FalconFriday — Using public intelligence feeds to improve detections — 0xFF22

Today, we will look at how to incorporate public datasets to improve our detections. We will create Microsoft Sentinel watchlists, build analytics rules around them and then automatically update these watchlists, so that the rules stay current with minimal effort.

For this, we will use a publicly available dataset that attempts to keep track of known C2 servers.

Now, to manage your expectations: the data we will be using is gathered on a best-effort basis and is by no means complete. There will be C2 frameworks that this feed does not detect at all, as well as individual servers that are hidden well enough that they never show up. A miss against this feed is therefore not evidence that a connection is benign; it only means the feed has nothing to say about it.
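To make the watchlist-plus-rule idea concrete, here is an added example (not code from the FalconForce post or its GitHub repository) that normalises a C2-server feed into a watchlist-style CSV and then matches outbound connection logs against it. The feed columns (`ip,port,c2_framework,first_seen`), the `SearchKey` column name, the `src dst port` log format and all IP addresses are assumptions constructed for the example; the real feed used in the article is not reproduced here.

```python
"""Added example: turn a C2 feed into a watchlist CSV and match logs against it.

Assumptions (not from the post): the feed is CSV with columns
ip,port,c2_framework,first_seen; logs are whitespace-separated
'src_ip dst_ip dst_port' lines. Both inputs below are constructed samples.
"""
import csv
import io
from collections import defaultdict

# Constructed sample feed in the assumed shape (documentation-range IPs).
FEED_CSV = """ip,port,c2_framework,first_seen
203.0.113.10,443,CobaltStrike,2023-01-05
203.0.113.10,80,CobaltStrike,2023-01-05
198.51.100.7,8443,Sliver,2023-02-11
bad-row-without-port
"""

# Constructed sample outbound-connection log lines: src_ip dst_ip dst_port.
LOG_LINES = [
    "10.0.0.5 203.0.113.10 443",     # exact ip:port hit
    "10.0.0.5 203.0.113.10 8080",    # same ip, different port (lower confidence)
    "10.0.0.9 198.51.100.7 8443",    # exact ip:port hit
    "10.0.0.9 93.184.216.34 443",    # not in the feed: says nothing about it
]


def parse_feed(text):
    """Return {(ip, port): framework} from the feed CSV, skipping malformed rows."""
    lookup = {}
    for row in csv.DictReader(io.StringIO(text)):
        try:
            port = int(row["port"])
        except (KeyError, TypeError, ValueError):
            continue  # best-effort feeds contain junk rows; drop, don't crash
        lookup[(row["ip"].strip(), port)] = row["c2_framework"].strip()
    return lookup


def to_watchlist_csv(lookup):
    """Emit a watchlist CSV with an 'ip:port' search key (assumed column name)."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["SearchKey", "ip", "port", "c2_framework"])
    for (ip, port), framework in sorted(lookup.items()):
        writer.writerow([f"{ip}:{port}", ip, port, framework])
    return out.getvalue()


def match_logs(lines, lookup):
    """Return (exact, weak) hits as (src, dst, port, framework) tuples.

    Matching on ip AND port mirrors a watchlist join on the search key and
    limits false positives from shared hosting; ip-only matches are reported
    separately so an analyst can triage them at lower confidence. A miss is
    NOT a clean verdict: the feed is best-effort and incomplete.
    """
    by_ip = defaultdict(set)
    for (ip, _port), framework in lookup.items():
        by_ip[ip].add(framework)
    exact, weak = [], []
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        src, dst, port = parts[0], parts[1], int(parts[2])
        if (dst, port) in lookup:
            exact.append((src, dst, port, lookup[(dst, port)]))
        elif dst in by_ip:
            weak.append((src, dst, port, ",".join(sorted(by_ip[dst]))))
    return exact, weak


if __name__ == "__main__":
    feed = parse_feed(FEED_CSV)
    print(to_watchlist_csv(feed))
    hits, maybes = match_logs(LOG_LINES, feed)
    for h in hits:
        print("C2 hit     :", h)
    for m in maybes:
        print("ip-only hit:", m)
```

In a real deployment the `parse_feed` step runs on a schedule, the output of `to_watchlist_csv` is uploaded as the watchlist, and the matching logic lives in the analytics rule as a join on the search key; the Python matcher here only shows what that join has to do with the data, including the ip-only case you have to decide how to treat.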

Cross-post from medium.com; please read the full article here:

https://medium.com/falconforce/falconfriday-using-public-intelligence-feeds-to-improve-detections-0xff22-69b8eaccfae3

Direct link to our GitHub page:

https://github.com/FalconForceTeam/FalconFriday