Threat Intel Integration supports STIX version 1.2 files containing information on malicious IP addresses, domains, URLs or user-agents.
Cognito monitors north-south and east-west traffic for the IoCs and will fire detections when a match is observed.
Threat Intel Integration augments the Cognito attacker behavior detection algorithms to amplify the attacker signal. The Cognito threat intelligence detections provide additional context for the detection event such as bytes sent and received, number of events, and a PCAP of the actual event.
Creating a Threat Feed
- In the UI, open the Manage > Threat Feeds page.
- Fill in the required fields.
- Click Save, then click Open.
- Upload a STIX file of your choice containing the indicators of interest and select the relevant category (e.g., command and control).
If Cognito identifies a match, a Threat Intelligence Match detection fires on the offending host in the specified category.
The current limits and supported observables for threat feeds are:
- Up to 100,000 observables are supported in one STIX file
- The maximum configurable threat feed duration is 90 days
- If the STIX file carries an expiry on its observables, that expiry is used instead of the feed configuration
- Depending on the category selected, matching is done on internal-to-external traffic or on internal-to-internal traffic (for example, when the category is Lateral)
- Matching is on IP, Domain, URL, User-Agent and User-Account observables
- User-Account is matched in Kerberos and SMB traffic
- Domain matches use iSession metadata (i.e. DNS requests, the HTTP Host header and the SNI of SSL)
- User-Agent and URL are matched in HTTP traffic
- User-Account is checked in RDP, SMB, RPC, NTLM and Kerberos
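The list above is easiest to apply when the feed file is generated and checked programmatically. The script below is an added example, not Vectra's code or the sample_stix.xml the article refers to: it writes one STIX 1.2 Indicator per IoC for each of the observable kinds listed (IP, domain, URL, user-agent, user-account), enforces the 100,000-observable limit before anything is uploaded, and parses the file back so the feed can be reviewed first. The sample IoCs are constructed on documentation ranges and domains, and the choice of Valid_Time_Position/End_Time as the per-observable expiry field is our assumption.

```python
"""Build a STIX 1.2 indicator file for a threat feed and check it before upload.

Added example (not Vectra's code). One STIX Indicator per IoC, each holding a
single CybOX object; the per-observable expiry is written as
Valid_Time_Position/End_Time, which we assume is the field read when the
file carries its own expiry.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
    "URIObj": "http://cybox.mitre.org/objects#URIObject-2",
    "HTTPSessionObj": "http://cybox.mitre.org/objects#HTTPSessionObject-2",
    "UserAccountObj": "http://cybox.mitre.org/objects#UserAccountObject-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

MAX_OBSERVABLES = 100_000  # per-file limit stated in the article

# kind -> (xsi:type of the CybOX object, its attributes, path to the element holding the value)
OBSERVABLE_KINDS = {
    "ip": ("AddressObj:AddressObjectType", {"category": "ipv4-addr"}, "AddressObj:Address_Value"),
    "domain": ("DomainNameObj:DomainNameObjectType", {"type": "FQDN"}, "DomainNameObj:Value"),
    "url": ("URIObj:URIObjectType", {"type": "URL"}, "URIObj:Value"),
    "user_agent": ("HTTPSessionObj:HTTPSessionObjectType", {},
                   "HTTPSessionObj:HTTP_Request_Response/HTTPSessionObj:HTTP_Client_Request/"
                   "HTTPSessionObj:HTTP_Request_Header/HTTPSessionObj:Parsed_Header/"
                   "HTTPSessionObj:User_Agent"),
    "user_account": ("UserAccountObj:UserAccountObjectType", {}, "UserAccountObj:Username"),
}


def q(prefix, tag):
    """Clark-notation tag name ({uri}tag) for ElementTree."""
    return "{%s}%s" % (NS[prefix], tag)


def build_stix(iocs, expires):
    """iocs: iterable of (kind, value); expires: aware datetime. Returns STIX 1.2 XML text."""
    iocs = list(iocs)
    if len(iocs) > MAX_OBSERVABLES:
        raise ValueError("%d observables exceeds the %d per-file limit" % (len(iocs), MAX_OBSERVABLES))
    end_text = expires.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    pkg = ET.Element(q("stix", "STIX_Package"), {"version": "1.2", "id": "Package-%s" % uuid.uuid4()})
    inds = ET.SubElement(pkg, q("stix", "Indicators"))
    for kind, value in iocs:
        xsi_type, attrs, path = OBSERVABLE_KINDS[kind]  # KeyError for kinds the feed cannot match
        ind = ET.SubElement(inds, q("stix", "Indicator"), {"id": "Indicator-%s" % uuid.uuid4()})
        ind.set(q("xsi", "type"), "indicator:IndicatorType")
        ET.SubElement(ind, q("indicator", "Title")).text = "%s %s" % (kind, value)
        # Schema order inside an Indicator: Title, Valid_Time_Position, then Observable.
        vtp = ET.SubElement(ind, q("indicator", "Valid_Time_Position"))
        ET.SubElement(vtp, q("indicator", "End_Time")).text = end_text
        obs = ET.SubElement(ind, q("indicator", "Observable"), {"id": "Observable-%s" % uuid.uuid4()})
        obj = ET.SubElement(obs, q("cybox", "Object"), {"id": "Object-%s" % uuid.uuid4()})
        node = ET.SubElement(obj, q("cybox", "Properties"), attrs)
        node.set(q("xsi", "type"), xsi_type)
        for step in path.split("/"):  # nest down to the element that carries the value
            node = ET.SubElement(node, q(*step.split(":")))
        node.text = value
    return ET.tostring(pkg, encoding="unicode")


def _local(qname):
    """Local part of a prefixed name; third-party files may use other prefixes."""
    return (qname or "").split(":")[-1]


def parse_stix(xml_text):
    """Return [(kind, value, expiry)] for every observable, for review before upload."""
    found = []
    for ind in ET.fromstring(xml_text).iter(q("stix", "Indicator")):
        expiry = ind.findtext("indicator:Valid_Time_Position/indicator:End_Time", namespaces=NS)
        for props in ind.iter(q("cybox", "Properties")):
            for kind, (xsi_type, _attrs, path) in OBSERVABLE_KINDS.items():
                if _local(props.get(q("xsi", "type"))) == _local(xsi_type):
                    found.append((kind, props.findtext(path, namespaces=NS), expiry))
    return found


# Constructed sample IoCs on documentation ranges/domains (not real indicators).
SAMPLE_IOCS = [
    ("ip", "203.0.113.7"),
    ("domain", "c2.example.net"),
    ("url", "http://c2.example.net/gate.php"),
    ("user_agent", "Mozilla/4.0 (compatible; MSIE 6.0)"),
    ("user_account", "svc-backup"),
]
SAMPLE_EXPIRY = datetime(2030, 1, 1, tzinfo=timezone.utc)


def sample_feed():
    """The sample IoCs above as a STIX 1.2 file, ready for the Threat Feeds upload."""
    return build_stix(SAMPLE_IOCS, SAMPLE_EXPIRY)


if __name__ == "__main__":
    for kind, value, expiry in parse_stix(sample_feed()):
        print("%-12s %-40s expires %s" % (kind, value, expiry))
```

Running the script prints the five sample observables with their expiry; writing the return value of sample_feed() to a file gives something that can be uploaded on the Threat Feeds page. Running parse_stix over a third-party file before upload is also a cheap way to see how many observables it carries and whether they fall into the supported kinds, which helps keep low-quality indicators out of the feed.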
Automating STIX file upload
The upload of the STIX file can also be automated via the API.
Details of the threat feed API can be found in the REST API Guide under the Resources page in the UI. It is important that only high-quality threat or IoC feeds be uploaded to Cognito to avoid a high volume of matches on low-level threats.
There are also scripts available in our community tools.
Where to obtain quality STIX Threat Feeds
You can use any of a number of third-party STIX providers, depending on your exact needs. Both free and commercial STIX feeds are available; choose the one that best suits your needs. Vectra does not have any specific recommendations in this regard.
Can I directly pull third-party feeds using the Vectra API?
Vectra's API does not currently include functionality to directly download STIX/TAXII feeds from third parties; we are tracking a feature request.
One possible solution is to use the threat feed provider's API to download the STIX file and then upload it to Vectra using Vectra's APIs or the Vectra community API tools: https://github.com/vectranetworks/vectra_api_tools/wiki/2.-Vectra-module#poststixfile
Where can I find a sample file for my testing?
Please see the sample_stix.xml file below for reference. It contains examples of domain, IP and URL observables.