|
| 1 | +--- |
| 2 | +slug: /security/threat-intelligence/sumologic-global-feed-from-crowdstrike |
| 3 | +title: Sumo Logic Global Feed from CrowdStrike |
| 4 | +sidebar_label: Global Feed from CrowdStrike |
| 5 | +description: Learn about Sumo Logic's threat intelligence feed of indicators from CrowdStrike. |
| 6 | +--- |
| 7 | + |
| 8 | +import useBaseUrl from '@docusaurus/useBaseUrl'; |
| 9 | + |
| 10 | +In partnership with CrowdStrike, Sumo Logic maintains the **_sumo_global_feed_cs** [threat intelligence source](/docs/security/threat-intelligence/about-threat-intelligence/#threat-intelligence-sources), an updated threat intelligence database that can be correlated with log data through queries. The Sumo Logic / CrowdStrike integration has two parts: |
| 11 | +* Sumo Logic maintains an up-to-date copy of CrowdStrike’s threat database. |
| 12 | +* Sumo Logic customers can use the CrowdStrike database in threat analysis queries over their logs (through a [`lookup` operator](/docs/search/search-query-language/search-operators/lookup/)). For example, the [Threat Intel Quick Analysis app](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/) points to the **_sumo_global_feed_cs** source in its queries by [using the lookup search operator](/docs/security/threat-intelligence/find-threats/#use-the-lookup-search-operator). The app scans all Sumo Logic logs and parses (using regex) IP/Email/URL/Domain/File Name fields for comparison against the threat feed from CrowdStrike. Think of it as an Inner Join between parsed fields and the threat table. |
| 13 | + |
| 14 | +## Indicators of Compromise (IOC) |
| 15 | + |
| 16 | +The following [Indicators of Compromise](https://www.crowdstrike.com/en-us/cybersecurity-101/threat-intelligence/indicators-of-compromise-ioc/) types are available from CrowdStrike: |
| 17 | +* ip_address |
| 18 | +* domain |
| 19 | +* url |
| 20 | +* email_address |
| 21 | +* event_name |
| 22 | +* x509_subject |
| 23 | +* ip_address_block |
| 24 | +* x509_serial |
| 25 | +* binary_string |
| 26 | +* service_name |
| 27 | +* user_agent |
| 28 | +* bitcoin_address |
| 29 | +* file_path |
| 30 | +* registry |
| 31 | +* username |
| 32 | +* file_name |
| 33 | +* password |
| 34 | +* campaign_id |
| 35 | +* mutex_name |
| 36 | +* hash_md5 |
| 37 | +* hash_sha1 |
| 38 | +* hash_sha256 |
| 39 | + |
| 40 | +### Samples for the different IOC types |
| 41 | + |
| 42 | +| IOC Type | IOC | |
| 43 | +|---------------|-------------------------------------------------------| |
| 44 | +| SHA256 | `6c1bce76f4d2358656132b6b1d471571820688ccdbaca0d86d0ca082b9390536` | |
| 45 | +| SHA256 | `b101cd29e18a515753409ae86ce68a4cedbe0d640d385eb24b9bbb69cf8186ae` | |
| 46 | +| IP Address | `84.112.91.96` | |
| 47 | +| IP Address | `158.69.196.112` | |
| 48 | +| File | `updater.exe` | |
| 49 | +| File | `0.exe` | |
| 50 | +| URL | `http://tycahatit.ru/zapoy/gate.php` | |
| 51 | +| URL | `http://ningwitjohnno.ru/zapoy/gate.php` | |
| 52 | +| Domain | `9jdco01e.ru` | |
| 53 | +| Domain | `ningwitjohnno.ru` | |
| 54 | + |
| 55 | + |
| 56 | +| Hash MD5 | `9da2a54e98ddb9a0adb4ace3dda4d8e0` | |
| 57 | +| Hash MD5 | `832efb3fce4b1e16d610d5856f1401bb` | |
| 58 | + |
| 59 | +### Expiration of IOCs and threats |
| 60 | + |
| 61 | +IOCs and threats will often remain in the system because an IOC, such as an IP address, could go dormant and they reappear as part of another threat. Be aware that over the period, their malicious confidence can be downgraded or upgraded depending upon recent activity. |
| 62 | + |
| 63 | +### Unverified malicious confidence |
| 64 | + |
| 65 | +About 20% of the indicators are unverified. These unverified threats may be real threats, but the CrowdStrike team has not been able to assign a confidence level to them, so they remain in the unverified state. |
| 66 | + |
| 67 | +Unverified is usually an IP address related to a known bad adversary (like Deep Panda) and it’s an IP that was used at some point in that campaign. As we all know, IPs are dynamic. While Deep Panda utilized IP 201.22.52.32 at some point, it doesn’t mean that IP should be marked as bad or a threat, so we label it unverified. It’s more informational than actionable. CrowdStrike is looking at better ways to vet those IPs, for now it’s unverified. CrowdStrike advises you not to do anything with those IPs unless you're seeing malicious activity from one of them. If the state is ever updated, CrowdStrike will change the “last updated” timestamp and the new state will appear. In the meantime, you should treat them as possible candidates for analysis. |
| 68 | + |
| 69 | +CrowdStrike recommends that you start with the highest priority and work down the chain. |
| 70 | + |
| 71 | +## Actors |
| 72 | + |
| 73 | +Threats are grouped by actors, which are based on location. Some threats are tied to nation-state actors. For instance, “Panda” is the umbrella term for all nation-state activity tied to the People’s Republic of China. For more information, see [CrowdStrike documentation](https://www.crowdstrike.com/adversaries/). |
| 74 | + |
| 75 | +Non-nation-state-based threats are categorized by intention, not location. For instance, activist groups like the Syrian Electronic Army are categorized as “Jackal,” which expresses both intent and motivation. The following is the cryptonym system that CrowdStrike uses for threats categorization: |
| 76 | + |
| 77 | +* **Nation-State-Based threats** |
| 78 | + * Panda = China |
| 79 | + * Bear = Russia |
| 80 | + * Kitten = Iran |
| 81 | + * Tiger = India |
| 82 | + * Chollima (a mythical winged horse) = North Korea |
| 83 | +* **Non-Nation-State threats** |
| 84 | + * Jackal = Activist groups |
| 85 | + * Spider = Criminal groups |
| 86 | + |
| 87 | +## Fields in the raw JSON object |
| 88 | + |
| 89 | +--- |
| 90 | +#### `indicator` |
| 91 | +**Data Type:** string<br/> |
| 92 | +**Description:** The indicator that was queried. |
| 93 | + |
| 94 | +--- |
| 95 | +#### `Type` |
| 96 | +**Data Type:** string<br/> |
| 97 | +**Description:** The type of the indicator<br/> |
| 98 | +**Values:** |
| 99 | + |
| 100 | +* binary_string |
| 101 | +* compile_time |
| 102 | +* device_name |
| 103 | +* domain |
| 104 | +* email_address |
| 105 | +* email_subject |
| 106 | +* event_name |
| 107 | +* file_mapping |
| 108 | +* file_name |
| 109 | +* file_path |
| 110 | +* hash_ion |
| 111 | +* hash_md5 |
| 112 | +* hash_sha1 |
| 113 | +* hash_sha256 |
| 114 | +* ip_address |
| 115 | +* ip_address_block |
| 116 | +* mutex_name |
| 117 | +* password |
| 118 | +* persona_name |
| 119 | +* phone_number |
| 120 | +* port |
| 121 | +* registry |
| 122 | +* semaphore_name |
| 123 | +* service_name |
| 124 | +* url |
| 125 | +* user_agent |
| 126 | +* username |
| 127 | +* x509_serial |
| 128 | +* x509_subject |
| 129 | + |
| 130 | +--- |
| 131 | +#### `report` |
| 132 | +**Data Type:** string<br/> |
| 133 | +**Description:** The report ID that the indicator is associated with (e.g., CSIT-XXXX, CSIR-XXXX, etc). The report list is also represented under the labels list in the JSON data structure. |
| 134 | + |
| 135 | +--- |
| 136 | +#### `actor` |
| 137 | +**Data Type:** string<br/> |
| 138 | +**Description:** The named Actor that the indicator is associated with (e.g. panda, bear, spider, etc). The actor list is also represented under the labels list in the JSON data structure. |
| 139 | + |
| 140 | +--- |
| 141 | +#### `malicious_confidence` |
| 142 | + |
| 143 | +**Data Type:** string<br/> |
| 144 | +**Description:** Indicates a confidence level by which an indicator is considered to be malicious. For example, a malicious file hash may always have a value of high while domains and IP addresses will very likely change over time. The malicious confidence level is also represented under the labels list in the JSON data structure.<br/> |
| 145 | +Once an indicator has been marked with a malicious confidence level, it continues to have that confidence level value until updated by CrowdStrike. If you think there is a false positive, please file a Support ticket, and we'll work with CrowdStrike to investigate the IOC in question and update the threat details.<br/> |
| 146 | +**Values:** |
| 147 | + |
| 148 | +* high |
| 149 | +* medium |
| 150 | +* low |
| 151 | +* unverified—This indicator has not been verified by a CrowdStrike Intelligence analyst or an automated system. |
| 152 | +* null—Indicates that Sumo Logic has no information about the threat record. |
| 153 | + |
| 154 | +--- |
| 155 | +#### `published_date` |
| 156 | + |
| 157 | +**Data Type:** Timestamp in standard Unix time, UTC.<br/> |
| 158 | +**Description:** This is the date the indicator was first published. |
| 159 | + |
| 160 | +--- |
| 161 | +#### `last_updated` |
| 162 | +**Data Type**: Timestamp in standard Unix time, UTC.<br/> |
| 163 | +**Description**: This is the date the indicator was last updated in CrowdStrike internal database. |
| 164 | + |
| 165 | +--- |
| 166 | +#### `malware_family` |
| 167 | + |
| 168 | +**Data Type**: string<br/> |
| 169 | +**Description**: Indicates the malware family an indicator has been associated with. An indicator may be associated with more than one malware family. The malware family list is also represented under the labels list in the JSON data structure. |
| 170 | + |
| 171 | +--- |
| 172 | +#### `kill_chain` |
| 173 | + |
| 174 | +**Data Type:** string<br/> |
| 175 | +**Description:** The point in the kill chain at which an indicator is associated. The kill chain list is also represented under the labels list in the JSON data structure.<br/> |
| 176 | +**Values:** |
| 177 | +* reconnaissance—This indicator is associated with the research, identification, and selection of targets by a malicious actor. |
| 178 | +* weaponization—This indicator is associated with assisting a malicious actor create malicious content. |
| 179 | +* delivery—This indicator is associated with the delivery of an exploit or malicious payload. |
| 180 | +* exploitation—This indicator is associated with the exploitation of a target system or environment. |
| 181 | +* installation—This indicator is associated with the installation or infection of a target system with a remote access tool or other tool allowing for persistence in the target environment. |
| 182 | +* c2 (Command and Control)—This indicator is associated with malicious actor command and control. |
| 183 | +* actionOnObjectives—This indicator is associated with a malicious actor's desired effects and goals. |
| 184 | + |
| 185 | +--- |
| 186 | +#### `labels` |
| 187 | + |
| 188 | +**Data Type:** string<br/> |
| 189 | +**Description:** The Intel Indicators API provides additional context around an indicator via the labels list. Some of these labels, such as `malicious_confidence` are accessible via the top-level data structure. All labels, including their associated timestamps, will be accessible via the labels list. The url string will look like: `https://intelapi.crowdstrike.com/indicator/v1/search/labels?equal=DomainType/DynamicDNS`. |
| 190 | + |
| 191 | +| IOC Type | Values | |
| 192 | +|:-------------------|:----------------------------------------| |
| 193 | +| **DomainType** | - DomainType/ActorControlled: It is believed the malicious actor is still in control of this domain.<br/>- DomainType/DGA: Domain is the result of malware utilizing a domain generation algorithm.<br/>- DomainType/DynamicDNS: Domain is owned or used by a dynamic DNS service.<br/>- DomainType/DynamicDNS/Afraid: Domain is owned or used by the Afraid.org dynamic DNS service.<br/>- DomainType/DynamicDNS/DYN: Domain is owned or used by the DYN dynamic DNS service.<br/>- DomainType/DynamicDNS/Hostinger: Domain is owned or used by the Hostinger dynamic DNS service.<br/>- DomainType/DynamicDNS/noIP: Domain is owned or used by the NoIP dynamic DNS service.<br/>- DomainType/DynamicDNS/Oray: Domain is owned or used by the Oray dynamic DNS service.<br/>- DomainType/KnownGood: Domain itself (or the domain portion of a URL) is known to be legitimate, despite having been associated with malware or malicious activity.<br/>- DomainType/LegitimateCompromised: Domain does not typically pose a threat but has been compromised by a malicious actor and may be serving malicious content.<br/>- DomainType/PhishingDomain: Domain has been observed to be part of a phishing campaign.<br/>- DomainType/Sinkholed: Domain is being sinkholed, likely by a security research team. This indicates that, while traffic to the domain likely has a malicious source, the IP address to which it is resolving is controlled by a legitimate third party.<br/>- DomainType/StrategicWebCompromise: Indicates targeted activity, often compromising a legitimate domain used as a watering hole by targeted organizations.<br/>- DomainType/Unregistered: Domain is not currently registered with any registrars. | |
| 194 | +| **EmailAddressType** | - EmailAddressType/DomainRegistrant: Email address has been supplied in the registration information for known malicious domains.<br/>- EmailAddressType/SpearphishSender: Email address has been used to send spearphishing emails. | |
| 195 | +| | **IntelNews**: The Intel Flash Report ID an indicator is associated with (e.g., IntelNews/NEWS-060520151900). | |
| 196 | +| **IPAddressType** | - IPAddressType/HtranDestinationNode: An IP address with this label is being used as a destination address with the HTran Proxy Tool.<br/>- IPAddressType/HtranProxy: An IP address with this label is being used as a relay or proxy node with the HTran Proxy Tool.<br/>- IPAddressType/LegitimateCompromised: It is suspected an IP address with this label is compromised by malicious actors.<br/>- IPAddressType/Parking: IP address is likely being used as a parking IP address.<br/>- IPAddressType/PopularSite: IP address could be utilized for a variety of purposes and may appear more frequently than other IPs.<br/>- IPAddressType/SharedWebHost: IP address may be hosting more than one website.<br/>- IPAddressType/Sinkhole: IP address is likely a sinkhole being operated by a security researcher or vendor.<br/>- IPAddressType/TorProxy: IP address is acting as a TOR (The Onion Router) proxy. | |
| 197 | +| **Status** | - Status/ConfirmedActive: Indicator is likely to be currently supporting malicious activity.<br/>- Status/ConfirmedInactive: Indicator is no longer used for malicious purposes. | |
| 198 | +| **Target** | The activity associated with this indicator is known to target the indicated vertical sector:<br/>- Aerospace<br/>- Agricultural<br/>- Chemical<br/>- Defense<br/>- Dissident<br/>- Energy<br/>- Extractive<br/>- Financial<br/>- Government<br/>- Healthcare<br/>- Insurance<br/>- InternationalOrganizations<br/>- Legal<br/>- Manufacturing<br/>- Media<br/>- NGO<br/>- Pharmaceutical<br/>- Research<br/>- Retail<br/>- Shipping<br/>- Technology<br/>- Telecom<br/>- Transportation<br/>- Universities | |
| 199 | +| **ThreatType** | - ThreatType/ClickFraud: Indicator is used by actors engaging in click or ad fraud.<br/>- ThreatType/Commodity: Indicator is used with commodity-type malware such as Zeus or Pony Downloader.<br/>- ThreatType/PointOfSale: Indicator is associated with activity targeting point-of-sale machines such as AlinaPoS or BlackPoS.<br/>- ThreatType/Ransomware: Indicator is associated with ransomware malware such as Cryptolocker or Cryptowall.<br/>- ThreatType/Suspicious: Indicator is not currently associated with a known threat type but should be considered suspicious.<br/>- ThreatType/Targeted: Indicator is associated with a known actor suspected to be associated with a nation-state such as DEEP PANDA or ENERGETIC BEAR.<br/>- ThreatType/TargetedCrimeware: Indicator is associated with a known actor suspected to be engaging in criminal activity. | |
| 200 | +| **Vulnerability** | The CVE-XXXX-XXX vulnerability the indicator is associated with (e.g., [CVE-2012-0158](https://intelapi.crowdstrike.com/indicator/v1/search/labels?equal=vulnerability/CVE-2012-0158)). | |
| 201 | + |
| 202 | +## FAQs |
| 203 | + |
| 204 | +### How often do you refresh the threat feed from CrowdStrike? |
| 205 | + |
| 206 | +The database is updated once per day. We have implemented a multi-layer cache for performance enhancements rather than returning to the master database on each query. |
| 207 | + |
| 208 | +### Can I export all of the threats from Sumo Logic? |
| 209 | + |
| 210 | +No, we do not allow an export of the threat Intel feeds as that is confidential to CrowdStrike. However, we will match lookups from your logs against the entire threat database. You will ONLY see data returned when you have a match against the database to a specific threat from your log data (for example, IP, domain, email, etc.) via the lookup operator. |
| 211 | + |
| 212 | +### Is threat lookup real-time using Continuous Queries (CQs)? |
| 213 | + |
| 214 | +Yes. You can scan for malicious Indicators of Compromise (IOCs) in real time [using the lookup search operator](/docs/security/threat-intelligence/find-threats/#use-the-lookup-search-operator). |
| 215 | + |
| 216 | +### Can I historically search my logs for threats? |
| 217 | + |
| 218 | +Yes, you can search any log data that is still retained and searchable using the Sumo Logic platform. However, we suggest that you break up historical searches into smaller and more manageable chunks based on time range and/or source category for performance reasons. |
| 219 | + |
| 220 | +### If I do not see any results in any dashboard, is that a bad thing? |
| 221 | + |
| 222 | +No. No results in your dashboards can mean that nothing has been identified by CrowdStrike as a threat, verified or unverified. |
| 223 | + |
| 224 | +It could be a case-sensitivity issue. In Sumo Logic, the equal sign (`=`) and the not equal to sign (`!=`) conditions are case-sensitive. When you use them with Sumo Logic operators you may need to convert the string to which the condition is applied to upper or lower case. For more information, see [Using toLowerCase or toUpperCase with an equating condition](/docs/search/search-query-language/search-operators/tolowercase-touppercase/#using-tolowercaseor-touppercase-with-an-equating-condition). |
| 225 | + |
| 226 | +### I found an IOC in VirusTotal (or any other third-party threat feed), but why can’t I find that IOC in CrowdStrike using the Sumo Logic lookup? |
| 227 | + |
| 228 | +CrowdStrike focuses on quality versus quantity when it comes to threat assessment. They have a dedicated intel team that does that work. A threat from a third-party feed may not be present in CrowdStrike threats because it has been rejected by the CrowdStrike intel assessment team. |
| 229 | + |
| 230 | +### I found threats in my network, now what do I do? How do I get more context about threats? |
| 231 | + |
| 232 | +The next step would be to look at the raw JSON field from the query. Fields such as `ip_address_types`, `labels`, `relations`, and `malware_families` in the JSON object provide more contextual information about threats. |
| 233 | + |
| 234 | +``` |
| 235 | +{ |
| 236 | +"indicator": "104.198.196.36", |
| 237 | + "type": "ip_address", |
| 238 | + "last_updated": 1476946769, |
| 239 | + "published_date": 1476946767, |
| 240 | + "malicious_confidence": "unverified", |
| 241 | + "reports": [], |
| 242 | + "actors": [], |
| 243 | + "malware_families": [ ], |
| 244 | + "kill_chains": [], |
| 245 | + "domain_types": [], |
| 246 | + "ip_address_types": [ |
| 247 | + "SSHScanner" |
| 248 | + ], |
| 249 | + "relations": [], |
| 250 | + "labels": [ |
| 251 | + { |
| 252 | + "name": "ThreatType/Suspicious", |
| 253 | + "created_on": 1476946768, |
| 254 | + "last_valid_on": 1476946768 |
| 255 | + }, |
| 256 | + { |
| 257 | + "name": "IPAddressType/SSHScanner", |
| 258 | + "created_on": 1476946768, |
| 259 | + "last_valid_on": 1476946768 |
| 260 | + } |
| 261 | + ] |
| 262 | +} |
| 263 | +``` |
| 264 | + |
| 265 | +With the malware family and other information, you can search the internet for more as there is often data readily available on known threats. In addition, if you would like more robust information, you can contact CrowdStrike directly and purchase individual reports or discuss upgrading to CrowdStrike Premium which includes more detailed reports. |
0 commit comments