Bring Your Own Threat Intel (BYOTI)
detectors byoti threat intelligence
The Bring Your Own Threat Intel Detector enables you to integrate Threat Intel indicator lists and generate alerts when those indicators are found in normalized telemetry. The following indicator types are accepted:
- IP Address
- Domain
- URL
- Filehash (SHA1, SHA256, MD5)
At least one of the following Threat Intel integrations are required for these alerts to be generated:
Note
The Preview release is limited to 10,000 active indicators per tenant. When indicators reach the limit, the oldest indicators are deleted to remain under the limit.
Important
Alerts generated by the BYOTI Detector are considered a type of custom alert and are not triaged by Secureworks. For more information, see How are custom rules supported in ManagedXDR.
Inputs ⫘
Telemetry normalized into XDR schemas
Outputs ⫘
Alerts pushed to the Secureworks® Taegis™ XDR Alert Database and XDR Dashboard. Alerts are grouped by agent/sensor ID and indicator.
"detector_id":"app:detect:byoti",
"detector_name":"Bring Your Own Threat Intelligence"
MITRE ATT&CK Category ⫘
Not applicable at this time
FAQ ⫘
Is there a strategy for what Threat Intel indicators should be ingested into XDR? ⫘
The BYOTI Detector generates alerts when an indicator is found in normalized telemetry. Therefore, to avoid noise and false positives, it is important to only load trusted indicators that have been through some level of validation and that need to be alerted upon.
Good indicator feeds should be based on first-hand observations, be recent and not stale, be high fidelity and not false-positive prone, and have appropriate context to act on any alerts. Recent observations of known command-and-control domains or IPs where attempted connections to these indicators would uncover a compromised host are an example of good indicators to alert on.
Important
Do NOT include SSH/FTP/HTTP or other external Internet scanners. This activity is expected to be occurring against external-facing infrastructure and alerting upon this activity is extremely noisy.
Why does an indicator shown as malicious by a third party not show up in CTU’s Threat Intelligence? ⫘
CTU focuses on being a primary source of malicious indicators based on their own observations and telemetry. CTU validates and curates all of their indicators to ensure XDR finds the balance between identifying threat actor activity and generating noise for customers. CTU does add, process, and validate some trusted third-party indicators to their intelligence feeds, but does not pass wholesale feeds of crowdsourced indicators into their intelligence, as these indicators are often lacking context and hard to validate.