Environment
Question
Why are cbfeeds better than creating a watchlist for a list of hashes, ips or domains?
Answer
- IOC-based feeds (as opposed to query-based feeds) run at ingress, so they have a better chance of alerting you faster than a watchlist, which runs every 10 minutes
- Copying and pasting a list of IOCs has a high probability of capturing line feeds (%A0) after each entry. This can cause Solr to search across every field type for each entry, especially when a field prefix such as md5: is not in front of each value
- Overall management: it is much easier to add, update and delete a feed with a large list of IOCs than a watchlist
- A score can be added to each individual report, making alerts easier to take action on by severity
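The following is an added example, not code from the original article or from Carbon Black. It shows the two practical points above: cleaning a pasted IOC list (stray whitespace, non-breaking spaces, CRLF endings) so that every value is typed explicitly rather than searched as a bare string, and packaging the result as a feed in which each report carries its own score. The JSON field names (feedinfo, reports, iocs with md5/ipv4/dns keys) follow the cbfeeds layout as I recall it; treat the exact schema as an assumption and check it against the cbfeeds documentation before loading the output. The IOC values themselves are constructed samples.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample: a pasted IOC list with trailing spaces, a non-breaking
# space (U+00A0), CRLF line endings, a blank line and one junk line.
PASTED_IOCS = (
    "d41d8cd98f00b204e9800998ecf8427e\u00a0\r\n"
    "198.51.100.23 \n"
    "Malicious.example\r\n"
    "\n"
    "not an ioc at all\n"
)

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
IPV4_RE = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"
)
DNS_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)


def classify_iocs(text):
    """Split pasted text into lines, strip ordinary and non-breaking
    whitespace, and bucket each value by type so it is never submitted
    as an untyped search term. Returns (buckets, rejected)."""
    buckets = {"md5": [], "ipv4": [], "dns": []}
    rejected = []
    for raw in text.splitlines():
        # str.strip() removes U+00A0 at the ends; the replace() also
        # drops any that were pasted into the middle of a value.
        value = raw.strip().replace("\u00a0", "").strip()
        if not value:
            continue
        if MD5_RE.match(value):
            buckets["md5"].append(value.lower())
        elif IPV4_RE.match(value):
            buckets["ipv4"].append(value)
        elif DNS_RE.match(value):
            buckets["dns"].append(value.lower())
        else:
            rejected.append(value)
    return buckets, rejected


def build_feed(feed_name, report_specs):
    """Build a feed document: one report per spec, each with its own
    score. A spec is {"id", "title", "score", "iocs"} where "iocs" is
    the raw pasted text. Raises ValueError on a report with no usable
    IOCs or an out-of-range score (0..100 is assumed here)."""
    now = int(datetime.now(timezone.utc).timestamp())
    reports = []
    for spec in report_specs:
        score = int(spec["score"])
        if not 0 <= score <= 100:
            raise ValueError(f"score out of range for report {spec['id']}")
        buckets, rejected = classify_iocs(spec["iocs"])
        iocs = {k: v for k, v in buckets.items() if v}
        if not iocs:
            raise ValueError(f"no usable IOCs in report {spec['id']}")
        reports.append({
            "id": spec["id"],
            "title": spec["title"],
            "score": score,
            "timestamp": now,
            "link": spec.get("link", ""),
            "iocs": iocs,
            # Not part of the feed schema; kept so an analyst can see
            # which pasted lines were dropped and why.
            "_rejected": rejected,
        })
    return {
        "feedinfo": {
            "name": feed_name,
            "display_name": feed_name,
            "provider_url": "https://example.invalid/feed",  # placeholder
            "summary": "Hand-curated IOC feed built from pasted lists",
            "tech_data": "Constructed example; not for production use",
        },
        "reports": reports,
    }


if __name__ == "__main__":
    feed = build_feed("kb_example_feed", [
        {"id": "report-1", "title": "Pasted IOC batch", "score": 80,
         "iocs": PASTED_IOCS},
    ])
    print(json.dumps(feed, indent=2))
```

Each report's score drives alert severity on its own, so a high-confidence hash batch and a lower-confidence domain batch can live in the same feed without sharing one score. The `_rejected` list is diagnostic only; strip it before publishing if your loader rejects unknown keys.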