy them, we found the Observable Text entity insufficient, because not only can you not read the whole query, you also do not have enough fields to use it for automation.

Hence I think they need to be supported as an Indicator in OCTI. I highly recommend looking at YETI as a great example of how they support this.

The current workaround today is to store the detection queries not supported as an Indicator as a Notes entity.

I think OCTI and the Filigran team would have fewer issues and less dev work around this if we were allowed to save any kind of formatted detection query.

In addition, to help filter or distinguish them, a taxonomy could be added that describes what kind of detection query or rule it is. One could also simply make it a pattern type of "Query" and let the user use labeling to define what kind of query it is.

Attached is a picture of our current workaround method, because OCTI does not support it today.

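The comment above proposes carrying raw EDR/SIEM/SQL queries as Indicators, with the query language recorded as the pattern type and a label taxonomy to distinguish them. The following is an added example (not OpenCTI, Filigran or YETI code) of what that looks like on the wire as STIX 2.1 Indicator objects, the format a threat intelligence platform ingests from a bundle. It assumes only the STIX 2.1 Indicator shape, in which `pattern_type` is an open vocabulary, so values such as `spl` or `kql` are legal; the `QUERY_TYPES` table, the label prefix `detection-query:` and the UUID namespace are choices made here for illustration, and the three queries are constructed samples.

```python
"""Package EDR/SIEM/SQL detection queries as STIX 2.1 Indicator objects.

Added example, not code from OpenCTI or YETI. Assumes only the STIX 2.1
Indicator object shape; the query-type table, label scheme and ID namespace
below are hypothetical choices for this example.
"""
import json
import uuid
from datetime import datetime, timezone

# Hypothetical namespace for deriving deterministic indicator IDs from the
# query text, so re-running an automation updates rather than duplicates.
QUERY_INDICATOR_NS = uuid.UUID("0f8a5f3e-6c2d-4b7a-9e11-3d2c1b0a9f8e")

# Query languages this example accepts (pattern_type values), mapped to the
# product name used in the label taxonomy. Assumed vocabulary, not OpenCTI's.
QUERY_TYPES = {
    "spl": "splunk",
    "kql": "sentinel",
    "sql": "osquery",
    "eql": "elastic",
}


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_query_indicator(name, query, query_type, extra_labels=(), valid_from=None):
    """Return a STIX 2.1 Indicator whose pattern is the raw detection query."""
    if query_type not in QUERY_TYPES:
        raise ValueError(f"unsupported query type: {query_type}")
    query = query.strip()
    if not query:
        raise ValueError("empty query")
    # Same language + same query text always yields the same ID.
    ident = uuid.uuid5(QUERY_INDICATOR_NS, query_type + "\n" + query)
    ts = valid_from or _now()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{ident}",
        "created": ts,
        "modified": ts,
        "name": name,
        "pattern": query,            # whole query kept verbatim, not truncated
        "pattern_type": query_type,  # open vocab in STIX 2.1, so "spl" is legal
        "valid_from": ts,
        "labels": [f"detection-query:{QUERY_TYPES[query_type]}", *extra_labels],
    }


def build_bundle(indicators):
    """Wrap indicators in a STIX 2.1 bundle ready for ingestion."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(indicators)}


def group_by_query_type(bundle):
    """Index indicator names by pattern_type, e.g. to pick what to deploy where."""
    out = {}
    for obj in bundle["objects"]:
        if obj.get("type") == "indicator":
            out.setdefault(obj["pattern_type"], []).append(obj["name"])
    return out


# Constructed sample queries (not from any real deployment).
SAMPLE_INDICATORS = [
    make_query_indicator(
        "Suspicious certutil download",
        'index=main sourcetype=WinEventLog:Security EventCode=4688 '
        'New_Process_Name="*\\\\certutil.exe" Process_Command_Line="*urlcache*"',
        "spl",
        extra_labels=["attack:T1105"],
    ),
    make_query_indicator(
        "LSASS access from non-system process",
        'DeviceProcessEvents | where FileName =~ "lsass.exe" | where InitiatingProcessAccountName != "SYSTEM"',
        "kql",
    ),
    make_query_indicator(
        "Cron persistence entries",
        "SELECT path, command FROM crontab WHERE command LIKE '%curl%';",
        "sql",
        extra_labels=["attack:T1053.003"],
    ),
]

if __name__ == "__main__":
    print(json.dumps(build_bundle(SAMPLE_INDICATORS), indent=2))
```

Because the ID is derived from the language and the query text, re-ingesting the same query is an update rather than a duplicate, while the same text filed under a different language produces a distinct object; the labels carry the taxonomy the comment asks for without any new entity type.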