Using Threat Intelligence


Time
24 minutes
Difficulty
Beginner
Video Description

InsightIDR relentlessly hunts threats in your environment with a combination of user behavior analytics, endpoint detection, and deception technology. You can also add your own threat intelligence and subscribe to community feeds. In this video, learn how to add intelligence, share it with the community, and investigate generated alerts in InsightIDR.

Video Transcription
00:04
>> Hi, I'm Eric Sun. In this solution short, let's look at how you can add threat intelligence in InsightIDR to receive and investigate alerts.

From the main dashboard, let's head to the Investigations page. This is where all of your alerts will automatically populate with context on the users and the assets at fault. Any alerts generated from your threat intelligence will appear here.

Let's start by heading to Configure Threats. On this page we'll first see all of our threat feeds, which include the ones that we have created, as well as those that we've subscribed to, and then clicking on "Subscribes" or "Own Threats" allows you to drill deeper. You can also sort by newest, most alerts generated, organizations subscribed to the intelligence, even the number of false positives reported. Next to that there's a search function to also help you filter through your feeds.

Let's take a look at adding a good threat intel source by clicking on "Add Threat". In this box you can manually enter or copy domain names, hashes, IP addresses, and URLs. For example, I received some information about Operation Ghoul, which is a targeted malware attack on industrial and engineering organizations. In this report, there are a couple of MD5 hashes that are identified. Let's go ahead and add them to InsightIDR. For proper ingestion, just make sure that each indicator is either separated by commas without spaces or a line break, and I can also directly upload a file as well. I have it here as a TXT, and so it can accept text, Excel, and CSV files.

After that, let's go ahead and add in a name as well as a description. It's important to carefully note this context behind your intelligence so that if an alert fires, you know the source that it's coming from. We'll go ahead and save this, and now it appears right at the top of the list. You can hit view for more details, including things like how many alerts have been generated as a result, as well as an audit history. If it's modified later on, you have that full audit trail. You can export the data as a CSV file, and you can also toggle if you'd like it to be public or private. If it's public, it means that the InsightIDR community can subscribe to it, and so it's a great way to share threat intelligence with others.

Here, going back to Threats and checking out the threat community, I can see what's available, view the intelligence, then also subscribe to it. Here there are things like seven organizations tracking, and I can view or subscribe accordingly.

Finally, let's take a look at an alert that's generated. Heading back to the Investigations page, we have it filtered down to threat intelligence alerts. We have two that are network access for threat. Clicking into it, it's automatically pre-populated with the users involved, the assets involved, and the alert is denoted by the red lightning bolt, and so we can see there's been inbound firewall traffic from an IP that matches a threat intelligence source that we have in InsightIDR. From there you can pull additional evidence to see all the information available, and what's also nice is that you get the notable behaviors associated with the users and assets involved. We automatically have the context that the previous day a virus alert triggered for that asset.

That's it for threat intelligence in this solution short.