Configure exposure#
The intelligence value of exposed entities may be leveraged to initiate or to drive follow-up actions. For example, triggering a detection event in a malware detection application downstream in the system; or a prevention event such as creating a firewall rule; or a community event such as sending a notification message to inform other parties about the possible threat the entity represents. Exposed entities hold intelligence value that is not consumed.
The EclecticIQ Intelligence Center tracks entity types that match defined exposure criteria to assess if the organization is leveraging the intelligence value of the tracked entities. This is achieved by routing the data to detection or prevention systems, or by sharing the information through outgoing feeds or published intelligence reports.
Note
Sightings are indicators of exposure, they record observations of potentially malicious objects within the organization.
To define exposure criteria, do the following:
To modify exposure behavior, click the Settings tab, then click Edit exposure settings.
In the Entity types field, from the drop-down menu select one or more entity types to include in the exposure configuration.
To remove a selection, go to the item(s) you want to remove, and click the cross icon x.
In the Entity age field, enter an integer value. The Intelligence Center will track for exposure only entities that are not older than the number of days specified.
Click Save.
To configure exposure for outgoing feeds, do the following:
In the Exposure view click the the Outgoing feeds
Caution
An unused outgoing feed, or a wrongly mapped outgoing feed, may be flagged as exposed.
Map each outgoing feed to the purpose they serve in a risk mitigation context.
For example, if you are publishing an outgoing feed to an external detection system the outgoing feed data is used to detect potential threats.
For each outgoing feed, the following options are available:
Detect: the outgoing feed publishes content to an external detection system.
This approach is described as reactive de-risking, feed data is used to detect potential threats that have infiltrated your organization.
Prevent: the outgoing feed publishes content to an external prevention system.
This approach is described as proactive de-risking, feed data is used to prevent potential threats from attacking your organization.
Community: the outgoing feed publishes content to an external information distribution system.
This approach is described as knowledge sharing, the feed is used to share CTI with other parties within or outside the organization.
N.A.: the outgoing feed does not publish to any external system.