Fix IOC acronym to be in line with AWS
Signed-off-by: Archer <[email protected]>
Naarcha-AWS committed Aug 6, 2024
1 parent a9acd73 commit ea96af4
Showing 4 changed files with 13 additions and 12 deletions.
2 changes: 1 addition & 1 deletion _security-analytics/threat-intelligence/api/source.md
Expand Up @@ -12,7 +12,7 @@ The threat intelligence Source API updates and returns information about tasks r

## Create or update threat intelligence source

Creates or updates a threat intelligence source and loads Indicators of Compromise (IoCs) from that source.
Creates or updates a threat intelligence source and loads Indicators of Compromise (IOCs) from that source.

### Path and HTTP methods
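Review bot: only a single `IoC` occurrence is visible in this file and the hunk shows just three lines of context on each side, so confirm that the collapsed remainder of source.md (request and response examples, field descriptions) contains no remaining `IoC` spellings; otherwise the page ends up with both forms after a commit whose purpose is to make the acronym consistent.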

Expand Down
19 changes: 10 additions & 9 deletions _security-analytics/threat-intelligence/getting-started.md
Expand Up @@ -28,11 +28,11 @@ On the threat intelligence source page, add the following information:
- **Name**: A name for the source.
- **Description**: An optional description for the source.
- **Threat intel source type**: The source type determines where the `STIX2` file is stored. You can choose one of the following options:

Check failure on line 30 in _security-analytics/threat-intelligence/getting-started.md (GitHub Actions / vale): [OpenSearch.Spelling] Error: intel. If you are referencing a setting, variable, format, function, or repository, surround it with tic marks.
- **Remote data store location**: Connects to a custom data store. As of OpenSearch 2.16, only the `S3_SOURCE` type is supported. This setting also gives you the ability to set a download schedule, where OpenSearch downloads the newest STIX2 file from the data store. For more information, see [S3_SOURCE connection details](#s3_source-connection-details).
- **Local file upload**: Uploads a custom threat intelligence IoC file. Custom files cannot be set to download schedule and must be uploaded manually in order to update the IoCs. For more information, see [Local file upload](#local-file-upload).
- **Types of malicious indicators**: Determines the malicious IoCs to pull from the STIX2 file. The following IoCs are supported:
- IPv4-Address
- IPv6-Address
- **Remote data store location**: Connects to a custom data store. As of OpenSearch 2.16, only the `S3_SOURCE` type is supported. This setting also gives you the ability to set a download schedule, where OpenSearch downloads the newest STIX2 file from the data store. For more information, see [S3_SOURCE connection details](#s3_source-connection-details)
- **Local file upload**: Uploads a custom threat intelligence IOC file. Custom files cannot be set to download schedule and must be uploaded manually in order to update the IOCs. For more information, see [Local file upload](#local-file-upload).
- **Types of malicious indicators**: Determines the malicious IOCs to pull from the STIX2 file. The following IOCs are supported:
- IPV4-Address

Check failure on line 34 in _security-analytics/threat-intelligence/getting-started.md (GitHub Actions / vale): [Vale.Terms] Use 'IPv4' instead of 'IPV4'.
- IPV6-Address

Check failure on line 35 in _security-analytics/threat-intelligence/getting-started.md (GitHub Actions / vale): [Vale.Terms] Use 'IPv6' instead of 'IPV6'.
- Domains
- File hash
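Review bot: `IPV4-Address` and `IPV6-Address` in the indicator-type list regress the casing of the protocol names, which are not part of the IOC acronym change, and trip the Vale.Terms check; keep `IPv4-Address` and `IPv6-Address`. The rewritten **Remote data store location** bullet also drops the trailing period after the `[S3_SOURCE connection details]` link that the previous version had. While touching this list, "cannot be set to download schedule" in the **Local file upload** bullet reads better as "cannot be set to a download schedule".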

Expand All @@ -42,7 +42,7 @@ After all the relevant information has been entered, select **Add threat intel s

Local files uploaded as the threat intelligence source must use the following specifications:

- Upload as a JSON file in the STIX2 format. For an example STIX2 file, [download the following example file]({{site.url}}{{site.baseurl}}/assets/examples/all-ioc-type-examples.json), which contains example formatting for all IoC types.
- Upload as a JSON file in the STIX2 format. For an example STIX2 file, [download the following example file]({{site.url}}{{site.baseurl}}/assets/examples/all-IOC-type-examples.json), which contains example formatting for all IOC types.

Check warning on line 45 in _security-analytics/threat-intelligence/getting-started.md (GitHub Actions / vale): [OpenSearch.AcronymParentheses] 'IOC': Spell out acronyms the first time that you use them on a page and follow them with the acronym in parentheses. Subsequently, use the acronym alone.
- Be less than 500 kB.
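Review bot: the example link now points at `all-IOC-type-examples.json`, but this commit changes only four Markdown files, so the asset under `assets/examples/` is not renamed and the download link will break on a case-sensitive web server, where a case-only change is still a different path. Either keep the link target as `all-ioc-type-examples.json` or rename the asset in the same commit. The Vale acronym warning on this line is a separate point: `IOC` is used on this page without ever being spelled out, so the first mention should read "Indicators of Compromise (IOCs)".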


Expand All @@ -68,17 +68,18 @@ To add or a scan configuration:

1. From the threat intelligence view, select **Add scan configuration** or **Edit scan configuration**.
2. Select the indexes or alias to scan.
3. Select the **fields** from your indexes and alias to scan based on their IoC type. For example, if an alias has two fields called `src_ip` and `dst_ip` which contain `ipv4` addresses, those fields must be entered into the `ipv4-addr` section of the monitor request.
4. Determine a **Scan schedule**, which decides the frequency of the scan against the indicated indexes and aliases. By default, OpenSearch scans for IoCs every minute.
3. Select the **fields** from your indexes and alias to scan based on their IOC type. For example, if an alias has two fields called `src_ip` and `dst_ip` which contain `ipv4` addresses, those fields must be entered into the `ipv4-addr` section of the monitor request.
4. Determine a **Scan schedule**, which decides the frequency of the scan against the indicated indexes and aliases. By default, OpenSearch scans for IOCs every minute.
5. Set up any alert triggers and trigger conditions. You can add multiple triggers.
1. Add a name for the trigger.
2. Pick an indicator type. The indicator type matches the IoC types.
2. Pick an indicator type. The indicator type matches the IOC types.
3. Select a severity for the alert.
4. Select whether to send a notification when the alert triggers. When enabled, you can customize which channels the notification is sent to, and the notification message. Notification message can be customized using a [mustache template](https://mustache.github.io/mustache.5.html).
6. With your settings complete, select **Save and start monitoring**.

When malicious IOC's are found, OpenSearch creates **findings**, which gives information about the threat. You can also configure triggers with the monitors to create alerts, which sends notifications to configured webhooks or endpoints.

Check failure on line 80 in _security-analytics/threat-intelligence/getting-started.md (GitHub Actions / vale): [OpenSearch.Spelling] Error: IOC's. If you are referencing a setting, variable, format, function, or repository, surround it with tic marks.


## Viewing alerts and findings

You can view the findings and alerts generated by threat intelligence monitors to analyze which malicious indicators have occurred in their security logs. To view alerts or findings, select **View findings** or **View alerts** from the threat intelligence view.
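Review bot: the unchanged line "When malicious IOC's are found" uses a possessive apostrophe for a plural and is what the spelling check fails on; since this commit is the acronym cleanup, change it to `IOCs` here rather than in a follow-up. Two smaller things in the same hunk: the section intro shown in the hunk header reads "To add or a scan configuration:" (missing "edit"), and "Notification message can be customized" needs an article ("The notification message can be customized").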
2 changes: 1 addition & 1 deletion _security-analytics/threat-intelligence/index.md
Expand Up @@ -7,7 +7,7 @@ has_children: true

# Threat intelligence

You can use the threat intelligence feature in OpenSearch to integrate your threat intelligence feeds. Feeds are comprised of Indicators of Compromise (IOCs), which search for malicious indicators in your data. Through monitors, findings are generated, and notifications are sent when malicious IPs, domains, or hashes referenced from the threat intelligence feeds match your data.
Threat intelligence in Security Analytics offers the capability to integrate your threat intelligence feeds. Feeds are comprised Indicators of Compromise (IOCs), which search for malicious indicators within your data by setting up a threat intelligence monitor. These monitors generate findings and can send notifications when malicious IPs, domains, or hashes referenced from the threat intelligence feeds match your data.

To access threat intelligence, log into OpenSearch Dashboards, and select **Security Analytics** > **Threat Intelligence**.
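Review bot: "Feeds are comprised Indicators of Compromise (IOCs)" in this hunk is missing a word; "Feeds consist of Indicators of Compromise (IOCs)" fixes the gap and avoids "comprised of". Both versions of the sentence also say the IOCs "search for malicious indicators" in your data, but it is the threat intelligence monitor that searches; the IOCs are what it matches against. Something like "Feeds consist of Indicators of Compromise (IOCs); a threat intelligence monitor searches your data for them" keeps the mechanics straight whichever version of the paragraph is kept.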

Expand Down
2 changes: 1 addition & 1 deletion _security-analytics/usage/detectors.md
Expand Up @@ -37,7 +37,7 @@ After you select the **Alert triggers** tab, you also have the option to add add

### Threat intelligence feeds

A threat intelligence feed is a real-time, continuous data stream that gathers information related to risks or threats. A piece of information in the tactical threat intelligence feed suggesting that your cluster may have been compromised, such as a login from an unknown user or location or anomalous activity like an increase in read volume, is called an *indicator of compromise* (IoC). These IoCs can be used by investigators to help isolate security incidents.
A threat intelligence feed is a real-time, continuous data stream that gathers information related to risks or threats. A piece of information in the tactical threat intelligence feed suggesting that your cluster may have been compromised, such as a login from an unknown user or location or anomalous activity like an increase in read volume, is called an *indicator of compromise* (IOC). These IOCs can be used by investigators to help isolate security incidents.

As of OpenSearch 2.12, you can enable threat intelligence for Sigma rules related to malicious IP addresses.
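Review bot: the definition sentence gives "a login from an unknown user or location" and "an increase in read volume" as examples of an IOC from a feed, but those are behavioural signals observed in the cluster's own telemetry, not indicators a threat intelligence feed carries; the getting-started page in this same commit lists the supported feed indicator types as IPv4 and IPv6 addresses, domains, and file hashes. Suggest "such as a known-malicious IP address, domain, or file hash" so the definition matches what the feature actually scans for, and keep the anomalous-activity examples out of the IOC definition.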

Expand Down