Configuring the ThreatList SIEM service.

Overview

ThreatLIST provides SIEM enrichment options for network, security, and incident response professionals.

Our database of IP and domain threats can be used to enhance research and forensics, local reporting and network traffic correlation, and as a data enrichment tool for SIEM software (Splunk, QRadar, ArcSight, LogRhythm…)

ThreatSTOP’s ThreatLIST allows you to consume dynamically updated information about the threats targeting, or already present within, your network.

ThreatLIST is easily configured to:

  • Include the security policy categories meaningful to you
  • Integrate with your existing hardware and software platforms
  • Contain the desired historical and contextual metadata about IOCs

Access to this feature

Access to this feature must be enabled in your product plan. Please contact your ThreatSTOP representative if your current plan doesn’t include it.

Data Formats

ThreatSTOP SIEM integration is available in Splunk, Suricata and Domain-Only formats.

  • Splunk files are in a CSV format with the following headers:
    "IOC","Category","SubCategory","Severity","FirstSeen","LastSeen","Geo","IOC Type"
    
  • The Geo field is ISO-8859 encoded. All other fields are 7-bit ASCII.

  • Suricata files are formatted with one IoC per line with the following default format:
    'alert ip [%ioc] any -> any (msg: "[%blocker_desc %blocker_type]"); priority: %priority; sid: %sid;)'
    
  • Domain-Only files are formatted with one IoC per line with only the domain. This format only works for DNS Defense policies with domain IoCs.

Enabling ThreatLIST

There are several easy steps to configure your account to produce the files in the desired format.

  • Navigate to the SIEM Integration tab in the navigation menu
  • Using the dropdown, choose between Splunk (default) and Suricata format.
  • If you’ve chosen Suricata, you will need to describe the format of the line. Our default is:
    alert ip [%ioc] any -> any (msg: "[%blocker_desc %blocker_type]"); priority: %priority; sid: %sid;)

There are several variables that will be replaced with information about each indicator of compromise (IoC) when your file is generated:

  • %ioc is the IP address from ThreatSTOP
  • %blocker_desc is the name of the source of the block
  • %blocker_type is the type of threat
  • %priority is how dangerous the threat is
  • %sid is an incrementing SID for Suricata

  • If you’ve chosen Suricata, you will also be able to configure the starting SID.
  • After changing your settings, click Update.
  • After choosing your format, there are settings to configure on each device. Click the Devices menu entry.
  • For each device, click Edit. There are two configurations to set by choosing from the dropdowns.

Threatlist IOC Type determines what type of IoCs will be included in your SIEM file. Your choices are:

  • IPs only
  • Domains only
  • IP

Threatlist Ioc Format determines if we will generate separate files for each IoC type or a single file. Your choices are:

  • Split IoC Types
  • All IoC Types in a single file

  • Save your changes.

Accessing the ThreatList files

The ThreatLIST files are produced every two hours and are made available for you at threatlist.threatstop.com. The files need to be accessed via SFTP. Credentials will be provided by our support team.

The files follow this naming convention:

threatlist-<device id>-<ioc type>-<timestamp>.csv
threatlist-<device id>-<ioc type>-latest.csv

where:

  • device id is a unique identifier for the device that is associated with the ThreatList configuration
  • ioc type is ip, domain, or all (for a ThreatList setting requesting both IP addresses and domains)
  • timestamp has the form YYYYMMDD-hhmm and is the time at which the file was produced. The -latest file always points to the latest version.

For example:

threatlist-tdid_e9b5ca15-ip-latest.csv
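As an added example (not ThreatSTOP's own code), the Python script below parses the file naming convention above and a constructed Splunk-format CSV with the documented headers, decoding the Geo column as ISO-8859-1, then correlates a few constructed firewall and DNS log lines against the loaded IoCs to show the enrichment use case from the Overview. The sample rows, log lines and function names are assumptions.

```python
import csv
import io
import re

# Header row exactly as documented for the Splunk CSV format.
FIELDS = ["IOC", "Category", "SubCategory", "Severity",
          "FirstSeen", "LastSeen", "Geo", "IOC Type"]

# Constructed sample export (not a real ThreatLIST file). Geo is ISO-8859-1
# encoded (\xe9 = e-acute), so the file is kept as bytes until decoded below.
SAMPLE_CSV = (
    b'"IOC","Category","SubCategory","Severity","FirstSeen","LastSeen","Geo","IOC Type"\n'
    b'"198.51.100.7","Botnet","C2","high","2024-01-02","2024-03-04","M\xe9xico","ip"\n'
    b'"example.invalid","Phishing","Credential","medium","2024-02-10","2024-03-01","S\xe3o Tom\xe9","domain"\n'
)

# Constructed log lines to correlate against the list.
LOG_LINES = [
    "2024-03-04T02:15:00Z fw drop src=198.51.100.7 dst=10.0.0.5 dport=443",
    "2024-03-04T02:16:10Z dns query example.invalid from 10.0.0.9",
    "2024-03-04T02:17:30Z fw allow src=203.0.113.9 dst=10.0.0.5 dport=80",
]

# threatlist-<device id>-<ioc type>-<YYYYMMDD-hhmm | latest>.csv; the IoC type
# is matched explicitly because the timestamp itself contains a hyphen.
FILENAME_RE = re.compile(r"^threatlist-(?P<device_id>.+?)-(?P<ioc_type>ip|domain|all)-"
                         r"(?P<stamp>\d{8}-\d{4}|latest)\.csv$")

def parse_filename(name):
    """Split a ThreatLIST file name into device id, IoC type and timestamp, or None."""
    m = FILENAME_RE.match(name)
    return m.groupdict() if m else None

def load_threatlist(raw):
    """Decode a Splunk-format ThreatLIST CSV and index its rows by IoC value."""
    text = raw.decode("iso-8859-1")  # superset of 7-bit ASCII, so valid for every column
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != FIELDS:
        raise ValueError("unexpected header: %r" % (reader.fieldnames,))
    return {row["IOC"]: row for row in reader}

def enrich(log_lines, iocs):
    """Return (line, ioc_row) pairs for log lines that mention a listed IP or domain."""
    hits = []
    for line in log_lines:
        for token in sorted(set(re.findall(r"[A-Za-z0-9.\-]+", line))):
            if token in iocs:
                hits.append((line, iocs[token]))
    return hits
```

Against the constructed data, the first two log lines match the listed IP and domain and carry the row's Category, Severity and Geo into the result; the third line is clean.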