New CVEs found alert for assets
21 July 2024
After some elaborate restructuring of data and indexes it is finally here: CVE alerts.
There is a new index called cves_assets which keeps track of CVEs found per asset.
As you know, an asset is either a host (IP address) or a URL (website or certificate). Any software found on an asset that has a version number is checked for CVEs, and the results are stored in the cves_assets index. You can use the following query to create alerts for High and Critical CVEs:
index=cves_assets cvss_score>=7 first_seen>-24h
Of course, there's also a template alert for this available in the alerts library.
Restructuring indexes
09 July 2024
Although it might not look like it yet, there is a lot going on. Alerts on newly found CVEs, a feature requested by several of you, require quite some restructuring of indexes before they can be built. That restructuring has been done now. The new indexes are being filled, and work on the final step is underway.
More restructuring is underway in the IP address context data. The new version is way more efficient and will allow more features, but requires some major code refactoring. I'll keep you posted.
New IP info endpoint
10 June 2024
If you collect threat intelligence from communities or OSINT, you will be familiar with false positives: unroutable IP addresses, common DNS servers, and rapidly changing cloud IP addresses listed as evil IoCs for long periods. A lot of the information needed to properly detect and score such IoCs is available, so why not expose it? That is what the new ip info endpoint is about.
This is still quite new and in development, but I'm hoping to do more with it. This means adding more useful information to the ip info endpoint to support more use cases, and maybe at some point even plugins/apps/connectors for common Threat Intelligence Platforms and SIEMs.
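As an added illustration of the false-positive classes named above (not the ip info endpoint's own code), this Python triage filter flags IP IoCs that fall in unroutable space, are well-known public resolvers, or sit in a caller-supplied list of cloud prefixes; the cloud prefix and all feed values in the test are constructed.

```python
import ipaddress

# Well-known public resolvers that regularly show up in threat feeds
# as false positives (the "common DNS servers" case).
COMMON_RESOLVERS = {
    "8.8.8.8", "8.8.4.4",           # Google Public DNS
    "1.1.1.1", "1.0.0.1",           # Cloudflare
    "9.9.9.9", "149.112.112.112",   # Quad9
    "208.67.222.222", "208.67.220.220",  # OpenDNS
}


def ioc_ip_warning(value, cloud_prefixes=()):
    """Return a reason string if an IP IoC is a likely false positive, else None.

    cloud_prefixes: iterable of CIDR strings for rapidly reassigned cloud
    ranges; in real use this comes from the providers' published lists.
    """
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return "not an IP address"
    if not ip.is_global:
        # Private, loopback, link-local, multicast, documentation and other
        # reserved space is never routable attacker infrastructure.
        return "unroutable address"
    if str(ip) in COMMON_RESOLVERS:
        return "shared public DNS resolver"
    if any(ip in ipaddress.ip_network(p) for p in cloud_prefixes):
        return "rapidly reassigned cloud address"
    return None


def triage_iocs(values, cloud_prefixes=()):
    """Split a feed into (keep, drop); each drop carries its reason."""
    keep, drop = [], []
    for v in values:
        reason = ioc_ip_warning(v, cloud_prefixes)
        if reason:
            drop.append((v, reason))
        else:
            keep.append(v)
    return keep, drop
```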