A Threat Feed Hit/Artifact dashboard would be a very useful tool

When assessing the operation and usefulness of Threat Feeds it would be very helpful to have some kind of 'dashboard' that would indicate the status and effectiveness of Threat Feeds - both built-in and custom.

Such a dashboard should provide data on the volumes of Artifacts queried per Threat Source, ideally in time buckets and available as on-screen tables/graphs and for download as CSV and/or Excel. The proportion of queries resulting in Hits should be available. The figure for the total number of Artifacts and Incidents with Artifacts should be available, to provide a baseline for the proportion of Incidents having Artifacts and the distribution of Artifacts per Incident.

These figures should be available per Threat Feed and in aggregate.  Pie charts would be a nice feature!

A further refinement would be to break down Hits into first-time and refresh hits.  This would allow users to explore how effective the refresh feature for Threat Feeds is in practice.

The parameters for the refresh of Artifacts across Threat Feeds should be available and ideally modifiable on the dashboard.

If it were possible to filter on Active/Closed Incident status for most of the above that would be well worthwhile also.

I am sure a dashboard with these features would enable users to make better use of Artifacts and the Threat Feeds that they enable or create.

  • Guest
  • Jan 24 2020
  • Future consideration