Community Defined Threats (CDT)
Community Defined Threats (CDT) is a feature for managing custom threat intelligence. It allows you to define and share lists of indicators of compromise (IOCs), such as malicious domains, IP addresses, or file hashes. You can use these threats to proactively defend your network by creating alerts whenever an asset in your environment interacts with a known bad indicator. You can either create your own threats or subscribe to lists shared by Rapid7 and other community members.
These detection rules are configured to alert once an hour, grouped by indicator, indicator_type, and asset.
To learn more about configuring CDT, read Utilize Existing Threats.
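The following is an added example, not Rapid7's code, showing the matching and grouping behaviour described above: events are checked against a CDT-style indicator list, and an alert is raised at most once per hour per (indicator, indicator_type, asset) tuple. The threat list, event records and field names are constructed for illustration.

```python
"""Added example (not Rapid7's code): match telemetry events against a
CDT-style indicator list and throttle alerts to one per hour, grouped by
(indicator, indicator_type, asset), as the page describes."""
from datetime import datetime, timedelta

# Constructed threat list: indicator_type -> set of indicators.
# Values are placeholders, not real IOCs.
THREAT_LIST = {
    "domain": {"bad.example"},
    "ip": {"203.0.113.7"},
    "hash": {"a" * 64},
}

# Constructed events: (timestamp, asset, indicator_type, observed value)
EVENTS = [
    ("2024-01-01T10:00:00", "host-1", "domain", "bad.example"),
    ("2024-01-01T10:20:00", "host-1", "domain", "bad.example"),  # same hour: grouped
    ("2024-01-01T11:05:00", "host-1", "domain", "bad.example"),  # new hour: new alert
    ("2024-01-01T10:30:00", "host-2", "domain", "bad.example"),  # different asset
    ("2024-01-01T10:30:00", "host-1", "ip", "198.51.100.9"),     # not on the list
    ("2024-01-01T10:40:00", "host-1", "hash", "a" * 64),
]


def match_events(events, threat_list, window=timedelta(hours=1)):
    """Return one alert per (indicator, indicator_type, asset) per window.

    Events that hit an indicator while an alert for the same key is still
    inside its window are folded into that alert's hit count instead of
    producing a second alert.
    """
    open_alert = {}  # key -> (window start, alert dict)
    alerts = []
    for ts, asset, itype, value in sorted(events, key=lambda e: e[0]):
        if value not in threat_list.get(itype, ()):
            continue  # benign: value is not a tracked indicator
        key = (value, itype, asset)
        when = datetime.fromisoformat(ts)
        current = open_alert.get(key)
        if current and when - current[0] < window:
            current[1]["hits"] += 1  # grouped into the existing alert
            continue
        alert = {"asset": asset, "indicator_type": itype,
                 "indicator": value, "first_seen": ts, "hits": 1}
        open_alert[key] = (when, alert)
        alerts.append(alert)
    return alerts
```

Running `match_events(EVENTS, THREAT_LIST)` yields four alerts: the two 10:xx domain hits on host-1 collapse into one alert with two hits, while host-2, the hash hit and the 11:05 hit each get their own.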
User Behavior - Account Visits Suspicious Link (CDT)
Description
A user has accessed a URL link on the tracked threat list.
This detection rule is configured to alert once an hour, grouped by indicator, indicator_type, and asset.
Recommendation
Conduct a thorough review of the endpoint responsible for the network traffic to confirm if the activity is malicious. Should the endpoint be identified as compromised, it must be rebuilt from a known, secure image, and the user’s password must be changed to prevent further access.
MITRE ATT&CK Techniques
- Application Layer Protocol - T1071
User Behavior - Ingress From Community Threat (CDT)
Description
A user has logged onto the network using an IP address that is part of a currently tracked threat.
This detection rule is configured to alert once an hour, grouped by indicator, indicator_type, and asset.
Recommendation
Review the user’s recent authentication history to identify any unusual activity. Validate whether the user’s access from the specific source or public IP address is authorized. If the activity is suspicious, immediately disable the account, require a password reset, and consider implementing multi-factor authentication to better protect against brute-force and phishing attacks.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
User Behavior - Network Access For Tracked Threat List (CDT)
Description
A user has accessed a domain or IP address on the tracked threat list.
This detection rule is configured to alert once an hour, grouped by indicator, indicator_type, and asset.
Recommendation
Conduct a thorough review of the endpoint responsible for the network traffic to confirm if the activity is malicious. Should the endpoint be identified as compromised, it must be rebuilt from a known, secure image, and the user’s password must be changed to prevent further access.
MITRE ATT&CK Techniques
- Application Layer Protocol - T1071
User Behavior - Suspicious Process Hash Discovered (CDT)
Description
An asset has been found with a process hash on the tracked threat list.
This detection rule is configured to alert once an hour, grouped by indicator, indicator_type, and asset.
Recommendation
Determine if the process being launched is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Malware - T1588.001