
Threat Intel FAQ

Frequently asked questions (FAQ) about the Sumo Logic integration with the CrowdStrike threat intelligence database.
What is the CrowdStrike Integration for Sumo Logic?

Sumo Logic has expanded its security offerings by allowing customers to perform analysis over their logs for potential threats and indicators of compromise. In partnership with CrowdStrike, Sumo Logic maintains an updated Threat Intelligence database that can be correlated with log data through queries.

The Sumo Logic / CrowdStrike integration has two parts:

  • Sumo Logic maintains an up-to-date copy of CrowdStrike’s threat database
  • Sumo customers can now use the CrowdStrike database in threat analysis queries over their logs (via a new lookup operator)
How often do you refresh the threat feed from CrowdStrike?

The database is updated once per day. Lookups are served from a multi-layer cache for performance rather than going back to the master database on each query, so a newly published indicator can take up to a day to show up in lookups.

Can I export all of the threats from Sumo Logic?

No. We do not allow export of the threat intel feed because it is confidential to CrowdStrike. However, lookups from your logs are matched against the entire threat database. You will ONLY see data returned when a value from your log data (e.g. an IP, domain or email address) matches a specific threat in the database via the threat lookup operator.

When is threat lookup going to be real-time using Continuous Queries (CQs)?

This is currently being evaluated as part of the CY17 product roadmap. Live mode for dashboards and real-time queries are not supported at this time.

Can I historically search my logs for threats?

Yes, you can search any log data that is still retained and searchable using the Sumo Logic Platform. However, we suggest customers break up historical searches into smaller and more manageable chunks based on time range and/or source category for performance reasons.

If I don't see any results in any Dashboard, is that a bad thing?

No. No results in your dashboards can mean that nothing in the logs you searched has been identified by CrowdStrike as a threat, verified or unverified. Before drawing that conclusion, confirm that the query's _sourceCategory scope and its parsed fields actually cover the logs you expect, since the lookup only sees the values the query extracts.

What Indicator of Compromise (IOC) types are available?

The following IOC types are available from CrowdStrike:

  • ip_address
  • domain
  • url
  • email_address
  • event_name
  • x509_subject
  • ip_address_block
  • x509_serial
  • binary_string
  • service_name
  • user_agent
  • bitcoin_address
  • file_path
  • registry
  • username
  • file_name
  • password
  • campaign_id
  • mutex_name
  • hash_md5
  • hash_sha1
  • hash_sha256
Can you provide samples for the different IOC types?

IOC Type      IOC
SHA256        6c1bce76f4d2358656132b6b1d471571820688ccdbaca0d86d0ca082b9390536
SHA256        b101cd29e18a515753409ae86ce68a4cedbe0d640d385eb24b9bbb69cf8186ae
IP Address    84.112.91.96
IP Address    158.69.196.112
File          updater.exe
File          0.exe
URL           http://tycahatit.ru/zapoy/gate.php
URL           http://ningwitjohnno.ru/zapoy/gate.php
Domain        9jdco01e.ru
Domain        ningwitjohnno.ru
Email         sherigerber@mail.ru
Email         nosiwdcd5@outlook.com
Hash MD5      9da2a54e98ddb9a0adb4ace3dda4d8e0
Hash MD5      832efb3fce4b1e16d610d5856f1401bb

Do IOCs and Threats expire?

IOCs and threats often remain in the database because an IOC such as an IP address can go dormant and later reappear as part of another threat. The date an indicator was last seen as valid is in the raw JSON under labels > last_valid_on. Be aware that over time an indicator's Malicious Confidence can be downgraded or upgraded depending on recent activity, so check last_valid_on and last_updated rather than assuming an old match is still live.

I found an IOC in VirusTotal (or another third-party threat feed) but I can't find that IOC in CrowdStrike using the Sumo Logic lookup. Why?

CrowdStrike focuses on quality over quantity in threat assessment, with a dedicated Intel team doing that work. An indicator from a third-party feed may be absent from the CrowdStrike database because the CrowdStrike Intel team rejected it during assessment.

I found threats in my network. What do I do next (how do I get more context about a threat)?

Look at the raw JSON field returned by the lookup. Fields such as ip_address_types, labels, relations and malware_families in that object provide more context about the threat. For example:

{
  "indicator": "104.198.196.36",
  "type": "ip_address",
  "last_updated": 1476946769,
  "published_date": 1476946767,
  "malicious_confidence": "unverified",
  "reports": [],
  "actors": [],
  "malware_families": [],
  "kill_chains": [],
  "domain_types": [],
  "ip_address_types": [
    "SSHScanner"
  ],
  "relations": [],
  "labels": [
    {
      "name": "ThreatType/Suspicious",
      "created_on": 1476946768,
      "last_valid_on": 1476946768
    },
    {
      "name": "IPAddressType/SSHScanner",
      "created_on": 1476946768,
      "last_valid_on": 1476946768
    }
  ]
}

With the malware family and other information, you can search the internet for more detail, as data on known threats is often readily available. If you need more robust information, contact CrowdStrike directly to purchase individual reports or discuss upgrading to CrowdStrike Premium, which includes more detailed reports.
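To turn the raw object into something an analyst can act on, the following added Python example (written for this page; it is not Sumo Logic's or CrowdStrike's code) parses the sample object above, groups the labels by category, converts the Unix timestamps, computes how long ago the indicator was last valid, and flags unverified entries as informational only. The age_bucket value applies the 60/120-day thresholds this page gives for IP and domain malicious_confidence purely as an illustration of what the age alone would imply; it is not CrowdStrike's scoring, and the feed's own malicious_confidence field remains authoritative. The reference time passed as "now" is an assumed value.

```python
import json
from datetime import datetime, timezone

# Constructed input: the raw JSON object shown on this page for 104.198.196.36,
# embedded inline so the example runs offline.
RAW = json.dumps({
    "indicator": "104.198.196.36",
    "type": "ip_address",
    "last_updated": 1476946769,
    "published_date": 1476946767,
    "malicious_confidence": "unverified",
    "reports": [], "actors": [], "malware_families": [], "kill_chains": [],
    "domain_types": [], "ip_address_types": ["SSHScanner"], "relations": [],
    "labels": [
        {"name": "ThreatType/Suspicious", "created_on": 1476946768, "last_valid_on": 1476946768},
        {"name": "IPAddressType/SSHScanner", "created_on": 1476946768, "last_valid_on": 1476946768},
    ],
})

# Array fields in the raw object that carry context about the threat.
CONTEXT_FIELDS = ("ip_address_types", "domain_types", "malware_families",
                  "actors", "kill_chains", "reports", "relations")


def to_utc(ts):
    """Unix seconds (UTC) -> ISO 8601 string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def age_bucket(age_days):
    """Map days since last activity onto the IP/domain thresholds this page gives
    for high/medium/low. Illustrative only: CrowdStrike's own malicious_confidence
    is the authoritative value."""
    if age_days <= 60:
        return "high"
    if age_days <= 120:
        return "medium"
    return "low"


def summarize(raw, now_ts):
    """Reduce one raw lookup object to the fields an analyst triages on.
    now_ts is an assumed reference time in Unix seconds."""
    ioc = json.loads(raw)
    labels = ioc.get("labels", [])
    # Label names are "Category/Value[/Sub]"; group values under their category.
    by_category = {}
    for label in labels:
        category, _, value = label["name"].partition("/")
        by_category.setdefault(category, []).append(value)
    # Most recent last_valid_on across labels; fall back to last_updated.
    last_valid = max((lab["last_valid_on"] for lab in labels), default=ioc["last_updated"])
    age_days = (now_ts - last_valid) // 86400
    return {
        "indicator": ioc["indicator"],
        "type": ioc["type"],
        "malicious_confidence": ioc["malicious_confidence"],
        "published_date": to_utc(ioc["published_date"]),
        "last_updated": to_utc(ioc["last_updated"]),
        "last_valid_on": to_utc(last_valid),
        "age_days": age_days,
        "age_bucket": age_bucket(age_days) if ioc["type"] in ("ip_address", "domain") else None,
        # Per this page, unverified is informational rather than actionable.
        "actionable": ioc["malicious_confidence"] in ("high", "medium", "low"),
        "labels": by_category,
        "context": {k: ioc.get(k, []) for k in CONTEXT_FIELDS},
    }


if __name__ == "__main__":
    # 1484870400 is 2017-01-20T00:00:00Z, an assumed "now" a few months after the sample.
    print(json.dumps(summarize(RAW, 1484870400), indent=2))
```

For the sample object the result shows an unverified SSH scanner last valid on 2016-10-20 with no actor, report or malware family attached, which is exactly the "informational, not actionable" case described later on this page.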

What are Actors?

Threats are grouped by actor. Nation-state actors are named by country: for instance, "Panda" is the umbrella term for all nation-state activity tied to the People's Republic of China. Non-nation-state threats are categorized by intent rather than location; for instance, activist groups like the Syrian Electronic Army are categorized as "Jackal", which expresses both intent and motivation. CrowdStrike's cryptonym system for threat categorization is:

  • Nation-State-Based threats
    • Panda = China
    • Bear = Russia
    • Kitten = Iran
    • Tiger = India
    • Chollima (a mythical winged horse) = North Korea
  • Non-Nation-State threats
    • Jackal = Activist groups
    • Spider = Criminal groups

https://www.crowdstrike.com/blog/meet-the-adversaries/

What is Unverified Malicious Confidence?

About 20% of the indicators are unverified. These may be real threats, but the CrowdStrike team has not been able to assign a confidence level to them, so they remain in the unverified state.

An unverified indicator is usually an IP address related to a known adversary (such as Deep Panda) that was used at some point in that campaign. IPs are dynamic: the fact that Deep Panda used 201.22.52.32 at some point does not mean that IP should be marked as bad today, so it is labelled unverified. It is informational rather than actionable. CrowdStrike is looking at better ways to vet those IPs; for now they stay unverified, and CrowdStrike advises customers not to act on them unless they are also seeing malicious activity from one of them. If the state is ever updated, CrowdStrike changes the "last_updated" timestamp and the new state appears in the lookup. In the meantime, treat them as candidates for analysis.

CrowdStrike recommends starting with the highest malicious confidence and working down.

What does the new Threat Intel Quick Analysis App do?

This App scans all Sumo logs, parses (using regex) IP, email, URL, domain and file name fields, and compares them against the CrowdStrike threat feed. Think of it as an inner join between the parsed fields and the threat table: only log values that match an indicator are returned.

I already have parsed fields such as IPs, domain, URL, Email or File Name. Can I use them with this App, instead of parsing each log line again?

Yes. Customize the queries within the App to reference your existing fields instead of the parse step. For example, with an already parsed IP field named Your_IP:

_sourceCategory=*/*/FIREWALL or _sourceCategory=*/*/LB or _sourceCategory=*/*/ROUTER or _sourceCategory=*/*/WINDOWS or _sourceCategory=*/*/SERVER
| where Your_IP != "0.0.0.0" and Your_IP != "127.0.0.1"
| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=Your_IP
| where type="ip_address" and !isNull(malicious_confidence)
| if (isEmpty(actor), "Unassigned", actor) as Actor
| count by Actor

Should I use all logs (*) with this App or subset of logs, what's the recommendation?

You can use (*) to scan all of your ingested logs for threats, but depending on log volume this can hurt the performance of the search query and the App.

For optimal performance, use a subset of the logs. For example:

_sourceCategory= */*/FIREWALL or _sourceCategory=*/*/LB or _sourceCategory=*/*/ROUTER or _sourceCategory=*/*/WINDOWS or _sourceCategory=*/*/SERVER

I am seeing noisy results in the lookup service, what do I do?
  • Use filters to remove as much of the noise as possible (e.g. use a NOT clause before passing tuples to the lookup operator).
  • Use the "labels" section of the raw field to keep results of interest or discard results that are not useful. For example, labels such as 'TorProxy' or 'njRAT' can be noisy and can be filtered out by customizing the queries like this:

| parse regex "(?<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)"
| where ip_address != "0.0.0.0" and ip_address != "127.0.0.1"
| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=ip_address
| json field=raw "labels[*].name" as label_name
| replace(label_name, "\\/","->") as label_name
| replace(label_name, "\""," ") as label_name
| where type="ip_address" and !isNull(malicious_confidence)
| where !(label_name matches "*TorProxy*")
| if (isEmpty(actor), "Unassigned", actor) as Actor
| count by ip_address, malicious_confidence, Actor, _source, label_name
| sort by _count
 

The Threat Intel App is a good starting point, but every customer will need to customize the queries powering the App for their own environment.
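As an added example of what the App's pipeline does (written for this page; it is not the App's own query or Sumo Logic code), the following Python reproduces it end to end on constructed log lines and a constructed stand-in for the sumo://threat/cs table: regex extraction of IPs, emails, URLs and domains, the 0.0.0.0/127.0.0.1 filter, the inner join on (type, value), the TorProxy label filter, the "Unassigned" fallback for an empty actor, and the count by actor. Every IOC value, label, confidence and actor in the table is invented; the public IPs come from the RFC 5737 documentation ranges.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the page).
LOGS = [
    'fw1 deny src=192.0.2.10 dst=10.0.0.5 proto=tcp dport=22',
    'fw1 allow src=10.0.0.7 dst=198.51.100.7 proto=tcp dport=443',
    'lb1 health src=127.0.0.1 dst=0.0.0.0',
    'proxy GET http://bad.example.net/zapoy/gate.php client=10.0.0.9',
    'mail from=phish@example.org to=bob@example.test subject="invoice"',
    'fw1 allow src=10.0.0.7 dst=203.0.113.5 proto=tcp dport=443',
]

# Constructed stand-in for the sumo://threat/cs table. Columns follow the
# page's lookup (threat, type, actor, raw, threatlevel); all values are invented.
THREAT_TABLE = [
    {"threat": "192.0.2.10", "type": "ip_address", "actor": "Panda", "threatlevel": "high",
     "raw": {"labels": [{"name": "ThreatType/Targeted"}]}},
    {"threat": "198.51.100.7", "type": "ip_address", "actor": "", "threatlevel": "low",
     "raw": {"labels": [{"name": "IPAddressType/TorProxy"}]}},
    {"threat": "203.0.113.5", "type": "ip_address", "actor": "", "threatlevel": "unverified",
     "raw": {"labels": [{"name": "ThreatType/Suspicious"}]}},
    {"threat": "bad.example.net", "type": "domain", "actor": "", "threatlevel": "high",
     "raw": {"labels": [{"name": "ThreatType/Commodity"}]}},
    {"threat": "phish@example.org", "type": "email_address", "actor": "Spider", "threatlevel": "medium",
     "raw": {"labels": [{"name": "EmailAddressType/SpearphishSender"}]}},
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+")
NOISE_IPS = {"0.0.0.0", "127.0.0.1"}  # the addresses the page's queries drop


def extract_iocs(line):
    """Pull (type, value) pairs out of one raw log line, mirroring the App's
    parse-regex step. Loopback/unspecified IPs and malformed octets are dropped."""
    found = []
    for m in EMAIL_RE.finditer(line):
        found.append(("email_address", m.group()))
    for m in URL_RE.finditer(line):
        url = m.group()
        found.append(("url", url))
        # The host part of a URL is also worth a domain lookup.
        host = re.sub(r"^https?://", "", url).split("/")[0].split(":")[0]
        found.append(("domain", host))
    for m in IP_RE.finditer(line):
        ip = m.group()
        if ip in NOISE_IPS or any(int(o) > 255 for o in ip.split(".")):
            continue
        found.append(("ip_address", ip))
    return found


def scan(logs, table, drop_labels=("TorProxy",)):
    """Inner-join extracted IOCs against the threat table on (type, value), then
    discard matches carrying any label containing a string in drop_labels."""
    index = {(row["type"], row["threat"]): row for row in table}
    hits = []
    for line in logs:
        for ioc_type, value in extract_iocs(line):
            row = index.get((ioc_type, value))
            if row is None:
                continue  # no match: the lookup returns nothing for this value
            labels = [lab["name"] for lab in row["raw"].get("labels", [])]
            if any(noise in lab for lab in labels for noise in drop_labels):
                continue  # the page's "!(label_name matches "*TorProxy*")" step
            hits.append({
                "ioc": value, "type": ioc_type,
                "malicious_confidence": row["threatlevel"],
                "actor": row["actor"] or "Unassigned",  # isEmpty(actor) fallback
                "labels": labels, "log": line,
            })
    return hits


def count_by_actor(hits):
    """Equivalent of '| count by Actor | sort by _count' (descending)."""
    return Counter(h["actor"] for h in hits).most_common()


if __name__ == "__main__":
    for hit in scan(LOGS, THREAT_TABLE):
        print(hit["malicious_confidence"], hit["type"], hit["ioc"], hit["actor"], hit["labels"])
    print(count_by_actor(scan(LOGS, THREAT_TABLE)))
```

Running it shows four hits and a count of two "Unassigned", one "Panda" and one "Spider": the TorProxy-labelled address is joined but then dropped, the loopback line produces nothing, and the unverified address still appears, which is why the page recommends triaging from the highest confidence downward rather than treating every row as an incident.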

Can I use a scheduled search with the threat lookup service? If so, what run frequency can I use?

Yes, but it is not real-time in phase 1. Scheduled searches can currently be set up with a run frequency (polling period) of 15 minutes or more.

Can I bring my own threat feed into Sumo Logic?

This isn't currently available as an App. You can build your own lookup table from a shared file and query it with the lookup operator in the same way.

Can you explain different fields in the Raw JSON object?

Name (type): Description

indicator (string)
The indicator that was queried.

type (string)
Possible indicator types include:

·    binary_string

·    compile_time

·    device_name

·    domain

·    email_address

·    email_subject

·    event_name

·    file_mapping

·    file_name

·    file_path

·    hash_ion

·    hash_md5

·    hash_sha1

·    hash_sha256

·    ip_address

·    ip_address_block

·    mutex_name

·    password

·    persona_name

·    phone_number

·    port

·    registry

·    semaphore_name

·    service_name

·    url

·    user_agent

·    username

·    x509_serial

·    x509_subject

report (string)
The report ID that the indicator is associated with (e.g. CSIT-XXXX, CSIR-XXXX, etc.). The report list is also represented under the labels list in the JSON data structure.

actor (string)
The named actor that the indicator is associated with (e.g. panda, bear, spider, etc.). The actor list is also represented under the labels list in the JSON data structure.

malicious_confidence (string)
Indicates the confidence level by which an indicator is considered to be malicious. For example, a malicious file hash may always have a value of high, while domains and IP addresses will very likely change over time. The malicious confidence level is also represented under the labels list in the JSON data structure.

high : If the indicator is an IP or domain, it has been associated with malicious activity within the last 60 days.

medium : If the indicator is an IP or domain, it has been associated with malicious activity within the last 60-120 days.

low : If the indicator is an IP or domain, its last association with malicious activity is more than 120 days old.

unverified : This indicator has not been verified by a CrowdStrike Intelligence analyst or an automated system.

published_date (timestamp in standard Unix time, UTC)
The date the indicator was first published.

last_updated (timestamp in standard Unix time, UTC)
The date the indicator was last updated in CrowdStrike's internal database.

malware_family (string)
Indicates the malware family an indicator has been associated with. An indicator may be associated with more than one malware family. The malware family list is also represented under the labels list in the JSON data structure.

kill_chain (string)
The point in the kill chain with which an indicator is associated. The kill chain list is also represented under the labels list in the JSON data structure.

reconnaissance : This indicator is associated with the research, identification, and selection of targets by a malicious actor.

weaponization : This indicator is associated with assisting a malicious actor in creating malicious content.

delivery : This indicator is associated with the delivery of an exploit or malicious payload.

exploitation : This indicator is associated with the exploitation of a target system or environment.

installation : This indicator is associated with the installation or infection of a target system with a remote access tool or other tool allowing for persistence in the target environment.

c2 (Command and Control) : This indicator is associated with malicious actor command and control.

actionOnObjectives : This indicator is associated with a malicious actor's desired effects and goals.

Note that in the raw object returned by the lookup, report, actor, malware_family and kill_chain appear as the arrays reports, actors, malware_families and kill_chains (see the sample object earlier on this page), so parse them as lists.

labels (list)
The Intel Indicators API provides additional context around an indicator via the labels list. Some of these labels, such as malicious_confidence, are also accessible via the top-level data structure. All labels, including their associated timestamps, are accessible via the labels list. The URL string will look like:

https://intelapi.crowdstrike.com/indicator/v1/search/labels?equal=DomainType/DynamicDNS

 

DomainType

·    DomainType/ActorControlled : It is believed the malicious actor is still in control of this domain.

·    DomainType/DGA : This domain is the result of malware utilizing a domain generation algorithm.

·    DomainType/DynamicDNS : This domain is owned or used by a dynamic DNS service.

·    DomainType/DynamicDNS/Afraid : This domain is owned or used by the Afraid.org dynamic DNS service.

·    DomainType/DynamicDNS/DYN : This domain is owned or used by the DYN dynamic DNS service.

·    DomainType/DynamicDNS/Hostinger : This domain is owned or used by the Hostinger dynamic DNS service.

·    DomainType/DynamicDNS/noIP : This domain is owned or used by the NoIP dynamic DNS service.

·    DomainType/DynamicDNS/Oray : This domain is owned or used by the Oray dynamic DNS service.

·    DomainType/KnownGood : The domain itself (or the domain portion of a URL) is known to be legitimate, despite having been associated with malware or malicious activity.

·    DomainType/LegitimateCompromised : This domain does not typically pose a threat but has been compromised by a malicious actor and may be serving malicious content.

·    DomainType/PhishingDomain : This domain has been observed to be part of a phishing campaign.

·    DomainType/Sinkholed : The domain is being sinkholed, likely by a security research team. This indicates that, while traffic to the domain likely has a malicious source, the IP address to which it is resolving is controlled by a legitimate third party. It is no longer believed to be under the control of the actor.

·    DomainType/StrategicWebCompromise : While similar to the DomainType/LegitimateCompromised label, this label indicates that the activity is of a more targeted nature. Oftentimes, targeted attackers will compromise a legitimate domain that they know to be a watering hole frequently visited by the users at the organizations they are looking to attack.

·    DomainType/Unregistered : The domain is not currently registered with any registrar.

EmailAddressType

·    EmailAddressType/DomainRegistrant : This email address has been supplied in the registration information for known malicious domains.

·    EmailAddressType/SpearphishSender : This email address has been used to send spearphishing emails.

IntelNews: The Intel Flash Report ID an indicator is associated with (e.g. IntelNews/NEWS-060520151900 ).

IPAddressType

·    IPAddressType/HtranDestinationNode : An IP address with this label is being used as a destination address with the HTran Proxy Tool.

·    IPAddressType/HtranProxy : An IP address with this label is being used as a relay or proxy node with the HTran Proxy Tool.

·    IPAddressType/LegitimateCompromised : It is suspected an IP address with this label is compromised by malicious actors.

·    IPAddressType/Parking : This IP address is likely being used as parking IP address.

·    IPAddressType/PopularSite : This IP address could be utilized for a variety of purposes and may appear more frequently than other IPs.

·    IPAddressType/SharedWebHost : This IP address may be hosting more than one website.

·    IPAddressType/Sinkhole : This IP address is likely a sinkhole being operated by a security researcher or vendor.

·    IPAddressType/TorProxy : This IP address is acting as a Tor (The Onion Router) proxy.

Malware: The malware family the indicator is associated with (e.g. Malware/PoisonIvy, Malware/Zeus, Malware/DarkComet).

Status

·    Status/ConfirmedActive : This indicator is likely to be currently supporting malicious activity

·    Status/ConfirmedInactive : This indicator is no longer used for malicious purposes.

Target: The activity associated with this indicator is known to target the indicated vertical sector, which could be any of the following:

·    Target/Aerospace

·    Target/Agricultural

·    Target/Chemical

·    Target/Defense

·    Target/Dissident

·    Target/Energy

·    Target/Extractive

·    Target/Financial

·    Target/Government

·    Target/Healthcare

·    Target/Insurance

·    Target/InternationalOrganizations

·    Target/Legal

·    Target/Manufacturing

·    Target/Media

·    Target/NGO

·    Target/Pharmaceutical

·    Target/Research

·    Target/Retail

·    Target/Shipping

·    Target/Technology

·    Target/Telecom

·    Target/Transportation

·    Target/Universities

ThreatType

·    ThreatType/ClickFraud : This indicator is used by actors engaging in click or ad fraud

·    ThreatType/Commodity : This indicator is used with commodity type malware such as Zeus or Pony Downloader.

·    ThreatType/PointOfSale : This indicator is associated with activity known to target point-of-sale machines such as AlinaPoS or BlackPoS.

·    ThreatType/Ransomware : This indicator is associated with ransomware such as CryptoLocker or CryptoWall.

·    ThreatType/Suspicious : This indicator is not currently associated with a known threat type but should be considered suspicious.

·    ThreatType/Targeted : This indicator is associated with a known actor suspected to be associated with a nation-state, such as DEEP PANDA or ENERGETIC BEAR.

·    ThreatType/TargetedCrimeware : This indicator is associated with a known actor suspected to be engaging in criminal activity, such as WICKED SPIDER.

Vulnerability: The CVE (CVE-YYYY-NNNN) the indicator is associated with (e.g. https://intelapi.crowdstrike.com/ind.../CVE-2012-0158 ).