I've created two new Reporter Module reports that will hopefully sort out hits for the RSA FirstWatch APT, Command and Control, Proxy and Fraud IP Threat Source Feeds available in Live.
These reports are of course dependent upon having the subscriptions to the RSA FirstWatch Threat Feeds.
These reports work more efficiently if the threat.source, threat.category and threat.desc Index Keys are set to IndexValues.
The problem these reports address is that viewing Threat Source Feed Descriptions in Investigator can be a little confusing as to who is reporting what. The issue is that Investigator meta is ordered in an unstructured and unsorted way. These reports structure the meta and sorts it according to description, by IP address and by Hostname, making the information a little more understandable.
If you subscribe to these feeds, please install and run these reports. Be on the lookout for any meta that more than two threat sources agree is malicious. There is a link in the reports to email the FirstWatch team feedback, which is appreciated.