Threat Intelligence Based Alert

This may be an obvious question with an obvious answer but I couldn’t find anything in the Alerts pane in the ECA: Is there a way to create a Detection alert based on an uploaded threat intelligence package?

For example: I have a set of IoCs in the form of IP addresses that I’ve uploaded to the ECA and EDA in STIX format. Could I create an alert that fires when traffic over a specific protocol is detected to or from the IP addresses in that collection?

In general, we’ve found that most customers prefer to use metrics and records for monitoring TI hits, rather than creating a detection for it. You can create alerts using the built-in metrics for suspicious connections to be alerted in those cases.

If you want to make detections by suspicious IP, here’s a sketch of what that code would look like. There are some properties missing from the object passed to commitDetection, but the editor will help you fill in the rest of them.

if (!ThreatIntel.hasIP(Flow.client.ipaddr)) return;

commitDetection('inbound_ti_hit', {
    // Mark the TI hit as the most important participant, and the one causing
    // the problem; mark the device accepting the connection as the victim.
    participants: [
        { role: 'offender', object: Flow.client.ipaddr },
        { role: 'victim', object: Flow.server.device },
    ],
    // Create one detection per matched IP address
    identityKey: Flow.client.ipaddr.toString(),
});

// Substitute with your protocol(s) of choice
HTTP.commitRecord();

Currently, there is no way to know in the trigger which TI collection matched the IP address. This means you cannot choose to fire detections for some TI collections but not others. We’re exploring what it would take to do that, but don’t have a timetable for that change.

There are five TI hit-based RBDs (TCP in, TCP out, DNS request, HTTP host, URI) already in production, with a sixth for SNI being slowly rolled out.
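As an added example (not code from the thread or from ExtraHop), the sketch above extended to the "to or from" case the question asks about: both flow endpoints are checked against TI, the detection is limited to a set of L7 protocols, and the identityKey deduplicates per direction, matched IP and protocol. The decision logic is a pure function over objects shaped like the trigger's Flow.client / Flow.server / Flow.l7proto, so it runs offline on constructed data; ThreatIntel.hasIP, commitDetection and the WATCHED_PROTOS list are only assumed, and the trigger wiring at the end runs only inside the ExtraHop runtime.

```javascript
// Added example: bidirectional TI-hit detection logic, kept separate from the
// ExtraHop trigger globals so it can be exercised offline with constructed data.

// L7 protocols that should produce a detection (constructed list).
const WATCHED_PROTOS = new Set(['HTTP', 'DNS', 'SSL']);

// Returns the type and options for commitDetection, or null when nothing should
// fire. `hasIP` is a predicate such as (ip) => ThreatIntel.hasIP(ip).
function buildTiDetection(flow, hasIP) {
  if (!WATCHED_PROTOS.has(flow.l7proto)) return null;
  const clientHit = hasIP(flow.client.ipaddr);
  const serverHit = hasIP(flow.server.ipaddr);
  if (!clientHit && !serverHit) return null;

  // Inbound: a listed remote client is the offender, the local server the victim.
  // Outbound: a local client reached a listed server; the local device is the victim.
  const direction = clientHit ? 'inbound' : 'outbound';
  const hitIp = clientHit ? flow.client.ipaddr : flow.server.ipaddr;
  const victim = clientHit ? flow.server.device : flow.client.device;

  return {
    type: `${direction}_ti_hit`,
    participants: [
      { role: 'offender', object: hitIp },
      { role: 'victim', object: victim },
    ],
    // One detection per (direction, matched IP, protocol) tuple
    identityKey: `${direction}:${hitIp}:${flow.l7proto}`,
  };
}

// Constructed sample data standing in for a TI collection and two flows.
const SAMPLE_TI = new Set(['203.0.113.7']);
const sampleHasIP = (ip) => SAMPLE_TI.has(String(ip));

const inboundFlow = { l7proto: 'HTTP',
  client: { ipaddr: '203.0.113.7', device: 'remote' },
  server: { ipaddr: '10.0.0.5', device: 'web-01' } };
const outboundDns = { l7proto: 'DNS',
  client: { ipaddr: '10.0.0.9', device: 'ws-09' },
  server: { ipaddr: '203.0.113.7', device: 'remote' } };

// Trigger wiring: only meaningful inside the ExtraHop runtime, where the
// Flow, ThreatIntel and commitDetection globals exist.
if (typeof Flow !== 'undefined') {
  const d = buildTiDetection(Flow, (ip) => ThreatIntel.hasIP(ip));
  if (d) commitDetection(d.type, { participants: d.participants, identityKey: d.identityKey });
}
```

As in the original sketch, the options object still needs the remaining commitDetection properties the trigger editor prompts for.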

Thanks for the input.
Regarding the metrics vs alerts vs detections, I need to be able to quickly send an email if there’s a traffic pattern indicative of a specific threat actor. For example: if there’s unusual encrypted DNS traffic to a TI IP and/or domain, or if there is a successful login to a client/server after multiple failed logins.