I'm curious about the community's thoughts and approach to this idea we've been kicking around.
We would like to tag attributes based on correlations with other attributes from different sources. Then use these tags to determine what is done with the attributes (export to an external tool, etc.).
Example:
Attribute "A" is associated with Event "A", which is from Threat Feed "A". If this attribute (Attribute "A") is also found in an event we'll call Event "B" from Threat Feed "B", we'd like to assign a tag to Attribute "A" describing that it's been confirmed by multiple sources.
What would be the best way to go about this? Have a script that runs daily and checks attributes modified in the last day for correlations, and write some logic around tagging attributes that meet the above criteria? Or is there a different mechanism people would recommend for doing this?
The problem we're trying to address is that we're getting attributes from feeds that we don't feel confident to act on alone, but if the attribute was confirmed by multiple sources, we'd have a higher confidence level.
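The daily correlation pass sketched in the post, as an added example that is not from the original discussion or from any platform's own code. It runs over constructed in-memory records (fetching the attributes and applying the tag through the platform's API is assumed to happen around it), counts distinct feeds per value rather than events, so two events from the same feed are not treated as independent confirmation, and tags by value rather than by row, so an older copy from Feed "A" is upgraded when Feed "B" sights the same indicator.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


# Constructed sample records standing in for attributes pulled from the platform.
@dataclass(frozen=True)
class Attr:
    id: int
    value: str
    event_id: int
    feed: str          # the feed/source the attribute's event came from
    modified: datetime


NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)  # fixed "now" so the run is reproducible
SAMPLE = [
    Attr(1, "evil.example", 100, "feed-a", NOW - timedelta(hours=2)),
    Attr(2, "EVIL.example", 200, "feed-b", NOW - timedelta(days=3)),  # same indicator, other feed
    Attr(3, "203.0.113.5", 101, "feed-a", NOW - timedelta(hours=1)),
    Attr(4, "203.0.113.5", 102, "feed-a", NOW - timedelta(hours=1)),  # same feed twice: one source
    Attr(5, "lonely.example", 300, "feed-c", NOW - timedelta(hours=5)),
]

MULTI_SOURCE_TAG = "confidence:multi-source"  # placeholder tag name; use your own taxonomy


def norm(value: str) -> str:
    """Normalize so 'EVIL.example' and 'evil.example' correlate."""
    return value.strip().lower()


def sources_by_value(attrs):
    """Map each normalized value to the set of distinct feeds it was seen in."""
    seen = defaultdict(set)
    for a in attrs:
        seen[norm(a.value)].add(a.feed)
    return seen


def tag_decisions(attrs, now, window=timedelta(days=1), min_sources=2):
    """Return {attribute_id: tag} for every attribute whose value was modified
    within `window` (the daily delta) and is known from >= `min_sources` feeds."""
    sources = sources_by_value(attrs)
    # Tag by value, not by row: a fresh sighting from feed B must also upgrade
    # the older copy feed A gave us, which a modified-since filter alone would skip.
    touched = {norm(a.value) for a in attrs if now - a.modified <= window}
    return {a.id: MULTI_SOURCE_TAG for a in attrs
            if norm(a.value) in touched and len(sources[norm(a.value)]) >= min_sources}


if __name__ == "__main__":
    for attr_id, tag in sorted(tag_decisions(SAMPLE, NOW).items()):
        print(f"attribute {attr_id}: add tag {tag}")
```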