Threat intel feeds in Security Analytics

[eirsep]

Enrich Detectors With Feeds

Create/Update Detector flow

While creating Security Analytics detectors, customers will be able to choose threat feeds that they wish to enrich their detectors with.
Detector rules would be constructed from the latest version of the threat feeds to identify potential threats from the Indicators of Compromise(IoC’s) such as IP addresses, network hosts, domains, file hashes, email ids which apply to the chosen log types.

RFC: #671

[eirsep]

• Choose some publicly available threat feeds
• Create system indices for storing IoCs parsed from threat intel feeds
• Integrate Job scheduler to periodically update these feeds and on each update, update detectors with this data
• Build doc level queries from threat intel IOCs present in threat intel system indices.
• Handle create/update detector flows w.r.t. threat intel enabled/disabled
• add threat_intel_enabled flag in detector payload. defaults to false in api

[tallyoh]

@eirsep thank you very much for doing this work.

[engechas]

Closing as completed by #669