Endpoint Telemetry without Threat Intelligence #1635
Replies: 1 comment
-
There is nothing built-in at the moment, but that does not mean you could not use something like an Elastalert rule or translate filter for the time being to perform correlation/lookups. I'll be updating the docs soon for more information around MISP, TI integration.
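As an added illustration (not Security Onion's code and not from the reply author): a Python sketch of the hash lookup that a Logstash translate filter or an Elastalert rule would perform, run over constructed Sysmon- and osquery-style endpoint events against a constructed MISP-style indicator set. Field names, sample events and hash values are assumptions and placeholders.

```python
"""Minimal endpoint-hash correlation against a local TI list (illustration only)."""
import json
import re
from typing import Optional

# Constructed indicator set shaped like a MISP hash export: {hash_type: {values}}.
# The values are obvious placeholders, not real malware hashes.
KNOWN_BAD = {
    "sha256": {"d" * 64},
    "md5": {"1" * 32},
}

# Sysmon event ID 1 carries hashes in one string: "MD5=...,SHA256=...,IMPHASH=..."
_SYSMON_HASHES = re.compile(r"(?P<algo>[A-Z0-9]+)=(?P<value>[0-9A-Fa-f]+)")


def extract_hashes(event: dict) -> dict:
    """Return {algo: lowercase hex} for Sysmon-style and flat (osquery/Wazuh-style) events."""
    found = {}
    hashes = event.get("hashes")
    if isinstance(hashes, str):  # Sysmon combined "ALGO=value,..." string
        for m in _SYSMON_HASHES.finditer(hashes):
            found[m.group("algo").lower()] = m.group("value").lower()
    for key in ("sha256", "md5", "sha1"):  # assumed flat field names
        if key in event:
            found[key] = str(event[key]).lower()
    return found


def correlate(event: dict) -> Optional[dict]:
    """Return an alert dict if any hash in the event is in KNOWN_BAD, else None.
    Lookup is case-insensitive: Sysmon emits uppercase hex, MISP exports are usually lowercase,
    which is a common reason a naive exact-match translate filter silently never fires."""
    for algo, value in extract_hashes(event).items():
        if value in KNOWN_BAD.get(algo, ()):
            return {"rule": "ti-hash-match", "algo": algo, "hash": value,
                    "host": event.get("host"), "image": event.get("image")}
    return None


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"host": "ws01", "image": "C:\\Temp\\dropper.exe",
     "hashes": "MD5=" + "1" * 32 + ",SHA256=" + "D" * 64 + ",IMPHASH=" + "0" * 32},
    {"host": "ws02", "image": "C:\\Windows\\notepad.exe", "sha256": "a" * 64},
]


def run(events=SAMPLE_EVENTS) -> list:
    """Correlate every event and keep only the ones that produced an alert."""
    return [alert for alert in map(correlate, events) if alert]


if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert))
```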
-
Hi,
SO supports MISP integration for NIDS alerts. I wonder, when endpoint logs (Wazuh, Sysmon, osquery) contain file hashes and process information, how SO can alert when a known malicious file hash is reported to SO. Without threat intelligence, will there be any alert?
The case is a malicious file is executed on an endpoint but no network traffic is generated because of network-level filtering (a firewall rule, for example). In this case, even though the host has malware, there will be no alert due to the absence of threat intelligence and a correlation mechanism. Will this be the case?
Thanks,