24 Replies. Latest reply on Jul 14, 2016 11:33 PM by hannes

    Cyber Threat Feeds

    otsruss

      I have been testing the new 9.5.0 “Cyber Threat Feeds” functionality, and am looking for feedback. I have created several partner feeds (TAXII) to pull indicators and populate Watchlists by type.  As expected, we can utilize the Watchlists in correlation rules, filters, etc., but I am more interested in new functionality. Some observations:

      1) A back trace search is done for each individual observable in an indicator. For example, an indicator contains MD5 and FileName. The back trace will search for each MD5 and each FileName. Would an indicator to correlation rule make more sense?

      2) I have developed a process to create STIX formatted indicators from SIEM alarms and push to a TAXII feed. Should this not be an alarm option?

      3) Two-Way SSL support for feeds?


      All in all, the new “Cyber Threat Feeds” functionality is a step in the right direction.

       

      Comments?

       

      Regards,

       

      Joe
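The two points Joe raises (per-observable back trace versus indicator-level correlation, and turning a SIEM alarm into a STIX indicator) can be shown side by side. The following is an added example, not code from the original post or from the SIEM product discussed: it builds a STIX 2.1-style indicator dict by hand (no stix2 library; the 2.1 pattern syntax is an assumption, the original thread does not say which STIX version is in use), from a constructed alarm record, then runs both matching strategies over a few constructed events. The alarm and event field names (`md5`, `file_name`, `host`) and the sample MD5 values are constructed for illustration.

```python
"""Added example: composite indicator from a SIEM alarm, and the difference
between per-observable and indicator-level matching.  Not vendor code."""
import uuid
from datetime import datetime, timezone

# Constructed sample alarm; field names are assumptions, not a real SIEM schema.
SAMPLE_ALARM = {
    "alarm_id": "EXAMPLE-ALARM-0001",                 # placeholder id
    "rule": "Suspicious dropper executed",
    "md5": "44d88612fea8a8f36de82e1278abb02f",        # constructed sample hash
    "file_name": "invoice.exe",
}

# Constructed sample events that a back trace search would scan.
SAMPLE_EVENTS = [
    {"host": "ws01", "md5": "44d88612fea8a8f36de82e1278abb02f", "file_name": "invoice.exe"},
    {"host": "ws02", "md5": "44d88612fea8a8f36de82e1278abb02f", "file_name": "notes.txt"},
    {"host": "ws03", "md5": "d41d8cd98f00b204e9800998ecf8427e", "file_name": "invoice.exe"},
    {"host": "ws04", "md5": "d41d8cd98f00b204e9800998ecf8427e", "file_name": "setup.msi"},
]


def observables_from_alarm(alarm):
    """Pick the observables out of an alarm; values are normalised to lower case
    so that hash case and file-name case do not cause spurious misses."""
    return {"md5": alarm["md5"].lower(), "file_name": alarm["file_name"].lower()}


def stix_pattern(obs):
    """STIX 2.1 pattern asserting BOTH observables on the same file object.
    The AND is what makes this an indicator rather than two loose watchlist hits."""
    return (f"[file:hashes.MD5 = '{obs['md5']}' AND "
            f"file:name = '{obs['file_name']}']")


def indicator_from_alarm(alarm):
    """Hand-built STIX 2.1-style indicator object (assumed shape, no stix2 library).
    A TAXII push of this object is the step the post describes; it is not shown here."""
    obs = observables_from_alarm(alarm)
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "valid_from": now,
        "name": alarm["rule"],
        "pattern_type": "stix",
        "pattern": stix_pattern(obs),
        "x_example_alarm_id": alarm["alarm_id"],  # custom property, x_ prefixed
    }


def per_observable_hits(obs, events):
    """Behaviour the post describes for the back trace: each observable is searched
    on its own, so any single matching field counts as a hit.  Returns
    (host, matched_fields) pairs."""
    hits = []
    for ev in events:
        matched = tuple(k for k, v in obs.items() if ev.get(k, "").lower() == v)
        if matched:
            hits.append((ev["host"], matched))
    return hits


def indicator_hits(obs, events):
    """Indicator-level correlation: every observable must hold on the same event,
    mirroring the AND in the STIX pattern.  Returns matching hosts."""
    return [ev["host"] for ev in events
            if all(ev.get(k, "").lower() == v for k, v in obs.items())]


if __name__ == "__main__":
    obs = observables_from_alarm(SAMPLE_ALARM)
    print(indicator_from_alarm(SAMPLE_ALARM)["pattern"])
    print("per-observable:", per_observable_hits(obs, SAMPLE_EVENTS))
    print("indicator-level:", indicator_hits(obs, SAMPLE_EVENTS))
```

Run as a script, the per-observable search flags three hosts (ws01 on both fields, ws02 on the hash alone, ws03 on the file name alone), while the indicator-level match flags only ws01, where the hash and the file name occur together. That gap is the false-positive surface Joe is pointing at with "would an indicator to correlation rule make more sense": a common file name on its own, or a hash seen under a benign name, should not fire the same alarm as the pair.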
