Collection Management
High level diagram
TODO
Source documentation
Internal data
All currently fetched via Splunk
- Okta logon activity
- Zoom meetings
- Recently seen FQDNs from Cisco Umbrella
- Recently seen IPs from Carbonblack
- Recently seen process executions from Santa
- Jamf host + app inventories
- TheHive alerts
- Jira SECHD + IT tickets
- OpenCTI (recently updated IOCs)
- GitHub repositories + their dependencies
External sources
These are fetched on a schedule
- AbuseIPDB IP addresses
- Cloudflare + Cisco Top 1 million domain lists
- VirusTotal data (file metadata)
- VirusTotal Livehunt alerts
- Cloudflare BGP hijacking events
- Abuse.ch ThreatFox IOCs
- RSS feeds (50+), scraped for IOCs with iocparser.com
- URLscan Phishlist
- Rekt.news and Slowmist Hacked articles
- ZeroFox Alerts
Enrichment sources
- Spur.us for IP addresses
- VirusTotal for IPs/files/domains
- Cisco Umbrella for pDNS and WHOIS
- IPInfo + Maxmind for GeoIP
- Shodan for IP services
- Censys for IP services (still being improved)
Backlogged sources
- Internal: Proofpoint email metadata
- Internal: Workday data
- External: sandbox submissions to Hatching Triage