Netica CTI - Speed Up Investigation
Athena CTI is a plugin for Elasticsearch. It maps & tags every IP address and DNS hostname in the Packetbeat or Logstash pipeline, before the data is written to Elasticsearch.
Aggregated & Validated - Athena CTI's data is aggregated from our proprietary research and open sources. It is updated periodically, normalised to one format and applied to each IP address and DNS hostname on the fly.
Passive DNS - Resolved DNS hostname(s) from your network
IP Enrichment - IP Whois Organisation, IP Scope & Geo Location
Reputation - Known Good & Known Bad
- Tags historical DNS resolution(s) for every IP address on the fly.
- Showing exactly where a certain domain led in the past in your network.
- Without Passive DNS - it's very difficult to know which DNS hostname(s) pointed to an IP address, especially at the time of the infection.
- With Passive DNS - it's easy to spot network traffic that has no associated DNS hostname (e.g. HTTP browsing by IP address).
- Fully automatic - no more manual reverse lookup of IP addresses, one by one.
- IP scope - Private IP addresses, Broadcast addresses & Link-local Addresses are pre-defined.
- IP geo location - Resolved for every Internet IP address on the fly, if applicable.
- IP whois organisation - Resolved for every Internet IP address on the fly, if applicable.
- Fully automatic - no more manual lookup for each IP address, one by one.
Reputation - IP & DNS hostnames
- Tags Known Good and/or Known Bad for each IP address and DNS hostname on the fly.
- Known Good - you may stop investigating if an IP address or DNS hostname is known good.
- Known Bad - much faster identification of an incident.
- Risk Scores - more known good or more known bad.
A working CTI
- (Example - Known Good) IP Address: 188.8.131.52
- IP Geo Location: US
- IP Whois Organisation: Google LLC
- DNS Hostname: www.youtube.com., android.l.google.com., ...
- Reputation Whitelist (Known Good): "key": "www.youtube.com.", "date": "2018-09-13", "score": 75, "desc": "Top 100K"
- Reputation Blacklist (Known Bad): Nil
- (Example - Known Bad) IP Address: 138.68.52.xx
- IP Geo Location: US
- IP Whois Organisation: DigitalOcean, LLC
- DNS Hostname: Nil
- Reputation Whitelist (Known Good): Nil
- Reputation Blacklist (Known Bad): "key": "138.68.52.xx", "date": "2019-07-22", "score": -100, "desc": "malicious site - shell bot"
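To show how the tagging described above produces records like the two examples, here is an added illustration in Python (not Athena CTI's own code). The feeds, IP addresses, hostnames, organisations and scores are constructed for the example, and the risk score is assumed to be the sum of the matched whitelist and blacklist scores, with the verdict taken from its sign.

```python
import ipaddress

# Constructed sample feeds for this example (not Athena CTI's data): passive DNS
# (IP -> hostnames historically seen resolving to it), IP whois/geo, and the
# whitelist / blacklist keyed by hostname or IP in the record shape shown above.
PASSIVE_DNS = {"203.0.113.10": ["www.example.com.", "static.example.com."]}
GEO_WHOIS = {"203.0.113.10": ("US", "Example Hosting LLC"),
             "203.0.113.77": ("US", "Example Cloud, LLC")}
WHITELIST = {"www.example.com.": {"date": "2024-03-01", "score": 75, "desc": "Top 100K"}}
BLACKLIST = {"203.0.113.77": {"date": "2024-03-09", "score": -100, "desc": "shell bot"}}

# Pre-defined scopes, checked in order; anything that matches none is "internet".
SCOPES = [
    ("broadcast", ["255.255.255.255/32"]),
    ("link-local", ["169.254.0.0/16"]),
    ("private", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
]

def ip_scope(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, nets in SCOPES:
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return name
    return "internet"

def enrich_ip(ip: str) -> dict:
    """Build the tags one IP receives before indexing. Assumed scoring: the risk
    score is the sum of whitelist/blacklist scores matched by the IP and its
    passive-DNS hostnames, and the verdict follows the sign of that score."""
    scope = ip_scope(ip)
    hostnames = PASSIVE_DNS.get(ip, [])
    keys = [ip, *hostnames]
    good = [WHITELIST[k] for k in keys if k in WHITELIST]
    bad = [BLACKLIST[k] for k in keys if k in BLACKLIST]
    risk = sum(e["score"] for e in good + bad)
    # Geo location and whois organisation only apply to Internet addresses.
    geo, org = GEO_WHOIS.get(ip, (None, None)) if scope == "internet" else (None, None)
    return {
        "ip": ip, "scope": scope, "geo": geo, "whois_org": org,
        "dns_hostnames": hostnames, "known_good": good, "known_bad": bad,
        "risk_score": risk,
        "verdict": "known_bad" if risk < 0 else "known_good" if risk > 0 else "unknown",
    }

def enrich_event(event: dict) -> dict:
    """Tag a Packetbeat-style flow record in place: each of source.ip and
    destination.ip that is present gets its CTI tags under `<field>_cti`."""
    for field in ("source.ip", "destination.ip"):
        if field in event:
            event[field + "_cti"] = enrich_ip(event[field])
    return event
```

A private source talking to a blacklisted Internet destination therefore comes out of the pipeline with `source.ip_cti.scope == "private"` and `destination.ip_cti.verdict == "known_bad"`, which is the tag an analyst would filter on first.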