elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Feature Request][Threat Intel] - Provide an interface for users to upload IOCs to threat intel indices #150140

Open aarju opened 1 year ago

aarju commented 1 year ago

Describe the feature: Within the Security solution's Intelligence tab there should be a way to manually upload indicators to be added to the Threat Intel index pattern.

From within the Security solution there should also be a quick way to select a field in an alert or case and add that field as an indicator to the threat intel index.

Describe a specific use case for the feature:

  1. While responding to alerts, a SOC Analyst identifies a malicious IP address and wants to quickly create an alert on any future activity to that IP address. They can tag the IP as an IOC in a case, add a description, TLP, and Confidence level, and that IP is automatically added to the Threat Intel index pattern for use in the Indicator match rules.
  2. A Threat Intel analyst is provided with a list of 100 File Hashes that are TLP:Red and are not included in any of the public threat feeds. They need to add all 100 file hashes to the threat intel index pattern without adding them to any other systems due to their sensitivity. They can use the bulk upload feature to paste a newline delimited list of file hashes to have them all ingested to the threat intel index with the same description and TLP settings.
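As an added illustration of the bulk-upload use case above (example code written for this page, not part of the issue or of Kibana): it turns a pasted newline-delimited list into ECS `threat.indicator` documents that share one description, TLP and confidence, rejects anything it cannot classify, and renders the result as an Elasticsearch `_bulk` body. The ECS field names are real; the index name `logs-ti_manual.indicator-default`, the feed name and the sample values are assumptions.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample paste (made-up values): two file hashes and one IP address.
SAMPLE_PASTE = """
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
d41d8cd98f00b204e9800998ecf8427e

203.0.113.42
"""
TLP_VALUES = {"WHITE", "GREEN", "AMBER", "RED"}
# (regex, ECS threat.indicator.type, ECS field that carries the value)
CLASSIFIERS = [
    (re.compile(r"^[0-9a-f]{64}$", re.I), "file", "threat.indicator.file.hash.sha256"),
    (re.compile(r"^[0-9a-f]{32}$", re.I), "file", "threat.indicator.file.hash.md5"),
    (re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"), "ipv4-addr", "threat.indicator.ip"),
]

def build_indicators(paste, description, tlp, confidence="Medium", feed_name="manual-upload"):
    """Turn a newline-delimited paste into ECS threat.indicator docs sharing one description/TLP."""
    if tlp not in TLP_VALUES:
        raise ValueError(f"unknown TLP marking: {tlp}")
    now = datetime.now(timezone.utc).isoformat()
    docs = []
    for line in paste.splitlines():
        value = line.strip()
        if not value:
            continue
        for pattern, ioc_type, field in CLASSIFIERS:
            if pattern.match(value):
                break
        else:  # reject rather than silently drop: a missed TLP:RED hash is a missed detection
            raise ValueError(f"unrecognised indicator: {value!r}")
        docs.append({
            "@timestamp": now, "event.kind": "enrichment", "event.category": "threat",
            "event.type": "indicator", "threat.feed.name": feed_name,
            "threat.indicator.type": ioc_type, "threat.indicator.description": description,
            "threat.indicator.marking.tlp": tlp, "threat.indicator.confidence": confidence,
            "threat.indicator.first_seen": now,
            field: value.lower() if ioc_type == "file" else value,
        })
    return docs

def to_bulk_ndjson(docs, index="logs-ti_manual.indicator-default"):
    """Render docs as an Elasticsearch _bulk body: one action line, then one source line, per doc."""
    return "".join(json.dumps({"create": {"_index": index}}) + "\n" + json.dumps(doc) + "\n"
                   for doc in docs)
```

The assumed index name follows the `logs-ti_*` pattern that the Indicator match rules read by default, so documents posted with this body would be picked up without changing the rule's index pattern.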
aarju commented 1 year ago

@MikePaquette @peasead we are currently building out our own version of this feature, but it would be great if this was built into the security solution.

elasticmachine commented 1 year ago

Pinging @elastic/security-solution (Team: SecuritySolution)

peasead commented 1 year ago

@dhru42 is focused on some of these intersecting efforts. Tagging for visibility.