How To: Threat Hunting APTs and Threat Groups with ArcSight Recon


September 3, 2020

With ArcSight Recon you can threat hunt APTs and Threat Groups using Indicators of Compromise (IoCs) such as IP Addresses, Domain Names, Email Addresses, and File Hashes. This is easily done with Searches and Lookup Lists in ArcSight Recon. Along with the indicator itself (IP/Domain/Email/Hash), Threat Intelligence feeds like MISP (Malware Information Sharing Platform) provide additional metadata about the indicator, such as the Actor or Threat Group associated with it, the Indicator Type, and the Threat Level. This metadata adds context to threat hunts and supports a wide range of use cases:

  • Show me all APT activity from FIN7 or Lazarus Group.
  • Show me all APT phishing activity.
  • Show me all APT activity with a threat level greater than 2.

With ArcSight Recon you can use the metadata from Threat Intelligence feeds like MISP to perform targeted and focused threat hunts. Below you will find example searches and screenshots showing how ArcSight Recon addresses these use cases. While these examples are focused on MISP, this can be any Threat Intelligence feed that provides similar indicator metadata.

  • Show me all APT activity from FIN7 or Lazarus Group.
    • Request URL in list Suspicious_URLs_url and Suspicious_URLs_actors contains "FIN7" or Suspicious_URLs_actors contains "Lazarus"
  • Show me all APT phishing activity.
    • Request URL in list Suspicious_URLs_url and Suspicious_URLs_indicatorType contains "phish"
  • Show me all APT activity with a threat level greater than 2.
    • Request URL in list Suspicious_URLs_url and Suspicious_URLs_threatLevel greater than 2
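As an added example (not ArcSight code and not from the original post), the following Python models what the three searches above do: join each event's request URL against a lookup list keyed by URL, then filter on the matched row's metadata. The list rows, proxy events and column names are constructed to mirror the Suspicious_URLs_* fields used in the searches.

```python
# Added example: a stand-alone model of the three lookup-list hunts above. The
# columns mirror the Suspicious_URLs_* fields; list rows and events are constructed.
import csv
from io import StringIO

# Constructed lookup list in the shape a MISP-style feed would populate.
SUSPICIOUS_URLS_CSV = """url,actors,indicatorType,threatLevel
http://update-check.example/cfg,FIN7,c2,3
http://mail-login.example/verify,Lazarus Group,phishing-url,2
http://cdn-assets.example/pkg.js,SampleActor,malware-download,1
"""
# Constructed proxy events: (timestamp, source host, request URL).
EVENTS = [
    ("2020-09-03T10:01:00Z", "10.1.2.3", "http://update-check.example/cfg"),
    ("2020-09-03T10:05:00Z", "10.1.2.9", "http://mail-login.example/verify"),
    ("2020-09-03T10:07:00Z", "10.1.2.9", "https://intranet.example/home"),
    ("2020-09-03T10:09:00Z", "10.1.2.4", "http://cdn-assets.example/pkg.js"),
]

def load_list(text):
    """Index the lookup list by URL so 'Request URL in list ...' is a dict hit."""
    rows = {}
    for r in csv.DictReader(StringIO(text)):
        r["threatLevel"] = int(r["threatLevel"])
        rows[r["url"]] = r
    return rows

def hunt(events, lookup, predicate):
    """'Request URL in list Suspicious_URLs_url and <predicate on the row>'."""
    hits = []
    for ts, host, url in events:
        meta = lookup.get(url)
        if meta is not None and predicate(meta):
            hits.append((ts, host, url, meta["actors"], meta["threatLevel"]))
    return hits

def actor_in(*names):
    """'actors contains "FIN7" or actors contains "Lazarus"': substring, case-insensitive."""
    return lambda m: any(n.lower() in m["actors"].lower() for n in names)

def indicator_type_contains(fragment):
    return lambda m: fragment.lower() in m["indicatorType"].lower()

def threat_level_above(level):
    return lambda m: m["threatLevel"] > level

LOOKUP = load_list(SUSPICIOUS_URLS_CSV)
by_actor = hunt(EVENTS, LOOKUP, actor_in("FIN7", "Lazarus"))       # 2 hits
phishing = hunt(EVENTS, LOOKUP, indicator_type_contains("phish"))  # 1 hit
high_risk = hunt(EVENTS, LOOKUP, threat_level_above(2))            # 1 hit (FIN7, level 3)
```

The unmatched intranet request never enters the result set, which is the point of anchoring every hunt on the list membership check before applying the metadata filter.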
