Security Analytics enables users to detect security threats in their security event log data. It also allows them to modify or tailor the pre-packaged solution.
Threat intel monitor is a job that runs periodically to scan the configured customer data for malicious indicators. Its corpus of malicious indicators is a list of system indices containing threat intel data curated from the configured threat intelligence source configs.
Only threat intel source configs that are in the AVAILABLE or REFRESHING state are consulted.
The ioc system indices referenced by these TIF source configs are fetched to form the corpus of indicators.
Threat intel monitor does the following steps when it runs:
1. fetch configs
2. get ioc indices for each ioc type
3. fetch documents since the last seen seq_no for the assigned data sources
4. extract iocs from the docs, from the configured fields for each ioc type
5. search for the extracted ioc list with a terms query, in batches of MAX_TERMS_SETTING, against the ioc indices
6. create Findings if there are malicious iocs in the data matched against the threat intel system indices
TODO: pending alert triggers and notifications
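The steps above, modelled end to end as an added Python example. This is not the plugin's own code: the source configs, ioc system indices, data source documents, field mapping and MAX_TERMS_SETTING value are all constructed in-memory stand-ins, and the terms query is simulated by a set lookup. It shows the config state filter (a FAILED feed contributes no indicators), the seq_no checkpoint that keeps a second run from re-scanning old documents, and how the extracted indicators are split into batches before matching.

```python
"""Constructed in-memory model of one threat intel monitor run (example, not the plugin's code)."""

MAX_TERMS_SETTING = 2  # constructed: tiny batch size so the batching step is visible

# Constructed threat intel source configs; index names are placeholders.
SOURCE_CONFIGS = [
    {"id": "feed-a", "state": "AVAILABLE", "ioc_indices": {"ipv4_addr": "ioc-index-feed-a"}},
    {"id": "feed-b", "state": "REFRESHING", "ioc_indices": {"domain_name": "ioc-index-feed-b"}},
    {"id": "feed-c", "state": "FAILED", "ioc_indices": {"ipv4_addr": "ioc-index-feed-c"}},
]

# Constructed contents of the ioc system indices: one doc per indicator.
IOC_INDICES = {
    "ioc-index-feed-a": [{"type": "ipv4_addr", "value": "203.0.113.9"},
                         {"type": "ipv4_addr", "value": "198.51.100.7"}],
    "ioc-index-feed-b": [{"type": "domain_name", "value": "bad.example"}],
    "ioc-index-feed-c": [{"type": "ipv4_addr", "value": "192.0.2.99"}],  # FAILED feed: ignored
}

# Constructed customer data source: docs carry _seq_no; fields to read are configured per ioc type.
DATA_SOURCE = {
    "index": "network-logs",
    "field_mapping": {"ipv4_addr": ["src_ip", "dst_ip"], "domain_name": ["query"]},
    "docs": [
        {"_id": "d1", "_seq_no": 1, "_source": {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.9"}},
        {"_id": "d2", "_seq_no": 2, "_source": {"src_ip": "10.0.0.6", "query": "bad.example"}},
        {"_id": "d3", "_seq_no": 3, "_source": {"src_ip": "192.0.2.99", "dst_ip": "10.0.0.1"}},
        {"_id": "d4", "_seq_no": 4, "_source": {"src_ip": "203.0.113.9", "query": "ok.example"}},
    ],
}


def active_ioc_indices(configs):
    """Steps 1-2: keep AVAILABLE/REFRESHING configs and collect their ioc indices per ioc type."""
    out = {}
    for cfg in configs:
        if cfg["state"] not in ("AVAILABLE", "REFRESHING"):
            continue
        for ioc_type, index_name in cfg["ioc_indices"].items():
            out.setdefault(ioc_type, []).append(index_name)
    return out


def fetch_new_docs(docs, last_seq_no):
    """Step 3: only documents newer than the last seen seq_no, in seq_no order."""
    return sorted((d for d in docs if d["_seq_no"] > last_seq_no), key=lambda d: d["_seq_no"])


def extract_iocs(docs, field_mapping):
    """Step 4: ioc_type -> {value: [doc ids that contained it]}, reading only configured fields."""
    out = {}
    for doc in docs:
        for ioc_type, fields in field_mapping.items():
            for f in fields:
                value = doc["_source"].get(f)
                if value is not None:
                    out.setdefault(ioc_type, {}).setdefault(value, []).append(doc["_id"])
    return out


def batched(items, size):
    """Split a list into consecutive chunks of at most `size` terms."""
    return [items[i:i + size] for i in range(0, len(items), size)]


def terms_query(ioc_index_docs, terms):
    """Stand-in for a terms query on the indicator value field of one ioc index."""
    wanted = set(terms)
    return [d for d in ioc_index_docs if d["value"] in wanted]


def run_monitor(state, configs=SOURCE_CONFIGS, ioc_indices=IOC_INDICES, data_source=DATA_SOURCE):
    """One execution; returns (findings, new_state, number_of_terms_queries_issued)."""
    indices_by_type = active_ioc_indices(configs)
    last_seq_no = state.get(data_source["index"], -1)  # -1: no checkpoint yet
    docs = fetch_new_docs(data_source["docs"], last_seq_no)
    extracted = extract_iocs(docs, data_source["field_mapping"])
    findings, queries = [], 0
    for ioc_type, values in extracted.items():
        for index_name in indices_by_type.get(ioc_type, []):
            for batch in batched(list(values), MAX_TERMS_SETTING):  # step 5
                queries += 1
                for hit in terms_query(ioc_indices[index_name], batch):
                    findings.append({  # step 6: one Finding per matched indicator
                        "ioc_type": ioc_type, "ioc_value": hit["value"],
                        "ioc_index": index_name, "data_source": data_source["index"],
                        "related_doc_ids": values[hit["value"]],
                    })
    new_state = dict(state)
    if docs:
        new_state[data_source["index"]] = docs[-1]["_seq_no"]  # advance the checkpoint
    return findings, new_state, queries


if __name__ == "__main__":
    found, checkpoint, n = run_monitor({})
    print(n, "terms queries;", len(found), "findings;", checkpoint)
```

With the constructed data the first run issues four terms queries (five unique IPv4 values in three batches against the one active IPv4 index, two domains in one batch) and produces two findings; 192.0.2.99 is not reported because its only source feed is in the FAILED state. A second run with the returned checkpoint fetches nothing and produces no findings.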
Issues Resolved
[List any issues this PR will resolve]
Check List
[ ] New functionality includes testing.
[ ] All tests pass
[ ] New functionality has been documented.
[ ] New functionality has javadoc added
[ ] Commits are signed per the DCO using --signoff
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.