Threat Intelligence Indicators in Cloud SIEM
Threat intelligence indicators can be used in Cloud SIEM to find possible threat activity.
hasThreatMatch Cloud SIEM rules language function
Use the hasThreatMatch function in Cloud SIEM rules to analyze incoming records for matches to threat intelligence indicators.
For example, use the function to match all records whose srcDevice_ip attribute correlates to a threat indicator with a high confidence level (greater than 50):
hasThreatMatch([srcDevice_ip], confidence > 50)
For more information, see hasThreatMatch.
View threat indicators in the Cloud SIEM UI
When an entity is processed by a rule that uses the hasThreatMatch function and the rule matches, the entity is associated with a known indicator that carries a threat type attribute. That attribute is either threatType (in normalized JSON format and CSV format) or indicator_types (in STIX format, as defined by indicator_types in STIX 2.1).
When that occurs, anywhere the entity is displayed in the Cloud SIEM UI, a threat indicator icon or label is shown giving the entity's "reputation" for that threat type:
| Threat type value | Label in the Cloud SIEM UI |
|---|---|
| anomalous-activity | Suspicious |
| anonymization | Suspicious |
| benign | Not Flagged |
| compromised | Malicious |
| malicious-activity | Malicious |
| attribution | (None) |
| unknown (or not set) | Suspicious |
Note that if the mapping produces a threat indicator level of Malicious, but the confidence is less than 60, the entity's reputation will be set to Suspicious instead. If there are multiple reputation values for a given entity (potentially from threat intel and enrichment), Cloud SIEM will show the most severe indicator.
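The following Python script is an added example, not Cloud SIEM's own code: it re-implements the behaviour described above (threat type to label mapping, the downgrade of Malicious to Suspicious when confidence is below 60, and "most severe reputation wins" when several sources report) together with a simplified analogue of the hasThreatMatch check. The indicator field names (value, source), the treatment of a missing confidence as 0, the handling of unlisted threat types as unknown, and the sample indicators are all assumptions made for illustration.

```python
"""Added example: indicator-to-reputation mapping and a simplified hasThreatMatch.
Hypothetical helper code, not Cloud SIEM's implementation; sample data is constructed."""
from enum import IntEnum


class Reputation(IntEnum):
    """Severity order used to pick the most severe reputation across sources."""
    NONE = 0          # shown as "(None)" in the UI
    NOT_FLAGGED = 1
    SUSPICIOUS = 2
    MALICIOUS = 3


LABELS = {
    Reputation.NONE: "(None)",
    Reputation.NOT_FLAGGED: "Not Flagged",
    Reputation.SUSPICIOUS: "Suspicious",
    Reputation.MALICIOUS: "Malicious",
}

# Threat type -> reputation, as listed in the table on this page.
THREAT_TYPE_MAP = {
    "anomalous-activity": Reputation.SUSPICIOUS,
    "anonymization": Reputation.SUSPICIOUS,
    "benign": Reputation.NOT_FLAGGED,
    "compromised": Reputation.MALICIOUS,
    "malicious-activity": Reputation.MALICIOUS,
    "attribution": Reputation.NONE,
}

# A Malicious mapping with confidence below this floor is displayed as Suspicious.
MALICIOUS_CONFIDENCE_FLOOR = 60


def threat_types_of(indicator):
    """Return the threat type(s) of an indicator: 'threatType' for normalized JSON/CSV,
    'indicator_types' (a list) for STIX 2.1. Empty list means unknown / not set."""
    if "indicator_types" in indicator:
        types = indicator["indicator_types"]
        return list(types) if isinstance(types, (list, tuple)) else [types]
    if "threatType" in indicator:
        return [indicator["threatType"]]
    return []


def reputation_for(indicator):
    """Reputation contributed by a single indicator."""
    types = threat_types_of(indicator)
    if not types:
        return Reputation.SUSPICIOUS  # unknown / not set
    # Assumption: unlisted types are treated as unknown; a STIX indicator with several
    # types contributes the most severe one.
    rep = max(THREAT_TYPE_MAP.get(t, Reputation.SUSPICIOUS) for t in types)
    # Assumption: a missing confidence counts as 0 and therefore triggers the downgrade.
    if rep == Reputation.MALICIOUS and indicator.get("confidence", 0) < MALICIOUS_CONFIDENCE_FLOOR:
        rep = Reputation.SUSPICIOUS
    return rep


def entity_reputation(indicators):
    """Label to display for an entity given every matched indicator, from any source:
    the most severe reputation wins. No matches -> '(None)'."""
    if not indicators:
        return LABELS[Reputation.NONE]
    return LABELS[max(reputation_for(i) for i in indicators)]


def has_threat_match(record, fields, indicators, min_confidence=None):
    """Simplified analogue of hasThreatMatch([fields], confidence > N): return the
    indicators whose 'value' equals any of the record's listed attributes and whose
    confidence exceeds min_confidence (strictly greater, as in the rule example)."""
    values = {record.get(f) for f in fields} - {None}
    return [
        i for i in indicators
        if i.get("value") in values
        and (min_confidence is None or i.get("confidence", 0) > min_confidence)
    ]


# Constructed sample indicators: TEST-NET addresses, made-up sources and confidences.
SAMPLE_INDICATORS = [
    {"source": "feed-a", "value": "192.0.2.10", "threatType": "malicious-activity", "confidence": 90},
    {"source": "feed-b", "value": "192.0.2.10", "threatType": "anonymization", "confidence": 70},
    {"source": "feed-c", "value": "192.0.2.20", "indicator_types": ["compromised"], "confidence": 40},
    {"source": "feed-d", "value": "192.0.2.30", "threatType": "benign", "confidence": 95},
    {"source": "feed-e", "value": "192.0.2.40", "threatType": "attribution", "confidence": 80},
]

if __name__ == "__main__":
    record = {"srcDevice_ip": "192.0.2.10", "dstDevice_ip": "192.0.2.20"}
    matches = has_threat_match(record, ["srcDevice_ip"], SAMPLE_INDICATORS, min_confidence=50)
    for m in matches:
        print(f"{m['source']}: {LABELS[reputation_for(m)]}")
    print("entity reputation:", entity_reputation(matches))
```

Running the script shows feed-a reported as Malicious and feed-b as Suspicious, so the entity itself is displayed as Malicious; the dstDevice_ip indicator from feed-c would map to Malicious by type but is shown as Suspicious because its confidence is 40, and it is not returned by the confidence > 50 match at all.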
Since different sources can report different reputations, each source has a reputation icon on its row in the Cloud SIEM UI. In the following example, the indicator from the Palo Alto Networks Unit 42 source returned a reputation of Malicious, hence the red icon. The link to the right would open a log search window showing the matching indicators in detail.
