Time
24 minutes
Difficulty
Beginner

Video Description

InsightIDR relentlessly hunts threats in your environment with a combination of user behavior analytics, endpoint detection, and deception technology. You can also add your own threat intelligence and subscribe to community feeds. In this video, learn how to add intelligence, share it with the community, and investigate generated alerts in InsightIDR.

Video Transcription

00:05
Hi, I'm Eric son in this solution Short. Let's look at how you can add threat Intelligence inside. Heidi are to receive and investigate alerts
00:15
from the main dashboard. Let's head to the investigations page.
00:20
This is where all of your alerts will automatically populate with context on the users and the assets of fault.
00:27
Any alerts generated from your threat intelligence will appear here.
00:31
Let's start by heading to configure threats
00:35
on this page will first see all of our threat feeds, which include the ones that we have created, as was those that we have subscribed to. And then clicking on subscribes or own threats allows you to drill deeper.
00:49
You can also short by newest. Most alerts generated organization subscribed to the intelligence, even the number of most, uh, number of false positives reporter.
01:02
And so next to that, there's a search function to also help you filter through your feeds. So let's take a look at adding a good threat. Intel source by clicking on at threat
01:12
and so in this box you can manually enter copy
01:18
Dellin names, hashes I P addresses in murals. So, for example, I received some information about Operation Cool, which is a targeted now attack on industrial and engineering organizations. In this report, there are a couple of 75 hashes that are identified, so let's go ahead and add them
01:37
to incite I D. R.
01:38
And so, for proper ingestion, just make sure that each indicator is either separated by commas without spaces or a line break, and I can also directly upload a file as well. So I have it here as a T X T, and so it can accept text, Excel and CSC files.
01:57
After that, let's go ahead and add in a
02:02
as well as a
02:15
A zit was a description. So it's important to carefully note this context behind your intelligence that if an alert fires, you know the source that is coming from,
02:24
well, go ahead and save this.
02:27
And now it's appears right at the top of the list so you can hit view for more details, including things like how many alerts have been generated. As a result,
02:37
a CZ was an audit history. So if it's modified, the leader on you have that full audit trail. You can export the data as a CSC file, and you can also toggle if you'd like it to be public or private.
02:52
And so if it's public, it means that the insight idea our community can subscribe to it. And so it's a great way to share threat intelligence with others. So here, going back to threats and checking up the threat community, I can see what's available. View the intelligence
03:10
on, then also subscribed to it. And so here they're things like seven organizations tracking I can view or subscribe. According
03:20
Finally, let's take a look at an alert that's generated so heading back to the investigations page, we have it filtered down to
03:28
threat intelligence alerts, so we have to better network access for threat.
03:35
So clicking into it, it's automatically pre populated with the user's involved the assets involved and the alert is denoted by the red lightning bolt on so we can see there's been inbound firewall traffic from an I P that matches a threat intelligence source that we haven't inside. I tr.
03:53
So from there you can pull in additional evidence to see all the information available.
04:00
And what's also nice is that you get the notable behaviors associated with the users and assets involved. So we automatically have the context that the previous stay a virus alert triggered for that house up.
04:14
So that's after for threat intelligence in this solution short.

Up Next