Create a demo report to test the sweeping capabilities of Threat Intelligence.

Use the following steps to create a demo report for Threat Intelligence sweeping and generate an alert in the Workbench app.

Procedure

  1. In the Trend Vision One console, go to XDR Threat Investigation > Search.
  2. Search for VPC Flow Log data within the last 30 days.
    Use the Network Activity Data search method and filter by productCode: vpc.
  3. Select an example activity and copy one of the following fields:
    • src: source IP address
    • dst: destination IP address
    • pktSrcAddr: packet source address
    • pktDstAddr: packet destination address
  4. Use the report template to create a custom demo template.
    In the demo template, replace the values for the following attributes under "objects":
    • "name": replace "${name}" with a recognizable name.
      For example, "name": "VPC Flow Log Test"
    • "id": replace "${report_id}" with a report name containing a GUID.
      For example, "id": "report--a763cbf4-3562-456e-a319-ef94e33ead72"
    • "pattern": replace "${pattern}" with the search value.
      This is the IPv4 address value you copied from the search results in the previous step with the format "[ipv4-addr:value = 'x.x.x.x']". For example, if the destination IP address is 8.8.8.8, specify the attribute:value set as "pattern": "[ipv4-addr:value = '8.8.8.8']"
    Use the following code to create the demo template. The demo template is a STIX 2.1 bundle written in JSON format.
    {
        "type": "bundle",
        "id": "bundle--f084b7bb-cec2-4547-b9af-2076359b8647",
        "objects": [
            {
                "created_by_ref": "identity--a9cbc950-6454-4e73-ab75-b2a16c76adc5",
                "name": "${name}",
                "published": "2022-09-09T07:21:23.921Z",
                "modified": "2022-09-09T07:21:23.921Z",
                "report_types": [
                    "indicator"
                ],
                "object_refs": [
                    "identity--a9cbc950-6454-4e73-ab75-b2a16c76adc5",
                    "indicator--491094c9-3245-48b4-9f2e-f53aae86c767"
                ],
                "type": "report",
                "id": "${report_id}",
                "created": "2022-09-09T07:21:23.921Z",
                "spec_version": "2.1"
            },
            {
                "type": "identity",
                "id": "identity--a9cbc950-6454-4e73-ab75-b2a16c76adc5",
                "created": "2022-09-09T07:21:23.921Z",
                "modified": "2022-09-09T07:21:23.921Z",
                "spec_version": "2.1"
            },
            {
                "valid_from": "2022-09-09T07:21:10Z",
                "created_by_ref": "identity--a9cbc950-6454-4e73-ab75-b2a16c76adc5",
                "created": "2022-09-09T07:21:23.921Z",
                "pattern": "${pattern}",
                "pattern_type": "stix",
                "labels": [
                    "malicious-activity"
                ],
                "modified": "2022-09-09T07:21:23.921Z",
                "type": "indicator",
                "id": "indicator--491094c9-3245-48b4-9f2e-f53aae86c767",
                "spec_version": "2.1",
                "description": ""
            }
        ]
    }
    For best results, save the file as {report_id}.json including the GUID in the filename.
  5. Go to Threat Intelligence > Intelligence Reports > Custom.
  6. Click Add.
  7. For Method, select STIX file.
  8. Click Select File... and locate the demo template file you created.
  9. Click Submit.
  10. Locate the custom report you created and click the options icon.
  11. Select Start Sweeping to run the report.
    If configured correctly, a matched sweep appears with a linked Workbench alert. Click the link to view the alert in the Workbench app.
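The template-filling part of this procedure (steps 3 and 4), as an added Python example that is not part of the Trend Micro documentation: it validates the copied IPv4 address, builds the "[ipv4-addr:value = 'x.x.x.x']" pattern, mints fresh GUIDs for the report, identity and indicator, and names the output file {report_id}.json. The identity "name" value and the function names are this example's own assumptions.

```python
"""Build a demo STIX 2.1 report bundle for one IPv4 indicator, matching the page's template."""
import ipaddress
import json
import uuid
from datetime import datetime, timezone
from typing import Optional


def build_pattern(ip: str) -> str:
    """Return the STIX pattern for an IPv4 address; reject IPv6 or non-address input."""
    addr = ipaddress.ip_address(ip)  # raises ValueError for anything that is not an IP address
    if addr.version != 4:
        raise ValueError(f"expected an IPv4 address, got {ip!r}")
    return f"[ipv4-addr:value = '{addr}']"


def stix_timestamp(now: datetime) -> str:
    """STIX 2.1 timestamp: RFC 3339 in UTC with millisecond precision, e.g. 2022-09-09T07:21:23.921Z."""
    return now.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def build_demo_report(name: str, ip: str, now: Optional[datetime] = None) -> dict:
    """Fill the page's template: one report, one identity, one indicator, all with fresh GUIDs."""
    stamp = stix_timestamp(now or datetime.now(timezone.utc))
    identity_id = f"identity--{uuid.uuid4()}"
    indicator_id = f"indicator--{uuid.uuid4()}"
    report_id = f"report--{uuid.uuid4()}"
    common = {"spec_version": "2.1", "created": stamp, "modified": stamp}
    return {
        "type": "bundle",
        "id": f"bundle--{uuid.uuid4()}",
        "objects": [
            {"type": "report", "id": report_id, "name": name, "published": stamp,
             "created_by_ref": identity_id, "report_types": ["indicator"],
             "object_refs": [identity_id, indicator_id], **common},
            # "name" is required on identity by the STIX 2.1 spec; the value here is an assumption.
            {"type": "identity", "id": identity_id, "name": "Demo sweep author", **common},
            {"type": "indicator", "id": indicator_id, "created_by_ref": identity_id,
             "pattern": build_pattern(ip), "pattern_type": "stix", "valid_from": stamp,
             "labels": ["malicious-activity"], "description": "", **common},
        ],
    }


def report_filename(bundle: dict) -> str:
    """Name the file after the report object's id, as the page recommends."""
    report = next(o for o in bundle["objects"] if o["type"] == "report")
    return f"{report['id']}.json"


def write_demo_report(name: str, ip: str) -> str:
    """Write the bundle to {report_id}.json in the current directory and return the path."""
    bundle = build_demo_report(name, ip)
    path = report_filename(bundle)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(bundle, fh, indent=4)
    return path
```

Call write_demo_report("VPC Flow Log Test", "8.8.8.8") and upload the resulting file in step 8; the value in quotes after "ipv4-addr:value =" must be an address that actually appears in your VPC Flow Log search results, or the sweep will not match.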