Intel management
You can leverage the Zeek Intelligence framework to match a list of IOCs against live network traffic on the sensor. Use Corelight-update to validate and merge one or more threat intel files and publish a single, integrated threat intel file.
Intel management settings
    intel_management:
      intel_file_cleanup: true
      max_intel_file_age: 24
      disable_filename: disable.intel
Every time a new intel file is generated, a copy of the file with the current timestamp is also created. The intel_file_cleanup and max_intel_file_age (in hours) settings control the retention of the timestamped copies.
Disable Threat Intel indicators
If a disable_filename is provided, Corelight-update will also use that intel disable file to remove unwanted indicators from the published intel file, allowing you to effectively “disable” specific threat intel indicators.
The disable.intel file is a text file with a single column of indicators to remove.
    indicator
    <disabled indicator value 1>
    <disabled indicator value 2>
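The validate, merge and disable flow described above, as an added Python example that is not Corelight-update's own code. The two feeds, their names, the disable list and the four-column field layout are constructed; the real tool's validation rules are not assumed beyond requiring a well-formed tab-separated Zeek intel row.

```python
"""Merge Zeek intel feeds and drop disabled indicators (constructed example, not Corelight-update code)."""

# Constructed sample inputs: two Zeek-format intel feeds and a disable file.
FEED_A = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\n"
    "198.51.100.7\tIntel::ADDR\tfeed_a\tscanner\n"
    "bad.example\tIntel::DOMAIN\tfeed_a\tc2 domain\n"
)
FEED_B = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\n"
    "bad.example\tIntel::DOMAIN\tfeed_b\tc2 domain\n"
    "203.0.113.9\tIntel::ADDR\tfeed_b\tbruteforce\n"
    "not-a-valid-line\n"
)
DISABLE = "indicator\n198.51.100.7\n"
FIELDS = ["indicator", "indicator_type", "meta.source", "meta.desc"]

def parse_disable(text):
    """Set of indicators to drop; the optional 'indicator' header line is skipped."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines and lines[0].lower() == "indicator":
        lines = lines[1:]
    return set(lines)

def parse_feed(text):
    """Yield well-formed records from a Zeek intel file; comments and short rows are skipped."""
    for ln in text.splitlines():
        if not ln or ln.startswith("#"):
            continue
        cols = ln.split("\t")
        if len(cols) < len(FIELDS):
            continue  # a malformed row would make Zeek reject the whole file, so drop it
        yield dict(zip(FIELDS, cols))

def merge(feeds, disable_text):
    """Validate, merge and de-duplicate feeds, then apply the disable list."""
    disabled, seen, out = parse_disable(disable_text), set(), []
    for feed in feeds:
        for rec in parse_feed(feed):
            key = (rec["indicator"], rec["indicator_type"])
            if rec["indicator"] in disabled or key in seen:
                continue  # disabled indicator, or already published from an earlier feed
            seen.add(key)
            out.append(rec)
    return out

def render(records):
    """Serialise the merged records as one Zeek intel file with the #fields header."""
    rows = ["#fields\t" + "\t".join(FIELDS)]
    rows += ["\t".join(rec[f] for f in FIELDS) for rec in records]
    return "\n".join(rows) + "\n"
```

Calling `render(merge([FEED_A, FEED_B], DISABLE))` yields a single file in which the disabled address is gone, the duplicated domain appears once with its first source, and the malformed row is dropped.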
Add Threat Intel sources
Threat intel sources are collections of IOCs in Zeek-compatible formatted files. These files can be provided by a variety of sources, including security vendors and open-source IOC collections.
Corelight-update can pull threat intel sources hosted in local and remote repositories.
To add threat intel sources, you’ll configure them as Corelight-update Policy sources.
For an example of a third-party Threat Intel policy source configuration, see Threat intelligence source example.
To review the order that the configurations are processed in, see Order of operations.