US-CERT has provided IOCs that can be used to detect North Korean malicious cyber activity, referred to as HIDDEN COBRA.

For more information about HIDDEN COBRA, please visit

ArcSight converted the official IOCs to CSV files that can be imported into the Activate Threat Intelligence Active Lists.

Files (attached to this page, see bottom):
  • TA17-318A_suspicious_addresses_list.csv
  • TA17-318A_suspicious_entities_list.csv
  • TA17-318B_suspicious_addresses_list.csv
  • TA17-318B_suspicious_entities.csv
  • TA17-164A_suspicious_addresses.csv
  • TA17-164A_suspicious_entities.csv
Follow these steps to manually add the provided IOCs to the Activate Threat Intelligence Active Lists.

* Navigate to Active Lists/Shared/ArcSight Activate/Solutions/Threat Intelligence/Indicators and Warnings.

* Right-click on Suspicious Addresses List and click on Import CSV File…

* Select the correct CSV file: for the Suspicious Addresses List, select the suspicious_addresses_list.csv file and click on Open.

* Verify the data with the Import Preview and click on Import.

* Verify that the data was imported into the Suspicious Addresses List: right-click on Suspicious Addresses List and click on Show Entries.

* After importing the suspicious_addresses_list.csv files, the Suspicious Addresses List should be filled with the HIDDEN COBRA IOCs.

* Repeat the above steps for the other suspicious_addresses_list.csv files.
* The suspicious_entities_list.csv files need to be imported into the Suspicious Entities List.

After importing the suspicious_entities_list.csv files, the Suspicious Entities List should be filled with the HIDDEN COBRA IOCs.
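A sanity check that can be run on an addresses CSV before the Import Preview step, as an added example that is not part of the original page or of ArcSight Activate. It flags duplicates, unparsable rows and non-routable addresses, which would match internal hosts and produce false positives once they are in the Active List. The column layout of the attachments is an assumption, so the address is found by parsing each cell; the sample rows are constructed.

```python
import csv
import io
import ipaddress

# Constructed sample rows (documentation-range addresses, not real IOCs).
# Assumption: one indicator per row; the real column layout is not known here.
SAMPLE_CSV = """\
203.0.113.10,HIDDEN COBRA
203.0.113.10,HIDDEN COBRA
198.51.100.7 ,HIDDEN COBRA
10.1.2.3,HIDDEN COBRA
127.0.0.1,HIDDEN COBRA
not-an-ip,HIDDEN COBRA
"""

# Ranges that should never appear in an external threat list.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]


def find_address(row):
    """Return the first cell that parses as an IP address, or None."""
    for cell in row:
        try:
            return ipaddress.ip_address(cell.strip())
        except ValueError:
            continue
    return None


def review_addresses(csv_text):
    """Return (addresses safe to import, [(line number, reason)] to inspect)."""
    keep, flagged, seen = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if not any(cell.strip() for cell in row):
            continue  # skip blank lines
        addr = find_address(row)
        if addr is None:
            flagged.append((lineno, "no parsable address"))
        elif addr in seen:
            flagged.append((lineno, "duplicate"))
        elif any(addr in net for net in NON_ROUTABLE):
            flagged.append((lineno, "non-routable"))
        else:
            seen.add(addr)
            keep.append(str(addr))
    return keep, flagged
```

To check a downloaded attachment, pass the file's text to `review_addresses` and inspect the flagged line numbers before importing; a header row, if present, is reported as having no parsable address.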

Topic attachments
| Attachment | Size | Date | Who | Comment |
|---|---|---|---|---|
| TA17-164A_suspicious_addresses.csv | 135.9 K | 22 Nov 2017 - 18:34 | BartOtten | HIDDEN COBRA |
| TA17-164A_suspicious_entities.csv | 2.5 K | 22 Nov 2017 - 18:34 | BartOtten | HIDDEN COBRA |
| TA17-318A_suspicious_addresses_list.csv | 33.9 K | 22 Nov 2017 - 18:31 | BartOtten | HIDDEN COBRA |
| TA17-318A_suspicious_entities_list.csv | 4.0 K | 22 Nov 2017 - 18:33 | BartOtten | HIDDEN COBRA |
| TA17-318B_suspicious_addresses_list.csv | 34.7 K | 22 Nov 2017 - 18:34 | BartOtten | HIDDEN COBRA |
| TA17-318B_suspicious_entities.csv | 12.1 K | 22 Nov 2017 - 18:34 | BartOtten | HIDDEN COBRA |
Topic revision: r2 - 22 Nov 2017, BartOtten