6. Understanding Threat Intelligence

Threat Intelligence feeds are used by HAWK’s Analytics to determine if an external resource is a known bad actor.

6.1. Working with Threat Intelligence

A variety of activities can be performed on the Threat Intelligence Feeds, such as creating new Feeds and exporting, importing, moving, and deleting existing ones.

6.1.1. Viewing the Threat Intelligence Dashboard

To view the Threat Intelligence Dashboard, follow these steps:

  1. To access the Scores, click on Analytics ‣ Threat Intelligence.

The Threat Intelligence Feed section shows the following information:

  • Name - Name for Threat Intelligence feed.

  • Enabled - If the feed is enabled or not.

  • Group - Group name the feed belongs to.

  • Updates - Next planned time to update the feed.

  • Last Updated - Last time feed was updated.

  • Date Added - Date feed was added to the system.

6.1.2. Change the Group on the Threat Intelligence Dashboard

When an analyst is working with the Scores for different Groups, they can select a different Group by following these steps:

  1. To access the Threat Intelligence Dashboard, click on Analytics ‣ Threat Intelligence.

  2. On the top right side of the Threat Intelligence Management window, click on the Group link. (In this example, the Group is (Root).)

  3. The “Select Group” window opens.

  4. Click on the desired group.

  5. Click on the OK button. The selected Group is changed on the Threat Intelligence Management window, and the information displayed reflects the data in the selected Group.

6.2. Managing Threat Intelligence

There are a variety of activities that can be performed on Threat Intelligence, including defining new Feeds, exporting and importing data into and out of the Dashboard, and deleting the Feeds. This section provides the steps to perform each of these functions.

6.2.1. Creating New Threat Intelligence Feeds

If new Feeds are needed, perform the following steps:

  1. To access the Threat Intelligence Dashboard, click on Analytics ‣ Threat Intelligence.

  2. Click on the Add button.

  3. The “Threat Intel Entry” window opens.

  4. Enter the name of the new Feed being created in the Name field.

  5. To activate the Feed, check the box next to Enabled.

  6. Choose an Update Schedule.

  7. Choose the format for the Feed, either CSV or Address per line.

  8. In the Values field, enter the URL where the feed is located.

  9. Select the Group for the new Feed.

  10. When all the values are entered, click on the Ok button to add the new Feed. To cancel adding the new Feed, click on the Cancel button.

Note

It may take up to 30 minutes for the initial feed to be downloaded and processed.
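
The following is an added example, not part of the HAWK documentation: a pre-flight check to run on a feed's content before entering its URL in the Values field, so that malformed lines, duplicates, and entries covering your own internal address space are caught before the feed is enabled. It assumes that addresses are IP addresses or CIDR ranges, that a CSV feed carries the address in its first column, and that lines starting with # are comments; the page does not document HAWK's own parsing rules, and `check_feed` is a hypothetical helper name.

```python
import csv
import io
import ipaddress

# Ranges that should never appear in a feed of external bad actors.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def check_feed(text, fmt="line"):
    """Split a feed body into (accepted, rejected) entries.

    fmt: "line" = one address per line; "csv" = address in the first
    column (assumed layout, the page does not define the CSV columns).
    """
    if fmt == "csv":
        rows = [r[0] if r else "" for r in csv.reader(io.StringIO(text))]
    else:
        rows = text.splitlines()
    accepted, rejected, seen = [], [], set()
    for lineno, raw in enumerate(rows, 1):
        item = raw.strip()
        if not item or item.startswith("#"):  # blank line or comment (assumed)
            continue
        try:
            net = ipaddress.ip_network(item, strict=False)
        except ValueError:
            rejected.append((lineno, item, "not an IP address or CIDR"))
            continue
        if any(r.version == net.version and net.overlaps(r) for r in INTERNAL):
            rejected.append((lineno, item, "overlaps internal address space"))
        elif net in seen:
            rejected.append((lineno, item, "duplicate"))
        else:
            seen.add(net)
            accepted.append(str(net))
    return accepted, rejected

# Constructed sample feeds (documentation-range addresses, not real indicators).
LINE_FEED = "# sample\n203.0.113.7\n198.51.100.0/24\n10.1.2.3\n203.0.113.7\nnot-an-ip\n"
CSV_FEED = "192.0.2.10,scanner\n192.168.1.1,misconfigured entry\n0.0.0.0/0,catch-all\n"

if __name__ == "__main__":
    for name, body, fmt in (("line", LINE_FEED, "line"), ("csv", CSV_FEED, "csv")):
        ok, bad = check_feed(body, fmt)
        print(name, "accepted:", ok)
        for entry in bad:
            print(name, "rejected:", entry)
```

A catch-all entry such as 0.0.0.0/0 is rejected because it overlaps every internal range, which is the case most likely to flag legitimate traffic as a known bad actor.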

6.2.2. Updating New Threat Intelligence Feeds

The Feeds can be updated at any time by following these steps:

  1. To access the Threat Intelligence Dashboard, click on Analytics ‣ Threat Intelligence.

  2. Double click on any Threat Intelligence Feed.

  3. The “Threat Intel Entry” window opens.

  4. Make any necessary changes to Enabled, Update Schedule, Format, Values, or Group.

  5. After updating the values, click on the Ok button to update the Feed. To cancel adding the new Feed, click on the Cancel button.

6.2.3. Moving Feeds to Another Group

The Threat Intelligence Feeds can be moved to another Group at any time by following these steps:

  1. To access the Scores Dashboard, click on Analytics ‣ Threat Intelligence.

  2. Click on the Feed or Feeds to move.

  3. Click on Action ‣ Move.

  4. The “Select Group” window will open.

  5. Select the group you want to move your Feed(s) to.

  6. Click the OK button to save your changes.

6.2.4. Exporting Feeds

The Feeds can be exported at any time by following these steps:

  1. To access the Scores Dashboard, click on Analytics ‣ Threat Intelligence.

  2. Select the score or scores you want to export.

  3. Click on Action ‣ Export.

  4. The notification dialog opens to indicate that the selected Score(s) is being exported.

6.2.5. Importing Feeds

The Threat Intelligence Feeds can be imported at any time by following these steps:

  1. To access the Scores Dashboard, click on Analytics ‣ Threat Intelligence.

  2. Navigate to the group into which you want the feeds to be imported.

  3. Click on Action ‣ Import.

  4. The “Choose File to Upload” window opens.

  5. Click on the desired file to import.

  6. Click on the “Open” button.

  7. The selected file is imported into the Threat Intelligence Manager.

6.2.6. Deleting Feeds

If a Score is no longer needed, it can be deleted at any time by following these steps:

  1. To access the Scores Dashboard, click on Analytics ‣ Scores.

  2. Select the feed or feeds you want to delete.

  3. Click on Action ‣ Delete.

  4. The delete confirmation dialog opens to confirm that the correct Feed or Feeds to be deleted are selected. Click on ‘Yes’ to confirm. To cancel the delete, click on the ‘No’ button.