Work with Threat Reports

Threat reports let you store indicators of compromise -- file hashes, IP addresses, hostnames, and more -- and continuously match them against every object collected in your private Stairwell data lake. Use them to track specific campaigns, monitor threat intelligence feeds, or investigate incidents.

Create a Threat Report

  1. Log in to Stairwell.
  2. Click the Threat Reports icon in the left navigation sidebar.
  3. Click the + icon in the upper-right corner to open the creation form.
  4. Fill in the report details:
    • Name -- A descriptive title for the report.
    • Description -- Context about the threat or campaign the report tracks.
    • IOCs -- Paste or upload hashes, IPs, hostnames, or other indicators.
    • Sample file(s) -- (Optional) Attach reference samples.
    • YARA file(s) -- (Optional) Attach YARA rules associated with the threat.
  5. Select the correct Environment if you have access to more than one.
  6. Click Create.

Once created, Stairwell automatically matches the report's IOCs against all ingested objects on an ongoing basis.
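The IOCs field accepts hashes, IPs and hostnames, but indicator lists pulled from vendor reports usually arrive defanged (`hxxp://`, `[.]`), mixed-case, duplicated and mixed with labels such as `MD5:`, and they often contain RFC 1918 addresses that would match internal noise rather than the threat. The script below is an added example of cleaning such a list before pasting it into a report; it is not Stairwell code and does not use the Stairwell API. It assumes the IOCs field accepts one indicator per line (an assumption about the upload format). The sample input is constructed for illustration: the three hashes are the published EICAR test-file hashes, and `91.92.93.94` is an arbitrary public address, not a known bad one.

```python
"""Normalize a raw IOC blob into a clean, typed list before uploading it to a Threat Report.

Added example; not Stairwell code. Assumes the IOCs field takes one indicator per line.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample input (not from Stairwell): a vendor-style IOC dump with
# defanged notation, labels, mixed-case duplicates, an internal IP and junk.
# The hashes are the EICAR test file's MD5, SHA-256 and SHA-1; the public IP is arbitrary.
RAW_IOCS = """
MD5: 44d88612fea8a8f36de82e1278abb02f
sha256 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
hxxp://malicious[.]example[.]com/payload.bin
192.168.1.10, 91[.]92[.]93[.]94
c2.example.org
44D88612FEA8A8F36DE82E1278ABB02F
notanindicator
3395856ce81f2b7382dee72602f798b642f14140
"""

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest length -> algorithm
HEX_RE = re.compile(r"^[0-9a-f]+$")
# Hostname: one or more DNS labels followed by an alphabetic TLD (lowercase input).
HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def refang(token: str) -> str:
    """Undo common defanging so the indicator matches what the data lake actually sees."""
    t = token.strip().strip(",;\"'")
    t = re.sub(r"^hxxp", "http", t, flags=re.I)           # hxxp:// and hxxps://
    return t.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def classify(token: str):
    """Return (ioc_type, normalized_value), or None for tokens that are not indicators."""
    t = refang(token)
    if not t:
        return None
    low = t.lower()
    if HEX_RE.match(low) and len(low) in HASH_TYPES:       # hashes are case-insensitive
        return HASH_TYPES[len(low)], low
    try:
        ip = ipaddress.ip_address(t)
        # Private/reserved ranges are separated so they can be reviewed before upload.
        return ("private_ip" if ip.is_private else "ip"), str(ip)
    except ValueError:
        pass
    if low.startswith(("http://", "https://")):
        return "url", t
    if HOST_RE.match(low):
        return "hostname", low
    return None


def extract_iocs(text: str) -> dict:
    """Tokenize on whitespace/commas, classify, dedupe; URLs also contribute their host."""
    buckets = defaultdict(set)
    for token in re.split(r"[\s,]+", text):
        hit = classify(token)
        if not hit:
            continue
        kind, value = hit
        buckets[kind].add(value)
        if kind == "url":
            host = urlsplit(value).hostname
            if host and HOST_RE.match(host):
                buckets["hostname"].add(host)
    return {kind: sorted(values) for kind, values in buckets.items()}


def paste_list(iocs: dict, include_private: bool = False) -> str:
    """One indicator per line (assumed paste format); private IPs are left out unless asked for."""
    lines = []
    for kind in sorted(iocs):
        if kind == "private_ip" and not include_private:
            continue
        lines.extend(iocs[kind])
    return "\n".join(lines)


if __name__ == "__main__":
    found = extract_iocs(RAW_IOCS)
    for kind in sorted(found):
        print(f"{kind}: {len(found[kind])}")
    print("--- paste this into the IOCs field ---")
    print(paste_list(found))
```

Run it, review anything that landed in `private_ip` (here `192.168.1.10`), and paste the printed list into the IOCs field. Keeping the original defanged file as an attached sample preserves provenance while the report itself only carries indicators in the form they appear in collected objects.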

View Threat Reports

  1. Log in to Stairwell.
  2. Click the Threat Reports icon in the left navigation sidebar. The reports list displays all reports in the selected environment.
  3. Toggle between row and grid views using the layout icons near the top-right of the report list.
  4. Click any report to open its detail view, which shows matched objects, IOC breakdowns, and associated samples.

Filter Threat Reports

Filters narrow a long list of reports to the ones relevant to the task at hand, for example only reports that have actually matched something in your environment.

  1. Navigate to the Threat Reports page.
  2. Use the filter controls at the top of the list to refine results by:
    • Report Name -- Search by keyword in the report title.
    • Release Range -- Restrict to reports created or updated within a date range.
    • With matches only -- Show only reports that have matched at least one object in your environment.
    • With IOCs only -- Show only reports that contain IOCs.
    • Source -- Filter by the origin of the report (e.g., internal, Stairwell Threat Research, third-party feed).

Combine multiple filters to quickly locate specific reports during active investigations.