Although blue team members usually have numerous malicious samples on hand, they often don't have enough time to analyze all of them. Conversely, they may be interested in a particular malware family but have too few samples of it. To address both problems, this lecture will introduce a fully automated process that helps blue team members convert this raw data into usable detection rules more efficiently and apply them in real situations.
The process starts with connecting VirusTotal to our sandbox to obtain a large number of samples. At the same time, we summarize the common reasons why samples fail to run in the sandbox and use them to improve the sandbox's efficiency. Then we explain how to use this ready-made data for further analysis and research to generate practical intelligence, including APIs, strings, and IoCs. Finally, we discuss how to convert the generated intelligence into detection rules such as YARA or Sigma to improve cyber resilience.
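The last step of that pipeline, turning extracted strings into a YARA rule, is easy to get wrong: strings that are common to a family but also appear in benign software produce noisy rules. The following added example (not code from the talk or from any tool it describes) shows one way to do it in pure Python: it takes strings extracted from several sandbox runs of a hypothetical family, keeps only those shared by every sample, drops any that also occur in a benign control set, emits a YARA rule text, and checks the rule's condition against new sample string sets without needing the `yara` module. All sample data is constructed.

```python
"""Derive a YARA rule from strings shared across a malware family's sandbox output.

Added example with constructed data; no real family, URL or hash is referenced.
"""
from collections import Counter

# Constructed: strings extracted from three sandbox runs of one hypothetical family.
FAMILY_SAMPLES = {
    "sample_a": {
        "CreateRemoteThread", "GetTickCount", "kernel32.dll",
        "http://c2.example.invalid/gate.php",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
        "Mozilla/5.0 (compatible; bot)",
    },
    "sample_b": {
        "CreateRemoteThread", "VirtualAllocEx", "kernel32.dll",
        "http://c2.example.invalid/gate.php",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
        "Mozilla/5.0 (compatible; bot)",
    },
    "sample_c": {
        "CreateRemoteThread", "GetProcAddress", "kernel32.dll",
        "http://c2.example.invalid/gate.php",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
        "Mozilla/5.0 (compatible; bot)",
    },
}

# Constructed: strings seen in a benign control set (installers, system tools).
# Anything here is excluded so the rule does not fire on ordinary software.
BENIGN_STRINGS = {
    "kernel32.dll", "GetProcAddress", "GetTickCount",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
}


def common_strings(samples, exclude=frozenset(), min_fraction=1.0, min_len=8):
    """Strings present in at least min_fraction of samples, at least min_len chars,
    and not in the exclusion set. Sorted so rule output is deterministic."""
    counts = Counter(s for strs in samples.values() for s in strs)
    needed = min_fraction * len(samples)
    return sorted(
        s for s, c in counts.items()
        if c >= needed and len(s) >= min_len and s not in exclude
    )


def yara_escape(s):
    """Escape backslashes and quotes for a YARA text string literal."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_yara_rule(name, strings, min_match):
    """Render a YARA rule requiring min_match of the given strings."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, s in enumerate(strings):
        lines.append(f'        $s{i} = "{yara_escape(s)}" ascii wide')
    lines += ["    condition:", f"        {min_match} of ($s*)", "}"]
    return "\n".join(lines)


def rule_matches(rule_strings, min_match, sample_strings):
    """Evaluate the 'N of ($s*)' condition against a sample's extracted strings.
    Stands in for running yara; counts distinct rule strings that are present."""
    hits = sum(1 for s in rule_strings if s in sample_strings)
    return hits >= min_match


if __name__ == "__main__":
    selected = common_strings(FAMILY_SAMPLES, exclude=BENIGN_STRINGS)
    rule = build_yara_rule("hypothetical_family", selected, min_match=2)
    print(rule)
    print("benign control hit:", rule_matches(selected, 2, BENIGN_STRINGS))
```

Requiring `2 of ($s*)` rather than all strings keeps the rule robust to a variant that rotates its C2 URL, while the benign exclusion step is what keeps the false-positive rate down; both knobs (`min_fraction`, `min_match`) should be tuned against a held-out benign set before the rule is deployed.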