Intel Lake
Notice
This feature is available in Collaborate v3.7.1.0 onwards.
Intel Lake is a consolidated collection of threat intel objects such as indicators, vulnerabilities, and malware. To view Intel Lake in the Member Portal, the feature must be enabled in the Analyst Portal. For more information, contact your Collaborate administrator.
What are the use cases of Intel Lake?
A consolidated view of the threat intel in Collaborate helps members understand the threat intel type, the associated confidence score, TLP, and more.
Members can click a specific threat intel to view the basic and any additional details. For more information, see View Basic Details of Threat Intel Objects.
A visual representation of the threat intel enables members to view the associated threat intel objects. For more information, see View Relations of Threat Intel Objects.
To view Intel Lake in the Member Portal, navigate to Intel Lake in the sidebar. The Intel Lake listing page displays a maximum of 50,000 threat intel objects. Additionally, you can search for threat intel using the search and filter option.
Note
You can view Intel Lake dashboards by navigating to Dashboards > Intel Lake. For more information, see View Member Dashboards.
The Intel Lake listing page provides the following information about each threat intel object:
Displayed Column | Description |
---|---|
Value | Displays the actual value of the threat intel. For example, BlackGuard and Killnet. |
Type | Displays the type of threat intel. The different types are Indicator, Malware, Threat Actor, Vulnerability, Attack Pattern, Campaign, Course of Action, Identity, Infrastructure, Intrusion Set, Location, Malware Analysis, Observed Data, Tool, Report, Custom Object, Observable, Incident, Note and Opinion. |
Confidence Score | Displays the confidence score for the threat intel. The confidence score is a value between 0 and 100 that the scoring engine assigns automatically to a threat intel object. A score of 0 indicates the indicator is assessed as benign; higher scores up to 100 indicate increasing confidence that the indicator is malicious. Confidence scores are displayed only for objects of type Indicator. |
TLP | Displays the Traffic Light Protocol value of the threat intel. For more information, see Traffic Light Protocol (TLP). |
Created Date | Displays the date when the threat intel is created. For example, Apr 26, 2023, 07:10 PM. |
Modified Date | Displays the date when the threat intel details are modified. |
IOC Type | Displays the type of IOC. The IOC type is displayed only for intel objects that are indicators. For example, Domain, URL, IPv4 Address, and SHA-1. |
View Basic Details of Threat Intel Objects
Click a threat intel object to view the following details:
Basic Details: View basic information about the threat intel. The fields shown in Basic Details depend on the type of threat intel. For example, if the threat intel is an Indicator, the fields displayed are Confidence Score, Description, IOC Type, Value, TLP, Created, Modified, Country, Valid Until, Revoked, and Tags. If the threat intel is Malware, a Malware Family field is displayed along with the other fields.
Note
If the threat intel has a description, use the Fang-Defang toggle to switch the IOCs in the description between their live form and a defanged form (for example, hxxp:// instead of http:// and example[.]com instead of example.com). Keep IOCs defanged when you copy them into tickets, chat, or email so that nobody opens a malicious URL by accident.
Additional Details: View custom attributes for each threat intel. A custom attribute is additional information that provides context about the threat intel.
Relations: Displays a visual representation of the threat intel and its relation or connection to other threat intel. For more information, see View Relations of Threat Intel Objects.
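The fang/defang conversion the toggle performs is a simple, reversible text rewrite. The following is an added example written for this page, not the toggle's own implementation and not Cyware code: the hxxp://, [.] and [at] conventions are the ones commonly used in threat reports, the IOC regexes are heuristics, and the sample description, the function names (defang, fang, has_live_iocs) and all other identifiers are assumptions made here. The has_live_iocs check is the kind of guard you would run before pasting intel into a shared channel.

```python
import re

# Constructed sample description (not from the page) containing several IOC forms.
SAMPLE = "C2 at http://evil.example.com/p?x=1 and 198.51.100.7, mail ops@evil.example.com"

# Assumed conventions: http -> hxxp, https -> hxxps, ftp -> fxp, '.' -> '[.]', '@' -> '[at]'.
_DEFANG_SCHEME = {"http": "hxxp", "https": "hxxps", "ftp": "fxp"}
_FANG_SCHEME = {v: k for k, v in _DEFANG_SCHEME.items()}
_LIVE_SCHEME = re.compile(r"\b(https?|ftp)://", re.IGNORECASE)
_DEFANGED_SCHEME = re.compile(r"\b(hxxps?|fxp)://", re.IGNORECASE)
_IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
# Hostname heuristic: one or more labels followed by an alphabetic TLD (not an RFC parser).
_HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
# Dot variants seen in reports: [.] (.) {.}
_BRACKET_DOT = re.compile(r"[\[({]\.[\])}]")


def defang(text: str) -> str:
    """Rewrite IOCs so they cannot be opened by accident: scheme, dotted IPs/hosts, email '@'."""
    text = _LIVE_SCHEME.sub(lambda m: _DEFANG_SCHEME[m.group(1).lower()] + "://", text)
    text = _IPV4.sub(lambda m: m.group(0).replace(".", "[.]"), text)
    text = _HOST.sub(lambda m: m.group(0).replace(".", "[.]"), text)
    return re.sub(r"(\S)@(\S)", r"\1[at]\2", text)


def fang(text: str) -> str:
    """Reverse defang(); also accepts the (.) and {.} dot variants."""
    text = _DEFANGED_SCHEME.sub(lambda m: _FANG_SCHEME[m.group(1).lower()] + "://", text)
    text = _BRACKET_DOT.sub(".", text)
    return re.sub(r"\[at\]", "@", text, flags=re.IGNORECASE)


def has_live_iocs(text: str) -> bool:
    """True if the text still contains a clickable URL scheme, a dotted IPv4, or a dotted hostname."""
    return any(p.search(text) is not None for p in (_LIVE_SCHEME, _IPV4, _HOST))


if __name__ == "__main__":
    safe = defang(SAMPLE)
    print(safe)
    print("round-trips:", fang(safe) == SAMPLE, "| still live:", has_live_iocs(safe))
```

The defang order matters: schemes first (so the host regex does not see "http" as a label), then IPs, then hostnames, then the "@" in email addresses; fang reverses the same steps. Version strings such as 3.7 are not touched because the hostname pattern requires an alphabetic last label and the IPv4 pattern requires four octets.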
View Relations of Threat Intel Objects
The Relations section provides a visual representation of the threat intel and its relations to other threat intel objects. This gives members the context they need for threat analysis, which in turn helps them understand the potential impact on the organization and mitigate threats proactively.
In Relations, you can view threat intel relations in the following ways:
Visualizer: View a graphical representation of the threat intel object and other related objects. To view the relation in a different visual layout, select different layouts such as Sequential, Lens, Hierarchy, and others. By default, the layout is Organic.
Hover or click the related threat intel object to view more details. Click Detailed View to open the selected threat object in a new tab. You can now view all available details of the object.
Table: View the relation between different threat intel objects in a table format.
Search and Filter Threat Intel Objects
You can filter threat objects using the CQL or basic search. Switch between the two options to search and filter threat object data according to your preference.
CQL: Use Cyware Query Language (CQL) search to perform advanced searches that include a combination of parameters and operators.
CQL grammar combines parameters (Object Type, IOC Type, Confidence Score, and more), conditions (AND, IN, MATCHES, OR), and operators (=, >, <, >=, <=, !=, and more). For more information about the CQL parameters supported in Intel Lake, see CQL Parameters.
Note
You can copy and share CQL queries with other members, enhancing collaboration.
BASIC: Switch from CQL to basic search to filter by type, IOC type, TLP, created date, and modified date. For example, set Type to Indicator, IOC type to Domain, and TLP to RED. The search results then display all Domain indicators marked TLP:RED.
To search for threat object data, enter a value in the Type/Select Filter field and click Search. The search matches on the value of the threat intel object.
To save a filtered search, click Save Search, and enter a name. This enables you to collate frequently searched threat intel and save time.
Your saved searches are available in the Saved Search section on the left. You can choose to remove the saved searches or rename them according to your preferences. Additionally, you can modify a saved search by changing the filters of the search. After changing filters, you can either create a new saved search or choose to update the existing saved search.
The following CQL parameters are supported in Intel Lake:
Parameter | Description | Example Query |
---|---|---|
Object Type | The STIX type of the threat intel object: Indicator, Malware, Threat Actor, Vulnerability, Attack Pattern, Campaign, Course of Action, Identity, Infrastructure, Intrusion Set, Location, Malware Analysis, Observed Data, Opinion, Tool, Report, Custom Object, Observable, Incident, or Note. | Use 'Object Type' = "Indicator" to view all indicators. |
IOC Type | The type of indicator of compromise (IOC): Artifact, Autonomous System, Directory, Domain, Email address, Email message, IPv4 address, IPv6 address, MAC address, Mutex, Network traffic, Process, Software, URL, User account, Windows registry key, X509 certificate, MD5, SHA1, SHA224, SHA256, SHA384, SHA512, or SSDEEP. | Use 'Object Type' = "Indicator" AND 'IOC Type' = "ipv4 addr" to view indicators that are IPv4 addresses. |
TLP | The Traffic Light Protocol designation that controls with whom the object may be shared. The available values are Red, Amber, Green, White, and None. | Use 'Object Type' = "Malware" AND 'TLP' = "RED" to view malware objects marked TLP:RED. |
Confidence Score | The numerical assessment (0 to 100) of how confidently the object is considered malicious. | Use 'Object Type' = "Indicator" AND 'Confidence Score' RANGE (10,90) to view indicators with a confidence score between 10 and 90. |
Source Created | The date and time when the source reported the threat intel object. | Use 'Object Type' = "Indicator" AND 'Source Created' RANGE ("July 31, 2023, 12:00 AM", "August 15, 2023, 11:59 AM") to view indicators reported by a source within the given date range. |
Source Modified | The date and time when the source last modified the threat intel object. | Use 'Object Type' = "Indicator" AND 'Source Modified' RANGE ("July 31, 2023, 12:00 AM", "August 15, 2023, 11:59 AM") to view indicators modified by a source within the given date range. |
System Created Date | The date and time when the object was created in Intel Lake. | Use 'Object Type' = "Malware" AND 'Created On' = "date" to view malware objects created in Intel Lake on a particular date. |
System Modified Date | The date and time when the object was last modified in Intel Lake. | Use 'Object Type' = "Malware" AND 'Modified On' = "date" to view malware objects modified in Intel Lake on a particular date. |
Valid From | The date and time from which the object is valid. | Use 'Object Type' = "Indicator" AND 'Valid From' = "Date" to view indicators that are valid from the given date. |
Valid Until | The date and time until which the object is valid. | Use 'Object Type' = "Indicator" AND 'Valid Until' = "Date" to view indicators that are valid until the given date. |
Tags | The text labels associated with the threat intel object. | Use 'Object Type' = "Vulnerability" AND 'Tags' = "CVSS critical" to view vulnerabilities tagged CVSS critical. |
Country | The countries associated with the threat intel object. | Use 'Object Type' = "Indicator" AND 'IOC Type' = "URL" AND 'Country' = "India" to view URL indicators associated with India. |
First Seen | The date and time when the threat object was first seen. | Use 'Object Type' = "Indicator" AND 'First Seen' = "Date" to view indicators first seen on the specified date. |
Last Seen | The date and time when the threat object was last seen. | Use 'Object Type' = "Indicator" AND 'Last Seen' = "Date" to view indicators last seen on the specified date. |
Revoked | Whether the indicator has been revoked. | Use 'Object Type' = "Indicator" AND 'Revoked' = "Yes" to view indicators marked as revoked. |
Value | The value of the threat intel object, such as an IP address, domain, hash, or name. | Use 'Object Type' = "Indicator" AND 'Value' = "111.11.112.11" to view the indicator with the value 111.11.112.11. |
Relation Created Date | The date and time when the relationship was created. | Use 'Object Type' = "Indicator" AND 'Relation Created Date' = "Timestamp" to view indicators whose relations were created at the specified timestamp. |
Relation Modified Date | The date and time when the relationship was last modified. | Use 'Object Type' = "Indicator" AND 'Relation Modified Date' = "Timestamp" to view indicators whose relations were modified at the specified timestamp. |
Relation Type | The STIX relationship type, such as uses or targets. | Use 'Object Type' = "Indicator" AND 'Relation Type' = "targets" AND 'Related Object' = "Malware" to view indicators related to a malware object by that relationship type. |
Related Object Property | A property of the related object (object type, source, IOC type, source type, source collections, and more) used to narrow the search. | Use 'Object Type' = "Indicator" AND 'Related Object' = "Malware" AND 'Related Object Property: Source' = "Import" to view indicators related to a malware object that was brought into the platform by importing intel. |
Related Object | The object related to the primary object, used to focus on specific associations and refine your search. Once a related object is named in a CQL query, every parameter that follows it applies to the related object rather than to the primary object. | Use 'Object Type' = "Threat Actor" AND 'Relation Type' = "uses" AND 'Related Object' = "Malware" to view threat actors that use a malware object. |
Has Relations | Whether the object has relations with other objects. | Use 'Object Type' = "Indicator" AND 'Has Relations' = "Yes" to view indicators that have relationships defined with other objects. |
Related Object Value | The value of the related object. Use it to find objects related to an object with a specific value; a related object must be specified first. | Use 'Object Type' = "Vulnerability" AND 'Related Object' = "Course of Action" AND 'Related Object Value' CONTAINS "google:chrome" to view vulnerabilities whose related course of action refers to the specified browser. |
Custom Attribute | The name of a custom attribute; matches threat intel objects that carry it. | Use 'Object Type' = "Vulnerability" AND 'Custom Attribute' = "zero_day" to view vulnerabilities that have the zero_day custom attribute. |
Custom Attribute Type | The data type of a custom attribute. A custom attribute value must be provided along with the type. | Use 'Object Type' = "Vulnerability" AND 'Custom Attribute' = "cvss_v3_temporal_score" AND 'Custom Attribute Type' = "Float" AND 'Custom Attribute Value' > "5" to view vulnerabilities whose CVSS v3 temporal score is greater than 5. |
Custom Attribute Value | The value of a custom attribute; matches threat intel objects whose custom attribute has that value. | Use 'Object Type' = "Vulnerability" AND 'Custom Attribute' = "zero_day" AND 'Custom Attribute Value' = "true" to view vulnerabilities whose zero_day custom attribute is set to true. |
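The grammar described above (quoted parameters, quoted or numeric values, comparison operators, and the IN, RANGE, CONTAINS and MATCHES conditions joined by AND and OR) is concrete enough to evaluate offline. The following is an added example written for this page; it is not Cyware's CQL engine and not the platform's code, and it models only the parameter shapes visible in the table, not the related-object or custom-attribute semantics. Everything beyond the page's own examples is an assumption made here: that AND binds tighter than OR and there is no parenthesised grouping, that keywords, parameter names and = comparisons are case-insensitive, that list-valued attributes such as Tags match when any element matches, that an object lacking an attribute never matches, and the sample objects, which are constructed. It is useful for checking that a query's logic says what you mean before saving it or sharing it with other members.

```python
import operator
import re

# Constructed sample objects (not from the page), keyed by the Intel Lake column names.
OBJECTS = [
    {"Object Type": "Indicator", "IOC Type": "ipv4 addr", "Value": "198.51.100.7",
     "Confidence Score": 85, "TLP": "AMBER", "Tags": ["c2", "botnet"], "Revoked": "No"},
    {"Object Type": "Indicator", "IOC Type": "Domain", "Value": "evil.example.com",
     "Confidence Score": 40, "TLP": "RED", "Tags": ["phishing"], "Revoked": "No"},
    {"Object Type": "Indicator", "IOC Type": "URL", "Value": "http://evil.example.com/p",
     "Confidence Score": 5, "TLP": "GREEN", "Tags": [], "Revoked": "Yes"},
    {"Object Type": "Malware", "Value": "BlackGuard", "TLP": "RED", "Tags": ["stealer"]},
    {"Object Type": "Vulnerability", "Value": "sample-vuln", "TLP": "WHITE", "Tags": ["CVSS critical"]},
]

# Token shapes assumed from the page's examples: 'Parameter', "value", bare numbers, comparison
# operators, keywords (AND, OR, IN, RANGE, CONTAINS, MATCHES) and the punctuation ( , ).
_TOKEN = re.compile(r"""\s*(?:'(?P<param>[^']*)'|"(?P<str>[^"]*)"|(?P<num>-?\d+(?:\.\d+)?)
                           |(?P<op>>=|<=|!=|=|>|<)|(?P<word>[A-Za-z_]+)|(?P<punct>[(),]))""", re.X)
_ORDER = {">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le}

def tokenize(query):
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = _TOKEN.match(query, pos)
        if not m:
            raise ValueError(f"unexpected input at {pos}: {query[pos:pos + 10]!r}")
        text = m.group(m.lastgroup)
        tokens.append((m.lastgroup, text.upper() if m.lastgroup == "word" else text))  # keywords: any case
        pos = m.end()
    return tokens

def _num(x):  # float for values that look numeric (85, "85", 5.5), else None
    return float(x) if re.fullmatch(r"-?\d+(?:\.\d+)?", str(x)) else None

def _compare(field, op, values):
    # One condition against one attribute; list attributes (e.g. Tags) match if any element does.
    items = [] if field is None else field if isinstance(field, list) else [field]
    texts, nums = [str(x).lower() for x in items], [n for n in map(_num, items) if n is not None]
    if op == "RANGE":
        lo, hi = (_num(v) for v in values) if len(values) == 2 else (None, None)
        if lo is None or hi is None:
            raise ValueError("RANGE takes exactly two numeric bounds")
        return any(lo <= n <= hi for n in nums)
    if op in ("=", "IN"):
        return any(v.lower() in texts for v in values)
    if op == "!=":  # true only when the attribute exists and no element equals the operand
        return field is not None and values[0].lower() not in texts
    if op == "CONTAINS":
        return any(values[0].lower() in t for t in texts)
    if op == "MATCHES":
        return any(re.search(values[0], str(x), re.IGNORECASE) for x in items)
    if op not in _ORDER or _num(values[0]) is None:
        raise ValueError(f"unsupported operator {op!r} or non-numeric operand {values[0]!r}")
    return any(_ORDER[op](n, _num(values[0])) for n in nums)

def matches(query, obj):
    """Parse the query (AND binds tighter than OR, no grouping) and evaluate it against one object."""
    toks, i = tokenize(query), 0
    fields = {k.lower(): v for k, v in obj.items()}  # parameter names are matched case-insensitively
    def peek(kind=None, text=None):
        k, t = toks[i] if i < len(toks) else (None, None)
        return t if kind in (None, k) and text in (None, t) else None
    def take(kind=None, text=None):
        nonlocal i
        t = peek(kind, text)
        if t is None:
            raise ValueError(f"expected {text or kind or 'a token'} at token {i}")
        i += 1
        return t
    def value():
        return take("str") if peek("str") is not None else take("num")
    def factor():  # 'param' op value | 'param' (IN|RANGE) '(' value {, value} ')'
        param = take("param")
        if peek("word", "IN") or peek("word", "RANGE"):
            op, values = take(), []
            take("punct", "(")
            while not values or peek("punct", ","):
                if values:
                    take()
                values.append(value())
            take("punct", ")")
        else:
            op, values = take(), [value()]
        return _compare(fields.get(param.lower()), op, values)
    def term():  # factor (AND factor)*; the right side is always parsed so its tokens are consumed
        result = factor()
        while peek("word", "AND"):
            take()
            result = factor() and result
        return result
    result = term()  # term (OR term)*
    while peek("word", "OR"):
        take()
        result = term() or result
    if i != len(toks):
        raise ValueError("trailing tokens after query")
    return result

def search(query, objects=OBJECTS):
    return [o["Value"] for o in objects if matches(query, o)]
```

Running search('Object Type' = "Indicator" AND 'Confidence Score' RANGE (10,90)) over the sample set returns the two indicators scored 85 and 40 and drops the one scored 5; a malformed query such as a missing value or a RANGE with one bound raises ValueError rather than silently matching nothing, which is the behaviour you want from a query you are about to schedule as a recurring report.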
While creating a saved search, you can schedule email reports for it. This keeps you notified when new entries match the saved search over time. A calendar icon next to a saved search indicates that an email report is scheduled for it.
Before you Start
The email server must be enabled for you. For more information, contact your Collaborate administrator.
Steps
Select or type your query and click Save Search.
Enter the name of the report. To schedule an email report for the saved search, select the Schedule Report checkbox and click Save & Create Schedule. Use the following information while scheduling reports for saved searches:
Title: The title that you had previously entered for the saved search is automatically populated. You can retain this title or choose to rename the title. This title is displayed as the subject of the email report.
Start Date and Time: Specify the date and time from which the email report is generated. The default date and time is set to the next day.
Frequency: Set the report frequency for the specified duration. You can choose between Once, Hourly, Daily, Weekly, and Monthly. Based on your selection, you can select additional options for the report frequency. The default frequency is set to Once.
Duration of Data: Set the duration for which the report is generated.
Applies on: Select if the scheduled report applies on the system-created date of the indicators or the system-modified date.
Report Format: You can receive the email report in CSV or XLS format. The default is CSV.
Email Recipients: Select the email recipients for the scheduled report.
CSAP Users: Select the recipients from the dropdown. You can also choose to add recipients in CC and BCC.
Non-CSAP Users: To share the report with individuals outside Collaborate, enter up to five email addresses separated by commas. External recipients receive the exported intel as an attachment outside the platform's access controls, so make sure the TLP of the objects the saved search returns permits that disclosure; TLP:RED intel in particular must not be sent to external recipients.
To schedule the email report, click Schedule.
After you have scheduled a report for a saved search, you can update, rename, and delete it according to your preference by navigating to Saved Search and clicking the vertical ellipsis.