Adding IOCs to Redline

Threat intelligence can also be utilized with Redline. Redline allows searching for IOCs through a collector, or IOCs can be loaded and searched in an existing memory capture. For example, if analysts would like to search for matching IOCs in a memory image, they would first open the memory image:

  1. In the lower-left corner, click on the IOC Reports tab. This will create a new button titled Create a New IOC Report.

The following window will appear:

Redline has the ability to ingest IOCs within the OpenIOC format. Analysts should create a folder on their system where the IOC files can be placed, as Redline will not read a single file but all IOC files within the folder.

  2. Click on Browse and navigate to the IOC folder. Redline then loads the IOCs and displays summary information about each one:

  3. Clicking on OK runs the IOCs against the memory capture. Depending on the number of IOC files and the size of the memory image, this could take several minutes. Once completed, the IOC Report will be listed under the Analysis Data section. Any hits on the IOCs will be listed there:
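To make the folder-based ingestion concrete, the following added example (not code from the book or from Redline) writes a constructed OpenIOC file into a folder, loads every `.ioc` file in that folder, and runs the indicator terms over a constructed stand-in for a memory capture's file listing. The element names follow the OpenIOC 1.0 schema as I know it (namespace `http://schemas.mandiant.com/2010/ioc`); the functions `write_ioc_folder`, `load_ioc_folder`, `run_iocs` and `demo`, the sample hash, file names and IDs are all assumptions made for this example, and only the OR operator of the top-level Indicator is honoured.

```python
"""Added example: build a folder of OpenIOC 1.0 files, load all of them the way
Redline reads a folder, and match their terms against constructed file records.
Not Redline code; element names follow the OpenIOC 1.0 schema as recalled."""
import glob
import os
import tempfile
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed sample IOC. The id values, hash and file name are placeholders,
# not real indicators. The XML declaration must be the first bytes of the file.
SAMPLE_IOC = """<?xml version="1.0" encoding="utf-8"?>
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="00000000-0000-0000-0000-000000000001" last-modified="2024-01-01T00:00:00">
  <short_description>Example dropper (constructed)</short_description>
  <authored_by>analyst</authored_by>
  <definition>
    <Indicator operator="OR" id="00000000-0000-0000-0000-000000000002">
      <IndicatorItem id="00000000-0000-0000-0000-000000000003" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">00000000000000000000000000000000</Content>
      </IndicatorItem>
      <IndicatorItem id="00000000-0000-0000-0000-000000000004" condition="is">
        <Context document="FileItem" search="FileItem/FileName" type="mir"/>
        <Content type="string">example_dropper.exe</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
"""


def write_ioc_folder(folder):
    """Place the constructed IOC in `folder`; Redline reads a folder, not a single file."""
    os.makedirs(folder, exist_ok=True)
    path = os.path.join(folder, "example.ioc")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_IOC)
    return path


def load_ioc_folder(folder):
    """Parse every *.ioc file in `folder` into {id, description, terms}.

    Each term is (search path, condition, value), e.g. ("FileItem/Md5sum", "is", "...").
    """
    loaded = []
    for path in sorted(glob.glob(os.path.join(folder, "*.ioc"))):
        root = ET.parse(path).getroot()
        desc = root.findtext("ioc:short_description", default="", namespaces=NS)
        terms = []
        for item in root.iterfind(".//ioc:IndicatorItem", NS):
            ctx = item.find("ioc:Context", NS)
            content = item.find("ioc:Content", NS)
            terms.append((ctx.get("search"), item.get("condition"), content.text.strip()))
        loaded.append({"id": root.get("id"), "description": desc, "terms": terms})
    return loaded


# Constructed stand-in for the file listing Redline would extract from a memory capture.
CAPTURE_FILES = [
    {"FileItem/FileName": "notepad.exe", "FileItem/Md5sum": "11111111111111111111111111111111"},
    {"FileItem/FileName": "example_dropper.exe", "FileItem/Md5sum": "22222222222222222222222222222222"},
]


def run_iocs(iocs, records):
    """Return (ioc id, description, record, matched search path) for every record
    satisfying any term of an IOC. Terms are treated as OR-joined; nested AND
    Indicators are not evaluated in this simplified matcher."""
    hits = []
    for ioc in iocs:
        for rec in records:
            for search, condition, value in ioc["terms"]:
                observed = rec.get(search)
                if observed is None:
                    continue
                matched = (condition == "is" and observed.lower() == value.lower()) or \
                          (condition == "contains" and value.lower() in observed.lower())
                if matched:
                    hits.append((ioc["id"], ioc["description"], rec, search))
                    break  # one hit per record per IOC is enough for an OR indicator
    return hits


def demo():
    """Write the sample folder, load it, and run it over the constructed capture."""
    with tempfile.TemporaryDirectory() as folder:
        write_ioc_folder(folder)
        iocs = load_ioc_folder(folder)
        return run_iocs(iocs, CAPTURE_FILES)


if __name__ == "__main__":
    for ioc_id, desc, rec, search in demo():
        print(f"HIT {desc} ({ioc_id}) on {search}: {rec}")
```

Because Redline reads every file in the folder, the same loop shape applies when several IOC files from different intelligence sources are dropped into one directory; keeping unrelated or outdated IOCs out of that folder avoids noisy hits in the resulting IOC Report.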

Next, we will look at two integrated tools called Yara and Loki.
