Difference: HiddenCobraThreat (r4 vs. r3)

US-CERT provided IOCs that can be used to detect the North Korean malicious cyber activity referred to as HIDDEN COBRA.

For more information about HIDDEN COBRA, please visit https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity

ArcSight converted the official IOCs to CSV files that can be imported into the Activate Threat Intelligence Active Lists.

Files (Attached to this page, see bottom):

  • TA17-318A_suspicious_addresses_list.csv
  • TA17-318A_suspicious_entities_list.csv
  • TA17-318B_suspicious_addresses_list.csv
  • TA17-318B_suspicious_entities.csv
  • TA17-164A_suspicious_addresses.csv
  • TA17-164A_suspicious_entities.csv

Follow these steps to manually add the provided IOCs to the Activate Threat Intelligence Active Lists.

* Navigate to Active Lists/Shared/ArcSight Activate/Solutions/Threat Intelligence/Indicators and Warnings.

* Right click on Suspicious Addresses List and click on Import CSV File...

* Select the correct CSV file: for the Suspicious Addresses List, select the suspicious_addresses_list.csv file and click on Open.

* Verify the data with the Import Preview and click on Import.

* To verify that the data was imported into the Suspicious Addresses List, right click on Suspicious Addresses List and click on Show Entries.

* After importing the suspicious_addresses_list.csv files, the Suspicious Addresses List should be filled with the HIDDEN COBRA IOCs.

* Repeat the above steps for the other suspicious_addresses_list.csv files.

* The suspicious_entities_list.csv files need to be imported into the Suspicious Entities List.

After importing the suspicious_entities_list.csv files, the Suspicious Entities List should be filled with the HIDDEN COBRA IOCs.
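The Import Preview step is the only check the procedure above applies before the addresses go live in a list that ArcSight correlation rules match against. A small pre-import check catches the usual problems in a converted IOC file (entries that are not IP addresses, duplicates, and internal or link-local ranges that would fire on your own traffic) before the CSV reaches the console. The script below is an added example and is not part of this page, of US-CERT's advisories or of ArcSight's own tooling; it assumes a header column named "address" (the real column layout of the attached CSVs is not given on this page), and the sample rows are constructed documentation addresses, not indicators from the advisories.

```python
import csv
import io
import ipaddress

# Constructed sample input. The "address" column name is an assumption about
# the CSV layout; the values are RFC 5737 / RFC 3849 documentation addresses,
# not indicators taken from the TA17-164A/TA17-318A/TA17-318B advisories.
SAMPLE_CSV = """address,comment
203.0.113.10,HIDDEN COBRA TA17-318A
203.0.113.10,HIDDEN COBRA TA17-318A
10.0.0.5,HIDDEN COBRA TA17-318A
not-an-ip,HIDDEN COBRA TA17-318A
 2001:db8::1 ,HIDDEN COBRA TA17-318B
198.51.100.77,HIDDEN COBRA TA17-318B
"""

# Ranges that must never end up in a "suspicious addresses" list: a rule that
# matches them would alert on internal, loopback and link-local traffic.
# Extend this with your own public ranges if you operate any.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
        "127.0.0.0/8", "169.254.0.0/16",
        "::1/128", "fc00::/7", "fe80::/10",
    )
]

REASON_NOT_IP = "not an IP address"
REASON_INTERNAL = "internal or non-routable"
REASON_DUPLICATE = "duplicate"


def check_address_list(csv_text, column="address"):
    """Validate an IOC address CSV before import.

    Returns (valid_rows, rejected) where valid_rows is a list of row dicts
    with the address normalised to its canonical text form, and rejected is a
    list of (line_number, raw_value, reason) tuples for the operator to review.
    Line numbers are 1-based and count the header as line 1.
    """
    valid = []
    rejected = []
    seen = set()
    reader = csv.DictReader(io.StringIO(csv_text))
    for lineno, row in enumerate(reader, start=2):
        raw = (row.get(column) or "").strip()
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            rejected.append((lineno, raw, REASON_NOT_IP))
            continue
        # "ip in net" is False for mismatched IP versions, so mixing v4 and v6
        # networks in INTERNAL_NETWORKS is safe.
        if any(ip in net for net in INTERNAL_NETWORKS):
            rejected.append((lineno, raw, REASON_INTERNAL))
            continue
        canonical = str(ip)
        if canonical in seen:
            rejected.append((lineno, raw, REASON_DUPLICATE))
            continue
        seen.add(canonical)
        row[column] = canonical
        valid.append(row)
    return valid, rejected


def to_import_csv(rows, fieldnames):
    """Serialise the validated rows back to CSV text for the console import."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    ok, bad = check_address_list(SAMPLE_CSV)
    for lineno, raw, reason in bad:
        print(f"line {lineno}: rejected {raw!r}: {reason}")
    print(to_import_csv(ok, ["address", "comment"]))
```

Run it against each suspicious_addresses CSV before the Import CSV File... step and feed the cleaned output to the console; anything in the rejected list is worth a look in the source advisory rather than silently dropping it, since a malformed line may be a mangled real indicator.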

Attachments (size, date, uploaded by, comment):

  • TA17-164A_suspicious_addresses.csv (135.9K, 22 Nov 2017 18:34, BartOtten, HIDDEN COBRA)
  • TA17-164A_suspicious_entities.csv (2.5K, 22 Nov 2017 18:34, BartOtten, HIDDEN COBRA)
  • TA17-318A_suspicious_addresses_list.csv (33.9K, 22 Nov 2017 18:31, BartOtten, HIDDEN COBRA)
  • TA17-318A_suspicious_entities_list.csv (4.0K, 22 Nov 2017 18:33, BartOtten, HIDDEN COBRA)
  • TA17-318B_suspicious_addresses_list.csv (34.7K, 22 Nov 2017 18:34, BartOtten, HIDDEN COBRA)
  • TA17-318B_suspicious_entities.csv (12.1K, 22 Nov 2017 18:34, BartOtten, HIDDEN COBRA)
