See, Analyze, and Interact with Emerging Threat Data
Why It's Important:
You can’t fight an adversary you can’t see, and it’s extremely challenging to conduct an effective forensic investigation without analyzing all of the relationships that exist among artifacts and evidence.
Threat intelligence artifacts (like IOCs) often come in a variety of formats, and correlating all of those artifacts can become very complicated very quickly – making it difficult to make progress and reach reliable conclusions from the data. Quite simply, it’s easy to get lost in all of the data, especially without any context.
Incident responders and SOC analysts need a visual map they can use on a daily basis for conducting investigations or hunting for anomalous activity.
Data visualization can provide an intuitive map for charting threat indicators, artifacts and assets, and their relationships to each other.
In addition to viewing this data visually, it’s also essential to be able to manipulate and interact with the data – to pinpoint points of entry, establish logical relationships between assets, vulnerabilities and adversary activities, as well as to pivot from one artifact to another during an investigation.
Falcon Intelligence provides an API that allows subscribers to integrate our intelligence with a variety of data visualization tools (e.g. Paterva’s Maltego). By visualizing threat intelligence in context, incident responders and SOC analysts can sort through mountains of data to find the “golden nuggets” of information needed to hunt down adversaries, investigate incidents, and bolster defenses.
How It Works:
Falcon Intelligence provides the specific emerging threat indicators and artifacts you need to hunt for attack activity throughout your enterprise.
These include artifacts such as domain names, IP addresses, URLs, filenames, hashes, malware signatures, registry key settings, known vulnerability data and more. In addition to this intelligence, Falcon Intelligence subscribers receive an API feed and a set of Maltego transforms to:
- Develop a visual map of adversaries and their TTPs and targets
- Aggregate a variety of data sources and raw data artifacts for ad-hoc query analysis
- Discover and analyze IOAs and IOCs across the environment
- Explore technical details about adversary tools and remediate accordingly
- Pivot between threat artifact details, and impacted and at-risk assets during investigations
- Bolster defenses based on emerging intelligence (update blacklists, ACLs, signatures, and correlation rules)
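The correlation and pivoting described above can be reduced to a small graph exercise. The Python below is an added illustration, not CrowdStrike code and not the Falcon Intelligence API or its Maltego transforms: it normalizes indicators from two constructed feeds in different formats (a CSV export and a JSON list) plus a constructed list of internal host sightings into one relationship graph, then pivots outward from a single artifact by a chosen number of hops. Every indicator, hash, hostname, malware family and actor name is made up for the example.

```python
"""Normalize heterogeneous IOC records into one graph and pivot across it."""
import csv
import io
import json
from collections import defaultdict, deque

# Constructed sample feeds; none of these values are real indicators.
CSV_FEED = """indicator,type,malware_family,actor
evil-update.example,domain,LOADER-X,ACTOR-A
203.0.113.10,ipv4,LOADER-X,ACTOR-A
"""

JSON_FEED = json.dumps([
    {"sha256": "a" * 64, "filename": "update.exe", "c2": ["evil-update.example"]},
    {"sha256": "b" * 64, "filename": "svc.dll", "c2": ["203.0.113.10", "cdn.example.net"]},
])

# Constructed sightings: (internal host, indicator type, indicator value).
SIGHTINGS = [
    ("WS-0042", "domain", "evil-update.example"),
    ("SRV-07", "ipv4", "203.0.113.10"),
]


def node(kind, value):
    """Canonical node id so the same artifact from different feeds merges."""
    return f"{kind.lower()}:{value.strip().lower()}"


def classify(value):
    """Minimal typing for untyped c2 entries: IPv4 literal or domain name."""
    parts = value.split(".")
    if len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        return "ipv4"
    return "domain"


class IocGraph:
    def __init__(self):
        self.edges = defaultdict(set)  # node -> {(relation, neighbor)}

    def link(self, a, relation, b):
        """Store the edge in both directions so pivots work either way."""
        self.edges[a].add((relation, b))
        self.edges[b].add(("rev:" + relation, a))

    def neighbors(self, n):
        return {nb for _, nb in self.edges.get(n, ())}

    def pivot(self, start, depth=1):
        """Breadth-first pivot: every node within `depth` hops and its hop count."""
        seen = {start: 0}
        queue = deque([start])
        while queue:
            cur = queue.popleft()
            if seen[cur] >= depth:
                continue
            for nb in self.neighbors(cur):
                if nb not in seen:
                    seen[nb] = seen[cur] + 1
                    queue.append(nb)
        seen.pop(start)
        return seen

    @staticmethod
    def of_type(nodes, kind):
        """Filter a pivot result down to one artifact type, e.g. affected hosts."""
        return sorted(n for n in nodes if n.startswith(kind + ":"))


def build_graph():
    g = IocGraph()
    for row in csv.DictReader(io.StringIO(CSV_FEED)):
        ind = node(row["type"], row["indicator"])
        fam = node("malware", row["malware_family"])
        g.link(ind, "used_by", fam)
        g.link(fam, "operated_by", node("actor", row["actor"]))
    for rec in json.loads(JSON_FEED):
        h = node("sha256", rec["sha256"])
        g.link(h, "named", node("filename", rec["filename"]))
        for c2 in rec["c2"]:
            g.link(h, "beacons_to", node(classify(c2), c2))
    for host, kind, value in SIGHTINGS:
        g.link(node("host", host), "contacted", node(kind, value))
    return g


if __name__ == "__main__":
    g = build_graph()
    start = node("sha256", "a" * 64)
    for n, hops in sorted(g.pivot(start, depth=3).items(), key=lambda kv: kv[1]):
        print(hops, n)
```

The graph is the part that matters: once every feed is reduced to canonical `type:value` nodes, a hash from the JSON feed and a domain from the CSV export connect automatically, and a single pivot from an actor node answers "which of my hosts touched anything tied to this adversary" without hand-correlating formats.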