Bulk searching

Everything included

Often security data is messy and can include other things not relevant to our intended outcome. A great example of this is a threat report from a trusted colleague, consultant, or a trust group like an ISAC. Typically, the relevant IoCs would be stripped/copied from the report and placed into categories such as hashes, network indicators, & other attributes to be enriched elsewhere. Then each IoC is searched individually or by type to see if any of these IoCs (or any variants there of) have ever been observed in your environment. Can we do this better? You bet...

In this example we will use the Decrypted: Akira Ransomware report from Avast.

If we visit the link for the report, we find a well documented report of this ransomware variant that is estimated to be a 7 minute read. There is quite a bit there but we are mainly interested in the IoCs they shared and instead of copying and pasting each or a handful of indicators we are simply going to copy the whole page... (control + A)

Rather than extracting out the IoCs we care about, we are going to paste the entire page contents into the search bar and see what happens.

Stairwell parses out all the relevant indicators for you and performs a bulk search on every file in your environment (in our case 0.09 seconds)

This is exactly the same match we saw in the first screen and we didn't need to do any parsing, defanging, regexing, or data clean up to perform what should be a simple search. It's almost silly its so easy and intuitive. Try it for yourself and see if it saves you some time and frustration.