SIEM Foundations: Threat Feeds in ESM 10x

Version 3

    Overview

    When using a SIEM to identify compromised systems and emerging threats, it's important to have visibility into where threats are located in the greater world. McAfee's Global Threat Intelligence (GTI) provides one constantly updated, rich feed for ESM that enhances situational awareness by highlighting events involving communications with suspicious or malicious IPs. In today's rapidly moving threat landscape, many customers find it advantageous to leverage multiple threat feeds for additional insight.


    In this module, we'll show one way to bring third-party threat feeds into the SIEM and leverage them for improved awareness of potential threats to your enterprise. We will focus on simple, manual techniques initially, to provide quick value in your deployment.


    Importing Threat Feeds

    The most common way to integrate threat feeds into the McAfee SIEM is as a watchlist. Watchlists let the SIEM keep state about the world around it, and they are easily incorporated into a wide range of SIEM workflows. Watchlists are easy to create and maintain manually, and a wide range of tools is available to automate updates over time. To view, create, and edit watchlists, select Watchlists under the drop-down menu located in the top-left corner.


    By default, if you have licensed the McAfee GTI threat feed, you should see the following 2 watchlists:


    These watchlists are automatically maintained by the ESM, and are updated daily.  They are incorporated into a range of pre-defined correlation rules, as well as various dashboards and reports.  In our example, we will augment McAfee GTI with a list of known bad IP addresses obtained from open public sources.  Below you'll find several examples of lists you might leverage.


    http://malc0de.com/bl/IP_Blacklist.txt

    https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

    https://zeustracker.abuse.ch/blocklist.php?download=badips

    https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist

    https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist

    https://feodotracker.abuse.ch/blocklist/?download=ipblocklist

    http://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv

    https://isc.sans.edu/ipsascii.html?limit=500


    To manually create a watchlist from third-party threat intelligence:

    1. Identify the threat feed source of your choice. To simplify the creation of the watchlist, we need a simple list of items, one per line. Many of the sources above provide that format by default; some require minor text manipulation to get the data into the required format.


    2. Open your chosen list in your browser or a text editor, select the list, and copy it to the clipboard.


    3. Open up the Watchlist interface, and select Add.


    4. Provide a name for your watchlist and click Next.

    5. On the Values tab, paste in the values you copied earlier. If you have a local text file for your threat data, you might find it more convenient to use the Import function here instead.


    6. Click Finish to save your watchlist.
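    Step 1 notes that some feeds need text manipulation before they fit the one-value-per-line format the Values tab expects. The script below is an added example (not part of this module or of McAfee's tooling) that normalizes three common feed layouts into that format: plain lists with comment lines, ISC-style tab-separated columns with zero-padded octets, and CSV with a header row. The feed contents are constructed samples modelled on those layouts, not data fetched from the sources listed above; the resulting text can be pasted into the Values tab or saved to a file for Import.

```python
"""Normalize heterogeneous threat-feed text into one-IP-per-line watchlist input.

Added example; the feed samples below are constructed, not live feed data.
"""
import ipaddress
import re

# Constructed sample: comment lines plus bare IPs and a CIDR (malc0de / Emerging Threats style)
SAMPLE_PLAIN = """# Block list (constructed sample)
# Last updated: n/a
192.0.2.10
198.51.100.7
203.0.113.0/24
not-an-ip
"""

# Constructed sample: ISC-style tab-separated columns, octets zero-padded, header commented out
SAMPLE_ISC = """#\tsource IP\ttargets\treports\tfirst seen
192.000.002.010\t5\t120\t2014-01-01
198.051.100.020\t3\t40\t2014-01-02
"""

# Constructed sample: CSV with a header row (Tor exit-list style)
SAMPLE_CSV = """ip,name,flags
203.0.113.5,relay-a,Exit
203.0.113.6,relay-b,Exit
"""

# Dotted-quad with an optional /prefix; octet range is checked separately.
IPV4_TOKEN = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(/\d{1,2})?$")


def canonical_ipv4(token):
    """Return a canonical IPv4 host or CIDR string, or None if token is not one.

    Zero-padded octets ("192.000.002.010") are accepted and stripped, which the
    ipaddress module itself refuses; octets above 255 are rejected.
    """
    m = IPV4_TOKEN.match(token.strip())
    if not m:
        return None
    octets = [int(o) for o in m.group(1).split(".")]
    if any(o > 255 for o in octets):
        return None
    host = ".".join(str(o) for o in octets)
    if m.group(2):
        try:
            # strict=False tolerates host bits set inside the prefix (e.g. 203.0.113.5/24)
            return str(ipaddress.ip_network(host + m.group(2), strict=False))
        except ValueError:
            return None
    return host


def extract_ips(feed_text):
    """Pull IPv4 entries out of plain, TSV or CSV feed text.

    Comment lines (#) and non-IP fields (counts, dates, relay names, headers)
    are ignored; duplicates are dropped while keeping first-seen order.
    """
    found = {}
    for line in feed_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for field in re.split(r"[,\t;\s]+", line):
            ip = canonical_ipv4(field)
            if ip:
                found.setdefault(ip, True)
    return list(found)


def build_watchlist(*feeds):
    """Merge several feeds into the one-value-per-line text the Values tab expects."""
    merged = {}
    for feed in feeds:
        for ip in extract_ips(feed):
            merged.setdefault(ip, True)
    return "\n".join(merged) + "\n"


if __name__ == "__main__":
    # Paste this output into the Values tab, or write it to a file for Import.
    print(build_watchlist(SAMPLE_PLAIN, SAMPLE_ISC, SAMPLE_CSV), end="")
```

    CIDR entries are kept as ranges rather than expanded, so a feed that lists a /8 does not turn into millions of values; check that the watchlist type you created accepts ranges before importing them, and expand or drop them otherwise.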

    Using Threat Feeds as Filters

    Once your threat feed is imported as a watchlist, you might start by using it as a filter on a dashboard of your choice. In this example we'll use it to see which events in our environment have Source IPs or Destination IPs associated with hosts on the Malc0de list.


    1. We will start by opening the Normalized Dashboard (Dashboard Views/Normalized Dashboard).


    2. In the Filter Sets on the right side, click Manage Field Sets; this launches the Configuration tab.

    3. Create a new Filter Set by selecting Add Filter Set.


    4. Click the funnel icon for Source IP, and select the Watchlist tab.

    5. Select your previously created watchlist and click OK.


    6. You will see all your IP address watchlists displayed.  Select the one you created above and click OK.


    7. Do the same for Destination IP, and also click the "or" icon for each field, if needed.


    8. Enter a name for your new filter.

    9. Go back to the Normalized Dashboard and under the Field Sets click on your new filter.

    10. Your new filter will highlight all events where the Source IP OR Destination IP is on the threat feed watchlist. Click the magnifying-glass icon to apply the filter to your view.

    11. Your view will update to show the filtered events.


    This shows just a simple example of using watchlists as a filter.  You might like to create a custom view that incorporates a filter like this directly, making it easy to examine events from bad systems with a single click, or incorporate the watchlist as a filter in a regular report.


    Using Threat Feeds in Alarms and Correlation Rules

    Using a threat feed watchlist as a filter is useful in situations where you have analysts monitoring dashboards or reviewing reports. However, watchlists are also very useful in alarms and correlation rules. Certain threat feeds are critical enough that any hit might warrant immediate notification and action. Incorporating threat feed watchlists into correlation rules allows us to identify trigger conditions in a more automated fashion, and makes your SIEM more proactive and intelligent.


    We will cover Alarming and Correlation Rule Tuning elsewhere. Below you'll find examples of ways you might use your new threat feeds to automate notifications and analysis.

    Example: Alarm on any event to or from a known Malc0de IP


    Example: Correlation rule that triggers on regular, repeated events or flows to or from a known Malc0de IP
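    The filter built in the previous section matches any event whose Source IP or Destination IP is on the watchlist, and the two examples above turn the same match into an alarm on every hit and into a correlation rule that fires only on repeated contact. The script below is an added example, not ESM's own rule engine or code from this module: it applies both forms of logic to a constructed set of normalized events against a constructed two-entry watchlist, so you can see which events the filter and the alarm would surface and when the repeat-contact rule would fire. The threshold (3 hits) and window (15 minutes) are assumptions chosen for illustration; set them to suit your environment when you build the real rule.

```python
"""Watchlist filter, per-hit alarm, and repeat-contact correlation over sample events.

Added example; watchlist entries and events below are constructed, not real data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed stand-in for the Malc0de watchlist created earlier (two entries).
MALC0DE_WATCHLIST = {"192.0.2.10", "198.51.100.7"}

# Constructed normalized events: (ISO timestamp, Source IP, Destination IP, signature).
SAMPLE_EVENTS = [
    ("2014-03-01T10:00:00", "10.1.1.5", "192.0.2.10", "Firewall permit"),
    ("2014-03-01T10:00:05", "10.1.1.5", "203.0.113.50", "Firewall permit"),
    ("2014-03-01T10:05:00", "10.1.1.5", "192.0.2.10", "Firewall permit"),
    ("2014-03-01T10:10:00", "10.1.1.5", "192.0.2.10", "Firewall permit"),
    ("2014-03-01T10:12:00", "198.51.100.7", "10.1.1.9", "IDS alert"),
    ("2014-03-01T11:30:00", "10.1.1.7", "192.0.2.10", "Firewall permit"),
]


def watchlist_side(src, dst, watchlist):
    """Return (internal_host, watchlisted_ip) if either side is on the watchlist, else None."""
    if dst in watchlist:
        return src, dst
    if src in watchlist:
        return dst, src
    return None


def filter_watchlist_hits(events, watchlist):
    """Dashboard-style filter: events where Source IP OR Destination IP is on the watchlist."""
    return [e for e in events if watchlist_side(e[1], e[2], watchlist) is not None]


def alarm_on_any_hit(events, watchlist):
    """Alarm-style use: one notification record per hit, with the side that matched."""
    alarms = []
    for ts, src, dst, sig in filter_watchlist_hits(events, watchlist):
        host, bad_ip = watchlist_side(src, dst, watchlist)
        alarms.append({"time": ts, "host": host, "watchlist_ip": bad_ip, "signature": sig})
    return alarms


def correlate_repeated_contact(events, watchlist, threshold=3, window=timedelta(minutes=15)):
    """Correlation-style rule: fire once when one internal host touches the same
    watchlisted IP at least `threshold` times inside a sliding `window`."""
    buckets = defaultdict(list)
    for ts, src, dst, _sig in sorted(events, key=lambda e: e[0]):  # ISO strings sort by time
        pair = watchlist_side(src, dst, watchlist)
        if pair:
            buckets[pair].append(datetime.fromisoformat(ts))
    triggered = []
    for (host, bad_ip), times in buckets.items():
        recent = deque()
        for t in times:
            recent.append(t)
            while t - recent[0] > window:      # drop hits that fell out of the window
                recent.popleft()
            if len(recent) >= threshold:
                triggered.append({"host": host, "watchlist_ip": bad_ip,
                                  "first_seen": recent[0].isoformat(),
                                  "last_seen": t.isoformat(), "count": len(recent)})
                recent.clear()                 # fire once, then start counting again
    return triggered


if __name__ == "__main__":
    for hit in filter_watchlist_hits(SAMPLE_EVENTS, MALC0DE_WATCHLIST):
        print("FILTER ", hit)
    for alarm in alarm_on_any_hit(SAMPLE_EVENTS, MALC0DE_WATCHLIST):
        print("ALARM  ", alarm)
    for rule_hit in correlate_repeated_contact(SAMPLE_EVENTS, MALC0DE_WATCHLIST):
        print("CORREL ", rule_hit)
```

    On the sample data the filter and the alarm surface five events, including the single inbound IDS alert from 198.51.100.7, while the correlation rule fires once, for 10.1.1.5, which contacted 192.0.2.10 three times inside a quarter hour; the lone 11:30 contact from 10.1.1.7 stays below threshold and only shows up in the filter.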