Add Threat Intelligence Section #7905
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Surya Sashank Nistala <[email protected]>
Signed-off-by: Surya Sashank Nistala <[email protected]>
Co-authored-by: Heather Halter <[email protected]> Signed-off-by: Surya Sashank Nistala <[email protected]>
Co-authored-by: Heather Halter <[email protected]> Signed-off-by: Surya Sashank Nistala <[email protected]>
Co-authored-by: Heather Halter <[email protected]> Signed-off-by: Surya Sashank Nistala <[email protected]>
Co-authored-by: Heather Halter <[email protected]> Signed-off-by: Surya Sashank Nistala <[email protected]>
Co-authored-by: Heather Halter <[email protected]> Signed-off-by: Surya Sashank Nistala <[email protected]>
Co-authored-by: Heather Halter <[email protected]> Signed-off-by: Surya Sashank Nistala <[email protected]>
Co-authored-by: Heather Halter <[email protected]> Signed-off-by: Surya Sashank Nistala <[email protected]>
Co-authored-by: Heather Halter <[email protected]> Signed-off-by: Surya Sashank Nistala <[email protected]>
Signed-off-by: Surya Sashank Nistala <[email protected]>
Signed-off-by: Surya Sashank Nistala <[email protected]>
Signed-off-by: Surya Sashank Nistala <[email protected]>
Signed-off-by: Surya Sashank Nistala <[email protected]>
Signed-off-by: Archer <[email protected]>
Signed-off-by: Archer <[email protected]>
Signed-off-by: Archer <[email protected]>
Signed-off-by: Archer <[email protected]>
Naarcha-AWS
added
2 - In progress
Naarcha-AWS
requested review from
hdhalter,
kolchfa-aws,
vagimeli,
AMoo-Miki,
natebower,
dlvenable and
epugh
as code owners
Signed-off-by: Naarcha-AWS <[email protected]>
Naarcha-AWS
commented
Aug 7, 2024
natebower
reviewed
Aug 7, 2024
There was a problem hiding this comment.
@Naarcha-AWS Please see my comments and changes and let me know if you have any questions. Thanks!
|
|
||
| # Alerts and Findings API | ||
|
|
||
| The threat intelligence Alerts and Findings API retrieves information about alerts and findings found in threat intelligence feeds. |
There was a problem hiding this comment.
Suggested change
| The threat intelligence Alerts and Findings API retrieves information about alerts and findings found in threat intelligence feeds. | |
| The threat intelligence Alerts and Findings API retrieves information about alerts and findings from threat intelligence feeds. |
| `sortString` | The string Security Analytics uses to sort the alerts. Optional. | ||
| `sortOrder` | The order used to sort the list of alerts. Possible values are `asc` or `desc`. Optional. | ||
| `missing` | A list of fields for which no alias mappings are found. Optional. | ||
| `size` | An optional limit for the maximum number of results returned in the response. Optional. |
There was a problem hiding this comment.
Suggested change
| `size` | An optional limit for the maximum number of results returned in the response. Optional. | |
| `size` | An optional maximum number of results to be returned in the response. Optional. |
|
|
||
| ### Response fields | ||
|
|
||
| Threat intelligence alerts can have one of the following states. |
There was a problem hiding this comment.
Suggested change
| Threat intelligence alerts can have one of the following states. | |
| A threat intelligence alert can have one of the following states. |
| | State | Description | | ||
| | :---- | :--- | | ||
| | `ACTIVE` | The alert is ongoing and unacknowledged. Alerts remain in this state until they are acknowledged, the trigger associated with the alert is deleted, or the threat intelligence monitor is deleted entirely. | | ||
| | `ACKNOWLEDGED` | The alert is acknowledged but the root cause of the alert has not been addressed. | |
There was a problem hiding this comment.
Suggested change
| | `ACKNOWLEDGED` | The alert is acknowledged but the root cause of the alert has not been addressed. | | |
| | `ACKNOWLEDGED` | The alert is acknowledged, but the root cause of the alert has not been addressed. | |
|
|
||
| ## Viewing alerts and findings | ||
|
|
||
| You can view the findings and alerts generated by threat intelligence monitors to analyze which malicious indicators have occurred in their security logs. To view alerts or findings, select **View findings** or **View alerts** from the threat intelligence view. |
There was a problem hiding this comment.
Suggested change
| You can view the findings and alerts generated by threat intelligence monitors to analyze which malicious indicators have occurred in their security logs. To view alerts or findings, select **View findings** or **View alerts** from the threat intelligence view. | |
| You can view the alerts and findings generated by threat intelligence monitors to analyze which malicious indicators have occurred in their security logs. To view alerts or findings, select **View findings** or **View alerts** from the threat intelligence view. |
|
|
||
| # Threat intelligence | ||
|
|
||
| Threat intelligence in Security Analytics offers the capability to integrate your threat intelligence feeds. Feeds are comprised Indicators of Compromise (IOCs), which search for malicious indicators within your data by setting up a threat intelligence monitor. These monitors generate findings and can send notifications when malicious IPs, domains, or hashes referenced from the threat intelligence feeds match your data. |
There was a problem hiding this comment.
Suggested change
| Threat intelligence in Security Analytics offers the capability to integrate your threat intelligence feeds. Feeds are comprised Indicators of Compromise (IOCs), which search for malicious indicators within your data by setting up a threat intelligence monitor. These monitors generate findings and can send notifications when malicious IPs, domains, or hashes referenced from the threat intelligence feeds match your data. | |
| Threat intelligence in Security Analytics offers the capability to integrate your threat intelligence feeds. Feeds comprise indicators of compromise (IOCs), which search for malicious indicators in your data by setting up threat intelligence monitors. These monitors generate findings and can send notifications when malicious IPs, domains, or hashes from the threat intelligence feeds match your data. |
|
|
||
| You can interact with threat intelligence in the following ways: | ||
|
|
||
| - Threat intelligence API: To configure threat intelligence using API operations, see [Threat Intelligence APIs]({{site.url}}{{site.baseurl}}/security-analytics/threat-intelligence/api/threat-intel-api/). |
There was a problem hiding this comment.
I believe the linked heading is in sentence case where it appears ("Threat intelligence APIs").
| You can interact with threat intelligence in the following ways: | ||
|
|
||
| - Threat intelligence API: To configure threat intelligence using API operations, see [Threat Intelligence APIs]({{site.url}}{{site.baseurl}}/security-analytics/threat-intelligence/api/threat-intel-api/). | ||
| - OpenSearch Dashboards: To configure and use threat intelligence through the OpenSearch Dashboards interface, see [Getting Started]({{site.url}}{{site.baseurl}}/security-analytics/threat-intelligence/getting-started/). |
There was a problem hiding this comment.
"Getting started" (sentence case)?
| @@ -37,7 +37,7 @@ After you select the **Alert triggers** tab, you also have the option to add add | |||
|
|
|||
| ### Threat intelligence feeds | |||
|
|
|||
| A threat intelligence feed is a real-time, continuous data stream that gathers information related to risks or threats. A piece of information in the tactical threat intelligence feed suggesting that your cluster may have been compromised, such as a login from an unknown user or location or anomalous activity like an increase in read volume, is called an *indicator of compromise* (IoC). These IoCs can be used by investigators to help isolate security incidents. | |||
| A threat intelligence feed is a real-time, continuous data stream that gathers information related to risks or threats. A piece of information in the tactical threat intelligence feed suggesting that your cluster may have been compromised, such as a login from an unknown user or location or anomalous activity like an increase in read volume, is called an *indicator of compromise* (IOC). These IOCs can be used by investigators to help isolate security incidents. | |||
There was a problem hiding this comment.
Suggested change
| A threat intelligence feed is a real-time, continuous data stream that gathers information related to risks or threats. A piece of information in the tactical threat intelligence feed suggesting that your cluster may have been compromised, such as a login from an unknown user or location or anomalous activity like an increase in read volume, is called an *indicator of compromise* (IOC). These IOCs can be used by investigators to help isolate security incidents. | |
| A threat intelligence feed is a real-time, continuous data stream that gathers information related to risks or threats. A piece of information in the tactical threat intelligence feed suggesting that your cluster may have been compromised, such as a login from an unknown user or location or anomalous activity like an increase in read volume, is called an *indicator of compromise (IOC)*. These IOCs can be used by investigators to help isolate security incidents. |
Naarcha-AWS
commented
Aug 7, 2024
Naarcha-AWS
commented
Aug 7, 2024
Naarcha-AWS
commented
Aug 7, 2024
Signed-off-by: Naarcha-AWS <[email protected]>
Naarcha-AWS
commented
Aug 7, 2024
|
|
||
| Updates the status of the specified alerts to `ACKNOWLEDGED` or `COMPLETED`. Only alerts in the `ACTIVE` state can be updated. | ||
|
|
||
| ## Path and HTTP methods |
There was a problem hiding this comment.
Suggested change
| ## Path and HTTP methods | |
| ### Path and HTTP methods |
Naarcha-AWS
commented
Aug 7, 2024
Naarcha-AWS
commented
Aug 7, 2024
|
|
||
| ### Example requests | ||
|
|
||
|
|
There was a problem hiding this comment.
Suggested change
| The following example requests show how to use the Source API. |
There was a problem hiding this comment.
@Naarcha-AWS "example requests show you how"
Naarcha-AWS
commented
Aug 7, 2024
Naarcha-AWS
commented
Aug 7, 2024
Naarcha-AWS
commented
Aug 7, 2024
|
|
||
| You can interact with threat intelligence in the following ways: | ||
|
|
||
| - Threat intelligence API: To configure threat intelligence using API operations, see [Threat Intelligence APIs]({{site.url}}{{site.baseurl}}/security-analytics/threat-intelligence/api/threat-intel-api/). |
There was a problem hiding this comment.
Suggested change
| - Threat intelligence API: To configure threat intelligence using API operations, see [Threat Intelligence APIs]({{site.url}}{{site.baseurl}}/security-analytics/threat-intelligence/api/threat-intel-api/). | |
| - Threat intelligence APIs: To configure threat intelligence using API operations, see [Threat Intelligence APIs]({{site.url}}{{site.baseurl}}/security-analytics/threat-intelligence/api/threat-intel-api/). |
Naarcha-AWS
commented
Aug 7, 2024
Co-authored-by: Nathan Bower <[email protected]> Signed-off-by: Naarcha-AWS <[email protected]>
Signed-off-by: Naarcha-AWS <[email protected]>
Co-authored-by: Nathan Bower <[email protected]> Signed-off-by: Naarcha-AWS <[email protected]>
Signed-off-by: Naarcha-AWS <[email protected]>
Signed-off-by: Naarcha-AWS <[email protected]>
Signed-off-by: Naarcha-AWS <[email protected]>
Naarcha-AWS
commented
Aug 7, 2024
Naarcha-AWS
commented
Aug 7, 2024
natebower
reviewed
Aug 7, 2024
Naarcha-AWS
commented
Aug 7, 2024
Co-authored-by: Nathan Bower <[email protected]> Signed-off-by: Naarcha-AWS <[email protected]>
Signed-off-by: Archer <[email protected]>
hdhalter
added
3 - Done
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Modifies #7847.
Closes #7714.
Checklist
For more information on following Developer Certificate of Origin and signing off your commits, please check here.