Powered by the new Cisco Umbrella Investigate On-Demand Enrichment API
We are pleased to announce three updates for Investigate users. For security teams using The Hive-Cortex for threat intelligence, a new analyzer for Investigate is now available in Cortex. In addition, for security teams using Maltego, there is a new transform option now available. The new transform for Cisco Umbrella Investigate joins the Cisco Threat Grid transform. Powering these integrations is a new package, the Cisco Umbrella Investigate On-Demand Enrichment API.
Cisco Umbrella Investigate On-Demand Enrichment API
This new entry-level Cisco Umbrella Investigate API package makes it easy for organizations to integrate Investigate threat intelligence with their SIEM, TIP and other security orchestration tools such as Cortex and Maltego. The API allows analysts to access Investigate’s intelligence on-demand and includes a quota of up to 2000 requests a day.
TheHive-Cortex Analyzer – Investigate
We are committed to advancing security-related open source technology initiatives and we are excited to offer integration with TheHive, a popular and powerful open source threat intelligence sharing platform (MISP compliant). Cortex is The Hive’s observable analysis engine, which over the past few years has increased the number of its analyzers to over 100.
Why use the Investigate analyzer?
The Investigate analyzer helps TheHive-Cortex users easily create, enrich, and share observables.
Create and enrich domain observable
Create and enrich hash observable
Maltego Transform for Investigate
For years security teams have relied on Maltego for graphing of various types of entities, such as domains, IPs, and registrants. With the new Investigate transform, security practitioners can have more meaningful and complete visualizations of how various threat intelligence components are connected.
Why use the Investigate Transform for Maltego?
The Investigate transform helps Maltego users discover hidden but useful details that security teams want when exploring domains, IPs, and other threat intelligence entities. In addition to enabling pivoting between known and new connections between domains and IPs on the same infrastructure, the Investigate transform shows relationships between domains that do not share the same hosting infrastructure.
Typically, calls by malicious entities such as malware on a compromised, or other attacker controller machines, to a malicious domain are quickly preceded or followed by calls to other such domains. This relationship is difficult to expose, but Investigate has rich intelligence at a global level via the Cisco Umbrella resolvers to capture these co-occurring requests. Co-occurrences provides incident responders and threat hunters alike a new way of identifying and preventing potential attacks by identifying domains looked up in rapid succession of a given domain. (For more details about co-occurrences, please see “Discovering Malicious Domains Using Co-Occurrences”).
Summary
Cisco Umbrella Investigate threat intelligence data is now more accessible than ever with the integrations of TheHive and Maltego. Coupled with the new Cisco Umbrella Investigate On-Demand Enrichment API, more organizations can establish and conduct faster, effective incident response and threat hunting operations.
Getting Started
TheHive and Cortex are free to use (GNU 3.0).
Maltego Community Edition free to use. Maltego Classic is $999.
Users will need an Investigate API key to use the Investigate Cortex Analyzer or the Investigate Maltego transform (Request a trial of Cisco Umbrella with Investigate).
Are you working on a security research project? Please reach out to the Cisco Umbrella Investigate team to see how Investigate can advance your research project.
Related Resources
- https://blog.thehive-project.org/
- https://github.com/TheHive-Project/TheHive
- https://github.com/TheHive-Project/Cortex
- https://en.wikipedia.org/wiki/Maltego
- Maltego Transform for Cisco Umbrella Investigate: https://github.com/opendns/opendns_transform
