Enrichments: Add Threat Intelligence To Any Spreadsheet
We're excited to announce the new Enrichments feature in Gigasheet. Enrichments allow you to add Threat Intelligence to your data right in your Gigasheet.
Before co-founding Gigasheet, I spent more than a decade at Recorded Future where I'd often meet people who had a seemingly simple task: they had a massive list of data points they wanted to enrich with threat intel. Sounds easy enough, right? Unfortunately this was waaay more painful than it should be. Unless you've pre-loaded the data into dedicated monitoring machinery or have sharp coding skills and enough time it is an onerous undertaking.
At Gigasheet, we're passionate about helping security analysts find insights in huge data sets. We knew there should be an easier way, and now there is.
Imagine you have a long list of IPs from a proxy, firewall, or other log file. Let's say you have 22 million of them. You want to know if any of these IPs show up in any of the top free Threat Intelligence feeds. You can do that in Gigasheet in 4 clicks.
Here we take a 22 million row conn.log file from Zeek and enrich the responding host IP addresses against 15 of the top OSINT threat feeds with our free U-235 Enrichment. There’s nothing to set up, configure, or install. You can follow the same steps to enrich data with GEOIP, Grey Noise, and Recorded Future!
Before Gigasheet, these were the typical approaches we saw in the industry.
Splunk or SIEM
If you have access to Splunk or a SIEM, you may be able to analyze this gigantic list of 22 million IPs. Most SIEMs are tightly managed for cost and compliance reasons, so be sure to get signoff from all the proper authorities along the way. Once you have the approvals, configure and set up each of the 15 Threat Intelligence feeds. If you have intelligence from a premium provider, you’ll likely need to download and install their app or integration. Now that you finally have everything set up, you’ll need to load the file. Be sure to configure the ingest with the proper format or template. Next do cross-lookup or correlation on threat intel feeds. To synthesize the results, you’ll likely want to do some kind of tally or scoring to determine how “bad” an IP address is. Godspeed!
Unfortunately this process is rarely straightforward. Many SOC leaders would be less than happy to have you load a huge list of IPs ad-hoc, even more threat intel, and then just "poke around." So this approach isn't ideal if it's a one-off file analysis.
Write a script
If you're not using Gigasheet, this is probably your best bet. With some coding skills you can write a small program that will fetch the data from each of the 15 services and vendor APIs. Even if you possess these skills, few people actually do this because it’s time consuming and error prone. Don’t forget to test and debug, and remove any miscellaneous header information from each of the feeds. Heck, if you're daring, you could even write a script for Excel or Google Sheets, but you'll still be limited to around 1 million rows at best. So you’ll need to replicate this 22 times.
Most information security folks have some command line and coding capabilities, but most are not data scientists. If you can do this, congratulations! You should definitely ask for a raise.
Try a TIP (or better, don't)
TIPs (Threat Intelligence Platforms) typically allow users to correlate multiple paid and free threat feeds, set up some rules, and then pipe the resulting data to Splunk or a SIEM (they do a lot of other stuff too which I won't get into here). Some TIPs allow you to correlate your own log data. The effort it takes to install and configure these systems to work properly isn't worth the effort for a one-off analysis. If you have a dedicated threat intel team, that's a different story, but for most organizations the juice ain't worth the squeeze.
Give Gigasheet a try for yourself. We'd love your feedback. You can request access to our private beta on our home page.