This post is the first of a series on Threat Intelligence Automation topic
Post 2: Foundation: write a custom prototype and SOC integration
Post 3: Export internal IoC to the community
Post 4: Search received IoC events with Splunk
Post 5: Connect to a TAXII service
Last slide at my HackInBo talk (italian) was about how to automatically integrate threat intelligence feeds into our near-real-time Information Security Operation Center (i-SOC) SPLUNK engine to reduce the time spent by SOC security analysts on IoC (Indicators of Compromise) analysis.
At the time I was testing an open source project from PaloAlto: MineMeld. It was the right choice; after extensive tests MineMeld now help me to solve the challenges I had in the past while playing with IoC coming from various threat intelligence sources: collection automation, unduplication, aging and SOC integration.
MineMeld can also share our internal IoC to the italian infosec community we are now building from the ground. We are working hard on this and I’m really confident we will succeed (want to join? DM me on twitter or in the comments). Continue reading “MineMeld: threat intelligence automation – architecture and hardening ”