Hi All,
Struggling to find "graph.metadata.threat.threat_feed_name" for info stealers. Also, how do we get the list of threat feeds we can leverage, for both VT and Mandiant?
Thanks in advance
Hi @Mufa_shah, we've also been struggling to find out what's inside the global context graph. I had the privilege to attend a Google SecOps Bootcamp a few months ago and I was asking the same question, but didn't get an answer.
As of now, there's no official documentation available. Personally I think there's a lot happening right now as the Mandiant feeds and other open-source feeds are integrated. Also Google Threat Intelligence is launching.
So I think this is a moving target.
When you say infostealer, I'm not sure what data feed that would be to point you in the right direction. Was this something someone characterized to you?
We have a few blogs on some of the threat intel sources listed below as well as some sample rules that you could use as a starting point. https://github.com/chronicle/detection-rules/tree/main/community/threat_intel
I know we need to create some more examples so happy to help clarify things but some of the content I believe may also be dependent upon the offering level selected.
Hopefully this helps as a starting point and we can evolve this further.
I believe infostealer is the malware family name. Potentially a raw log search for "infostealer" or whatever their executable is may be appropriate here. Or you could search for the hash of any of the infostealers' known IOCs.
Our current capabilities do not support graph entity searches. This is an upcoming feature I believe.
So I'm thinking if you can ask support to grant you the Chronicle BigQuery access, then you can select the data from the BigQuery table for all the threat_feed_name values and dump them out from there.
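As an added example of the BigQuery approach suggested above (this is not code from the thread or from Google), the query below lists every distinct threat feed name present in the exported entity graph, with a per-feed entity count. It assumes the Chronicle/Google SecOps BigQuery export exposes an `entity_graph` table whose schema mirrors the UDM entity, with `metadata.threat` as a repeated record carrying `threat_feed_name`, `threat_name`, and `category`; the project and dataset names are placeholders to replace with your own.

```sql
-- Added example, not from the original thread. Assumptions:
--   * `your-project.datalake.entity_graph` is the exported entity graph table (placeholder name)
--   * metadata.threat is a REPEATED record with threat_feed_name / threat_name / category
-- Query 1: inventory of feeds feeding the global context graph.
SELECT
  t.threat_feed_name,
  metadata.source_type,
  metadata.entity_type,
  COUNT(*) AS entity_count
FROM `your-project.datalake.entity_graph` AS g,
  UNNEST(g.metadata.threat) AS t          -- flatten the repeated threat record
WHERE t.threat_feed_name IS NOT NULL
GROUP BY t.threat_feed_name, metadata.source_type, metadata.entity_type
ORDER BY entity_count DESC;

-- Query 2: narrow the inventory to entries whose feed, threat name or category
-- mentions "stealer", to see which feeds actually carry infostealer indicators.
SELECT
  t.threat_feed_name,
  t.threat_name,
  t.category,
  metadata.entity_type,
  COUNT(*) AS entity_count
FROM `your-project.datalake.entity_graph` AS g,
  UNNEST(g.metadata.threat) AS t
WHERE LOWER(IFNULL(t.threat_feed_name, '')) LIKE '%stealer%'
   OR LOWER(IFNULL(t.threat_name, '')) LIKE '%stealer%'
   OR LOWER(IFNULL(t.category, '')) LIKE '%stealer%'
GROUP BY t.threat_feed_name, t.threat_name, t.category, metadata.entity_type
ORDER BY entity_count DESC;
```

The exact feed name strings returned by Query 1 are the values to use in a YARA-L `$ioc.graph.metadata.threat.threat_feed_name = "..."` condition; check the table's actual schema with `INFORMATION_SCHEMA.COLUMNS` first if the column path differs in your tenant.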