Submitting new feature for this group is closed.
0
vote

Create Custom Leads Based on the Combination of Multiple Data Sources

The key value of an XDR platform is the ability to see events that seem benign to a single tool, but become apparent when looking at the intelligence provided by multiple data sources. Custom leads should be able to include boolean AND/OR conditions referencing multiple data sources within a single lead. (Screen mock up attached).

1
votes
approved

Allow for custom lists of bad IP addresses in ThreatDB

Give the user the ability to enter custom lists of bad IP addresses for ThreatDB, like the ones included in bulletins like US CERT CISA.

1
votes
approved

Allow searching for lists of IP addresses

Have a way for the user to paste a list of IP addresses in a search window and get a search query automatically generated. The query should be like this:

[(clientIP IN ('112.175.92.57', '113.114.117.122', '128.200.115.228', '137.139.135.151', '181.39.135.126', '186.169.2.237', '197.211.212.59', '21.252.107.198', '26.165.218.44', '47.206.4.145', '70.224.36.194', '81.94.192.10', '81.94.192.147', '84.49.242.125', '97.90.44.200')
  OR serverIP IN ('112.175.92.57', '113.114.117.122', '128.200.115.228', '137.139.135.151', '181.39.135.126', '186.169.2.237', '197.211.212.59', '21.252.107.198', '26.165.218.44', '47.206.4.145', '70.224.36.194', '81.94.192.10', '81.94.192.147', '84.49.242.125', '97.90.44.200')
  OR senderHost IN ('112.175.92.57', '113.114.117.122', '128.200.115.228', '137.139.135.151', '181.39.135.126', '186.169.2.237', '197.211.212.59', '21.252.107.198', '26.165.218.44', '47.206.4.145', '70.224.36.194', '81.94.192.10', '81.94.192.147', '84.49.242.125', '97.90.44.200'))
 AND (created_at >= CURRENT_TIMESTAMP() - INTERVAL 30 DAY)]
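
A sketch of the paste-to-query generation this request describes, as an added example that is not part of the original post or of the product. The field names and the 30-day window come from the query above; the function names, the handling of defanged addresses (`1.2.3[.]4`) and the sample input are assumptions.

```python
import ipaddress
import re

# Field names and the 30-day default are taken from the query in the post above.
IP_FIELDS = ("clientIP", "serverIP", "senderHost")
# Candidate dotted quads, optionally defanged as 1.2.3[.]4 (assumed bulletin style).
_CANDIDATE = re.compile(r"(?<![\d.])\d{1,3}(?:\[?\.\]?\d{1,3}){3}(?!\d|\.\d)")


def extract_ips(pasted: str) -> list[str]:
    """Return the unique, valid IPv4 addresses in pasted text, in first-seen order."""
    seen, result = set(), []
    for token in _CANDIDATE.findall(pasted):
        refanged = token.replace("[", "").replace("]", "")
        try:
            ip = str(ipaddress.IPv4Address(refanged))
        except ipaddress.AddressValueError:
            continue  # looks like an address but is not one, e.g. 999.1.1.1
        if ip not in seen:
            seen.add(ip)
            result.append(ip)
    return result


def build_query(pasted: str, days: int = 30) -> str:
    """Build the multi-field IN query from free-form pasted text."""
    ips = extract_ips(pasted)
    if not ips:
        raise ValueError("no valid IP addresses found in input")
    # Only strings that parsed as IPv4Address are interpolated, so pasted
    # text cannot carry quotes or operators into the generated query.
    in_list = ", ".join(f"'{ip}'" for ip in ips)
    clauses = " OR ".join(f"{field} IN ({in_list})" for field in IP_FIELDS)
    return (f"({clauses}) AND "
            f"(created_at >= CURRENT_TIMESTAMP() - INTERVAL {int(days)} DAY)")


# Constructed sample input using documentation-range addresses, not from the post.
SAMPLE = """
192.0.2.10, 198.51.100[.]7
203.0.113.5  192.0.2.10   <- duplicate
999.1.1.1 ' OR 1=1 --
"""

if __name__ == "__main__":
    print(build_query(SAMPLE))
```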