Threat Intelligence
Written by Ahmad

Threat intelligence is the information an organization uses to understand the global cyber threats that may target it and to stay aware of attacks occurring around the world.

SIRP's Threat Intelligence module helps security teams mitigate risks, strengthen incident response, and improve the organization's overall security posture. It enables security analysts to ingest and explore threat advisories and to verify whether each one applies to the organization.

Pending

This is the list of all the ingested threat advisories (from various sources) that are to be reviewed by an analyst.

To access advisories currently in a pending state, go to the Main Menu, select Threat Intelligence, and click on Pending.

Main Menu > Threat intelligence > Pending

You can also view the details of any record, or edit or delete it, by clicking the respective icons under the Actions column.

If you wish to add an advisory, click on the Create Threat Intelligence button at the top left corner.

Fill in the following information on the next page:

  • Title: Title of advisory

  • Receive Date: The date when the advisory was received

  • Release Date: The date the advisory was actually released, i.e. when its status was changed from Pending to Release

  • Severity:

  1. Low

  2. Medium

  3. High

  • Category:

  1. Data Breach

  2. Information Update

  3. Phishing

  4. Social Engineering

  5. Vulnerability, etc.

  • Asset/Type:

  1. Asset: Choose this option if you are tagging a single asset in this advisory.

  2. Asset Type: Choose this option if you are tagging an asset type (comprising multiple assets) in this advisory.

  • Asset Type: Select the asset type to which a particular advisory pertains (the list of available types can be changed from the Admin section).

  • Department: Select the relevant department (the list of departments can be changed from the Admin section).

  • Type: The type of advisory that’s being created:

  1. Advisory

  2. Alert

  3. Informative Update

  4. Update

  • Status:

  1. Pending

  2. Release

  • Analysis Summary: Enter important information about the threat

  • Description: Provide a brief description of the advisory

  • Indicators of Compromise: Add artifacts such as:

  1. Hashes

  2. IP Addresses

  3. Email addresses

  4. Domains

  5. URLs, etc.

  • Affected Vendors: In case of a patch-related advisory, select the vendor of the affected product

  • Affected Products: Select the exact product for which the advisory is being released

  • Impact: Describe the potential impact of the threat

  • Remediation: Provide suggested remediation. For example, apply patches, upgrade software versions, etc.
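An added example (not SIRP's own code) that models the advisory fields listed above and validates the Indicators of Compromise before the record is filed; the field names and allowed values come from this page, while the validation rules, the IoC patterns and the ISO date inputs are assumptions.

```python
# Added example, not SIRP code: models the advisory form fields listed above and
# validates its Indicators of Compromise; allowed values are from the page, the checks are assumptions.
import re
from dataclasses import dataclass, field
from datetime import date

SEVERITIES = {"Low", "Medium", "High"}
ADVISORY_TYPES = {"Advisory", "Alert", "Informative Update", "Update"}

# Assumed classifier for the IoC kinds the form lists (order matters: email and URL
# are tested before the looser domain pattern).
_IOC_PATTERNS = [
    ("hash", re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)),
    ("ip", re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")),
    ("email", re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)),
    ("url", re.compile(r"^https?://\S+$", re.I)),
    ("domain", re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)),
]

def classify_ioc(value: str) -> str:
    """Return the IoC kind (hash, ip, email, url, domain) or raise ValueError."""
    v = value.strip()
    for kind, pattern in _IOC_PATTERNS:
        if pattern.match(v):
            return kind
    raise ValueError(f"unrecognised indicator: {value!r}")

@dataclass
class Advisory:
    title: str
    severity: str               # one of the Severity values the form offers
    advisory_type: str          # one of the Type values the form offers
    receive_date: str           # ISO date the advisory was received; parsed in __post_init__
    status: str = "Pending"     # stays Pending until release() is called
    release_date: "date | None" = None
    iocs: dict = field(default_factory=dict)   # kind -> list of indicators
    def __post_init__(self) -> None:
        if self.severity not in SEVERITIES or self.advisory_type not in ADVISORY_TYPES:
            raise ValueError("severity/type must be one of the values the form offers")
        self.receive_date = date.fromisoformat(self.receive_date)
    def add_ioc(self, value: str) -> str:
        kind = classify_ioc(value)          # malformed indicators are rejected, not stored
        self.iocs.setdefault(kind, []).append(value.strip())
        return kind
    def release(self, on: str) -> None:
        # Release Date is the date the status changed from Pending to Release (assumed sanity checks)
        released = date.fromisoformat(on)
        if self.status != "Pending" or released < self.receive_date:
            raise ValueError("already released, or release date precedes receive date")
        self.status, self.release_date = "Release", released
```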

Release

This list contains the threat advisories that have been released or circulated within an organization. To access Released advisories, open the Main Menu, select Threat Intelligence, and click on Release.

Main Menu > Threat Intelligence > Release

You can also download a list of all the released advisories by clicking on the icon at the top of the page.

Bulk Actions

The Threat Intel module offers users the capability to execute bulk actions on records, including updating and deleting multiple entries simultaneously. This functionality significantly streamlines the management of threat intelligence data.

Using Bulk Actions

  • Record Selection:

    • To execute bulk actions, users must first select the respective records. This is done by clicking on the checkbox next to each record, allowing for the selection of multiple entries.

  • Bulk Actions Button:

    • Located at the top right of the Threat Intel module screen is the "Bulk Actions" button. Once the desired records are selected, click on this button to proceed.

  • Dropdown Options:

    • Upon clicking the "Bulk Actions" button, a dropdown menu appears with two options:

      • Update: This option allows users to update specific attributes of the selected records.

      • Delete: This option initiates the deletion process for the chosen records.

Update Option

  • Bulk Update Widget:

    • If the "Update" option is selected, a new popup form called "Bulk Update" appears.

    • This form provides fields for updating the severity, category, type, and status of the selected records.

Delete Option

  • Confirmation Prompt:

    • When the "Delete" option is chosen, a confirmation toaster notification appears.

    • The user needs to click "OK" on the popup to proceed with the deletion of the selected records.

Importing Threat Intelligence Feeds

  • The "Import" functionality is accessible within the Threat Intel module, specifically under the "Pending" tab. The Import button is located at the top right of the Threat Intel module screen.

  • To start importing, click the "Import" button; a slide-in menu will appear.

  • Click on the "Upload Document" button to start importing threat feeds. The uploaded document should contain information about recent attacks and vulnerabilities.

Reports

Click on the Reports button displayed at the top of the page to generate a report of the released advisories.

You will be directed to a page where you can generate reports by choosing a date range and clicking on the Generate button.

Cases

You can click on the Cases button displayed at the top of the page to view advisory-related cases.

The All tab shows all cases aggregated together, while the Incident, Threat Intel Case, and VM Cases tabs show the cases separated by container.
