diff --git a/content/en/security/threat_intelligence.md b/content/en/security/threat_intelligence.md index 47de2a16ae52f..059f62e11de0d 100644 --- a/content/en/security/threat_intelligence.md +++ b/content/en/security/threat_intelligence.md @@ -22,7 +22,7 @@ products: {{< product-availability >}} ## Overview -Threat Intelligence is reputation information that helps responders make informed decisions on attacks and compromises. +Threat Intelligence is reputation information that helps responders make informed decisions on attacks and compromises. Datadog curates commercial, open-source, and in-house threat intelligence indicators of compromise into categories and intents. Threat intelligence is updated at least once per day, per source. This data is used to enrich your logs and traces with relevant reputation information. @@ -52,7 +52,7 @@ With threat intelligence, reputation is key, but it must be weighed alongside ot Threat intelligence used in [Detection Rules][1] should reference the Datadog keys such as category (`@threat_intel.results.category`) and intent (`@threat_intel.results.intention`). Other keys should not be used. -## Transparency in Threat Intelligence +## Transparency in Threat Intelligence Datadog ensures transparency by providing external links to external threat intelligence sources associated with a detection. Threat intelligence curated by Datadog is ingested into the Datadog platform for enrichment and detection. Datadog does not send customer data to threat intelligence sources. 
@@ -60,11 +60,11 @@ The detections and enrichments are accessible in the UI and event JSON. ## Threat Intelligence Facets -Sources, categories, and intents are available as facets and filters on relevant product explorers. +Sources, categories, and intents are available as facets and filters on relevant product explorers. ### Threat Intelligence Sources -| Source | Category | Source Use Cases | Primary Products | +| Source | Category | Source Use Cases | Primary Products | |--------|------------|-----------|------------------| | Datadog Threat Research| scanners, Redis exploitation, Docker exploitation, malware, bruteforcer | Honeypots focused on software specific threats | ASM, CWS and Cloud SIEM | | [Spur](https://spur.us/) | residential_proxy | Proxies associated credential stuffing and fraud | ASM and Cloud SIEM | @@ -72,7 +72,7 @@ Sources, categories, and intents are available as facets and filters on relevant | [Abuse.ch](https://abuse.ch/) Malware Bazaar| malware | Malware on hosts | CWS | | [Minerstat](https://minerstat.com/mining-pool-whitelist.txt) | malware | Coinminer activity with known mining pools| CWS | | Tor | tor | Policy violations for user activity | ASM, Cloud SIEM, and CWS | -| [Threatfox](https://threatfox.abuse.ch/) | attack | Indicators of compromise (IOCs) associated with malware | Cloud SIEM, and CWS | +| [Threatfox](https://threatfox.abuse.ch/) | malware | Identify hosts communicating with known malware infrastructure | Cloud SIEM, and CWS | ### Threat Intelligence Categories 
@@ -90,19 +90,19 @@ Sources, categories, and intents are available as facets and filters on relevant | Intent | Use Case | |--------|----------| | benign | Corporate VPNs and informational enrichments | -| suspicious | Low reputation | -| malicious | Malicious reputation | +| suspicious | Low reputation | +| malicious | Malicious reputation | ## Entity Types -| Entity Type | Example | Use Cases | +| Entity Type | Example | Use Cases | |-------------|---------|-----------------------------| -| IP addresses | 128.66.0.1 | Identify IP addresses associated with attacks, command and control, and scanning activity | +| IP addresses | 128.66.0.1 | Identify IP addresses associated with attacks, command and control, and scanning activity | | domains | example.com, subdomain.example.com | Domains associated with malicious use. Often used with malware as a command and control | | application packages versions | (example_package, 1.0.0) | Identify malicious packages downloaded from PyPi | | file hashes [SHA1, SHA256] | 5f7afeeee13aaee6874a59a510b75767156f75d14db0cd4e1725ee619730ccc8 | Identify a distinct file associated with malware or compromise |
-**Note**: Threat intelligence sources and categories are not configurable at this time. +**Note**: Threat intelligence sources and categories are not configurable at this time. ## Further Reading
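Review bot: the `@@ -22,7` hunk is a whitespace-only change: the only difference between the removed and added Overview line is a trailing space after "compromises." Trailing whitespace is noise in a markdown source and will be flagged by most editors and linters, so drop this hunk (and re-run the change without trailing spaces) so the diff only carries the intended Threatfox edit.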
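Review bot: in the `@@ -60,11` hunk the table header line `| Source | Category | Source Use Cases | Primary Products |` gains a trailing space, as does the "Sources, categories, and intents are available as facets and filters" sentence; neither alters rendered output. The same trailing-space-only edits appear in the `@@ -52,7` hunk on the `## Transparency in Threat Intelligence` heading and in the final hunk on the `**Note**:` line. Reverting these keeps the diff reviewable and avoids churning blame on lines whose content did not change.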
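Review bot: in the `@@ -72,7` hunk the Threatfox row's category changes from `attack` to `malware`, which brings it in line with the Malware Bazaar and Minerstat rows, but please confirm the "Threat Intelligence Categories" table further down (not shown in this diff) still lists every category the Sources table now uses, and that `attack` is still used by some source, otherwise it should be removed from that table in the same change. The new use-case text "Identify hosts communicating with known malware infrastructure" is clearer than the old "Indicators of compromise (IOCs) associated with malware"; while touching this row, also fix the Primary Products cell `Cloud SIEM, and CWS` to `Cloud SIEM and CWS`, since a comma before "and" in a two-item list is incorrect and the Malware Bazaar and Minerstat rows above it do not use one.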
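Review bot: the `@@ -90,19` hunk only adds trailing spaces to the `suspicious`, `malicious`, `| Entity Type |` and `| IP addresses |` lines, so the hunk as written has no rendered effect and should be reverted, but if this table is being edited anyway there are two real fixes worth making in the unchanged context lines. First, `Identify malicious packages downloaded from PyPi` misspells the registry name; it is `PyPI`, and `application packages versions` reads better as `application package versions`. Second, the IP example `128.66.0.1` is not in one of the RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`); using an address such as `203.0.113.1` avoids pointing readers at an address that could be live, which matters on a page whose subject is IP reputation.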