Question

VT and Mandiant TI threat feeds list

  • August 19, 2024
  • 8 replies
  • 139 views

Mufa_shah

Hi All,

Struggling to find "graph.metadata.threat.threat_feed_name" for info stealers. Also, how do we get the list of threat feeds we can leverage, for both VT and Mandiant?

Thanks in advance  

8 replies

maxjunker
  • Bronze 4
  • August 22, 2024

Hi @Mufa_shah, we've also been struggling to find out what's inside the global context graph. I had the privilege to attend a Google SecOps Bootcamp a few months ago and I was asking the same question, but didn't get an answer.

As of now, there's no official documentation available. Personally I think there's a lot happening right now as the Mandiant feeds and other open source feeds are integrated. Also, Google Threat Intelligence is launching.

So I think this is a moving target. 


jstoner
  • Staff
  • August 22, 2024

When you say infostealer, I'm not sure what data feed that would be to point you in the right direction. Was this something someone characterized to you?

We have a few blogs on some of the threat intel sources listed below as well as some sample rules that you could use as a starting point. https://github.com/chronicle/detection-rules/tree/main/community/threat_intel

https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Detecting-Tor-Exit-Nodes-and-Remote-Access/ba-p/735064

https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Safe-Browsing-Integration/ba-p/733812

I know we need to create some more examples so happy to help clarify things but some of the content I believe may also be dependent upon the offering level selected.

Hopefully this helps as a starting point and we can evolve this further.


dnehoda
  • Staff
  • August 22, 2024

I believe infostealer is the malware family name. Potentially a raw log search for infostealer, or whatever their executable is, may be appropriate here. Or you could search for the hash of any of the infostealers' known IOCs.

Our current capabilities do not support graph entity searches. This is an upcoming feature, I believe.

 


hzmndt
  • Staff
  • August 22, 2024

So I'm thinking, if you can ask support to grant you Chronicle BigQuery access, then you can select the data from the BigQuery table for all the threat_feed_name values and dump them out from there.


Aj_Detection
  • Bronze 1
  • November 27, 2025

So I'm thinking, if you can ask support to grant you Chronicle BigQuery access, then you can select the data from the BigQuery table for all the threat_feed_name values and dump them out from there.


Hi @jstoner, is this possible? If we get access to BigQuery, can we see the values of the field graph.metadata.

Thanks

Ajay P


jstoner
  • Staff
  • December 1, 2025

Because you can perform a search of global context data in Search, I would suggest that if you are looking to explore the entity graph and the data sets you have access to, a good way to do that is performing a search like this:

 

graph.metadata.source_type = "GLOBAL_CONTEXT"
graph.metadata.entity_type = "FILE"
graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
graph.metadata.threat.associations.type = "MALWARE"
graph.metadata.threat.associations.role = "Credential Stealer"
select:
graph.metadata.vendor_name, graph.metadata.product_name, graph.metadata.feed, graph.metadata.threat.threat_feed_name

The fields in the select section can also be useful for narrowing the data down, but the ones I included in the first half of the search are specific to Mandiant Fusion IOC feeds.


Aj_Detection
  • Bronze 1
  • December 3, 2025

Hi @jstoner,

Thanks for your response. I'm not getting any data with the provided query for GLOBAL_CONTEXT. I have executed it with different values as well.

 


Regards

Ajay P

Detection Engineering


jstoner
  • Staff
  • December 3, 2025

Give this a try:

graph.metadata.source_type = "GLOBAL_CONTEXT"
graph.metadata.entity_type = "FILE"
graph.metadata.vendor_name = "Google Cloud Threat Intelligence"
select:
graph.metadata.vendor_name, graph.metadata.product_name, graph.metadata.feed, graph.metadata.threat.threat_feed_name

Depending on the entitlement of the tenant, the Mandiant Fusion feed may not be available. Below is a summary of some of the other feeds that you should have access to, separate from that Mandiant feed. If you aren't seeing anything with this, or are expecting to see the Fusion feed based on your entitlement, you may need to open a ticket to see if that can get resolved.

https://docs.cloud.google.com/chronicle/docs/event-processing/data-enrichment#ingest-and-store-gcp-threat-intelligence-data
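The two searches jstoner posted above both end with a select: of graph.metadata.vendor_name, product_name, feed and threat.threat_feed_name, which is exactly the inventory the original question asks for. The script below is an added example, not code from this thread or from Google SecOps: it takes a search result export, assumed here to be a JSON list of records nested along those same UDM field paths, and tallies the distinct threat_feed_name values per vendor, product and feed, optionally narrowed by the same source_type, entity_type, vendor_name and threat.associations filters the searches use. All records, product names and feed names in SAMPLE_EXPORT are constructed placeholders, not real feed identifiers; only the field paths and the vendor strings "Google Cloud Threat Intelligence" and "MANDIANT_FUSION_IOC" come from the thread.

```python
"""Inventory the threat feeds present in an exported set of entity-graph records.

Added example for the thread above, not Google SecOps code. It assumes the search
results were exported as a JSON list of objects whose keys follow the UDM paths
used in the thread (graph.metadata.vendor_name, graph.metadata.threat.threat_feed_name,
graph.metadata.threat.associations.role, ...). The sample records are constructed.
"""
import json
from collections import defaultdict

# Constructed sample export. Product and feed names are placeholders.
SAMPLE_EXPORT = json.dumps([
    {"graph": {"metadata": {
        "source_type": "GLOBAL_CONTEXT", "entity_type": "FILE",
        "vendor_name": "Google Cloud Threat Intelligence",
        "product_name": "EXAMPLE_PRODUCT_A", "feed": "example-feed-a",
        "threat": [{"threat_feed_name": "EXAMPLE_FEED_ALPHA",
                    "associations": [{"type": "MALWARE", "role": "Credential Stealer"}]}]}}},
    {"graph": {"metadata": {
        "source_type": "GLOBAL_CONTEXT", "entity_type": "FILE",
        "vendor_name": "Google Cloud Threat Intelligence",
        "product_name": "EXAMPLE_PRODUCT_A", "feed": "example-feed-a",
        "threat": [{"threat_feed_name": "EXAMPLE_FEED_BETA",
                    "associations": [{"type": "MALWARE", "role": "Backdoor"}]}]}}},
    {"graph": {"metadata": {
        "source_type": "GLOBAL_CONTEXT", "entity_type": "DOMAIN_NAME",
        "vendor_name": "MANDIANT_FUSION_IOC",
        "product_name": "EXAMPLE_PRODUCT_B", "feed": "example-feed-b",
        # a single threat object rather than a list, to show both shapes are handled
        "threat": {"threat_feed_name": "EXAMPLE_FEED_GAMMA"}}}},
    {"graph": {"metadata": {
        # entity context with no threat block at all: contributes no feed names
        "source_type": "ENTITY_CONTEXT", "entity_type": "USER",
        "vendor_name": "EXAMPLE_IDP"}}},
])


def load_export(text):
    """Parse the exported JSON list of records."""
    return json.loads(text)


def get_path(record, path):
    """Walk a dotted UDM path through nested dicts; None if any hop is missing."""
    cur = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def threat_entries(record):
    """graph.metadata.threat may be one object or a list; always return a list."""
    threat = get_path(record, "graph.metadata.threat")
    if threat is None:
        return []
    return threat if isinstance(threat, list) else [threat]


def matches(record, source_type=None, entity_type=None, vendor_name=None,
            assoc_type=None, assoc_role=None):
    """Apply the same filters the thread's searches use; None means 'any'."""
    md = get_path(record, "graph.metadata") or {}
    for key, want in (("source_type", source_type), ("entity_type", entity_type),
                      ("vendor_name", vendor_name)):
        if want is not None and md.get(key) != want:
            return False
    if assoc_type is None and assoc_role is None:
        return True
    # Association filters match if any association on any threat entry matches.
    for entry in threat_entries(record):
        for assoc in entry.get("associations", []):
            if (assoc_type is None or assoc.get("type") == assoc_type) and \
               (assoc_role is None or assoc.get("role") == assoc_role):
                return True
    return False


def feed_inventory(records, **filters):
    """Distinct threat_feed_name values keyed by (vendor_name, product_name, feed)."""
    inventory = defaultdict(set)
    for record in records:
        if not matches(record, **filters):
            continue
        md = get_path(record, "graph.metadata") or {}
        key = (md.get("vendor_name"), md.get("product_name"), md.get("feed"))
        names = {e.get("threat_feed_name") for e in threat_entries(record)
                 if e.get("threat_feed_name")}
        if names:
            inventory[key].update(names)
    return {key: sorted(names) for key, names in inventory.items()}


if __name__ == "__main__":
    records = load_export(SAMPLE_EXPORT)
    for key, names in feed_inventory(records, source_type="GLOBAL_CONTEXT").items():
        print(key, names)
```

Run against a real export, the unfiltered GLOBAL_CONTEXT inventory answers the "which feeds do we have" question, and the association filters reproduce the credential-stealer narrowing from the first search; an empty result for a vendor you expect is the same entitlement signal jstoner describes, and a ticket is the right next step rather than further query tweaking.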