September 3, 2020
With ArcSight Recon you can hunt for APTs and Threat Groups using Indicators of Compromise (IoCs) such as IP addresses, domain names, email addresses, and file hashes. This is easily done with Searches and Lookup Lists in ArcSight Recon. Along with the indicator itself (IP/Domain/Email/Hash), Threat Intelligence feeds like MISP (Malware Information Sharing Platform) provide additional metadata about the indicator, such as the Actor or Threat Group associated with it, the Indicator Type, and its Threat Level. This metadata adds context to threat hunts, and there is a wide range of use cases:
With ArcSight Recon you can use the metadata from Threat Intelligence feeds like MISP to perform targeted and focused threat hunts. Below you will find example searches and screenshots showing how ArcSight Recon addresses these use cases. While these examples focus on MISP, the same approach works with any Threat Intelligence feed that provides similar indicator metadata.
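The post describes matching log events against a lookup list of indicators and then narrowing the hunt by the feed's metadata (actor, indicator type, threat level). The following Python example, added here and not code from ArcSight, Micro Focus or the MISP project, shows that join and filter logic on a constructed indicator list and a handful of constructed log events. The feed layout (`value`, `type`, `actor`, `threat_level`) is a simplified stand-in for a real MISP export, and all indicator values, actor names and events are made up; nothing here is ArcSight Recon search syntax.

```python
from collections import Counter

# Constructed stand-in for a MISP export. Field names are an assumption for
# this example; they carry the metadata the post mentions (indicator value,
# indicator type, associated actor/threat group, threat level).
MISP_FEED = [
    {"value": "203.0.113.45", "type": "ip-dst", "actor": "ExampleGroup-A", "threat_level": "high"},
    {"value": "malicious.example", "type": "domain", "actor": "ExampleGroup-A", "threat_level": "high"},
    {"value": "phish@example.net", "type": "email-src", "actor": "ExampleGroup-B", "threat_level": "medium"},
    {"value": "d41d8cd98f00b204e9800998ecf8427e", "type": "md5", "actor": "ExampleGroup-B", "threat_level": "low"},
]

# Constructed log events from different sources (firewall, DNS, mail, EDR).
# Note the mixed-case domain and hash: logs rarely agree on case with the feed.
SAMPLE_EVENTS = [
    {"ts": "2020-09-03T10:00:01Z", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.45", "host": "fw"},
    {"ts": "2020-09-03T10:00:07Z", "src_ip": "10.0.0.9", "dst_ip": "198.51.100.7", "host": "fw"},
    {"ts": "2020-09-03T10:01:15Z", "src_ip": "10.0.0.5", "query": "MALICIOUS.example", "host": "dns"},
    {"ts": "2020-09-03T10:02:30Z", "sender": "phish@example.net", "recipient": "bob@corp.example", "host": "mail"},
    {"ts": "2020-09-03T10:03:44Z", "file_hash": "D41D8CD98F00B204E9800998ECF8427E", "host": "edr"},
    {"ts": "2020-09-03T10:04:00Z", "src_ip": "10.0.0.5", "dst_ip": "10.0.0.1", "host": "fw"},
]

# Ordering used when filtering on the feed's threat level.
THREAT_LEVELS = {"low": 1, "medium": 2, "high": 3}


def normalize(value):
    """Canonical form for an indicator: trimmed and lowercased, so hashes and
    domains logged in mixed case still match the lookup list."""
    return str(value).strip().lower()


def build_lookup(feed):
    """Turn the feed into a lookup list keyed by normalized indicator value,
    keeping the metadata so hits can be enriched and filtered."""
    return {normalize(entry["value"]): entry for entry in feed}


def hunt(events, lookup, actor=None, min_threat_level=None):
    """Return every event field that matches an indicator in the lookup list,
    optionally restricted to one actor or to a minimum threat level. Each hit
    carries the original event plus the indicator's metadata, which is the
    context a hunter pivots on afterwards."""
    floor = THREAT_LEVELS[min_threat_level] if min_threat_level else 0
    hits = []
    for event in events:
        for field, value in event.items():
            ioc = lookup.get(normalize(value))
            if ioc is None:
                continue
            if actor is not None and ioc["actor"] != actor:
                continue
            if THREAT_LEVELS[ioc["threat_level"]] < floor:
                continue
            hits.append({
                "event": event,
                "field": field,
                "indicator": ioc["value"],
                "type": ioc["type"],
                "actor": ioc["actor"],
                "threat_level": ioc["threat_level"],
            })
    return hits


def hits_by_actor(hits):
    """Pivot: how many matches each actor/threat group accounts for."""
    return Counter(hit["actor"] for hit in hits)


if __name__ == "__main__":
    lookup = build_lookup(MISP_FEED)
    # Focused hunt: only medium-or-higher indicators, regardless of actor.
    for hit in hunt(SAMPLE_EVENTS, lookup, min_threat_level="medium"):
        ev = hit["event"]
        print(f'{ev["ts"]} {ev["host"]:<4} {hit["field"]}={hit["indicator"]} '
              f'type={hit["type"]} actor={hit["actor"]} level={hit["threat_level"]}')
    print(dict(hits_by_actor(hunt(SAMPLE_EVENTS, lookup))))
```

The normalization step matters more than it looks: a lookup list that stores lowercase hashes will silently miss uppercase hashes from an EDR source unless both sides are canonicalized, so whatever tool runs the hunt, check that case and whitespace are handled consistently on the feed side and the log side.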