How does Threat Stack’s Threat Intelligence feature work?
Threat Stack’s Threat Intelligence feature correlates the IP addresses of a host’s outgoing and incoming connections with the Threat Stack curated IP list, which is compiled from various sources.
What are the sources of the IP lists?
We have both open source and commercial sources.
- Partial open source list
  - https://zeustracker.abuse.ch/blocklist.php (Zeus IP Blocklist)
- Partial commercial source list
  - Iblocklist: iblocklist.com/lists
What are the configuration steps?
The default threat intelligence rule that ships out of the box captures outgoing traffic (type="connect") and generates a severity 1 alert. The configuration involves three simple steps:
- Enable the threat intelligence rule under rule sets (please contact support if you do not see the rule set).
- Tweak the rule for the right severities and filters (e.g. you may want to capture incoming traffic as well and change the severity for it).
- Associate the rule set with the servers you want to see alerts on.
Customers can also create new custom rules by following the steps below.
Creating New Threat Intelligence Rules
Customers can create custom threat intelligence rules (click "add new threat intelligence rule") based on the filter keys below.
- Network event type (type="connect" or type="accept")
- threatintel_source: the possible values are
  - scanning host
  - spamming host
  - malicious host
A custom filter might look like:
type="connect" and threatintel_reason="malicious host"
Please select aggregations for the alert title to work.
An example is below.
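As an added illustration (not Threat Stack’s own code), the following Python model walks through the two steps this page describes: correlating each connection’s remote IP with a blocklist to emit threatintel events, then evaluating a custom filter rule against those events. The field names `type`, `event_type`, `threatintel_source` and `threatintel_reason` come from this page; the blocklist contents, the network events and the `direction` and `ip` fields are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample blocklist standing in for the curated list: IP -> (source, reason).
# The addresses are RFC 5737 documentation ranges, not real indicators.
BLOCKLIST = {
    "203.0.113.10": ("zeustracker.abuse.ch", "malicious host"),
    "198.51.100.7": ("iblocklist", "scanning host"),
}

# Constructed raw network events: "connect" is an outgoing connection, "accept" an incoming one.
NETWORK_EVENTS = [
    {"type": "connect", "local_ip": "10.0.0.5", "remote_ip": "203.0.113.10"},
    {"type": "accept", "local_ip": "10.0.0.5", "remote_ip": "198.51.100.7"},
    {"type": "connect", "local_ip": "10.0.0.5", "remote_ip": "192.0.2.44"},
]


def correlate(events, blocklist=BLOCKLIST):
    """Return one threatintel event for every network event whose remote IP is on the blocklist."""
    hits = []
    for ev in events:
        match = blocklist.get(ev["remote_ip"])
        if match is None:
            continue
        source, reason = match
        hits.append({
            "event_type": "threatintel",
            "type": ev["type"],
            "direction": "outbound" if ev["type"] == "connect" else "inbound",  # assumed field
            "ip": ev["remote_ip"],  # assumed field
            "threatintel_source": source,
            "threatintel_reason": reason,
        })
    return hits


# One clause of a rule filter: key="value"
CLAUSE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')


def parse_filter(text):
    """Parse a filter such as type="connect" and threatintel_reason="malicious host" into a dict."""
    parsed = {}
    for clause in text.split(" and "):
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError(f"bad filter clause: {clause!r}")
        parsed[m.group(1)] = m.group(2)
    return parsed


def evaluate_rule(filter_text, events, aggregate_by="ip"):
    """Apply a rule filter to threatintel events and count matches per aggregation key."""
    wanted = parse_filter(filter_text)
    matched = [e for e in events if all(e.get(k) == v for k, v in wanted.items())]
    return Counter(e[aggregate_by] for e in matched)
```

With the sample data, the page’s example filter matches only the outgoing connection to 203.0.113.10, while a type="accept" filter picks up the scanning host that connected inbound.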
Where do you see the results?
Similar to other features, the threat intelligence feature is surfaced in three places: alerts, events and widgets.
We generate an event of type threatintel (event_type="threatintel") when there is an IP match with any of the bad IP lists. The event records whether the connection is inbound or outbound, the source of the threat intelligence and the reason. The user can search on any of these fields, as the examples below illustrate.
Alerts are generated if there is a match, and you will see them on the alerts screen. The text filter for these alerts is "threat intelligence".
After you click on the alert, you will see the contributing event together with the details of the match: the source, the reason and the type.
The threat intelligence activity widget shows the matched IPs for both incoming and outgoing connections, defaulting to incoming connections.