Threat Intel Optimization
The Threat Intel Quick Analysis App provides baseline queries. You can further optimize and enhance these queries for the log and events types being scanned for threats. Use the following guidelines to customize your Threat Intel queries:
- Filter out unwanted logs before you use the Threat Intel lookup operator
- Use keywords
- Use the where operator
- Use general search optimization rules
For example:
_sourceCategory=cylance "IP Address"
| parse regex "(?<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| where !isNull(ip_address)
| where ip_address != "0.0.0.0" and ip_address != "127.0.0.1"
| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=ip_address
Field Extraction Rule
Use Field Extraction Rules (FER) to parse fields from your log messages at the time the messages are ingested, which eliminates the need to parse fields at the query level. Use these parsed fields along with Threat Intel Lookup operator.
- Create the FER. For example, for Cylance Security Events, create and use the following FER:
parse "Event Type: *, Event Name: *, Device Name: *, IP Address: (*, *), File Name: *, Path: *, Drive Type: *, SHA256: *, MD5: *, Status: *, Cylance Score: *, Found Date: *, File Type: *, Is Running: *, Auto Run: *, Detected By: *" as event_type,event_name,device_name,src_ip,dest_ip,file_name,path,drive_type,sha,md5,status,score,found,file_type,isRunning,autoRun,detected
- Customize your query so that it uses the fields parsed by the FER with the Threat Intel Lookup operator. For example:
| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=src_ip
| json field=raw "labels[*].name" as label_name
| replace(label_name, "\\/","->") as label_name
| replace(label_name, "\""," ") as label_name
| where type="ip_address" and !isNull(malicious_confidence)
| if (isEmpty(actor), "Unassigned", actor) as Actor
| count as threat_count by src_ip, malicious_confidence, Actor, _source, label_name
| sort by threat_count
where src_ip is the field parsed by the FER (see step 1).
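As an added example (not the page's own query code, and not Cylance's or Sumo Logic's), the Python below does outside Sumo Logic what the FER and the first example query do inside it: it turns the page's wildcard parse pattern into a regex, extracts the fields from constructed Cylance-style lines, and applies the page's where-filters (well-formed IPv4, not 0.0.0.0 or 127.0.0.1) before any address would be handed to a threat lookup. The wildcard-to-regex translation assumes each * takes the shortest match up to the next literal; the sample lines and the hash values in them are constructed.

```python
import re
# Cylance Security Event layout from the page's FER: each '*' is one field, named in order.
FER_PATTERN = ("Event Type: *, Event Name: *, Device Name: *, IP Address: (*, *), "
               "File Name: *, Path: *, Drive Type: *, SHA256: *, MD5: *, Status: *, "
               "Cylance Score: *, Found Date: *, File Type: *, Is Running: *, "
               "Auto Run: *, Detected By: *")
FIELDS = ["event_type", "event_name", "device_name", "src_ip", "dest_ip", "file_name",
          "path", "drive_type", "sha", "md5", "status", "score", "found", "file_type",
          "isRunning", "autoRun", "detected"]
IPV4_RE = re.compile(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")  # the page's IP regex
EXCLUDED_IPS = {"0.0.0.0", "127.0.0.1"}  # the page's where-filter, applied before lookup

def fer_to_regex(pattern, fields):
    """Turn a '*' wildcard parse pattern into a regex with one named group per field.
    Assumption: each '*' takes the shortest text up to the next literal."""
    literals = pattern.split("*")
    assert len(literals) == len(fields) + 1, "field count does not match wildcard count"
    regex = re.escape(literals[0])
    for name, literal in zip(fields, literals[1:]):
        regex += f"(?P<{name}>.*?)" + re.escape(literal)
    return re.compile(regex + "$")

def parse_events(lines):
    """Extract the FER fields from each line; lines that do not match are dropped."""
    rx = fer_to_regex(FER_PATTERN, FIELDS)
    return [m.groupdict() for m in map(rx.search, lines) if m]

def lookup_candidates(events):
    """src_ip values worth sending to the Threat Intel lookup: well-formed IPv4
    and not the placeholder/loopback addresses the page's query excludes."""
    ips = [ev["src_ip"] for ev in events]
    return [ip for ip in ips if IPV4_RE.fullmatch(ip) and ip not in EXCLUDED_IPS]

def make_event(src_ip, dest_ip):
    """Build one constructed Cylance-style line in the FER layout (sample data only)."""
    return (f"Event Type: Threat, Event Name: threat_found, Device Name: WS01, "
            f"IP Address: ({src_ip}, {dest_ip}), File Name: tool.exe, Path: C:\\Temp\\, "
            f"Drive Type: Fixed, SHA256: {'a' * 64}, MD5: {'b' * 32}, Status: Quarantined, "
            f"Cylance Score: -100, Found Date: 2024-01-01, File Type: Executable, "
            f"Is Running: False, Auto Run: False, Detected By: BackgroundThreatDetection")

# Constructed sample input: two lines carry addresses the filter removes, the last is not a threat event.
SAMPLE_LOGS = [
    make_event("10.0.0.5", "203.0.113.9"),
    make_event("127.0.0.1", "127.0.0.1"),
    make_event("0.0.0.0", "192.0.2.7"),
    make_event("192.0.2.44", "198.51.100.3"),
    "Event Type: Device, Event Name: Registration, Device Name: WS02",
]
```

Running `lookup_candidates(parse_events(SAMPLE_LOGS))` on the constructed input yields only the two routable addresses, which is the set a lookup against sumo://threat/cs would then have to process.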
Scheduled View
Use scheduled views with the Threat Lookup operator to find threats. A Scheduled View reduces aggregate data to the bare minimum, so it contains only the raw results you need to generate your data. Queries that run against a Scheduled View return results much faster because the data is pre-aggregated before the query runs, and a Scheduled View query runs continuously, once per minute.
- Create a scheduled view. For example, for Cylance, create a scheduled view named cylance_threat:
_sourceCategory=cylance | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=src_ip
| json field=raw "labels[*].name" as label_name
| replace(label_name, "\\/","->") as label_name
| replace(label_name, "\""," ") as label_name
| where type="ip_address" and !isNull(malicious_confidence)
| if (isEmpty(actor), "Unassigned", actor) as Actor
| lookup latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code from geo://default on ip = src_ip
| count as threat_count by src_ip, malicious_confidence, Actor, _source, label_name, city, country_name, raw
- Now you can run your Threat Intel query on top of this view:
_view=cylance_threat
| count by src_ip