Automation User Guide

 

Contents
 

Installation and Initial Set-Up 

Initial settings configuration 

First login to the user interface 

Upgrade 

Integration with devices 

Step 1 - Add device to the appliance 

Step 2 - Creating automation rules policy 

How to create tailored intelligence automation rules 

How to create IOC management automation rules 

Integration with MS Active Directory 

Device configuration 

Palo Alto Networks Panorama or Firewall 

Check Point Firewall 

BlueCoat Proxy 

Splunk Enterprise Security 

Splunk Standalone (Without ES) 

IBM Qradar 

Forcepoint Triton (Websense) 

Prerequisites 

How to 

Carbon Black 

Fortinet FortiSIEM 

Configure the FortiSIEM 

Configuration for IOC of type Domain 

Configuration for IOC of type Domain 

Fortinet FortiManager 

 
Proprietary and confidential IntSights Cyber Intelligence Ltd. Copyright © All Rights Reserved 2018. 
 

Fortimanager side configuration 

Micro Focus ArcSight ESM 

McAfee ESM 

LogRhythm SIEM 

Zscaler Web protection 

Microsoft Office 365 – Exchange Online 

Appendix 

How to install a new certificate 

 

Preface 
IntSights delivers early warnings of hacking efforts and fraudulent attacks targeting a 
specific user or individual company, via a sophisticated cyber intelligence platform. 
IntSights delivers tailored intelligence by scanning a wide range of sources (e.g., the 
Clear Web, Dark Web, cyber-crime forums, IRC channels, social media, app stores, 
paste sites) and provides near-real-time alerts regarding cyber threats. 

IntSights’ virtual appliance connects the IOCs Management module running in the cloud 
to the security/monitoring devices protecting your organizational network. The IOCs 
Management module in the cloud aggregates numerous IOCs every day, acquired from 
IntSights alerts, IntSights analysts' research, 3rd party intelligence feeds, the customer's own 
documents and emails, and more. Every indicator is examined in order to validate its 
severity and context, so the outcome is a tailor-made list of indicators to share with 
security devices. 

How it works 
1. The IOCs Management module in the cloud first collects cyber threat intelligence such 
as malicious IPs, domains, file hashes, and URLs. It then validates that the 
indicators are indeed a threat and that no legitimate assets are included (e.g., 
Google, your organization's home page, mail service, etc.). 

2. The virtual appliance then pulls aggregated, enriched indicators from the 
IOCs Management module in the cloud. 

3. The virtual appliance shares the indicators with the security devices based on 
the policy. 

Attacks are stopped by the security devices, which are now updated with the latest 
IOC information. 

   

 

IntSights virtual appliance 


The IntSights virtual appliance is a ‘closed’ appliance maintained by IntSights. This means 
that both the OS (Ubuntu) and the application are maintained by IntSights. 

Unlike an Ubuntu ‘open server’, in this case IntSights is responsible for the server 
hardening, since it needs to meet the application requirements. 

Guidelines 
● The general structure of the appliance is container based, which means that 
each execution unit resides within its own siloed environment, which 
reduces the attack and exploitation surface significantly. 

● Ubuntu hardening: 

○ The standard shell is disabled for all users, and the only available shell 
is the IntSights appliance custom CLI, which has an expert mode 
shell that can be removed if required. 

○ The only services that are open and available are those that are 
required for the platform’s operation. No other services are 
installed. 

● Monitoring - the appliance is closely monitored by our engineers to 
track any synchronization and connectivity issues. 

● Periodic penetration testing - the appliance is tested for security 
vulnerabilities periodically and each finding is repaired 
immediately. 

 

High level connectivity diagram  

(Diagram: high level device connectivity) 

 

Installation and Initial Set-Up 

Prerequisites 
● Virtual infrastructure (e.g. VMware vSphere) 

● An active virtual appliance subscription. 
Contact IntSights sales for further information if you don't have such a 
subscription. 

● Network connectivity from the virtual appliance to the IntSights cloud 
(external). 
Note: no connectivity is initiated from the cloud (external) to the 
internal network. 

● Connectivity includes unrestricted access to the following sites: 
*.intsights.com, *.gcr.io, *.googleapis.com, *.docker.io, *.cloudfront.net 

● Network connectivity between the appliance and the security devices, in both 
directions, for IOC sharing (see the table below). 

The virtual appliance requires access to all subdomains of each of these domains. 
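The egress requirement above is usually enforced on a proxy or perimeter firewall as a list of wildcard domains, and the classic mistake is a suffix match that also admits look-alike hosts such as "evilintsights.com". The following Python is an added example (not part of the IntSights guide) that checks a hostname against the guide's wildcard list with a proper label boundary, and reports which required destinations an existing allow-list fails to cover. Treating the bare domain ("intsights.com") as covered by "*.intsights.com" is an assumption made here.

```python
"""Egress allow-list check for the virtual appliance's required destinations.

Added example (not from the IntSights guide): given the wildcard domains the
guide lists, decide whether a hostname the appliance tries to reach is
covered, so a proxy or firewall allow-list can be verified before install.
"""
from __future__ import annotations

# Destinations listed in the guide. "*." covers every subdomain; the bare
# domain itself is treated as covered too (assumption made in this example).
REQUIRED_EGRESS = [
    "*.intsights.com",
    "*.gcr.io",
    "*.googleapis.com",
    "*.docker.io",
    "*.cloudfront.net",
]


def _normalise(host: str) -> str:
    """Lower-case, trim, and drop a trailing dot from a hostname."""
    return host.strip().rstrip(".").lower()


def matches_pattern(host: str, pattern: str) -> bool:
    """True if host matches a '*.domain' wildcard or an exact domain."""
    host = _normalise(host)
    pattern = _normalise(pattern)
    if pattern.startswith("*."):
        base = pattern[2:]
        # Require a real label boundary so "evilintsights.com" does not
        # match "*.intsights.com"; a plain endswith(base) would admit it.
        return host == base or host.endswith("." + base)
    return host == pattern


def is_allowed(host: str, patterns=REQUIRED_EGRESS) -> bool:
    """True if the host is covered by at least one pattern."""
    return any(matches_pattern(host, p) for p in patterns)


def check_allowlist(allowlist, required=REQUIRED_EGRESS) -> list[str]:
    """Return the required patterns that the given allow-list does not cover.

    A requirement is covered when a representative subdomain of its base
    domain would be admitted by some entry of the allow-list.
    """
    missing = []
    for req in required:
        base = req[2:] if req.startswith("*.") else req
        probe = "probe." + base          # constructed representative host
        if not any(matches_pattern(probe, a) for a in allowlist):
            missing.append(req)
    return missing


if __name__ == "__main__":
    # Constructed allow-list that is missing three of the required entries.
    print(check_allowlist(["*.intsights.com", "*.gcr.io"]))
```

Run `check_allowlist` against the allow-list exported from the proxy or firewall before deploying the OVA; an empty result means every required destination is covered.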

 
 
 
 

   

 

Network connectivity 

Port / Direction / Purpose: 

● HTTPS (443) - Incoming (to the appliance): from the internal network to the virtual appliance “Management” interface, for administration. 

● SSH - Incoming (to the appliance): from the internal network to the virtual appliance, for administration. 

● 8080 + 9090 - Incoming (to the appliance): from the various security devices to the virtual appliance, for pulling IOCs. 

● 443 - Outgoing (from the appliance): from the virtual appliance to the IntSights cloud (Internet). During the first installation and upgrades, access is required to: 
*.intsights.com, *.gcr.io, *.googleapis.com, *.docker.io, *.cloudfront.net 

● Per device connectivity (ref: “Integration” section) - Outgoing or Incoming: from the virtual appliance to the various security devices, for pushing IOCs. 

Virtual infrastructure (HyperVisor) 


● You will need a hypervisor to host the virtual appliance. Supported hypervisors include: 

o VMware vSphere 5.5 and higher 

o Microsoft Azure Cloud Infrastructure 

o Amazon AWS cloud infrastructure 

● x86-64 architecture is required 

● Minimum 2 CPUs, 8GB RAM, 40GB disk space 

Virtual appliance virtual image (OVA) 


1. Log in to IntSights platform  

2. Navigate to Automation -> Integrations 

 

3. Click “Download” 

 
 

4. Save the OVA file 

Deploy OVA (ESXi Only) 


1. Upload and deploy the OVA to the HyperVisor (use default settings) 

2. Choose appropriate networks, storage, etc.   

3. Create a new virtual server 

If you are using Microsoft Azure / Amazon AWS infrastructure, please contact IntSights to 
schedule an installation. 

 

Initial settings configuration 


1. Start the newly created virtual machine. 

2. Open the console. 

3. Log in with the default credentials: admin/admin. 

4. Change the default UNIX admin password. 

5. You should see the Welcome screen: 

6. Network connectivity verification - by default, the appliance uses DHCP. If you 
have DHCP enabled, validate that the appliance has acquired the appropriate 
networking settings: 
Choose Network Settings > Show > IP / DNS 

7. Change to a static IP address. 

8. Choose Network Settings > Set > IP > Static 

 

a. Input static IP address and DNS settings. 

b. Apply changes. 

It is highly recommended to use a static IP, since this IP will be configured as the feed source in 
the security devices. Retain the IP address, as you will need it to log in to the web console. 

 
 


First login to the user interface 


Make sure you have: 

● The virtual appliance IP address or hostname 

● The Account ID and API key 

Obtain the API key from the Integrations page in the cloud platform. 

1. Navigate to https://<virtual appliance IP address> 

2. Follow the Initial Settings wizard: 

a. Proxy configuration (optional) 

b. Click Next. 


c. Input Account ID and API key 

d. Create an Admin user. This user is different from the Admin user 
created previously and is used only for web access to the virtual 
appliance. 

 
e. Click Next. 

f. The system might start an update process. 

g. When finished, you should see the main virtual appliance configuration 
page. 


Upgrade 
There are two options to perform an upgrade: 

● From the IntSights cloud platform 

● From the virtual appliance  

From the IntSights cloud platform  


1. Log in to the Threat Intelligence platform in the cloud. 

2. Navigate to IOC Management -> Dashboard. 

3. If an upgrade is available, you will see a notification at the top of the 
page. 

4. Click ‘Upgrade'. 

Virtual appliance dashboard 


1. From the virtual appliance Management console navigate to Settings. 

2. In the Information section click ‘CHECK FOR UPDATE’. 


 
 

Make sure you are using the latest software release before proceeding to add devices. 


Device Integration 

   


Integration with devices 


Overview 
To successfully configure integration with a security device, you will need to complete 
the following steps: 

1. Integrate the device with the virtual appliance. 

2. Create at least one policy rule to share threat indicators with the device. 
Note: you can also create an IOC group and link it to the device without a 
policy rule; this is explained later. 

3. Complete the required configuration on the device so that it uses the IOCs retrieved 
from the virtual appliance. 

Integration types 
There are two types of integration methods - “Push” and “Pull”: 

Pull  
The device pulls IOCs from the virtual appliance in a predefined schedule. 

Push 
The virtual appliance connects to the device and pushes new IOCs periodically. 

   


Supported devices and connectivity methods 

Device                          Version*               IOC share method                          Credentials 

Palo Alto Firewall              7.1 or higher**        Pull                                      N/A 
Bluecoat ProxySG                6.6.4.x                Pull                                      N/A 
Splunk Enterprise Security      4.5 or higher          Pull                                      N/A 
Carbon Black Response           5.1.x                  Pull                                      N/A 
Fortinet FortiSIEM              5.4.x                  Pull                                      N/A 
Fortinet FortiManager           5.4.x                  Push - HTTPS (443)                        Admin user 
IBM QRadar                      7.3.x                  Push - HTTPS (443)                        Admin user 
Forcepoint Triton AP-Web        8.3 or higher          Push - TCP 15873                          API account 
Palo Alto Firewall              6.0.x-7.0.x            Domains, URLs - Push (http/https);        User with Read/Write access to the REST API 
                                                       IPs - Pull 
Check Point Firewall            R77.30                 Push - SSH (22)                           Admin user with BASH as default shell (IOCs are 
                                                                                                 pushed through SSH) 
Splunk Standalone               6.5.3                  Push - 8090                               User with Read/Write access to the REST API 
Active Directory                Windows Server 2012    Push                                      Domain user 
                                and up 
ArcSight ESM (SIEM)                                    Pull 
Zscaler Web                                            Push - HTTPS (443)                        Console user and API key 
LogRhythm (SIEM)                                       Pull (TAXII) 
Microsoft O365 - Exchange       Latest (Cloud)         Push - HTTPS (443)                        Office 365 admin username and password 
Online 
McAfee ESM (SIEM)                                      Pull                                      N/A 

   


Step 1 - Add device to the appliance 


1. Log in to the virtual appliance. 

2. Navigate to the Devices page. 

3. Choose one of the following options: 

a. Devices (Pull) for devices that use the Pull method 

b. Devices (Push) for devices that use the Push method 

c. Active Directory 

For ‘Pull’ devices you only need to provide the IP address or hostname of the device. 

4. Click Add new device. 

5. Input required information: 

a. Unique device name (e.g. ‘PaloAlto External’). 


b. Device type from the devices dropdown menu. 

c. Credentials (user/password) for a user account with the required 
permissions (ref. ‘Supported devices and connectivity methods’). 

d. IP address or hostname. 

6. Click Create. 

7. Validate device connectivity. 

8. Also verify that the device appears in the Integrations page in the cloud 
platform. 
 


Step 2 - Creating automation rules  


Automation rules allow you to configure automatic IOC sharing (and other actions) 
with the relevant devices. The building blocks of the automation policy are: 

Policy 

A group of rules for the same threat type (e.g. Phishing, Data Leakage, IOC Management, 
etc.). 
There are 2 types of policies: 

● Tailored intelligence – handles tailored intelligence alerts 

● IOC Management – handles general threat indicators 

Rule 

A set of conditions and actions that define the automation behavior. Each rule is 
composed of: 

● Threat profile – defines the alerts or general risk that will be handled by the 
rule 

● Internal remediation – remediation actions provided by the organization's 
internal security systems. For example, blocking a phishing domain in the web 
gateway 

● External remediation – remediation actions provided by IntSights. For 
example, removing the registration of a phishing domain 

● Action – general actions such as send email or assign. 

IOC group 

A container of threat indicators (IOCs). Each rule in the policy must be linked to an IOC 
group, and the IOC group must be linked to a device. The list of IOCs in the IOC group 
is shared (Pull / Push) with the device. 

How to create tailored intelligence automation rules 


1. Log in to the threat intelligence platform in the cloud. 

2. Navigate to the Automation -> Policy page  


3. Select the threat type you want to mitigate. 

4. Select the policy you want to use based on the threat you want to mitigate. 
In this example we are creating a Phishing policy to automate remediation of 
suspicious domains. 

5. Click ‘Add new rule’. 


6. Add a rule name 

Threat profile section 

1. Select the required threat type 

2. Select any other threat condition to meet your threat definition 


If a condition does not have any value selected, it will not be considered 
as a criterion for matching alerts. 

3. Select general conditions 

4. Select Alert severity

5. Click Next 

Internal remediation section 

1. Enable IOC sharing 


2. Select the device to share IOCs with 

3. Create an IOCs group

  

In this example the ‘Domain’ type is pre-selected automatically, since it is a phishing 
domain alert. 

4. You should see the newly created IOC group linked to the device. 


The IOC group created will be available for the same device in all other policies. 

5. Skip the external remediation section. 
This section is for the external takedown service offered by IntSights. 

6. Add a general action (optional). 

7. Click ‘Save’. 

8. Select whether to include historical alerts. 


Historical alert selection is available only the first time you create the rule, 
and cannot be modified once enabled. 

  

   


How to create IOC management automation rules 


1. Log in to the threat intelligence platform in the cloud. 

2. Navigate to the Automation -> Policy page  

3. Under IOCs management select ‘IOCs’ 

4. Click ‘Add new rule’ 

5. Under IOCs profile select: 

a. Severity 

b. Type 


c. Last seen date 

6. Under IOC feed, select one or more IOC feeds. 

7. Under IOCs Sharing, select the device and IOC group. 

8. Click Finish. 

 
 
 


Integration with MS Active Directory 

Overview 
Active Directory integration allows the IntSights platform to provide indication and 
mitigation for leaked user account credentials. When the system locates a user 
account that was leaked, it checks with Active Directory whether the account is valid and 
sets the severity level accordingly. 

When a leaked account is found, the account name is searched across one or more 
domains, so even if the external domain (the one that was configured as an asset and 
that triggered the alert) is different than the internal domain, the system will still find 
the account. 

Example: 

1. The system finds two leaked credentials of company users: 

[email protected] 

[email protected] 

2. The system checks whether users ‘bob’ and ‘john’ appear in the following domains: 

Internal.company.com 

company.com 

3. The system finds the account of [email protected]. 

4. A high severity alert is created stating that ‘[email protected]’ is an active 
account. 

In addition to active account validation, the system can validate whether the matching clear text 
password is valid or not. 
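The lookup in the example above takes a name harvested from a leak and searches for it across several internal domains. Because that name comes from hostile sources, anything that turns it into an LDAP query has to escape it first. The Python below is an added example, not code from the IntSights guide or its appliance: it strips the external domain from the leaked address, builds an RFC 4515-escaped filter, and runs the cross-domain search against a constructed in-memory directory that stands in for the real LDAP/LDAPS query. The directory contents, the helper names and the sample addresses are all constructed for this example.

```python
"""Account-name lookup across several directory domains, treating the leaked
identifier as untrusted input.

Added example, not from the IntSights guide. The in-memory DIRECTORY stands
in for the LDAP/LDAPS queries a real deployment would issue.
"""
from __future__ import annotations

# Constructed stand-in for the domains configured on the appliance, mapping
# each domain to the sAMAccountNames a directory search would return.
DIRECTORY = {
    "internal.company.com": {"bob", "alice"},
    "company.com": {"carol"},
}

# RFC 4515 escapes for characters that change the meaning of a filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def local_part(leaked_address: str) -> str:
    """'bob@company.com' -> 'bob'. The external domain is not used for lookup,
    which is what lets an alert on company.com find internal.company.com."""
    name, _, _external_domain = leaked_address.partition("@")
    return name.strip().lower()


def account_filter(name: str) -> str:
    """Filter matching a user by sAMAccountName or by UPN prefix.

    The escaped value cannot close the filter early or widen it with '*'.
    """
    safe = ldap_escape(name)
    return (f"(&(objectClass=user)"
            f"(|(sAMAccountName={safe})(userPrincipalName={safe}@*)))")


def find_account(leaked_address: str, domains=None, directory=DIRECTORY):
    """Return (domain, name) for the first domain holding the account, else None."""
    domains = list(directory) if domains is None else domains
    name = local_part(leaked_address)
    for domain in domains:
        # A real deployment would send account_filter(name) to the domain's
        # controller here; the constructed directory answers instead.
        if name in directory.get(domain, set()):
            return domain, name
    return None


if __name__ == "__main__":
    for leaked in ("bob@company.com", "john@company.com"):   # constructed
        print(leaked, "->", find_account(leaked))
```

The filter keeps the search to user objects and never interpolates the raw name; a value such as `*)(uid=*` from a poisoned leak dump becomes a literal string rather than a wildcard that matches every account.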


Prerequisites: 
● Network connectivity over LDAP or LDAPS from the virtual appliance to the 
required domain controller(s). 
● A list of one or more domains that hold the user directory. 
The list of domains will be used as a baseline for searching active users. 
● A list of the corresponding domain controller IP address(es) per domain. 
● A domain user and password. 
● For account and password validation: 
Use a dedicated service account with the minimal permissions necessary. There 
is no need for administrative privilege or specific group membership. 

○ "Write account restrictions" must be allowed for this service account in the 
AD permissions. 

● For remediation: 
Use a dedicated service account with permissions to perform the required 
remediation actions. 

○ "Write account restrictions" and "Reset password" must be allowed for 
this service account in the AD permissions. 


Adding Domains and Domain controllers 


1. Navigate to the Active Directory tab 

2. Click Add new domain 

3. Input required information: 

○ Domain name 

○ User account and password 

○ One or more domain controller IPs 

○ Set the port and mode for LDAP 

○ Click Add. 

4. Repeat the process for adding more domains. 

Active Directory settings in the cloud platform 


1. Navigate to Automation -> Integrations  

2. Select the Microsoft Active Directory 


If needed, enable password policy validation and login attempt rate limiting. 

   


Active Directory in the policy 


1. Create a new rule of type ‘Data leakage’. 

2. Define the leaked-credential related conditions. 

3. In the internal remediation tab, enable the validation and/or remediation 
actions. 

The remediation option can be enabled only if ‘Leaked user account and password 
validation’ is enabled. 


Device side configuration 


   


Palo Alto Networks Panorama or Firewall 
 

In order to successfully integrate with the device make sure to complete: 


● Step 1 - Add device to the appliance  
● Step 2 - Creating automation rules  

Background 
The IntSights platform shares threat indicators with Palo Alto Panorama or Firewall by 
adding IOCs to a dynamic object group. The dynamic group is then used in the Palo Alto 
firewall policy, in the Source or Destination section of the rule. 

A Palo Alto dynamic object group can include only one type of IOC. This means that you need 
separate groups for IP, domain and URL IOCs. 

 
 

PAN-OS Version 7.1 and up 


Palo Alto Firewall uses External Dynamic Lists to pull IOCs from IntSights. In its current 
state, you are required to create separate integration instances and IOC bundles per 
IOC type (URL, IP or domain). 


Note: make sure to copy the IOC group URL from the device instance in the 
Integrations page. 

Create External Dynamic List 

1. Navigate to Objects > External Dynamic Lists. 

2. Click New. 

3. In the Type dropdown list, choose the IOC type. 
Make sure to choose the same IOC type as the IOC group you configured (IP List in this example). 

4. Under Source, enter the URL you copied. 
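Because PAN-OS accepts only one indicator type per External Dynamic List, an IOC group that accidentally mixes domains into an IP list will have those entries rejected by the firewall rather than enforced. The Python below is an added example (not code from the IntSights guide or from Palo Alto Networks) that pulls apart a feed in the one-indicator-per-line form the firewall consumes, classifies each entry as IP, domain or URL, and reports anything that does not match the list type chosen in the EDL. The feed text is constructed; in practice it is whatever the firewall retrieves from the IOC group URL.

```python
"""Check that an IOC feed contains only one indicator type before it is used
as a PAN-OS External Dynamic List.

Added example, not from the IntSights guide or Palo Alto Networks. The feed
text is a constructed sample of what the firewall would pull from the
appliance's IOC group URL.
"""
from __future__ import annotations
import ipaddress
import re

# Constructed sample feeds (one indicator per line, '#' starts a comment).
SAMPLE_IP_FEED = """\
# intsights ioc group: external-ips (constructed sample)
198.51.100.23
203.0.113.0/24
2001:db8::1
"""

SAMPLE_MIXED_FEED = """\
198.51.100.23
malicious.example
http://malicious.example/payload
"""

# A DNS label: 1-63 chars, alphanumeric or hyphen, no leading/trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$", re.IGNORECASE)


def classify(entry: str) -> str:
    """Return 'ip', 'domain', 'url' or 'unknown' for one feed entry."""
    e = entry.strip()
    try:
        ipaddress.ip_network(e, strict=False)   # hosts and CIDR, IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    if "://" in e or "/" in e:                  # anything with a path is a URL
        return "url"
    if _DOMAIN_RE.match(e):
        return "domain"
    return "unknown"


def parse_feed(text: str) -> list[str]:
    """Drop blank lines and comments, keep indicators in order."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def validate_feed(text: str, expected: str) -> dict:
    """Report entries that do not match the EDL type the firewall expects.

    An empty feed is reported as not ok: a list the firewall can fetch but
    that contains nothing enforces nothing, which is worth noticing.
    """
    entries = parse_feed(text)
    mismatched = [(e, classify(e)) for e in entries if classify(e) != expected]
    return {"total": len(entries), "mismatched": mismatched,
            "ok": bool(entries) and not mismatched}


if __name__ == "__main__":
    print(validate_feed(SAMPLE_IP_FEED, "ip"))
    print(validate_feed(SAMPLE_MIXED_FEED, "ip"))
```

Pointing `validate_feed` at the text fetched from the IOC group URL, with `expected` set to the type selected in the EDL dialog, confirms the group and the list agree before the security policy goes live.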

Create Security policy: 


1. Create or edit an existing security policy. 

2. Use the Dynamic list in either source or destination. 

3. Repeat the process for domains or URL lists. 


Versions 6.x-7.0.x 
In PAN-OS versions 6.x-7.0.x, the process of populating an IP list is different from the 
process of populating domain and URL lists. 

IOC of type IP 

Use the same Pull method as described for PAN-OS 7.1, except that you 
must use a Dynamic Block List object instead of the External Dynamic List used in PAN-OS 
7.1. 

Make sure to copy the IOC group URL from the module -> Integrations page. 

IOC of type Domain and URL 

The virtual appliance pushes URL and domain lists to a custom object of type URL Category. 

Here is an example of a URL Category. The list name is Domain, and the device is 
PAN_6: 

Create Security policy 

1. Create or edit an existing security policy. 


2. Add the URL Category. 

3. Use the block list in either source or destination. 

   


Check Point Firewall 


 

In order to successfully integrate with the device make sure to complete: 


● Step 1 - Add device to the appliance 
● Step 2 - Creating automation rules 

Prerequisites 
Management server version R77.30 with the R77.30 Add-On (Check Point solution ID: 
sk105412): 

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk105412 

Make sure you install the required add-on on the gateway before you proceed. 
 

How it works 
In this integration, the virtual appliance updates the indicators file on the 
Management server (e.g., ’SmartCenter’), which then updates the threat prevention 
blade of each relevant firewall gateway. 

1. Every time the IOC bundle changes (new IOCs added), the virtual appliance opens an SSH connection to 
the Management server and logs in using an admin account with expert/bash 
access. 

2. The virtual appliance copies a file containing the latest IOC bundle in CSV format 
to the Management server. 

3. It issues the following command to load the new indicators: 

load_indicators --add -i {indicators_file_path} -a {action}

4. It issues the following command to reload the threat prevention policy: 


fwm load -p threatprevention Standard

How to add the device 


1. Add the Management server for integration in the virtual appliance. 

The account credentials need to allow the user expert mode / BASH access. 

2. Create the IOC bundle in the module in the cloud. 

3. Note that while creating the bundle for a Check Point device you define 
the action type: Monitor / Block 

4. Add IOCs sources and types. 

5. Log in to the Management server. 

6. Verify that indicators are pushed to the gateways: 

i. Log in to SmartDashboard. 

ii. Navigate to Threat Prevention. 


iii. Under Indicators you should see all the IOC lists that have been 
pushed to the Firewall: 

   


BlueCoat Proxy 
 

In order to successfully integrate with the device make sure to complete: 


● Step 1 - Add device to the appliance 
For devices using ‘Pull’ mode, don't forget to copy the IOC group URL 
● Step 2 - Creating automation rules 

In this integration, the BlueCoat proxy gateway pulls the IOCs from the appliance. Make 
sure to copy the URL from the Automation -> Integrations page. 

 
 

1. Log in to the BlueCoat management console. 


2. Navigate to Configuration > Content Filtering > Local Database. 
3. Enter the IOC group URL. 
Make sure to replace [INTSIGHTS_APPLIANCE_IP] with the IP address of the 
appliance. 
4. Create or change your policy to include the new indicators to block. 
5. Deploy changes. 

  

  


Splunk Enterprise Security 


 

In order to successfully integrate with the device make sure to complete: 


● Step 1 - Add device to the appliance 
For devices using ‘Pull’ mode, don't forget to copy the IOC group URL 
● Step 2 - Creating automation rules 

In this integration, Splunk ES pulls lists of IPs, URLs, or domains from the appliance. Due 
to a limitation in Splunk you will need to create two IOC groups: one for IPs, and one for 
domains and URLs. 

1. Log in to Splunk Enterprise Security management console. 

2. Navigate to Configure > Data Enrichment > Threat Intelligence Download. 

3. Click New. 

4. Enter the URL for the relevant bundle. 
Make sure to replace [INTSIGHTS_APPLIANCE_IP] with the IP address of the 
appliance. 

5. Make sure the fields below have the required values: 


a. For the IPs bundle: 

b. For the Domains and URLs bundle: 

6. Deploy changes. 


Splunk Standalone (Without ES) 


 

In order to successfully integrate with the device make sure to complete: 


● Step 1 - Add device to the appliance 
For devices using ‘Pull’ mode, don't forget to copy the IOC group URL 
● Step 2 - Creating automation rules 

In this integration, the virtual appliance can send: 

● Threat indicators 
● Tailored intelligence alerts 

Pushing alerts applies to both the standalone version and the Enterprise Security version, 
though it is only used through the standalone data inputs. 
 

Threat Indicators  

Prerequisites 

The integration creates a hidden Splunk app and pushes IOCs into it. 

Execute the setup script required for the Splunk standalone installation. 
Follow the instructions here: 

https://gist.github.com/hozez/917089bd9afe237b33d5f9d7601345b5 

  

Once you have added Splunk to the appliance integrations, you will see the IOC app in 
the list of apps. 


Tailored intelligence alerts 

Background 

Pushing alerts to Splunk is done via the HEC (HTTP Event Collector). Before you add 
Splunk to the virtual appliance, or if you are using an existing integration, make sure to 
generate a HEC token as described below. 

Prerequisites 

● Create an HEC token. 

● Integrate Splunk with the virtual appliance (or add the HEC token to an existing 
integration). 

● Enable alert pushing for the Splunk instance in the cloud platform. 

What the hec is HEC (HTTP Event Collector)? 

The Splunk HTTP Event Collector (HEC) helps you send data to Splunk Enterprise and 
Splunk Cloud. HEC lets you send data, application logs, and metrics over HTTP (or HTTPS) directly 
to Splunk Enterprise or Splunk Cloud from your application. HEC operates with tokens, which 
means you do not need to embed Splunk Enterprise or Splunk Cloud credentials in your app or 
supporting files. 
From the Splunk documentation page 


Creating a HEC token 

1. On the Splunk page, click the Settings menu, and then choose Add Data. 
2. Choose the Monitor category, and in the left menu choose HTTP Event Collector. 
3. Fill in the desired name of the HEC token (e.g. intsights_alerts). 
4. Click Next. 
5. Under Source Type, choose Select, filter and choose _json. 
6. Press Review, then Submit. 
7. Copy the token value and use it in the virtual appliance to add a Splunk 
integration or edit an existing one. 
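The token created above is what the appliance presents on every alert push, so it is worth seeing exactly what such a push looks like and how a rejected token shows up. The Python below is an added example, not code from the IntSights guide or from Splunk: it assembles an HEC event request for a tailored intelligence alert (token in the Authorization header, JSON body with the `_json` sourcetype chosen in step 5) and interprets the collector's JSON reply. The Splunk host, the token and the alert fields are constructed placeholders, and the `source` label is an assumption made here.

```python
"""Build a Splunk HTTP Event Collector (HEC) request for an alert push.

Added example, not from the IntSights guide or Splunk. The host, token and
alert contents are constructed placeholders.
"""
from __future__ import annotations
import json
import time

HEC_ENDPOINT = "/services/collector/event"   # standard HEC event endpoint


def build_hec_request(base_url: str, token: str, alert: dict,
                      sourcetype: str = "_json", index: str | None = None,
                      now: float | None = None):
    """Return (url, headers, body) for one alert; nothing is sent here.

    The token travels only in the Authorization header, which is why HEC
    needs no stored Splunk credentials on the sending side.
    """
    if not token:
        raise ValueError("HEC token is required")
    payload = {
        "time": now if now is not None else time.time(),
        "sourcetype": sourcetype,
        "source": "intsights-virtual-appliance",   # constructed label
        "event": alert,
    }
    if index:
        payload["index"] = index
    body = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    headers = {
        "Authorization": f"Splunk {token}",
        "Content-Type": "application/json",
    }
    return base_url.rstrip("/") + HEC_ENDPOINT, headers, body


def hec_accepted(status: int, response_body: bytes) -> bool:
    """HEC answers {"text":"Success","code":0} when the event is accepted.

    Any other status or code (disabled or invalid token, bad data) is a
    failed push that should be alarmed on, not silently dropped.
    """
    if status != 200:
        return False
    try:
        return json.loads(response_body).get("code") == 0
    except ValueError:
        return False


def send(url: str, headers: dict, body: bytes, timeout: int = 10):
    """Deliver the request with the standard library (not used by the test)."""
    import urllib.request
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:   # HTTPS in production
        return resp.status, resp.read()


if __name__ == "__main__":
    # Constructed alert; 8088 is the default HEC port.
    url, hdrs, body = build_hec_request(
        "https://splunk.example:8088", "TOKEN-PLACEHOLDER",
        {"alert_id": "a1", "type": "Phishing", "severity": "High"})
    print(url, hdrs["Authorization"], body.decode())
```

Keep the token out of the alert body and out of any file the appliance exports; the collector only ever needs it in the header, and a `code` other than 0 in the reply is the first sign that the token was disabled or rotated on the Splunk side.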


IBM Qradar 
 

In order to successfully integrate with the device make sure to complete: 


● Step 1 - Add device to the appliance 
For devices using ‘Pull’ mode, don't forget to copy the IOC group URL 
● Step 2 - Creating automation rules 

1. Log in to QRadar Security Intelligence. 

2. Navigate to Admin -> Authorized Services. 

3. Click Add Authorized Service. 

4. Fill out the required fields: 

a. Service Name: IntSights 

b. User Role: Admin 


c. Security Profile: Admin 

5. Click Create Service. 

6. Copy the authentication token. 

7. Add QRadar as a Push device to the virtual appliance using the credentials and 
token you just created: 

a. URL/IP: the QRadar IP address 

b. API key: the token you created in step 6 

8. Create at least one IOC list for the QRadar device. 

9. Under “Reference Set Management” you will see the IOC lists that were added. 

   


Forcepoint Triton (Websense) 


In order to successfully integrate with the device make sure to complete: 
● Step 1 - Add device to the appliance 
For devices using ‘Pull’ mode, don't forget to copy the IOC group URL. 
● Step 2 - Creating automation rules 

Prerequisites 
1. Triton Management server 

2. Policy Server with API 

3. API account 

The policy server API module is not installed by default and can be installed only on 
Linux. Ref: Linux management API install 
http://www.websense.com/content/support/library/web/v83/mgmt_api_install/install_guide.pdf 
 

How to 
1. Add the policy server as a Push device to a virtual appliance. 

2. Create at least one IOC list for the Forcepoint device. 

3. Log in to the Triton Management console as a ‘super admin’. 

4. Navigate to Policy Management -> Filter components -> Edit Categories. 

5. You should see the IOC list name as a category. 


Carbon Black 
In order to successfully integrate with the device make sure to complete: 
● Step 1 - Add device to the appliance 
For devices using ‘Pull’ mode, don't forget to copy the IOC group URL. 
● Step 2 - Creating automation rules 

How to 
1. Log in to the Carbon Black Management console. 

2. Navigate to Threat Intelligence. 

3. Click Add new feed. 

4. Enter the IOC group URL you copied. 

5. Make sure to replace [INTSIGHTS_APPLIANCE_IP] with the IP address of 
the appliance. 

6. The new feed is added: 


Fortinet FortiSIEM 
In order to successfully integrate with the device make sure to complete: 
● Step 1 - Add device to the appliance 
For devices using ‘Pull’ mode, don't forget to copy the IOC group URL. 
● Step 2 - Creating automation rules 

Configure the FortiSIEM 


1. Log in to the Management console. 

2. Navigate to CMDB.

3. Choose the Malware IPs category. 

4. Click the + sign at the top left of the pane. 

5. Fill in the details as shown below 


  

6. Click OK. 

7. Click on the newly created group 

8. Click the Update button at the main pane. 

  

9. Check the Update via API button and Click Add. 

10. Fill in the details: 

i. URL - The URL created in the Automation -> Integrations page 

ii. Plugin class - leave unchanged 
(com.accelops.service.threatfeed.impl.ThreatFeedWithMappingPolicyService) 

iii. Field Separator - change to dash “-” 

iv. Data Format - choose CSV, Full 

v. Data Mapping - 


1. Click the + sign in the Row column. 

2. Change the first map field to Low IP. 

3. Change the second map field to High IP and change its position to 2. 

4. Click Save. 

11. Click the green + and choose the desired update schedule. 

12. Click OK. 

13. Click Close. 

   


Configuration for IOC of type Domain 


1. Choose the Malware Domains category. 

2. Click the + sign at the top left of the pane: 

3. Fill in the details as required: 

4. Click OK. 


5. Enter the created group: 

6. Click the Update button in the main pane. 


 

7. Check the Update via API button, and click Add. 

8. Fill in the details: 

a. URL - given URL from the appliance 

b. Plugin class - leave unchanged 
(com.accelops.service.threatfeed.impl.ThreatFeedWithMappingPolicyService) 

c. Field Separator - Leave unchanged “,” 

d. Data Format - choose CSV, Full 


e. Data Mapping 

9. Click Save. 

10. Click the green + and choose the desired update schedule. 

11. Click OK. 

12. Click Close. 


Configuration for IOC of type URL 


1. Choose the Malware URLs category. 

2. Click the + sign at the top left of the pane: 

3. Fill in the details as required: 

4. Click OK. 

5. Enter the created group: 

6. Click the Update button in the main pane. 


7. Check the “Update via API” button, and click Add. 

8. Fill in the details: 

a. URL - given URL from the appliance 

b. Plugin class - leave unchanged 
(com.accelops.service.threatfeed.impl.ThreatFeedWithMappingPolicyService) 

c. Field Separator - Leave unchanged “,” 

d. Data Format - choose CSV, Full 

e. Data Mapping - leave unchanged 

9. Click Save. 

10. Click the green + and choose the desired update schedule. 


11. Click OK. 

12. Click Close. 

  

   


Fortinet FortiManager 
In order to successfully integrate with the device make sure to complete: 
● Step 1 - Add device to the appliance 
For devices using ‘Pull’ mode, don't forget to copy the IOC group URL. 
● Step 2 - Creating automation rules 

How to 
1. Log in to the FortiManager management console. 

2. Navigate to Policies & Objects -> Objects Configuration -> Security Profile 
-> Web filter 

3. You should see the IOC list you created. 

4. Use the web filter in the Fortimanager policy: 

   


Micro Focus ArcSight ESM 


In order to successfully integrate with the device make sure to complete: 
● Step 1 - Add device to the appliance 
For devices using ‘Pull’ mode, don't forget to copy the IOC group URL. 
● Step 2 - Creating automation rules 

Background 
In this integration the virtual appliance sends IOCs with context to the ArcSight SIEM. An IOC 
with context includes, on top of the IOC value (IP address, domain, URL or hash), 
contextual information about the threat related to the IOC. 

Contextual data is sent by default for all IOCs; there is no need to enable it specifically. 

Requirements 
1. ArcSight Management (ESM) 

2. FlexConnector installed 

3. ArcSight Console 

  

   


FlexConnector Configuration File 


1. You will first have to add a configuration file to the following folder: 

C:\ProgramFiles\ArcSightSmartConnectors\current\user\agent\flexagent\intsights

2. File name MUST be ‘intsights.sdkibdatabase.properties’ 

3. The content of the file is as follows: 

version.order=1
version.id=10.1
version.query=SHOW server_version
query=SELECT ioc_id, ioc_type, ioc_value, ioc_action, batch_id FROM iocs WHERE batch_id > ? ORDER BY batch_id ASC
# more properties
maxid.query=SELECT max(batch_id) FROM iocs
id.field=batch_id
uniqueid.fields=ioc_id
# event mapping
event.deviceCustomString1=ioc_value
event.deviceCustomString1Label=__stringConstant("IOC value")
event.deviceCustomString2=ioc_type
event.deviceCustomString2Label=__stringConstant("IOC type")
event.deviceCustomString3=ioc_action
event.deviceCustomString3Label=__stringConstant("IOC list action")
event.deviceVendor=__stringConstant("Intsights")
event.deviceProduct=__stringConstant("Intsights Virtual Appliance")

FlexConnector Agent Configuration 


1. Start the ArcSight FlexConnector Setup Wizard 
2. Add a new ID-Based Database FlexConnector 
3. In the configuration dialog, enter the following values: 
○ JDBC driver: org.postgresql.Driver 
○ Database URL: jdbc:postgresql://[appliance IP]/agent 
○ User: arcsight 
○ Password: arcsight 
○ Configuration folder: intsights 
○ Query Frequency: 5 
○ After entering the values, the dialog should look like this: 


4. Resume the wizard normally. 

After configuring the FlexConnector, events will be received by the ArcSight 
deployment. The events will have the following fields set: 

device vendor - "Intsights"
device product - "Intsights Virtual Appliance"
device custom string 1 - the type of the IOC (ip/domain/url/filehash)
device custom string 1 label - "IOC Type"
device custom string 2 - the value of the IOC (e.g., 1.1.1.1, www.google.com, http://google.com/?q=123)
device custom string 2 label - "IOC Value"
device custom string 3 - either 'add' or 'delete'
device custom string 3 label - "IOC list action"
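The properties file and the field list above describe two mechanisms that are easy to get wrong when debugging the connector: the ID-based polling (the query runs with the last processed batch_id as its parameter, so only new rows are fetched) and the per-field event mapping that the Add/Delete rules later key on. The following added example (not IntSights' or ArcSight's code) simulates both against an in-memory SQLite table with the schema the query implies, and then applies the resulting events to one Active List per IOC type the way the Add/Delete rules do, converting IP values with ipaddress in place of the StringToIP function. The sample rows are constructed. One caveat the example makes visible: the properties file maps custom string 1 to the IOC value and custom string 2 to the type, while the field list above says the reverse; the code follows the properties file, so check which labels your deployment actually emits before writing rules. The assumption that the connector advances its marker to the largest batch_id among the rows it returned is labelled in the code.

```python
"""Simulate the ID-based polling and event mapping of the FlexConnector above."""
import ipaddress
import sqlite3

# Constructed sample rows: two batches of 'add' actions, then one 'delete'.
SAMPLE_IOCS = [
    (1, "domain", "bad.example", "add", 1),
    (2, "ip", "192.0.2.10", "add", 1),
    (3, "url", "http://bad.example/x", "add", 2),
    (2, "ip", "192.0.2.10", "delete", 3),
]

# The same statements the properties file uses as 'query' and 'maxid.query';
# '?' is the last batch_id the connector has already processed.
QUERY = ("SELECT ioc_id, ioc_type, ioc_value, ioc_action, batch_id FROM iocs "
         "WHERE batch_id > ? ORDER BY batch_id ASC")
MAXID_QUERY = "SELECT max(batch_id) FROM iocs"


def make_db(rows=SAMPLE_IOCS):
    """In-memory stand-in for the appliance's PostgreSQL 'iocs' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE iocs (ioc_id INTEGER, ioc_type TEXT, "
                 "ioc_value TEXT, ioc_action TEXT, batch_id INTEGER)")
    conn.executemany("INSERT INTO iocs VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def row_to_event(row):
    """Apply the 'event.*' lines of the properties file to one row."""
    _ioc_id, ioc_type, ioc_value, ioc_action, _batch_id = row
    return {
        "deviceVendor": "Intsights",
        "deviceProduct": "Intsights Virtual Appliance",
        "deviceCustomString1": ioc_value,
        "deviceCustomString1Label": "IOC value",
        "deviceCustomString2": ioc_type,
        "deviceCustomString2Label": "IOC type",
        "deviceCustomString3": ioc_action,
        "deviceCustomString3Label": "IOC list action",
    }


def poll_once(conn, last_id):
    """One polling cycle: fetch rows above the high-water mark and advance it.

    Assumption: the marker moves to the largest id.field (batch_id) among the
    returned rows, so an immediate second poll returns nothing new.
    """
    rows = conn.execute(QUERY, (last_id,)).fetchall()
    events = [row_to_event(r) for r in rows]
    new_last = max((r[4] for r in rows), default=last_id)
    return events, new_last


def max_batch_id(conn):
    """Result of 'maxid.query' (None on an empty table)."""
    return conn.execute(MAXID_QUERY).fetchone()[0]


def apply_events(events, lists=None):
    """Mirror the Add/Delete rules: one Active List per IOC type.

    IP values pass through ipaddress (the rule's StringToIP equivalent), so a
    malformed IP raises instead of being stored as a string nobody matches.
    """
    if lists is None:
        lists = {"ip": set(), "domain": set(), "url": set(), "filehash": set()}
    for ev in events:
        ioc_type = ev["deviceCustomString2"]
        value = ev["deviceCustomString1"]
        if ioc_type == "ip":
            value = str(ipaddress.ip_address(value))
        target = lists[ioc_type]
        if ev["deviceCustomString3"] == "add":
            target.add(value)
        elif ev["deviceCustomString3"] == "delete":
            target.discard(value)
    return lists


if __name__ == "__main__":
    db = make_db()
    evts, marker = poll_once(db, 0)
    print(len(evts), "events fetched; marker now", marker)
    print(apply_events(evts))
```

Running it from a marker of 0 yields four events and leaves the marker at 3; the IP list ends up empty because the delete in batch 3 reverses the add in batch 1, which is exactly the ordering guarantee the ORDER BY batch_id ASC clause provides.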

 
At this point, we describe our best-practice for creating and populating 
ArcSight Active Lists that contain IOCs. 

Create Active List 


1. Log into the Arcsight Console. 

2. Select Lists. 


3. The Active Lists are field-based. 

Create four Active Lists, one for each IOC type (IP, URL, Domain and Hash): 


Type should be ‘String’, except for IP, where the type should be ‘IP Address’. 

Create ‘Add’ rules 


1. Create four rules; each one populates an Active List according to the IOC type. 
The rules should be linked to the RealTime rule list. 

2. Example rule for domain IOC; 


Attributes 


Conditions: 


Aggregation: 


Actions 

Create ‘Delete’ rules 


1. Create four rules: each one removes an IOC from the Active List according to the 
IOC type. The rules should be linked to the RealTime rule list: 

2. Example rule for domain IOC: 


Attributes: 


Conditions 


Aggregation: 


Actions: 

 
 

Please note that for IP IOCs only, the field value in the rule should be ‘StringToIP’ 
instead of the ‘Custom String1’ used for Domain, URL and Hash IOCs. 

Once the Active Lists are in place, it is possible to create block/monitor rules, along with 
more sophisticated deployments. 


McAfee ESM 
In order to successfully integrate with the device make sure to complete: 
● Step 1 - Add device to the appliance 
For devices using ‘Pull’ mode, don't forget to copy the IOC group URL. 
● Step 2 - Creating automation rules 

Integration with McAfee ESM includes two steps: 

1. Create a watchlist 

2. Create an alarm 

Create a watchlist: 
1. Log in to McAfee ESM Management console. 

2. Select Watchlists: 

3. Select a Watchlist and click Add: 


4. Main tab - Add Watchlist details 

a. Name – custom name 

b. Set type to: Dynamic. 

c. Enable automatic updates. 

d. Set update interval to 15 minutes: 

5. Sources tab - Add Source details 


a. Set the HTTP/HTTPS source type.  

b. Add the URL taken from the device integration IOC list (ref page 14). 

c. Authentication: None 

d. Method: GET 

e. Test connection 

6. Parsing tab - Set Parsing details 

a. Set the regular expression value to:+ 

b. Set 'Matching Group' to: Group1 

7. Values tab - Set and test values 

a. Click Run; you should see the IOC values. 


b. Finish 

  

Create an alarm 
1. Select Watchlists 


2. On the Alarms tab, select an alarm and click Add.  

  

  

3. Under Condition, add your Match condition. The example below uses 
‘Field Match’ to match between Domains and File Hashes to IOCs from 
IntSights. 


LogRhythm SIEM 
In order to successfully integrate with the device make sure to complete: 
● Step 1 - Add device to the appliance 
For devices using ‘Pull’ mode, don't forget to copy the IOC group URL. 
● Step 2 - Creating automation rules  

● LogRhythm integration is based on a TAXII server hosted on the virtual appliance. 

● The integration supports multiple IOC groups, where each group supports 
multiple IOC types (e.g., Domain, IP or URL). 

● Each IOC group is translated by the system to a TAXII collection, and the IOCs are 
converted to STIX documents that are pulled by the LogRhythm device. 

Prior to performing the steps below, first complete steps 1 and 2 in this guide (add 
LogRhythm to the virtual appliance and sync IOC groups). 

Update hosts file 


1. Log in to the server hosting LogRhythm 

2. Start command line as Administrator 

3. CD to the directory "C:\Windows\System32\drivers\etc" and type "notepad hosts" 

4. Add an entry with the IP address of the appliance and point it to ‘agent-taxii’ 

5. Make sure only one record is ‘agent-taxii’ 
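Steps 4 and 5 are the part of this integration that silently breaks later: a second agent-taxii line added during troubleshooting, or a stale one left uncommented, makes the provider test fail with the "Unable to connect to the remote server" error described further on. The following added example (not part of the original guide) parses hosts-file text, which Windows and Unix share as a format, and reports whether the alias resolves to exactly one valid address, optionally the one you expect. The sample file contents and the 10.0.0.7 address are constructed.

```python
"""Verify the hosts-file mapping for the LogRhythm TAXII alias."""
import ipaddress

# Constructed sample: one commented-out stale entry and one live entry.
GOOD_HOSTS = """\
127.0.0.1       localhost
# 10.0.0.5      agent-taxii    stale entry, commented out
10.0.0.7        agent-taxii
"""

# Constructed sample with the alias defined twice (what step 5 warns against).
DUPLICATE_HOSTS = GOOD_HOSTS + "10.0.0.5        agent-taxii\n"


def parse_hosts(text):
    """Return (line_number, ip, [hostnames]) for each active hosts entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        entries.append((lineno, ip, names))
    return entries


def check_alias(text, alias="agent-taxii", expected_ip=None):
    """Return a list of problems; an empty list means the mapping is as required."""
    problems = []
    matches = [(ln, ip) for ln, ip, names in parse_hosts(text) if alias in names]
    if not matches:
        return [f"no hosts entry maps '{alias}'"]
    if len(matches) > 1:
        lines = ", ".join(str(ln) for ln, _ in matches)
        problems.append(f"'{alias}' is defined {len(matches)} times (lines {lines})")
    for ln, ip in matches:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"line {ln}: '{ip}' is not a valid IP address")
        if expected_ip and ip != expected_ip:
            problems.append(f"line {ln}: '{alias}' points to {ip}, expected {expected_ip}")
    return problems


if __name__ == "__main__":
    # On the LogRhythm server the text would be read from the hosts file
    # opened in step 3; here the constructed samples are checked instead.
    print("good:", check_alias(GOOD_HOSTS, expected_ip="10.0.0.7"))
    print("duplicate:", check_alias(DUPLICATE_HOSTS, expected_ip="10.0.0.7"))
```

The expected_ip argument lets the check double as a change-control test: if the appliance is re-addressed, the hosts entry must follow, and running this against the file catches the mismatch before the provider test does.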

 
 

LogRhythm configuration & testing 


1. Log in to the Windows server hosting LogRhythm 

2. Click the ‘Add STIX/TAXII Provider’ button in the top right 

3. Fill in the details as below: 

1. User = logrhythm 

2. Password = logrhythm 

3. Endpoint = https://<appliance ip addr>:9000/services/collection-management-logrhythm 
Make sure to input the IP address of the virtual appliance in the URL 


4. Threat Provider Name = <Any value, but remember your choice> 

5. Click ‘Test’ to see if it works, and then ‘Save’ 

1. If you see an error like ‘Feeds not found for the provider’, it means 
everything works properly, but no IOC groups are configured in 
the IOC management module. 

2. “Exception while testing … : The underlying connection was closed” 
- just try again; this is a random error that usually indicates nothing. 

3. “Exception while testing … : Unable to connect to the remote 
server” - this means the IP is incorrect, the appliance is not 
reachable from LogRhythm, or the port is incorrect. 


6. You might see something like the screen below. 
Click the ‘Download Now’ button. 

 
 

   


Zscaler Web protection 


In order to successfully integrate with the device make sure to complete: 
● Step 1 - Add device to the appliance 
For devices using ‘Pull’ mode, don't forget to copy the IOC group URL. 
● Step 2 - Creating automation rules 

Required information 

● URL to access the Zscaler console 

● Zscaler console Username & password 

● API key (Get it from the Zscaler console) 

 
 


1. Log in to the Zscaler dashboard 

2. Go to Administration -> URL Categories 

3. Under User Defined, you will see the IOC groups and the IOCs 


Microsoft Office 365 – Exchange Online 


In order to successfully integrate with the device make sure to complete: 
● Step 1 - Add device to the appliance 
For devices using ‘Pull’ mode, don't forget to copy the IOC group URL. 
● Step 2 - Creating automation rules  

Background 
The IntSights platform shares threat indicators with Exchange Online and uses the 
Exchange ‘protection’ module to block attacks. 

Domain IOCs – Are added to the protection spam filter blocked domain list  

IP Address IOCs – Are added to the protection connection filter IP block list 

URL IOCs – Are added to the ATP Safe Links 


NOTE: This requires the Office 365 Advanced Threat Protection module (part of the 
Enterprise E5 subscription or available as an add-on to other subscription types). If your 
environment does not include it, do not select URL IOCs for sharing with Exchange. 

Integrate with Office 365 


1. Log in to the virtual appliance. 

2. Navigate to the Devices page. 


3. Choose: Devices (Push) -> Microsoft Exchange Online

4. Name: Enter a unique device name

5. URL/IP: https://outlook.office365.com
6. Account credentials:
a. Admin – Your Office 365 admin account (e.g., [email protected])
b. Password
7. Spam Filter Identity: The name of the spam filter policy to be used
NOTE: It is advised to use a dedicated policy for this purpose.

8. Test connection.
9. Click Create.


Create policy rule and IOC Group 


Create at least one automation rule so that selected IOCs will be sent to Exchange:
1. Log in to the IntSights cloud platform
2. Navigate to Automation -> Policy
3. Create a new rule and select the required attributes in the threat profile
section:

4. In the Internal remediation section, select an IOC group that is linked to
Exchange Online

Exchange online configuration 


No specific configuration is required to see the IOCs, but you can change the 
spam filter configuration to meet your environment's requirements. 


Example: 
1. IP IOCs
Will appear under the default policy -> Block lists -> Domain Block list

2. Domain IOCs
Will appear under the SPAM policy -> Block lists -> Domain Block list


Appendix 
How to install a new certificate 
 

1. Connect to the virtual appliance via SSH 

2. Change to expert mode (Type 'expert') 

3. Type the following command to enter a shell inside the appliance external 
connection service. 

docker exec -it agent-synchronizer bash

4. You should see the following new prompt 

root@agent-synchronizer:~/agent/agent_services/synchronizer#

5. Input 

cd /usr/share/ca-certificates

6. Create a new directory named 'custom' 

7. Copy the certificate to the new directory 

/usr/share/ca-certificates/custom/[Certificate].crt

8. Apply required permissions 

chmod 644 custom/[Certificate].crt

9. Install the required Linux package 

apt install ca-certificates


10. Run 

dpkg-reconfigure ca-certificates

11. Type exit 

12. Repeat steps 1-8, replacing the docker exec command with: 

docker exec -it coordinator bash

This enters a shell inside the appliance external connection service. After
this step your shell prompt will look like this:
root@intsights-agent:~/agent/agent_services/coordinator

 
 

   
