FalconFriday — Using public intelligence feeds to improve detections — 0xFF22

Today, we will look at how to incorporate public datasets to improve our detections. We will create Sentinel watchlists, build analytic rules around them, and then automatically refresh those watchlists so that the rules stay current with minimal effort.
For this, we will use a publicly available dataset that attempts to keep track of known C2 servers.
To manage your expectations: the data we will be using is gathered on a best-effort basis and is by no means complete. Some C2 frameworks are not covered by this feed at all, and implementations that are hidden well enough will not show up either, so the absence of a hit is not evidence that a host is clean.
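As an added example, not code from the FalconFriday post or its GitHub repository, the following Python sketch shows the feed-to-watchlist pipeline described above: parse the public feed, drop rows that would only produce noise (malformed addresses, RFC 1918 and other non-routable ranges, bad ports), dedupe, emit the CSV a Sentinel watchlist imports, compute what changed since the last refresh, and run the match logic over sample events. The feed layout (CSV with `ip`, `port`, `framework` columns), the watchlist alias `C2Servers`, and the sample feed and events are all assumptions constructed for illustration; the upload to Sentinel itself (watchlist API or Logic App) is out of scope.

```python
"""Normalise a public C2 feed into a Sentinel watchlist and match events against it."""
import csv
import io
import ipaddress
from dataclasses import dataclass

# Constructed sample feed (not a real dataset). Assumed layout: CSV with
# comment lines starting with '#' and the columns ip,port,framework.
SAMPLE_FEED = """\
# constructed C2 feed snapshot
ip,port,framework
198.51.100.23,443,CobaltStrike
198.51.100.23,443,CobaltStrike
10.0.0.5,8080,Sliver
not-an-ip,443,Mythic
fe80::1,443,Sliver
203.0.113.77,99999,Sliver
2001:db8::10,8443,Mythic
203.0.113.9,50050,CobaltStrike
"""

# Ranges that must never become an indicator: an RFC 1918 or loopback entry
# in the feed would fire on ordinary internal traffic. The IPv4 TEST-NET
# ranges used by the sample are deliberately not excluded here, which is why
# this list is used instead of ipaddress.is_global.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "fc00::/7", "fe80::/10",
)]


@dataclass(frozen=True)
class C2Entry:
    ip: str
    port: int
    framework: str


def usable_indicator(addr):
    """True if the address is publicly routable and worth alerting on."""
    if addr.is_multicast or addr.is_unspecified or addr.is_loopback or addr.is_reserved:
        return False
    return not any(addr in net for net in _NON_ROUTABLE)


def parse_feed(text):
    """Parse the feed, drop malformed/internal rows, dedupe, return sorted entries."""
    rows = [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]
    entries = set()
    for row in csv.DictReader(rows):
        try:
            addr = ipaddress.ip_address(row["ip"].strip())
            port = int(row["port"])
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # malformed row: skip rather than poison the watchlist
        if not usable_indicator(addr) or not 0 < port < 65536:
            continue
        framework = (row.get("framework") or "").strip() or "unknown"
        entries.add(C2Entry(str(addr), port, framework))
    return sorted(entries, key=lambda e: (e.ip, e.port))


def to_watchlist_csv(entries):
    """Render the CSV Sentinel imports; SearchKey is the column watchlist joins use."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["SearchKey", "Port", "Framework"])
    for e in entries:
        writer.writerow([e.ip, e.port, e.framework])
    return buf.getvalue()


def diff_indicators(previous_ips, entries):
    """Indicators to add and to retire when refreshing the watchlist."""
    current = {e.ip for e in entries}
    return current - set(previous_ips), set(previous_ips) - current


# Constructed connection events. In Sentinel the equivalent match would be roughly
# (alias 'C2Servers' assumed):
#   let c2 = _GetWatchlist('C2Servers') | project SearchKey, Port;
#   CommonSecurityLog | join kind=inner c2 on $left.DestinationIP == $right.SearchKey
SAMPLE_EVENTS = [
    {"src": "192.168.1.20", "dst": "198.51.100.23", "dport": 443},
    {"src": "192.168.1.21", "dst": "203.0.113.200", "dport": 443},
    {"src": "192.168.1.22", "dst": "203.0.113.9", "dport": 443},
]


def match_events(events, entries):
    """Match on destination IP and record whether the port matched as well.

    A port mismatch deserves separate triage: it may be a second listener on
    the same C2 host, or a shared host where only one service is malicious.
    """
    ports_by_ip = {}
    for e in entries:
        ports_by_ip.setdefault(e.ip, set()).add(e.port)
    hits = []
    for ev in events:
        ports = ports_by_ip.get(ev["dst"])
        if ports is not None:
            hits.append({**ev, "port_match": ev["dport"] in ports})
    return hits


if __name__ == "__main__":
    found = parse_feed(SAMPLE_FEED)
    print(to_watchlist_csv(found))
    for hit in match_events(SAMPLE_EVENTS, found):
        print(hit)
```

In a scheduled refresh, `diff_indicators` is what keeps the update cheap: only the added and retired entries need to be pushed, and the retired set is also what stops stale indicators from generating alerts months after a server was re-assigned.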
Cross-post from medium.com; please read the full article here:
Direct link to our GitHub page: