What is an IoC?
An indicator of compromise (IoC) is a forensic term for evidence on a device or network that points to a security breach. This data is gathered after a suspicious incident, a security event, or unexpected outbound connections ("call-outs") from the network.
Common examples of IoCs include IP addresses, domain names, file hashes, URLs, and others.
What is an event?
In the context of this product, an event is a grouping of indicators of compromise (IoCs) that are related to each other according to some criterion. The specific criterion used for these groupings may vary, and is defined by the event creator. For example, the Axur Research Team (ART) may create an event grouping all IoCs related to a malware campaign.
What can I do with IoCs?
Checking them regularly is a critical practice for strengthening cybersecurity and preventing potential attacks. By using IoCs, one can build smarter tools that identify and isolate suspicious files or activities that may pose a threat.
They serve as important pieces of information for information security and IT teams to detect malicious activity on the network at an early stage, allowing them to stop potential attacks before they compromise the entire network.
Adding them to security controls such as firewalls and intrusion detection systems also helps prevent future attacks. IoCs can be integrated with many tools and platforms, such as MISP, SIEMs, SOAR, and XDR, among others.
IoCs can and should be used not only in cybersecurity but also in anti-fraud processes. To that end, non-technical IoCs, such as a Social Security Number (SSN), for example, can be very useful.
How can Axur help with IoCs?
You can engage the ART team for help with integrations and/or investigations by requesting an investigation.
What are IoC tags?
Labels that are used to help categorize IoCs. Right now, these tags are only added by IoC creators, and cannot be edited by users of the platform.
What are IoC types?
Categories of IoCs, such as IP addresses, domain names, file hashes, and URLs.
What are the sources used to create the IoC feed?
The Axur IoC feed is automatically populated through the bulletins created within the Cyber Threat Intel (CTI) environment. Our platform integrates intelligence from multiple open and proprietary sources, carefully curated by the Axur Research Team (ART).
In addition to internal bulletins, we use automated collectors that extract IoCs from various specialized threat intelligence sources, including public malware repositories, ransomware campaigns, and malicious URLs.
How to configure MISP?
Import Indicators of Compromise (IoCs) from Axur's Threat Intelligence platform into your MISP instance.
MISP does not have stable native support for consuming data directly from TAXII 2.x servers.
To integrate the IoCs provided by Axur via the STIX/TAXII API, we recommend using a custom script to periodically collect and import the data.
Prerequisites
Python 3.7+
Access to a MISP instance
Axur TAXII API token
Download the file axur_ioc_misp_importer.py.
Installation
# Install required packages
pip install pymisp taxii2-client
# Permissions
chmod +x axur_ioc_misp_importer.py
Usage
Basic Import (All IOCs)
python3 axur_ioc_misp_importer.py \
--misp-url https://your-misp.local \
--misp-key YOUR_MISP_API_KEY \
--axur-token YOUR_AXUR_TOKEN
Import Last 7 Days Only
python3 axur_ioc_misp_importer.py \
--misp-url https://your-misp.local \
--misp-key YOUR_MISP_API_KEY \
--axur-token YOUR_AXUR_TOKEN \
--days-back 7
Import with Limit
python3 axur_ioc_misp_importer.py \
--misp-url https://your-misp.local \
--misp-key YOUR_MISP_API_KEY \
--axur-token YOUR_AXUR_TOKEN \
--limit 1000
Custom Confidence Threshold
python3 axur_ioc_misp_importer.py \
--misp-url https://your-misp.local \
--misp-key YOUR_MISP_API_KEY \
--axur-token YOUR_AXUR_TOKEN \
--confidence 70
Automated Imports (Cron)
Add to crontab for daily imports:
# Edit crontab
crontab -e
# Add: Import daily at 2 AM, last 24 hours only
0 2 * * * /usr/bin/python3 /path/to/axur_ioc_misp_importer.py --misp-url https://misp.local --misp-key KEY --axur-token TOKEN --days-back 1
Supported IOC Types
IP addresses (IPv4/IPv6)
Domain names
URLs
File hashes (MD5, SHA1, SHA256)
Email addresses
Configuration
Edit the script to customize:
DEFAULT_TAGS: Tags applied to all imported events
DEFAULT_CONFIDENCE_THRESHOLD: Confidence threshold that decides whether an imported attribute gets the IDS (to_ids) flag
IOC_TYPE_MAPPING: MISP attribute types and categories
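The page does not show the contents of axur_ioc_misp_importer.py, so the following is an added example (not Axur's script) of the mapping step such an importer performs: it reads the object paths out of a STIX 2.1 indicator pattern, looks them up in an IOC_TYPE_MAPPING like the one named above, and sets the IDS flag only when the indicator's confidence meets DEFAULT_CONFIDENCE_THRESHOLD. The mapping values, tags and threshold are assumed placeholders, the indicators are constructed, and the TAXII fetch (taxii2-client) and MISP upload (pymisp) are left out so it runs offline.

```python
import re

# Constructed configuration mirroring the three settings the page says the
# importer exposes (assumed values, not Axur's actual script).
DEFAULT_TAGS = ["source:axur", "tlp:amber"]
DEFAULT_CONFIDENCE_THRESHOLD = 50
IOC_TYPE_MAPPING = {  # STIX object path -> (MISP attribute type, MISP category)
    "ipv4-addr:value": ("ip-dst", "Network activity"),
    "ipv6-addr:value": ("ip-dst", "Network activity"),
    "domain-name:value": ("domain", "Network activity"),
    "url:value": ("url", "Network activity"),
    "email-addr:value": ("email-src", "Payload delivery"),
    "file:hashes.MD5": ("md5", "Payload delivery"),
    "file:hashes.'SHA-1'": ("sha1", "Payload delivery"),
    "file:hashes.'SHA-256'": ("sha256", "Payload delivery"),
}
# One "<object-path> = '<value>'" comparison inside a STIX pattern; the value
# may contain backslash-escaped single quotes.
_COMPARISON = re.compile(r"([\w\-]+:[\w.'\-]+)\s*=\s*'((?:[^'\\]|\\.)*)'")

def indicator_to_attributes(indicator, threshold=DEFAULT_CONFIDENCE_THRESHOLD):
    """Map one STIX 2.1 Indicator object to MISP attribute dicts.
    Comparisons whose object path is not in IOC_TYPE_MAPPING are skipped, and
    to_ids is set only when the indicator's confidence meets the threshold."""
    confidence = indicator.get("confidence", 0)
    attrs = []
    for path, value in _COMPARISON.findall(indicator.get("pattern", "")):
        if path not in IOC_TYPE_MAPPING:
            continue  # e.g. process:name or windows-registry-key:key
        misp_type, category = IOC_TYPE_MAPPING[path]
        attrs.append({"type": misp_type, "category": category,
                      "value": value.replace("\\'", "'"),
                      "to_ids": confidence >= threshold,
                      "comment": indicator.get("name", "")})
    return attrs

def build_misp_event(indicators, info, threshold=DEFAULT_CONFIDENCE_THRESHOLD):
    """Group a batch of indicators into one MISP event body carrying DEFAULT_TAGS."""
    attrs = [a for i in indicators for a in indicator_to_attributes(i, threshold)]
    return {"info": info, "Tag": [{"name": t} for t in DEFAULT_TAGS], "Attribute": attrs}

if __name__ == "__main__":
    sample = [  # constructed indicators, not real feed data
        {"name": "phishing host", "confidence": 80,
         "pattern": "[domain-name:value = 'login.example.test' OR ipv4-addr:value = '203.0.113.7']"},
        {"name": "dropper", "confidence": 30,
         "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "' AND process:name = 'x.exe']"},
    ]
    event = build_misp_event(sample, "Axur IoC import (sample)")
    print(len(event["Attribute"]), "attributes,", [a["to_ids"] for a in event["Attribute"]])
```

In a real run the dict returned by build_misp_event would be handed to pymisp's event-creation call after the indicators are fetched from the TAXII collection; the unmapped process:name comparison in the second sample is dropped rather than imported as the wrong type.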
If you have any questions, feel free to reach out at [email protected] 😊