Security Operations Intelligence Investigations
Leverage SecOps Intel for Greater Insights
Security Operations Intelligence provides insight into whether a system has been compromised by helping teams investigate potentially malicious indicators. This information helps you decide how to triage an incident and whether to escalate it to incident response (IR).
If your organization finds malicious indicators through Intelligence Search, further investigation can build a case for the IR team to hunt for those indicators in historical logs. The same indicators can be shared with security engineers to update firewall rules and block the attack proactively.

How Do These Investigations Work?
- The ZeroFox platform collects data from thousands of sources of known malicious indicators, including Command and Control (C2) domains and IP addresses, malware and ransomware file hashes, botnet host machines, and compromised account credentials. ZeroFox also collects thousands of Indicators of Compromise (IoCs) each day via our Global Disruption Network (GDN), which are saved when ZeroFox customers request takedowns of malicious domains that are flagged by the platform.
- Create queries based on indicators seen in alerts from the ZeroFox platform and your SIEM, EDR, or other detection tools and save relevant IoCs into Investigations that can be shared with others on your team.
- If desired, export the results as CSV so they can be ingested into other tools, such as a TIP, SOAR, or SIEM, for further analysis and processing to complete the investigation.

How This Intelligence Enhances Digital Risk Protection
Security Operations Intelligence can help organizations understand how to triage an incident related to a potentially malicious domain, and whether escalation to IR is necessary. With domain protection, the ZeroFox platform identifies potentially malicious websites that may lead to multi-channel attacks, phishing campaigns, compromised credentials, fraud and scams, and major damage to a brand’s reputation.
Features and Benefits Include:
- Faster decision-making: Quickly understand whether an alert should be escalated based on known malicious indicators.
- Quarantine botnet-infected hosts: Discover “zombie” machines in your network that are operating as part of a botnet and quarantine them to prevent further damage.
- A single comprehensive interface: Collect and correlate disparate threat data in one place.

When to Use Security Operations Intelligence
Data Source: Indicators, Compromised Credentials
Insights: Identify a known malicious IP address and find compromised account credentials in a recent botnet breach log.
Outcomes: Add the malicious IP addresses to firewall block rules, reset the passwords of the compromised accounts, and enroll those accounts in multi-factor authentication (MFA).
Data Source: Indicators
Insights: The IP address has indicator results less than 30 days old, so action is warranted.
Outcomes:
- If the indicator is a phishing site that a user in the network has communicated with, have the user change their password and block the IP and the related domain at the firewall.
- If the indicator is a botnet-infected host, review logs to determine whether it is participating in a DDoS or another common bot-driven attack.
- If the indicator is associated with command and control (C2) infrastructure and a host in the network is communicating with it, quarantine that host and escalate to IR.
Data Source: Compromised credentials, Botnet compromised credentials
Insights: A compromised email account is confirmed.
Outcomes:
- If the compromised email account has a distinctive-looking password, pivot on that password to find other accounts that reuse it. Password reuse is the human behavior that makes credential stuffing work; here the same behavior is used to pivot toward additional details about the actor's identity.
- This may eventually lead to an email address that includes a real name.
- You can also pivot from the email address to social accounts registered with it and check whether any PII leaked there could identify the person of interest.
Data Source: Indicators, Botnet Compromised Credentials
Insights: You find that a host in your network is compromised.
Outcomes: Quarantine the host and escalate to DFIR.
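The decision rules in this section (act only on indicators seen within 30 days, quarantine and escalate on C2 contact, reset and block on phishing, review logs on botnet hosts) and the CSV export described under "How Do These Investigations Work?" can be expressed as a small triage script. The following is an added example written for this page, not ZeroFox code and not the platform's export format: the record fields (ioc_type, value, last_seen, seen_internally), the CSV column layout and the sample results are all constructed assumptions.

```python
"""Added example: triage intelligence lookup results and export a blocklist.

Not ZeroFox code. The record fields, the CSV layout and the sample
indicators below are assumptions constructed for illustration.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

RECENCY_DAYS = 30  # the page's "results newer than 30 days" threshold


@dataclass(frozen=True)
class IndicatorResult:
    ioc_type: str           # assumed values: "c2", "phishing", "botnet_host"
    value: str              # IP address or domain
    last_seen: date         # most recent sighting reported by the intel source
    seen_internally: bool   # did a host in our network communicate with it?


def is_recent(result, today, window_days=RECENCY_DAYS):
    """True if the indicator was seen within the recency window."""
    return (today - result.last_seen) <= timedelta(days=window_days)


def triage(result, today):
    """Map one lookup result to (action, escalate_to_ir, block).

    Stale indicators are monitored only; C2 with internal contact means
    quarantine and escalation; phishing means a password reset (if a user
    contacted it) plus blocking IP and domain; botnet hosts need log
    review before any further action.
    """
    if not is_recent(result, today):
        return ("monitor: last seen more than %d days ago" % RECENCY_DAYS, False, False)
    if result.ioc_type == "c2":
        if result.seen_internally:
            return ("quarantine communicating host and escalate to IR", True, True)
        return ("block at firewall", False, True)
    if result.ioc_type == "phishing":
        if result.seen_internally:
            return ("reset the user's password; block IP and related domain", False, True)
        return ("block IP and related domain", False, True)
    if result.ioc_type == "botnet_host":
        return ("review logs for DDoS or other bot-driven activity", False, False)
    return ("unknown indicator type: review manually", False, False)


def export_blocklist_csv(results, today):
    """Return CSV text of recent indicators that should be blocked.

    Newest sighting first; deduplicated by indicator value so one IP or
    domain does not yield two firewall rules. Column layout is assumed.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["indicator", "type", "last_seen", "action"])
    seen = set()
    for r in sorted(results, key=lambda r: r.last_seen, reverse=True):
        action, _, block = triage(r, today)
        if block and r.value not in seen:
            seen.add(r.value)
            writer.writerow([r.value, r.ioc_type, r.last_seen.isoformat(), action])
    return buf.getvalue()


# Constructed sample results (documentation-range addresses, not real IoCs)
# and a fixed "today" so the output is reproducible.
TODAY = date(2024, 6, 1)
SAMPLE_RESULTS = [
    IndicatorResult("c2", "203.0.113.10", date(2024, 5, 28), True),
    IndicatorResult("phishing", "login-example.test", date(2024, 5, 20), False),
    IndicatorResult("phishing", "login-example.test", date(2024, 5, 25), False),  # duplicate
    IndicatorResult("botnet_host", "198.51.100.7", date(2024, 5, 30), False),
    IndicatorResult("c2", "192.0.2.44", date(2024, 1, 5), True),  # stale: older than 30 days
]

if __name__ == "__main__":
    for r in SAMPLE_RESULTS:
        print(r.value, "->", triage(r, TODAY)[0])
    print(export_blocklist_csv(SAMPLE_RESULTS, TODAY))
```

Note that the stale C2 entry is excluded from the blocklist even though a host talked to it: the page's rule keys on recency, so an older sighting is a monitoring item rather than an automatic block, and the botnet host never reaches the blocklist because the page prescribes log review first.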
What's Next? ZeroFox Intelligence Solutions
Threat Intelligence Search
- Anytime access
- Augment alerts in the ZeroFox platform
- Add context to alerts from your SIEM, XDR, etc.
- Access a wide range of Global Finished Intelligence
- Save your findings as an Investigation & share with other stakeholders

Enhance Your DRP Security with Threat Intel Search and On Demand Investigation Credits
- Intelligence Search - Self Service: Gain anytime access to our threat data lake to perform your own investigations.
- On Demand Investigations - Full Service: Our expert team is ready when needed to produce finished intelligence to support more complex assessments and investigations.
With ZeroFox Intelligence, you can quickly and completely answer any questions your security team, or leadership, needs assistance with.

