Skip to content
/ ioc-matching Public
generated from databricks-industry-solutions/industry-solutions-blueprints

IOC matching for incident responders, threat hunters, detection engineers, and security engineers.

License

View license
14 stars 6 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

databricks-industry-solutions/ioc-matching

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

30 Commits
.github/workflows
.github/workflows
 
 
.gitignore
.gitignore
 
 
00_config.py
00_config.py
 
 
01_setup_test_data.py
01_setup_test_data.py
 
 
02_ioc_matching.py
02_ioc_matching.py
 
 
03_dlt_ioc_matching.sql
03_dlt_ioc_matching.sql
 
 
04_dlt_summary_table.sql
04_dlt_summary_table.sql
 
 
05_insert_new_data.py
05_insert_new_data.py
 
 
06_verify_dlt.py
06_verify_dlt.py
 
 
07_multicloud.py
07_multicloud.py
 
 
08_handling_ioc_updates.sql
08_handling_ioc_updates.sql
 
 
09_dlt_ioc_matching_historical.sql
09_dlt_ioc_matching_historical.sql
 
 
10_discoverx_ioc_search.py
10_discoverx_ioc_search.py
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
LICENSE
LICENSE
 
 
NOTICE
NOTICE
 
 
README.md
README.md
 
 
RUNME.py
RUNME.py
 
 
SECURITY.md
SECURITY.md
 
 

Repository files navigation

DBR CLOUD POC

Indicator-of-Compromise (IOC) Matching

Contact Author: cybersecurity@databricks.com

Use Cases

  • Schema-agnostic IOC matching scan: During an incident response (IR) engagement, an analyst or incident responder might want to perform an ad hoc scan of all the data (logs, telemetry, etc.) in a security lakehouse for a given list of atomic Indicators-of-Compromise (IOCs) without the need to have deep understanding of the table schemas. The 02_ioc_matching notebook addresses this use case.
  • Continuous IOC matching: The approach in the 02_ioc_matching notebook can be easily adapted to perform incremental or continuous IOC matching using Delta Live Tables (DLT). An example is given in the 03_dlt_ioc_matching notebook.
  • Ad hoc historical IOC search: Historical IOC search at interactive speeds can be done using summary tables constructed using DLT. An example is given in the 04_dlt_summary_table notebook. The 06_verify_dlt notebook provides a series of steps to verify the DLT capabilities.
  • Multi-cloud/region federated query: Log ingestion and IOC matching can happen in each cloud or region without incurring egress costs. Hunting and triage of IOC hits can use federated queries from a single workspace to get results back from the workspaces in each cloud or region. The 07_multicloud notebook demonstrates the use of multi-cloud and multi-region federated queries.
  • Fully-automated continuous IOC matching with continuous IOC updates: The streaming IOC matching approach in the 03_dlt_ioc_matching notebook and the summary table approach in the 04_dlt_summary_table notebook can be combined and extended to fully automate the IOC matching process even when the curated set of IOCs are constantly updated. In particular, when a new IOC is added, not only should newly ingested log data be matched against the new IOC, but the historical data needs to be matched against the new IOC. The 08_handling_ioc_updates notebook demonstrates these concepts.

Running this solution accelerator

  • The main entry point is the 02_ioc_matching.py notebook.
  • The entry point for the multi-cloud use case is the 07_multicloud.py notebook.
  • The entry point for the continuous IOC matching with continuous IOC updates use case is 08_handling_ioc_updates.sql notebook.

About

IOC matching for incident responders, threat hunters, detection engineers, and security engineers.

Topics

incident-response forensics cybersecurity threat-hunting dlt indicators-of-compromise databricks-industry-solutions detection-e

Resources

Readme

License

View license

Security policy

Security policy
Activity
Custom properties

Stars

14 stars

Watchers

1 watching

Forks

6 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 5

Languages