28. 10. 2021 Simone Cagol Blue Team, Exposure Assessment, SEC4U

Cyber Threat Intelligence: Enrichment with SATAYO IoC

One of the important elements of Cyber Threat Intelligence activity is the verification of IoCs (Indicators of Compromise) that can identify threats that can create an impact on your organization.

In parallel to our OSINT and Cyber Threat Intelligence SATAYO platform we have implemented the SATAYO IoC database which currently has about 900,000 elements.

Among these are:

  • IP addresses
  • Domains
  • URLs

Using keywords connected to the organizations whose exposure we monitor and which we periodically update, we are therefore able to find any evidence, as in the case highlighted below, relating to 2 phishing domains:

However, one of the unequivocal advantages of having IoCs constantly updated is that of being able to use them with the aim of enriching events collected within a SIEM.

In recent weeks we have worked a lot on the possibilities of integrating SATAYO IoC within NetEye SIEM and we are very proud to be able to show the results we’ve achieved.

First of all, a phase of daily reconstruction of the IoCs was implemented within SATAYO, which retrieves the various sources and creates a JSON file containing them.

An “Indicator Match” type detection rule was then created in NetEye SIEM, in which the source.ip and destination.ip fields were mapped.

Then there is a phase of ingestion of the records within an index.

Finally, the various characteristics of the detection rule have been defined and a schedule (every 10 minutes) configured for the execution of the detection rule itself.

The execution of the detection rule therefore allows us to quickly identify the presence of connections with IP addresses present in the SATAYO IoC database.

The Indicators of Compromise is just one of the integrations between SATAYO and NetEye that we have achieved to date. The implementation of the API (Application Programming Interface) within SATAYO has made it possible to also provide within NetEye SIEM all the different pieces of evidence collected by our OSINT and Cyber Threat Intelligence platform.
In our next posts we’ll show you these integrations, which allow the Cyber Security Analysts of the SOC (Security Operation Center) to obtain unprecedented visibility.

Simone Cagol

Simone Cagol

Author

Simone Cagol

Latest posts by Simone Cagol

13. 01. 2022 Blue Team
Sigma Rule Crawler Project
See All

Related Content

Tags: , , , , , ,

29. 12. 2024 Log-SIEM, NetEye

How to Configure Kibana to Use a Proxy Server with a Certificate via the NODE_EXTRA_CA_CERTS Variable

When using Kibana in environments that require a proxy to reach external services, you might encounter issues with unrecognized SSL certificates. Specifically, if the proxy is exposed with its own certificate and acts as an SSL terminator, requests made by Read More
12. 12. 2024 Log Management, Log-SIEM

Sample osquery Investigations for a Security Incident

Note: This description of a security analyst's daily routine is fictitious. However, the osquery examples have been tested and can therefore be used as a template for your own research. 1. Alarm Detection Today started with a high-severity alarm from our Read More
18. 11. 2024 Development, Threat Intelligence

Scaling SATAYO: OSINT Research with Apache Airflow

Originally developed as a proof of concept, SATAYO was designed to gather and analyze OSINT (Open Source Intelligence) data on a single machine. Initially, the platform functioned as a single-threaded script, and scaling was only considered later. As SATAYO’s capabilities Read More
08. 11. 2024 Blue Team, SEC4U, Threat Intelligence

SATAYO And SOC: Exchanging Data For Better Insight

In this post, we'll explore the synergy between a Cyber Threat Intelligence (CTI) platform and a traditional Security Operations Center (SOC) service. For those interested in the topic, I recommend reading my previous article, where I demonstrated a concrete example Read More
30. 04. 2024 SOCnews

SOC News | Apr 30 – New Cyber Attacker Groups Detected

During the last week of April, our Attacker Centric SOC detected multiple new cyber attacker group websites in the Dark Web. Called Dedicated Leak Sites (DLS), they are widely used by ransomware gangs to publish stolen confidential data when the victim Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

Search by technology

Contact

Contact us
Serviceportal

Archive