a.sanchezhinojo Absent Member.

Creating a live threat map?


Hi,

I'm just wondering if there is any way that we can feed our logs into a live threat map such as this Cybersecurity Threat Intelligence Map | Check Point Software. I have been looking around, but I haven't been able to find one. A point in the right direction would be appreciated.


Accepted Solutions
rkent1 Acclaimed Contributor.

Re: Creating a live threat map?


Hi Alex,

The simplest place to start would be to create a live-updating geographical map to display external IP addresses. To do this, you can use the 'Geographical Event Graph' Data Monitor like this:

[Images: geographic_data_monitor.png, geographic_dashboard.png]

Where you'll have to put some thought in is in which of your alerts in your SIEM are to be best considered 'threats'. Above, the map will display any event matching my "External_Traffic" filter. You'll want to adjust that to something meaningful in your environment.


rhope Acclaimed Contributor.

Re: Creating a live threat map?


To what end? I'm a definite proponent of visualisation to assist analysts in their task, but pretty visualisations like this have very little value beyond having something to put on an LCD display to impress non-technical types as they walk past. Surely your time would be better spent putting better tools in your analysts' hands?

danje571 New Member.

Re: Creating a live threat map?


Hi,

I have the same advice as Richard; however, it's possible using ESM Dashboard.

Or a script provided in Protect here:

https://protect724.hp.com/message/13369#13369

a.sanchezhinojo Absent Member.

Re: Creating a live threat map?


This is a side project I am working on in my free time; I would like to create something that is visually appealing to the non-technical types.

a.sanchezhinojo Absent Member.

Re: Creating a live threat map?


Thank you!

balahasan.v1 Acclaimed Contributor.

Re: Creating a live threat map?


Hi Alex,

Heads up: if your source is a private IP address, the plotting will start from the center of the globe. This can be set to your country location as well.

a.sanchezhinojo Absent Member.

Re: Creating a live threat map?


Thanks Balahasan! I went into the zones and added a location which helped move some of them.

Answer Honored Contributor.

Re: Creating a live threat map?


We have made this! (Yes, not really helpful to analysts, but pretty nice for the non-technical types)

We are using a forwarding connector on the ESM to output selected "live attacks" to a CSV file, and this CSV file is then read by a Python script which outputs it on a big map on an LCD screen, making it somewhat similar to the Norse Attack Map.

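The CSV-to-map step of the pipeline described in this answer, as an added example that is not code from the thread, from ArcSight or from the poster. It assumes the connector writes a CSV with `sourceAddress` and `name` columns, uses a constructed geolocation table in place of a real GeoIP database, and pins internal (RFC 1918, loopback, link-local) sources to a configured home location so they do not land at the centre of the globe, the pitfall raised earlier in the thread.

```python
import csv
import io
import ipaddress

# Constructed geolocation table keyed by network; a real deployment would use a
# GeoIP database here (assumption: a lookup returns (lat, lon) or None).
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): (35.68, 139.69),  # documentation range, "Tokyo" for the demo
    ipaddress.ip_network("198.51.100.0/24"): (52.52, 13.41),  # documentation range, "Berlin" for the demo
}
# Internal ranges listed explicitly (RFC 1918, loopback, link-local) so the check
# does not depend on how a library happens to classify documentation/test ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
HOME = (51.51, -0.13)  # constructed "home" coordinates for internal sources

def geolocate(ip):
    return next((coords for net, coords in GEO_TABLE.items() if ip in net), None)

def csv_to_points(csv_text, home=HOME, lookup=geolocate):
    """Map connector CSV rows to (lat, lon, label) points; column names are assumed."""
    points = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            src = ipaddress.ip_address(row["sourceAddress"])
        except (KeyError, ValueError):
            continue  # missing or malformed address: skip the row, keep the display alive
        if any(src in net for net in INTERNAL_NETS):
            coords = home  # internal source: pin to home instead of 0,0
        else:
            coords = lookup(src)
            if coords is None:
                continue  # no location known: nothing sensible to draw
        points.append((coords[0], coords[1], f"{src} {row.get('name', '')}".strip()))
    return points

# Constructed sample of what the forwarding connector might write.
SAMPLE_CSV = (
    "sourceAddress,name\n"
    "203.0.113.5,SSH brute force\n"
    "10.0.0.7,Internal scan\n"
    "bogus,Bad row\n"
    "192.0.2.1,No geo match\n"
    "198.51.100.9,Web attack\n"
)

if __name__ == "__main__":
    for lat, lon, label in csv_to_points(SAMPLE_CSV):
        print(f"{lat:7.2f} {lon:7.2f}  {label}")
```

Feeding the returned points to whatever plotting library drives the screen (and tailing the CSV instead of reading it once) is the remaining glue.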