Add IOC Explorer doc; small edits #33413
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| --- | ||
| title: IOC Explorer | ||
| further_reading: | ||
| - link: /security/threat_intelligence/ | ||
| tag: documentation | ||
| text: Threat Intelligence | ||
| - link: /security/cloud_siem/ingest_and_enrich/threat_intelligence | ||
| tag: documentation | ||
| text: Bring Your Own Threat Intelligence | ||
| --- | ||
|
|
||
| {{< callout url="" btn_hidden="true" header="false" >}} | ||
| The IOC Explorer is in Preview. | ||
| {{< /callout >}} | ||
|
|
||
| ## Overview | ||
|
|
||
| Indicators of Compromise (IOC) are evidence that your systems have experienced a security breach. With the [IOC Explorer][1], you can view more details about compromises, and see related signals and logs. | ||
|
|
||
| For more information on the intelligence sources the IOC Explorer displays, see [Threat intelligence sources][2]. | ||
|
|
||
| ## Prerequisites | ||
|
|
||
| To view data in the IOC Explorer, all of the following must be true: | ||
| - Your organization must subscribe to Cloud SIEM. | ||
| - The indicator of compromise must be in a threat feed that was available to Datadog at the time of the log acquisition. | ||
| - A log that has a matching entity in threat intelligence must be acquired. | ||
| - The log must be in the time frame shown on the Explorer. The time frame is fixed to the last 30 days. | ||
|
||
|
|
||
| ## Use the IOC Explorer | ||
|
Contributor
I do think "Using the IOC Explorer" reads a bit more naturally. Non-critical suggestion. I know we're pretty scattered consistency-wise across the docs for using the participle form or not in these types of headings.
||
|
|
||
| To access the IOC Explorer in Datadog, go to **Security** > **Cloud SIEM** > **Investigate** > [**IOC Explorer**][1]. | ||
|
|
||
| ### Query and filter indicators of compromise | ||
|
|
||
| You can write custom queries or apply filters to determine which indicators of compromise you can see in the explorer. You can do so by: | ||
|
||
| - Severity score | ||
| - [Entity type][3] | ||
| - [Threat intelligence source][2] | ||
| - [Threat intelligence category][4] | ||
|
|
||
| Additionally, you can click a column in the Explorer to sort by that column's values. | ||
|
||
|
|
||
| ### Get more context on an indicator of compromise | ||
|
|
||
| You can click an indicator of compromise to open a side panel that contains additional information about it: | ||
|
||
| - When the indicator was first and last seen in a threat intel feed | ||
|
||
| <div class="alert alert-info" style="margin-bottom: 0">This is distinct from the first or last time the indicator was seen in a log.</div> | ||
| - Any categories and ratings assigned to it, and the sources associated with those ratings | ||
| - A breakdown of the indicator's severity score | ||
| - Signal matches, which you can view in Signals Explorer | ||
| - Related logs, which you can view in Log Explorer | ||
|
|
||
| ## Understand severity scoring | ||
|
|
||
| It's important to have proper context behind how Datadog calculated a severity score for an indicator, so you can properly prioritize its investigation. For example, [IP addresses][5] can be volatile and require frequent reassessments as a result. | ||
|
||
|
|
||
| In the IOC Explorer side panel, you can see the factors Datadog takes into account. It starts with a base score based on its classification, then raises or lowers the score based on additional factors: | ||
|
||
| - **Classification**: The base score associated with the indicator's category and intent | ||
| - **Corroboration**: Whether the indicator appears on multiple threat intelligent feeds | ||
| - **Persistence**: How long threat intelligence feeds have been reporting on the indicator | ||
| - **Hosting Type**: Used for IP and domain entity types; evaluates whether the hosting infrastructure is commonly used for attacks | ||
| - **Signal Activity**: Whether Datadog has seen the evaluator in your environment | ||
|
|
||
| ## Further reading | ||
|
|
||
| {{< partial name="whats-next/whats-next.html" >}} | ||
|
|
||
| [1]: https://app.datadoghq.com/security/siem/ioc-explorer | ||
| [2]: /security/threat_intelligence/#threat-intelligence-sources | ||
| [3]: /security/threat_intelligence/#entity-types | ||
| [4]: /security/threat_intelligence/#threat-intelligence-categories | ||
| [5]: /security/threat_intelligence/#ip-addresses-dynamic-and-transient | ||
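Review bot: two wording slips in the severity-factor list near the end of the hunk change the meaning for readers: the Corroboration bullet says "multiple threat intelligent feeds" (should be "threat intelligence feeds"), and the Signal Activity bullet says "Whether Datadog has seen the evaluator in your environment", where "evaluator" looks like a typo for "indicator"; as written, a reader cannot tell what Signal Activity actually measures. The `<div class="alert alert-info" ...>` callout inserted between the first and second bullets of the side-panel list will break the Markdown list in most renderers; indent it under the first bullet or move it after the list. Minor: the prerequisites list repeats "must" in every item right after "all of the following must be true", and "You can do so by:" in the query-and-filter section would read more clearly as "You can query or filter by:".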
I can't find a guideline around capitalizing Preview/preview in our SG or Tech Content's, and I don't think we've been especially consistent (I just looked back at a few pages I knew were in preview). Lowercase seems preferable and somewhat more prevalent to me (I would also say the same for its counterpart "general availability"), and while I don't think this is a primary source of truth, it's all lowercase on this D4D page: https://datadoghq.atlassian.net/wiki/x/e4rliw.
I realize it's entirely possible and even likely that you've found precedent for capitalizing, so just calling out as a suggestion.
Thanks for calling this out, Jeff! It's funny, when I started, it was really drilled into me that we always need to capitalize Preview, but now I can't find guidance about it either. Maybe it changed! I know the terminology around beta/preview/limited availability/etc. has changed quite a bit over time.