Threat Intelligence Feeds for Novel Corona virus (COVID-19)


April 23rd 2020

The content has been updated as mentioned below: 

Scan Titan feeds have been updated as of 21st April 2020.
COVID-related MITRE content has been updated to look up the Active Lists.
Saved searches and search filters from SOC Prime have been added.
The Active List has been changed from event-based to field-based.
A Geo Communications dashboard has been added.
Correlation rules have been tuned further.

[Screenshot: ArcSight Command Center, 2020-04-23]

April 5th 2020

The content for ArcSight has been created by leveraging the Threat Feeds available from Scan Titan and Anomali.

These threat feeds consist of host names, IP addresses, domain names, email addresses, URLs, subject lines, hashes and encryption types, comprising up to 15000 indicators of compromise.

With ArcSight ESM, this content can be used on its own or added to other existing COVID-19 ArcSight content.
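As an added example (not part of this content pack or of the ScanTitan/Anomali feeds), the Python below normalises a constructed feed extract into field-based Active List rows: it canonicalises each indicator by its declared type, drops malformed entries and duplicates, and suppresses IP indicators that fall inside a hypothetical CDN range. The CSV layout, the CDN range and the `source` column are assumptions.

```python
import csv
import io
import ipaddress
import re

# Constructed sample rows (not ScanTitan's real export format).
SAMPLE_FEED = """indicator,type
covid19-relief.example,domain
COVID19-Relief.example.,domain
198.51.100.23,ip
203.0.113.77,ip
D41D8CD98F00B204E9800998ECF8427E,hash
not an indicator,domain
"""
# Hypothetical CDN/shared-hosting range to suppress; substitute your own allowlist.
CDN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
HEX_RE = re.compile(r"^([0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
DOMAIN_RE = re.compile(r"^([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

def normalise(value, declared):
    """Canonicalise one indicator; return (value, type) or None if malformed."""
    v = value.strip().lower()
    if declared == "ip":
        try:
            return str(ipaddress.ip_address(v)), "ip"
        except ValueError:
            return None
    if declared == "hash":
        return (v, "hash") if HEX_RE.match(v) else None
    if declared == "domain":
        v = v.rstrip(".")  # a trailing dot names the same FQDN
        return (v, "domain") if DOMAIN_RE.match(v) else None

def build_active_list(feed_text, source="ScanTitan"):
    """Dedupe a feed into field-based Active List rows; return (rows, dropped)."""
    rows, seen, dropped = [], set(), []
    for rec in csv.DictReader(io.StringIO(feed_text)):
        norm = normalise(rec["indicator"], rec["type"].strip().lower())
        if norm is None:
            dropped.append((rec["indicator"], "malformed"))
            continue
        value, kind = norm
        if kind == "ip" and any(ipaddress.ip_address(value) in n for n in CDN_RANGES):
            dropped.append((value, "cdn_range"))  # CDN IPs are a known false-positive source
        elif (kind, value) in seen:
            dropped.append((value, "duplicate"))
        else:
            seen.add((kind, value))
            rows.append({"indicator": value, "type": kind, "source": source})
    return rows, dropped
```

The `dropped` list is worth keeping as an import log, since it shows which feed entries never reached the Active List and why.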

[Screenshots: ArcSight Command Center and the notification e-mail, 2020-04-08]

This content will be updated with more use cases in the coming days.

For feedback please reach out to me on my email PAVAN.RAJA@MICROFOCUS.COM

Labels: Support Tip, User Group, Other

Comments
  • These IOCs are focusing only on COVID-19 and they are updated every 2 days, so in case you have been using old IOCs, you can choose to clear the entries and input new values from the feeds from SCAN TITAN.

    Also, all the rules are configured to trigger on the first match, so if you have observed false positives then please report back with details; I will have them updated so everyone can benefit from the same.

    Thanks

  • We had the feeds ingested before, and found that the ScanTitan indicators, mostly IP addresses, were causing a lot of false positives, as they also contained CDN IPs, not very high fidelity. The others will of course be better.

  • Yes, you're correct.

    The content is to help those who don't have a MISP setup yet.

    Also, the content may be leveraged to verify both MISP lists and the lists within this package with a few customizations.

  • Nice,

    However, I would prefer it if we could import this data into MISP Circl, so we don't need to create or change anything on the ESM.
