[Intelmq-users] Updating datastores

Chris Horsley chris.horsley at csirtfoundry.com
Fri Sep 14 03:28:05 CEST 2018


Expiring indicators needs some careful thought in my experience.

There are some threat intelligence platforms which have a well-integrated way to do this using a relevancy half-life time per feed or indicator. If the half-life you set for a feed is one month, it starts at 100% relevancy, after one month it's 50%, after two months it's 25% etc.

Over time, indicators get a less relevant score, but are not deleted by default. Sometimes, you might want to do a search for all indicators over all time (e.g. you're coming up with the complete history for an ASN / registrar / URL pattern). Other times, you might want to only export IP addresses with a time relevancy score over 70% to your network appliance to keep the list small and useful.

The trick is that different types of indicators from different feeds probably need different expiry windows. There might also be different use cases for the same data where you want to filter based on timeliness / relevancy.

Chris

> On 12 Sep 2018, at 8:15 pm, L. Aaron Kaplan <kaplan at cert.at> wrote:
> 
> Signed PGP part
> 
>> On 12 Sep 2018, at 10:23, Sebastian Wagner <wagner at cert.at> wrote:
>> 
>> Hi,
>> 
>> How do IOCs expire?
>> 
> 
> Well I can imagine a scenario where you fetch for example IP addresses via intelMQ
> from a blacklist and you want to expire them at some point (to be defined by the blacklist and/or the user of intelmq).
> 
> So, I do see a use-case here.
> 
> 
>> Sebastian
>> 
>> On 12/09/2018 03.22, joanna at scate.tech wrote:
>>> Hi,
>>> 
>>> Is there a way of updating outputs such as databases when IOCs expire?
>>> Don't want to spend time re-inventing the wheel.
>>> 
>>> Thanks.
>> 
>> --
>> // Sebastian Wagner <wagner at cert.at> - T: +43 1 5056416 7201
>> // CERT Austria - https://www.cert.at/
>> // An initiative of nic.at GmbH - https://www.nic.at/
>> // Company register number 172568b, LG Salzburg
>> 
>> 
>> --
>> List settings:
>> https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-users
> 
> 
> --
> // L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
> // CERT Austria - https://www.cert.at/
> // An initiative of nic.at GmbH - http://www.nic.at/
> // Company register number 172568b, LG Salzburg

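The half-life relevancy scheme Chris describes (100% at ingest, 50% after one half-life, 25% after two, nothing deleted, export filtered by a threshold), worked through as an added example. This is not IntelMQ code or code from anyone on the thread; the feed names, half-lives and sample indicators are constructed, and `time.source` is used as the timestamp field.

```python
"""Half-life relevancy scoring for indicators (added example, not IntelMQ)."""
from datetime import datetime, timedelta, timezone

# Assumed per-feed half-lives in days: each feed or indicator type gets its
# own expiry window, as the thread points out. Values are constructed.
HALF_LIFE_DAYS = {
    "blocklist-a": 30,    # one month: 100% -> 50% -> 25% -> ...
    "phishing-urls": 7,   # short-lived indicators decay much faster
}
DEFAULT_HALF_LIFE_DAYS = 30


def relevancy(age_days: float, half_life_days: float) -> float:
    """Relevancy in (0, 1]: halves every half_life_days, never reaches 0."""
    if age_days < 0:
        age_days = 0.0  # a future/clock-skewed timestamp counts as brand new
    return 0.5 ** (age_days / half_life_days)


def score_indicators(indicators, now):
    """Attach a relevancy score to every indicator; nothing is deleted."""
    scored = []
    for ioc in indicators:
        half_life = HALF_LIFE_DAYS.get(ioc["feed"], DEFAULT_HALF_LIFE_DAYS)
        age_days = (now - ioc["time.source"]).total_seconds() / 86400
        scored.append({**ioc, "relevancy": relevancy(age_days, half_life)})
    return scored


def export_for_appliance(scored, threshold=0.7):
    """Only indicators still above the threshold go to the network device."""
    return sorted(i["value"] for i in scored if i["relevancy"] >= threshold)


# Constructed sample: ages chosen to fall on both sides of the 70% line.
NOW = datetime(2018, 9, 14, tzinfo=timezone.utc)
SAMPLE = [
    {"feed": "blocklist-a", "value": "192.0.2.10",
     "time.source": NOW - timedelta(days=10)},   # ~79%: exported
    {"feed": "blocklist-a", "value": "192.0.2.20",
     "time.source": NOW - timedelta(days=30)},   # 50%: kept, not exported
    {"feed": "phishing-urls", "value": "198.51.100.5",
     "time.source": NOW - timedelta(days=3)},    # ~74%: exported
]

if __name__ == "__main__":
    scored = score_indicators(SAMPLE, NOW)
    for ioc in scored:
        print(f"{ioc['value']:15} {ioc['feed']:14} {ioc['relevancy']:.0%}")
    print("export:", export_for_appliance(scored))
```

The full table (all indicators with their scores) answers the "complete history" use case, while `export_for_appliance` answers the "small and useful" one from the same data.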