AMA: How to Track Professional Associations, Security Forums, and Threat Intel Sources

AMA is an ongoing series published each Thursday, highlighting questions the community has asked in our support and how-to channels on Slack. If you haven't already done so, please join us on Slack.
 

"Is there an integration that brings in assets related to this query? What is the data model for the assets that support this query?"

Find (professional_association|security_forum|threat_intel_source)

--Question from Bob on the J1 Community Slack

 

Answer from the JupiterOne Team

Hi Bob. There is no out-of-the-box integration for this data at this moment. We do have plans to add threat intel sources later. The data referenced are added via custom scripts. Examples are on our GitHub repo.

The suggested data model is as follows:

Entities:

_type: 'professional_association'
_class: 'Organization'

_type: 'security_forum'
_class: 'Channel' or 'Feed' or 'Website'

_type: 'threat_intel_source'
_class: 'Channel' or 'Feed' or 'Subscription'

Relationships:

`professional_association` HAS `employee` (someone is a member)
`Person` or `Team` SUBSCRIBES (to) `security_forum | threat_intel_source`

 

For example, if members of the security team have CISSP certs and are part of the (ISC)2 organization, this can be captured in YAML as such:

- entityKey: org:isc2
  entityType: professional_association
  entityClass: Organization
  properties:
    name: ISC2
    displayName: (ISC)2, Inc.
    description: >
      The World's Leading Cybersecurity Professional Organization
    website: https://www.isc2.org
    members:
      - jon.smith@yourcompany.com
      - employee.two@yourcompany.com

 

Using the CLI, this can be easily pushed into your J1 account. In the above example, there is a mapping rule in place to automatically create the relationship between the organization and any Person entity with an email address matching those in the members property. You can of course create the Organization entity in the Asset Inventory app via the UI as well.

Thanks for the question.
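
Before pushing definitions like the one above, it can help to check them against the suggested data model and preview which members would be linked. The following is an added example, not JupiterOne's code: the function names, the dict form of the YAML, the list of Person emails, and the assumption that the mapping rule compares email strings exactly are all hypothetical.

```python
# Allowed _class values per _type, copied from the suggested data model above.
DATA_MODEL = {
    "professional_association": {"Organization"},
    "security_forum": {"Channel", "Feed", "Website"},
    "threat_intel_source": {"Channel", "Feed", "Subscription"},
}

def validate_entity(entity):
    """Return a list of problems; an empty list means the entity fits the model."""
    problems = [f"missing {f}" for f in ("entityKey", "entityType", "entityClass")
                if not entity.get(f)]
    etype, eclass = entity.get("entityType"), entity.get("entityClass")
    if etype and etype not in DATA_MODEL:
        problems.append(f"unknown entityType {etype!r}")
    elif etype and eclass:
        classes = [eclass] if isinstance(eclass, str) else list(eclass)
        for c in classes:
            if c not in DATA_MODEL[etype]:
                problems.append(f"class {c!r} not allowed for {etype}")
    return problems

def preview_members(entity, person_emails):
    """Split the members property into exact matches, near misses and unknowns."""
    exact = set(person_emails)  # assumption: the mapping rule matches exactly
    normalized = {e.strip().lower() for e in person_emails}
    result = {"has": [], "near_miss": [], "unknown": []}
    for member in entity.get("properties", {}).get("members", []):
        if member in exact:
            result["has"].append((entity["entityKey"], "HAS", member))
        elif member.strip().lower() in normalized:
            result["near_miss"].append(member)  # differs only by case/whitespace
        else:
            result["unknown"].append(member)
    return result

# Constructed sample data: the (ISC)2 entity from the YAML above as a dict,
# plus a hypothetical list of Person emails already present in the account.
ISC2 = {
    "entityKey": "org:isc2",
    "entityType": "professional_association",
    "entityClass": "Organization",
    "properties": {"name": "ISC2", "members": [
        "jon.smith@yourcompany.com", "employee.two@yourcompany.com"]},
}
PERSON_EMAILS = ["jon.smith@yourcompany.com", "Employee.Two@yourcompany.com"]

if __name__ == "__main__":
    print(validate_entity(ISC2))
    print(preview_members(ISC2, PERSON_EMAILS))
```

Members reported under `near_miss` or `unknown` are the ones to correct before the push, since they would not line up with a Person entity under the exact-match assumption.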


Posted By JupiterOne Team

The JupiterOne Team is a diverse set of engineers and developers who are working on the next generation of cyber asset visibility and monitoring.
