Watchlists/IOC Monitoring Flashcards
IOC Watchlists
IOC monitoring is an important part of security operations and can help alert security analysts to malicious activity by monitoring for the presence of any precursors or indicators of compromise across the environment. Watchlists are typically created in either the SIEM or EDR platform (or both).
This allows Threat Exposure Checks (TECs) to be conducted continuously without a need for a human threat intelligence analyst to perform the searches themselves, freeing them up to work on more important tasks.
Let’s go through an example to demonstrate how this capability could be utilized within a Security Operations Center:
Example – Malicious IP Watchlist
A Threat Intelligence Analyst is given a list of IP addresses that have been acting maliciously (used for command-and-control, scanning, hosting malware, etc.). The Analyst decides to create a watchlist within their SIEM platform to generate an alert whenever one of these IP addresses is observed as either the Source or Destination IP of an event.
This alert fires when an employee clicks a malicious link in a phishing email, taking them to a web server hosted on one of the monitored IPs that is used to distribute malware. A Security Analyst opens the alert, determines what happened, and takes action to protect the user.
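The matching logic behind that SIEM rule, as an added example written for these notes (it is not code from the original page or from any SIEM product): a watchlist feed is loaded into a set of validated IP addresses, each log event is checked on both its source and destination fields, and an alert is produced for any hit. All IP addresses, user names and log lines are constructed for illustration; the "malicious" IPs are RFC 5737 documentation addresses, not real indicators.

```python
# Added example (not from the original page): a minimal src/dst IP watchlist matcher
# of the kind a SIEM correlation rule implements. All IPs, users and log lines are
# constructed for illustration; the "malicious" IPs are RFC 5737 documentation
# addresses, not real indicators.
import ipaddress
import re

# Constructed watchlist feed, as a threat intelligence analyst might hand it over:
# one entry per line, trailing comments, one malformed entry and one duplicate.
WATCHLIST_FEED = """\
# hypothetical malicious IPs
198.51.100.23    # command-and-control
203.0.113.77     # web server distributing malware
192.0.2.200      # scanner
not-an-ip        # malformed entry: must be rejected, never silently matched
203.0.113.77     # duplicate: collapsed by the set
"""

# Constructed proxy-style log lines: timestamp, then tab-separated key=value fields.
SAMPLE_LOGS = [
    "2024-05-01T09:12:01Z\tuser=alice\tsrc=10.0.0.15\tdst=192.0.2.10\turl=http://example.com/",
    "2024-05-01T09:12:44Z\tuser=alice\tsrc=10.0.0.15\tdst=203.0.113.77\turl=http://203.0.113.77/invoice.exe",
    "2024-05-01T09:13:02Z\tuser=bob\tsrc=198.51.100.23\tdst=10.0.0.40\turl=-",
    "2024-05-01T09:13:30Z\tuser=carol\tsrc=10.0.0.21\tdst=-\turl=-",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def load_watchlist(feed):
    """Parse a feed into a set of ip_address objects.

    Comments and blank lines are skipped; entries that do not parse as an IP are
    returned separately so the analyst can see what was rejected instead of the
    rule quietly never matching them.
    """
    watchlist = set()
    rejected = []
    for raw in feed.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            watchlist.add(ipaddress.ip_address(entry))
        except ValueError:
            rejected.append(entry)
    return watchlist, rejected


def parse_log(line):
    """Turn one key=value log line into a dict; the leading token is the timestamp."""
    event = dict(FIELD_RE.findall(line))
    event["ts"] = line.split("\t", 1)[0]
    return event


def check_event(event, watchlist):
    """Return an alert dict if src or dst is on the watchlist, otherwise None.

    Both directions are checked: a watchlisted *source* catches inbound scanning
    or C2 traffic, a watchlisted *destination* catches the outbound fetch from a
    malware-hosting server described in the example above.
    """
    matches = []
    for field in ("src", "dst"):
        value = event.get(field)
        if value is None:
            continue
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            continue  # unparsable field (e.g. "-"): skip it rather than crash the rule
        if ip in watchlist:
            matches.append((field, str(ip)))
    if not matches:
        return None
    return {
        "ts": event["ts"],
        "user": event.get("user", "-"),
        "matches": matches,
        "url": event.get("url", "-"),
    }


def run_watchlist(lines, watchlist):
    """Apply the watchlist to every log line and collect the alerts in order."""
    alerts = []
    for line in lines:
        alert = check_event(parse_log(line), watchlist)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    wl, bad = load_watchlist(WATCHLIST_FEED)
    print(f"loaded {len(wl)} IOCs, rejected {bad}")
    for a in run_watchlist(SAMPLE_LOGS, wl):
        print(f"ALERT {a['ts']} user={a['user']} matches={a['matches']} url={a['url']}")
```

Two points worth carrying into a real SIEM rule: keep the feed validation, because a malformed entry in a watchlist fails silently (it simply never matches) unless something reports it; and include the IOC's context (which IP, which field, the URL) in the alert, since a plain IP hit on shared hosting or a stale indicator is a common source of false positives and the analyst needs that context to triage quickly.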