Reading Vital Signs
“Cure the symptoms, cure the disease.” – Michael Crichton
Security analysts today are beset with a singular focus on incidents, both in standard IR and threat hunting exercises. One less-discussed drawback of this focus is that common patterns and links between the underlying indicators that define incidents get ignored. A wide variety of attacks might be defined by the same set of malicious indicators, but a lack of indicator visibility results in repetitive response actions for each attack that could otherwise have been avoided.
Instead of scrambling to cure disease after disease, analysts need to take a deep breath, get out their cyber stethoscopes, and listen for vital signs that might help cure a host of diseases in one sweep.
Indicator Visibility and Flexibility
Demisto’s central indicator repository acts as this much-needed stethoscope for analysts. In addition to full incident management, Demisto also lets analysts pivot searches and run queries by specific indicators, add custom indicator fields, and create new indicator types. These features provide unprecedented visibility into how indicators link across incidents and act as useful tools during threat hunting exercises.
In this walkthrough, we shall explore the indicator dashboard, see how to write and save queries, and go through examples of indicator custom fields and new indicator types.
Let’s look at the indicator dashboard screen:
This dashboard provides a succinct one-screen view of important indicator metrics like reputation, common indicators, time period, the number of ‘bad hits’ (indicators with bad reputation), and the number of ‘new hits’ (indicators that have not been reviewed yet). All these fields are filterable, which allows you to conduct quick searches on your metrics of interest. The snapshot below illustrates this process:
The lower half of the dashboard has two views of indicators that you can switch between: a brief table view or a more detailed summary view.
There are multiple ways that Demisto ingests new indicators.
- You can manually create a new indicator by clicking the ‘New Indicator’ button.
- You can upload STIX files by clicking the upload button on the top right of the screen.
- You can set up integrations with mail clients to forward mails with STIX files or CSVs that have indicators.
Running and Saving Queries:
Let’s say you want to run a query to find the indicators with bad reputation over the last 30 days. This is accomplished with a few quick clicks:
- Click the time period drop-down on the top left of the screen and select 30 days.
- Click the ‘Bad’ option on the Reputation section in the center of the screen.
And that’s it! The query fills up in the search bar on top of the screen to highlight the journey your query took. You can add this to your saved queries by clicking the ‘Add’ button on the top right and giving the query a custom name.
This query will be available for quick retrieval in the future. Just click ‘Saved Queries’ on the top right to open up all the queries you have saved for future use.
The summary view of indicators lets you drill down to each indicator and study it in greater detail. You can check every indicator’s first occurrence and last occurrence time stamps, reputation, and a compendium of related incidents that the indicator was found in.
After studying an indicator, you can edit the indicator fields to add more data, create an incident based on the indicator if you think it is serious enough, or whitelist and delete the indicator if you think it is a false positive.
Custom Indicator Fields:
In addition to providing multiple angles of indicator visibility, Demisto also provides the flexibility to customize indicators to organizational requirements. For instance, you can edit and add your own custom fields to an indicator. The screenshot below shows the indicator fields repository.
You can view each field name, type, and whether it is a mandatory field for indicators. You can edit these existing fields and add new fields by clicking the button on the top right. For example, if you want to create a new field called ‘campaign’, you have the flexibility to choose the field type, name, placeholder text, and the option to make it mandatory. The screenshot below illustrates this:
After you add this field, it will be present alongside other fields whenever a new indicator is created, as shown below.
New Indicator Types:
If you go to Settings, Advanced, and then Indicator Types, you can check all existing indicator types with their names, regex entries, enhancement scripts, and regex scripts. You can edit any of the existing entries and add a new indicator type by clicking the respective button at the top of the screen.
Indicator types can either be auto-discovered through their regular expression (or regex) entry, or by manually assigning the indicator type during creation or investigation.
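As an added illustration (not Demisto’s code, and not how its repository is implemented), here is a small Python model of the ideas in this walkthrough: regex-based type auto-discovery, one record per indicator with first/last occurrence and linked incidents, a custom ‘campaign’ field, and the ‘bad reputation over the last 30 days’ query. The regexes, sample incident text, and field names are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Regex entry per indicator type (constructed for this example, not Demisto's own entries).
INDICATOR_TYPES = {
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "MD5": re.compile(r"\b[a-fA-F0-9]{32}\b"),
    "Domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}

class IndicatorRepository:
    """One record per indicator value, linked to every incident it was found in."""
    def __init__(self):
        self.records = {}

    def ingest(self, incident_id, text, seen_at, reputation="Unknown", **custom_fields):
        """Auto-discover indicators in free text by regex and merge them into the repository."""
        for itype, rx in INDICATOR_TYPES.items():
            for value in rx.findall(text):
                rec = self.records.setdefault(value, {
                    "type": itype, "first_seen": seen_at, "last_seen": seen_at,
                    "reputation": reputation, "incidents": set(), "custom": {}})
                rec["first_seen"] = min(rec["first_seen"], seen_at)
                rec["last_seen"] = max(rec["last_seen"], seen_at)
                rec["incidents"].add(incident_id)
                rec["custom"].update(custom_fields)  # custom field such as 'campaign'; latest write wins
                if reputation != "Unknown":
                    rec["reputation"] = reputation

    def query(self, reputation=None, days=None, now=None):
        """Dashboard-style filter: reputation bucket plus a last-N-days window on last_seen."""
        cutoff = (now or datetime.now()) - timedelta(days=days) if days else None
        return sorted(v for v, r in self.records.items()
                      if (reputation is None or r["reputation"] == reputation)
                      and (cutoff is None or r["last_seen"] >= cutoff))

    def shared_across(self, min_incidents=2):
        """Indicators linking several incidents: the common pattern the post says gets overlooked."""
        return sorted(v for v, r in self.records.items() if len(r["incidents"]) >= min_incidents)

# Constructed sample incident text; the address, domain and hash are placeholders.
NOW = datetime(2018, 6, 1)
REPO = IndicatorRepository()
REPO.ingest("INC-1", "Beacon to 203.0.113.5, dropper md5 d41d8cd98f00b204e9800998ecf8427e",
            NOW - timedelta(days=40), reputation="Bad", campaign="wave-1")
REPO.ingest("INC-2", "Phish landing page login.evil.example resolving to 203.0.113.5",
            NOW - timedelta(days=3), reputation="Bad", campaign="wave-2")
REPO.ingest("INC-3", "Benign update check to updates.example.org", NOW - timedelta(days=1), reputation="Good")
```

Calling `REPO.query(reputation="Bad", days=30, now=NOW)` reproduces the saved query from the walkthrough, and `REPO.shared_across()` lists the indicators that tie several incidents together.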
We hope you found this feature walkthrough helpful. In the second part of our series on indicators, we will explore how indicators are used for both threat hunting and incident management.
If you’re interested to know more, we invite you to view the video walkthrough on our YouTube channel. If you are new to Demisto and interested in exploring the platform further, we invite you to sign up for the Demisto Community Edition.