Threat Intelligence

The Threat Intelligence page provides centralized management of Indicators of Compromise (IOCs) collected from 27+ external threat intelligence feeds. It enables IOC search, enrichment, feed health monitoring, and correlation with internal alerts.

IOC Management

IOC Types

IP Addresses (IPv4/IPv6) — Malicious IPs, C2 servers, scanners
Domains — Phishing, malware distribution, C2 domains
File Hashes (SHA-256, MD5, SHA-1) — Malware samples, suspicious files
URLs — Malicious URLs, exploit kit landing pages
Email Addresses — Phishing senders, spam sources

IOC Table

Sortable table showing:

Indicator value
Type (IP, domain, hash, URL, email)
Source feed
Confidence score
First seen / Last seen
Associated threat tags

Filtering

Filter by IOC type (IP, Domain, Hash, URL, Email)
Filter by source feed
Full-text search across indicator values
Confidence score range

Feed Management

27+ Integrated Feeds

Core Feeds (API key required):

AlienVault OTX — Community-driven IOC sharing
AbuseIPDB — IP abuse reporting and blacklist
VirusTotal — Multi-engine malware analysis
GreyNoise — IP noise classification

abuse.ch Ecosystem (free):

URLhaus, ThreatFox, MalwareBazaar, Feodo Tracker, SSL Blacklist

Open Source Feeds (free):

EmergingThreats, Blocklist.de, CINSscore, DShield, PhishTank, OpenPhish, Spamhaus DROP, and more

Feed Cards

Each feed displays:

Name, description, and category
Status (Active/Inactive/Error)
Last sync time
IOC count collected
Enable/disable toggle

Scheduler

The platform checks every 5 minutes for feeds due for synchronization. Each feed has its own sync interval (hourly, daily, or custom).

Statistics

Metric	Description
Total Active IOCs	Count of currently active indicators
By Type	Breakdown by IP, domain, hash, URL, email
By Source	IOC count per feed
New This Week	Recently added indicators

Access Requirements

Threat Intelligence requires the Respond (MDR) tier or above.

For technical details on feed collection, see Threat Intelligence Feeds.