Maltiverse Threat Intelligence Platform offers a powerful and flexible rule-based scoring algorithm for enterprise customers. This feature allows users to create custom rules that apply specific actions to Indicators of Compromise (IoCs) based on defined queries. These rules can help in refining the threat intelligence data and ensuring more accurate and relevant results. Below is a step-by-step guide on how to create a rule in Maltiverse.
Step 1: Access IoC Search
To start creating a rule, navigate to the ‘IoC Search’ section in the left menu of your Maltiverse Threat Intelligence Platform interface. This is where you will begin the process of defining the criteria for your rule.
Step 2: Writing a Query
In the IoC Search section, you can write a query to select a specific set of indicators. The query should be formulated to match the specific IoCs you wish to target with your rule. For example, to target IPs belonging to Cloudflare that are classified as malicious, your query might look like:
type:ip AND classification:malicious AND asn_name:"AS13335 Cloudflare"
Step 3: Review Targeted IoCs
Once you have written your query, review the IoCs that it targets. This step is crucial to ensure that your rule will apply to the intended indicators and not affect others inadvertently.
Step 4: Initiate Rule Creation
After confirming the IoCs targeted by your query, click on the plus button (+) in the search bar. From the dropdown menu, select ‘Scoring Rule’. This action will direct you to a form where you can define the details of your new rule.
Step 5: Fill in the Rule Details
In the rule creation form, you will need to fill out several fields to define your rule:
- Rule Name: Give your rule a unique and descriptive name.
- Description: Provide a clear and concise description of what the rule does.
- Periodic Execution (optional): Select how often you want this rule to run (none, hourly, daily, weekly, monthly). This setting is optional.
- Enable/Disable Selector: Choose whether the rule should be active immediately upon creation.
- Stack of Actions: Define the actions that should be applied to the IoCs. For example, to change the classification of matched IoCs to ‘whitelist’ and set a flag is_cdn to true, your actions might be:
  - Downgrade classification from malicious to suspicious
  - Set is_cdn flag to true
Step 6: Save the Rule
After filling in all the necessary details, save your rule. If you enabled the rule, the platform will now apply the actions defined in it to the IoCs matching your query, on the schedule you set (if any).
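To make the select-then-act semantics of Steps 2 to 6 concrete, here is an added example (not Maltiverse code and not its API) that evaluates the page's query against constructed IoC records and applies the two-action stack locally. It assumes a toy matcher for the AND-only field:value subset shown above; the field names ip_addr and hostname are assumptions, while type, classification, asn_name and is_cdn come from the page.

```python
import re

# Constructed sample IoC records (not real Maltiverse data). ip_addr/hostname are assumed field names.
SAMPLE_IOCS = [
    {"ip_addr": "198.51.100.10", "type": "ip", "classification": "malicious",
     "asn_name": "AS13335 Cloudflare", "is_cdn": False},
    {"ip_addr": "203.0.113.7", "type": "ip", "classification": "malicious",
     "asn_name": "AS64496 ExampleNet", "is_cdn": False},
    {"hostname": "cdn.example.test", "type": "hostname", "classification": "malicious",
     "asn_name": "AS13335 Cloudflare", "is_cdn": False},
    {"ip_addr": "198.51.100.20", "type": "ip", "classification": "suspicious",
     "asn_name": "AS13335 Cloudflare", "is_cdn": False},
]

# One clause: field:value, where value is either "quoted text" or a bare token.
_TERM = re.compile(r'(\w+):(?:"([^"]*)"|(\S+))')

def parse_query(query: str) -> dict:
    """Parse the AND-only subset of the query language into {field: expected value}."""
    terms = {}
    for clause in re.split(r"\s+AND\s+", query.strip()):
        m = _TERM.fullmatch(clause.strip())
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        terms[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return terms

def select(iocs, query):
    """Step 3: the IoCs the query targets (exact match on every field)."""
    terms = parse_query(query)
    return [i for i in iocs if all(i.get(f) == v for f, v in terms.items())]

def downgrade_classification(ioc, src, dst):
    if ioc.get("classification") == src:
        ioc["classification"] = dst

def set_flag(ioc, flag, value):
    ioc[flag] = value

def apply_rule(iocs, query, actions):
    """Steps 5 and 6: apply the action stack, in order, to copies of the targeted IoCs."""
    results = []
    for ioc in select(iocs, query):
        ioc = dict(ioc)                # leave the source records untouched for review
        for action in actions:
            action(ioc)
        results.append(ioc)
    return results

QUERY = 'type:ip AND classification:malicious AND asn_name:"AS13335 Cloudflare"'
ACTIONS = [lambda i: downgrade_classification(i, "malicious", "suspicious"),
           lambda i: set_flag(i, "is_cdn", True)]
```

Only the first record matches all three clauses; the hostname and the non-Cloudflare IP are left alone, which is the check Step 3 asks you to make before saving.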
Conclusion
Creating rules in Maltiverse Threat Intelligence Platform allows for a high degree of customization in handling IoCs. By carefully defining queries and associated actions, enterprise users can significantly enhance the effectiveness and relevance of their threat intelligence data. Remember to regularly review and update your rules to align with the evolving cyber threat landscape.