AMA: How to Track Professional Associations, Security Forums, and Threat Intel Sources

[Deleted User]
edited March 11 in Security Operations

"Is there an integration that brings in assets related to this query? What is the data model for the assets that support this query?"

Find (professional_association|security_forum|threat_intel_source)

-- Bob

Comments

  • Hi Bob. There is no out-of-the-box integration for this data at this moment. We do have plans to add threat intel sources later. The data referenced are added via custom scripts. Examples are on our GitHub repo.

    The suggested data model is as follows:

    Entities:

    _type: 'professional_association'
    _class: 'Organization'

    _type: 'security_forum'
    _class: 'Channel' or 'Feed' or 'Website'

    _type: 'threat_intel_source'
    _class: 'Channel' or 'Feed' or 'Subscription'

    Relationships:

    `professional_association` HAS `employee` (someone is a member)
    `Person` or `Team` SUBSCRIBES (to) `security_forum | threat_intel_source`


    For example, if members of the security team have CISSP certs and are part of the (ISC)2 organization, this can be captured in YAML as such:

    - entityKey: org:isc2
      entityType: professional_association
      entityClass: Organization
      properties:
        name: ISC2
        displayName: (ISC)2, Inc.
        description: >
          The World's Leading Cybersecurity Professional Organization
        website: https://www.isc2.org
        members:
          - [email protected]
          - [email protected]


    Using the CLI, this can be easily pushed into your J1 account. In the above example, there is a mapping rule in place to automatically create the relationship between the organization and any Person entity with an email address matching those in the members property. You can of course create the Organization entity in the Asset Inventory app via the UI as well.

    Thanks for the question.

    See the original post on the JupiterOne blog.
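The following is an added example, not part of the answer above and not JupiterOne's own tooling: a small pre-flight check for custom entity files following the suggested data model. It validates each entity's `entityType`/`entityClass` pair against the allowed classes listed in the answer, and it emulates the described mapping rule by resolving `members` e-mail addresses to Person entities (case-insensitively) to produce the `professional_association` HAS Person relationships. The `subscribers` property, the Person and Team records, the e-mail addresses and the threat intel feed are all constructed for the example; the real mapping rule runs inside the platform, so this only shows what relationships a push would imply and which member addresses would not match anything.

```python
"""Validate custom entity definitions against the data model suggested
in the answer above and derive the relationships they imply.
Added illustration; validation rules and the relationship builder are
assumptions, not JupiterOne's own implementation."""
from typing import Dict, List, Tuple

# Allowed (_type -> _class) pairs, taken from the suggested data model.
ALLOWED_CLASSES = {
    "professional_association": {"Organization"},
    "security_forum": {"Channel", "Feed", "Website"},
    "threat_intel_source": {"Channel", "Feed", "Subscription"},
}

# Constructed sample data, equivalent to the YAML in the answer. The member
# e-mail addresses, the intel feed and the `subscribers` property are assumptions.
ENTITIES: List[Dict] = [
    {
        "entityKey": "org:isc2",
        "entityType": "professional_association",
        "entityClass": "Organization",
        "properties": {
            "name": "ISC2",
            "displayName": "(ISC)2, Inc.",
            "description": "The World's Leading Cybersecurity Professional Organization",
            "website": "https://www.isc2.org",
            # carol has no Person entity yet, so she will be reported as unmatched
            "members": ["alice@example.com", "bob@example.com", "carol@example.com"],
        },
    },
    {
        "entityKey": "feed:example-intel",
        "entityType": "threat_intel_source",
        "entityClass": "Feed",
        "properties": {
            "name": "Example Intel Feed",
            "subscribers": ["team:secops", "bob@example.com"],
        },
    },
]

# Constructed Person/Team records standing in for entities that an HR or
# identity-provider integration would already have created in the graph.
PEOPLE = [
    {"entityKey": "person:alice", "email": "alice@example.com"},
    {"entityKey": "person:bob", "email": "Bob@Example.com"},  # mixed case on purpose
]
TEAMS = [{"entityKey": "team:secops"}]


def validate_entity(entity: Dict) -> List[str]:
    """Return a list of problems; an empty list means the entity conforms."""
    problems = []
    for key in ("entityKey", "entityType", "entityClass", "properties"):
        if key not in entity:
            problems.append(f"missing {key}")
    if problems:
        return problems
    etype, eclass = entity["entityType"], entity["entityClass"]
    if etype not in ALLOWED_CLASSES:
        problems.append(f"unknown entityType {etype!r}")
    elif eclass not in ALLOWED_CLASSES[etype]:
        problems.append(f"entityClass {eclass!r} not allowed for {etype!r}")
    props = entity["properties"]
    if "name" not in props:
        problems.append("properties.name is required")
    for email in props.get("members", []):
        if "@" not in email:
            problems.append(f"member {email!r} is not an e-mail address")
    return problems


def build_relationships(entities: List[Dict], people: List[Dict],
                        teams: List[Dict]) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Emulate the mapping rule: `professional_association` HAS each Person whose
    e-mail is in `members`; Person or Team SUBSCRIBES each forum/intel source
    listing them in `subscribers`. Returns (sorted relationships, unmatched refs)."""
    person_by_email = {p["email"].lower(): p["entityKey"] for p in people}
    team_keys = {t["entityKey"] for t in teams}
    rels, unmatched = [], []
    for e in entities:
        props = e["properties"]
        if e["entityType"] == "professional_association":
            for email in props.get("members", []):
                key = person_by_email.get(email.lower())
                if key is None:
                    unmatched.append(email)   # nothing to link to: no relationship
                else:
                    rels.append((e["entityKey"], "HAS", key))
        elif e["entityType"] in ("security_forum", "threat_intel_source"):
            for sub in props.get("subscribers", []):
                key = sub if sub in team_keys else person_by_email.get(sub.lower())
                if key is None:
                    unmatched.append(sub)
                else:
                    rels.append((key, "SUBSCRIBES", e["entityKey"]))
    return sorted(rels), unmatched


if __name__ == "__main__":
    for ent in ENTITIES:
        print(ent["entityKey"], validate_entity(ent) or "ok")
    relationships, missing = build_relationships(ENTITIES, PEOPLE, TEAMS)
    for src, verb, dst in relationships:
        print(f"{src} -{verb}-> {dst}")
    print("unmatched:", missing)
```

Running a check like this before pushing keeps a typo in `entityClass` (say, `Organisation` for a `security_forum`) from landing in the graph, and the unmatched list tells you which members still need a Person entity before the mapping rule can link them.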