Malware detection is an essential capability for modern businesses that helps them identify threats and malicious activity posing a risk to their environments, investigate them, and respond quickly.
Threat intelligence feeds are trusted sources of information about potential cyber threats, such as malicious activity. However, incorporating threat feeds into your data to detect suspicious activity can require complex configuration, which often leads to this important source of information being underutilized.
The Coralogix Unified Threat Intelligence relies on our Streama© technology to provide you with built-in, seamless integration with some of the world’s leading threat intelligence feeds, covering hundreds of thousands of threat entities curated by our security experts.
Coralogix does not require any API integration, special syntax, or format change. It automatically enriches your data with malicious indicators in real-time as they are streamed, allowing you to query, visualize, and alert on potential threats.
Enriched information is then stored in your own remote storage. This allows you to query it directly from Coralogix with infinite retention and even research the data with external tools.
Take a look at these use-cases to get a feel for the many ways that our Unified Threat Intelligence can serve you.
Use-Case 1: Detection of Phishing Attempts
Phishing is a social engineering attack in which an attacker impersonates a legitimate website to trick people into sharing credentials or sensitive information, or into installing malware. The Unified Threat Intelligence helps you detect any network activity from your organization’s environment to a reported phishing website, allowing you to identify which users were involved and investigate the impact.
Use-Case 2: Detection of Browsing of Malicious Websites
Phishing is the number one attack vector to infiltrate your organization by obtaining user credentials. The Unified Threat Intelligence helps you detect any user visiting a phishing site (through domain/URL) or a phishing site that is hosted on your infrastructure.
Use-Case 3: Detection of Potential Data Exfiltration
Malware installed on an internal machine in your environment may gain access to your sensitive data and exfiltrate it by uploading this data to an attacker’s website. The Unified Threat Intelligence helps you immediately detect network activity to websites reported as malicious, block it, and assess the data leakage that may have occurred.
Use-Case 4: Bot Detection by Command and Control Communication Monitoring
Hackers use bots to perform large-scale attacks. These include distributed denial of service (DDoS) attacks that flood a website with connection requests until it stops serving legitimate customers, as well as spam email distribution, fraudulent purchases, and more. Command and control (C&C) communication is used by hackers to send operation commands to the bots. The Unified Threat Intelligence allows you to detect this command and control communication by inspecting your network activity logs and discovering communication to or from command and control servers. Using this feature, you can easily see which machines perform this network activity and are infected with bots.
Use-Case 5: Detection of Brute-Force Scanning
Hackers use brute-force scanning to sweep your network environment and find exposed resources that allow them to penetrate your environment and attack it. The Unified Threat Intelligence allows you to detect incoming network traffic from IPs and servers reported as malicious. With this improved visibility, you can block those requests, assess any risk and its impact, and immediately decide upon mitigation steps.
Threat intelligence feeds are trusted sources of information about potential cyber threats, curated by researchers and security analysts. For example, some feeds contain lists of servers that are detected to be involved in malicious activities. Organizations can use this information to detect any network activity between their environment and these potentially malicious servers, which may result in malware infection and risk to their environment.
Coralogix security experts curated this leading threat intel to work with:
The Unified Threat Intelligence searches the IP, URL, and domain values in selected log keys in your network activity logs and checks if they are reported as malicious by these threat intelligence feeds. Coralogix reads these feeds once a day to provide you with immediate, up-to-date detection of newly reported threats.
If an IP, URL, or domain value in your log is reported as malicious, a new field named <key_name>_suspected is added to the relevant log, where key_name is the original log key, as shown in the example below.
The <key_name>_suspected field contains the following fields:
malicious_value field with the actual value reported to be malicious.
reporting_feeds field with a list of feeds that reported this value as malicious.
This enrichment is completed automatically while your logs are being streamed into Coralogix. All you need to do is to define which log keys contain IPs, URLs, or domains that should be looked up in the threat intelligence feeds and enriched upon a match.
To get the best value, it is recommended to create alerts based on these enriched logs, to be notified as soon as possible upon detection of potential malicious network traffic and respond immediately.
STEP 1. In your Coralogix toolbar, navigate to Data Flow > Data Enrichment.
STEP 2. Select the JSON keys containing IPs, URLs or domains to be looked up and enriched with malicious activity indicators.
STEP 3. Click ADD KEY.
Coralogix will search the IP, URL and domain values in the selected log keys to check if they are reported as malicious using threat intelligence feeds.
After configuring the log keys to be looked up and enriched by the Unified Threat Intelligence, it is recommended to use the following methods to gain optimal visibility into malicious network traffic in your environment, be notified in real-time, and respond immediately.
STEP 1. In the Explore screen, run a query to retrieve all enriched logs with
If you want to rely on a specific feed that you trust, search for the enriched field with the name of the specific feed from the list above.
STEP 2. Look at the log fields to learn who the user was, which machine was involved and might be infected, and more. Some of the feeds include additional fields with more details about the threat, such as the time when it was first detected as malicious or a link to the feed’s website allowing you to read more details about the particular threat.
This will allow you to investigate the issue, examine the impact on your organization, assess the risk and plan the remediation steps if required.
To be notified immediately once network traffic to a potentially malicious server is detected, it is recommended to create an alert that is triggered once a log with a <key_name>_suspected field is received.
Some of the extensions, such as “Snowbit STA”, automatically configure their product log keys to be enriched by the Unified Threat Intelligence, as well as add predefined alerts to notify you immediately upon detection of malicious activity.
Build custom dashboards to get an overview of all malicious activities done in your environment, including involved users, infected machines, and trends over time by querying logs that contain the enriched
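The following is an added example, not Coralogix code: it simulates the <key_name>_suspected enrichment described above against a constructed indicator set, then applies the alert, trusted-feed filter and per-machine dashboard counts from the steps above to constructed JSON network logs. Feed names, log keys and indicator values are placeholders, not the real feeds or any real traffic.

```python
import json
from collections import Counter

# Constructed indicator set standing in for the threat feeds (placeholder feed names, not Coralogix's feeds).
FEED_INDICATORS = {
    "feed_a": {"198.51.100.23", "evil.example"},
    "feed_b": {"198.51.100.23", "http://phish.example/login"},
}

def enrich(log, lookup_keys):
    """Add a <key_name>_suspected field for every configured key whose value a feed reports as malicious."""
    out = dict(log)
    for key in lookup_keys:
        value = log.get(key)
        if value is None:
            continue
        feeds = sorted(name for name, iocs in FEED_INDICATORS.items() if value in iocs)
        if feeds:
            out[f"{key}_suspected"] = {"malicious_value": value, "reporting_feeds": feeds}
    return out

def suspected_hits(log, trusted_feed=None):
    """Yield (original_key, malicious_value, feeds) per *_suspected field; optionally keep only a trusted feed's hits."""
    hits = []
    for field, detail in log.items():
        if not field.endswith("_suspected") or not isinstance(detail, dict):
            continue
        feeds = detail.get("reporting_feeds", [])
        if trusted_feed is not None and trusted_feed not in feeds:
            continue
        hits.append((field[: -len("_suspected")], detail["malicious_value"], feeds))
    return hits

def triage(json_lines, lookup_keys, trusted_feed=None):
    """Return the alerts an analyst would receive plus per-host hit counts for a dashboard."""
    alerts, per_host = [], Counter()
    for line in json_lines:
        log = enrich(json.loads(line), lookup_keys)
        for key, value, feeds in suspected_hits(log, trusted_feed):
            alerts.append({"host": log.get("src_host"), "user": log.get("user"), "key": key, "value": value, "feeds": feeds})
            per_host[log.get("src_host")] += 1
    return alerts, per_host

# Constructed network-activity logs (sample data only).
SAMPLE_LOGS = [
    '{"src_host": "ws-01", "user": "alice", "dst_ip": "198.51.100.23", "url": "http://phish.example/login"}',
    '{"src_host": "ws-02", "user": "bob", "dst_ip": "203.0.113.5", "url": "https://intranet.example/"}',
    '{"src_host": "ws-01", "user": "alice", "dst_ip": "203.0.113.9", "domain": "evil.example"}',
]
```

Calling triage(SAMPLE_LOGS, ["dst_ip", "url", "domain"]) returns three alerts, all from ws-01; passing trusted_feed="feed_b" drops the domain hit that only feed_a reported.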
Our world-class customer success team is available 24/7 to walk you through your setup and answer any questions that may come up.
Feel free to reach out to us via our in-app chat or by sending us an email at [email protected].