Here is my situation. I have a feed from a commercial threat intel provider that matches IPs and domains to threat actors.
I'm in the investigate module, investigating an alert on a dst.ip address that is alerting to a particular threat group, let's say APT1. The source of the event is from the firewall stating that the proxy server is connecting to the dst.ip.
From local knowledge, I know the src.ip is the proxy server. The proxy server is generating logs to NetWitness but there is no connection between the src.ip and hostname of the proxy server. What I mean is that when I click on the alert for APT1, I see the firewall log entry stating that src.ip (proxy) connected to dst.ip (threat IoC) on port 443 but there is no corresponding proxy log either.
What would be a way to join, connect, pivot (whatever the correct term) the proxy log data with the firewall data?
I don't think the proxy log is sending the src.ip, just the hostname or otherwise I'd assume I'd see that connection.
I'm going to assume the correct answer (correct me if I'm wrong) is that I need to generate some common meta between the two to be able to join the two together. If that's the case, would it be with a list in Context Hub, or a custom feed that has the IP and hostname of the proxy server, or maybe some app rules to be able to get that connection?
Hope that makes sense, thanks for the help.
You could do this several ways, a few of which you mention.
A feed will be the simplest, most efficient option and will likely be most useful overall.
I'd also recommend that you do this not just for your proxy server, but for all of your known/important/at-risk entities in your environment (servers, users, business units, facilities, etc.).
The more (accurate) context you have, the better.
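As an added illustration of the feed approach described above (not code from NetWitness or from either poster), the script below keeps a constructed IP-to-hostname feed, enriches firewall events with the proxy's hostname as common meta, and then pivots to the proxy records that share that hostname, the same dst.ip and a short time window, which surfaces the real internal client behind the proxy. The CSV layout, field names and sample events are assumptions for the example, not NetWitness's feed definition or log schema.

```python
import csv
import io
from datetime import datetime, timedelta
# Constructed feed: IP -> hostname/role for known entities (the answer's "feed").
# Illustrative CSV, not NetWitness's own feed-definition format.
FEED_CSV = """ip,hostname,role
10.0.0.5,proxy01,proxy
10.0.0.9,dc01,domain-controller
"""
# Constructed firewall events: src.ip is the proxy, no hostname present.
FIREWALL_EVENTS = [
    {"time": "2024-05-01T10:00:03", "src_ip": "10.0.0.5",
     "dst_ip": "203.0.113.7", "dst_port": 443},
    {"time": "2024-05-01T10:05:00", "src_ip": "10.0.0.9",
     "dst_ip": "203.0.113.7", "dst_port": 443},
]
# Constructed proxy events: hostname only, no src.ip, but the real client IP.
PROXY_EVENTS = [
    {"time": "2024-05-01T10:00:01", "host": "proxy01", "client_ip": "192.168.1.20",
     "dst_ip": "203.0.113.7", "url": "https://bad.example/c2"},
    {"time": "2024-05-01T09:30:00", "host": "proxy01", "client_ip": "192.168.1.21",
     "dst_ip": "198.51.100.4", "url": "https://ok.example/"},
]

def load_feed(text):
    """Index the feed by IP so a lookup yields the hostname and role."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(text))}

def enrich(events, feed):
    """Add the common meta (src_host, src_role) to firewall events from the feed."""
    out = []
    for ev in events:
        ctx = feed.get(ev["src_ip"], {})
        out.append({**ev, "src_host": ctx.get("hostname"), "src_role": ctx.get("role")})
    return out

def correlate(fw_events, proxy_events, feed, window_seconds=30):
    """Pivot from a firewall hit to proxy records sharing hostname, dst_ip and time."""
    matches = []
    for fw in enrich(fw_events, feed):
        if fw["src_host"] is None:
            continue  # no context for this source; nothing to pivot on
        t_fw = datetime.fromisoformat(fw["time"])
        for px in proxy_events:
            if px["host"] != fw["src_host"] or px["dst_ip"] != fw["dst_ip"]:
                continue
            if abs(t_fw - datetime.fromisoformat(px["time"])) <= timedelta(seconds=window_seconds):
                matches.append((fw, px))
    return matches
```

Each match pairs the firewall hit on the threat IoC with the proxy record that names the actual client workstation, which is the pivot the firewall log alone cannot give you.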