Threat Intelligence Platform
STIX/TAXII feed management, IOC lifecycle management, multi-source enrichment, cross-correlation with alerts/incidents, and STIX 2.1 export.
Complete 5 Feed Types 7 IOC Types STIX 2.1Overview
The Threat Intelligence Platform (TIP) is the central hub for managing external threat intelligence feeds and Indicators of Compromise (IOCs). It supports multiple feed formats (TAXII, STIX, CSV, JSON, API), provides a full IOC lifecycle (creation, enrichment, correlation, expiry, whitelisting), and enables cross-correlation of IOCs against alerts and incidents in the SOC.
Enrichment integrates with multiple external sources (VirusTotal, AbuseIPDB, Shodan, URLScan.io, MalwareBazaar, NVD, CISA KEV, HaveIBeenPwned, EmailRep) to boost IOC confidence scores and provide actionable context.
What Was Proposed
- Multi-format feed support: TAXII 2.x, STIX bundles, CSV, JSON API, raw API
- Full IOC lifecycle: create, update, enrich, expire, whitelist, mark as false positive
- 7 IOC types: IP, domain, hash_md5, hash_sha256, URL, email, CVE
- TLP classification (WHITE, GREEN, AMBER, RED) with STIX marking definitions
- Multi-source enrichment with confidence score adjustment
- Cross-correlation against alerts and incidents with risk scoring
- STIX 2.1 bundle export
- Dashboard statistics and feed health monitoring
- Bulk IOC import
- Full-text search across IOC values, tags, and context
What's Built
Feed Management
Supported Feed Types
| Type | Description | Auth Options |
|---|---|---|
taxii | TAXII 2.x collection endpoints | api_key, certificate |
stix | STIX 2.1 bundle files | certificate, basic |
csv | CSV-format IOC lists (e.g., URLhaus) | none |
json | JSON API responses (e.g., CISA KEV) | none, api_key |
api | REST API endpoints (e.g., AlienVault OTX) | api_key |
Demo Feeds (Pre-seeded)
| Feed | Type | Polling | TLP |
|---|---|---|---|
| AlienVault OTX | api | 30 min | WHITE |
| MISP Threat Sharing | stix | 60 min | AMBER |
| Abuse.ch URLhaus | csv | 15 min | WHITE |
| CISA KEV | json | 24 hours | WHITE |
| FS-ISAC Threat Intel | taxii | 2 hours | AMBER |
IOC Enrichment Sources
IP Enrichment
- VirusTotal -- Malicious detection count, categories
- AbuseIPDB -- Abuse confidence, reports, ISP, usage type
- Shodan -- Open ports, OS, known vulnerabilities
Domain / URL Enrichment
- VirusTotal -- Detection count, categories
- URLScan.io -- Verdict, screenshot, technologies
Hash Enrichment
- VirusTotal -- Detection count, malware family, file type
- MalwareBazaar -- Known malware flag, signature, delivery method
CVE / Email Enrichment
- NVD -- CVSS v3, EPSS score, CWE, references
- CISA KEV -- KEV status, due date, ransomware use
- HaveIBeenPwned -- Breaches, pastes
- EmailRep -- Reputation, disposable flag, domain age
Architecture
TIP Architecture
Feeds (5 types) → ThreatIntelFeedService → IOC Store (in-memory) → Enrichment (9 sources) → Correlation Engine → Risk Scoring
Singleton: threat_intel_service. Confidence auto-adjusts on enrichment (+5-15 points). Correlation risk score: confidence * 0.6 + sightings * 0.3 + matched_alerts * 10.
API Routing
Router prefix: /api/v1 — Tag: threat-intelligence
Feed Endpoints
GET
/api/v1/threat-intel/feeds
List all feeds. Filter:
?status=active|error|disabled
GET
/api/v1/threat-intel/feeds/health
Feed health status: last poll, overdue status, error rate, IOC count.
GET
/api/v1/threat-intel/feeds/{feed_id}
Get specific feed details.
POST
/api/v1/threat-intel/feeds
Add a new feed. Body: name, feed_type, url, enabled, polling_interval, auth_type, tlp, tags[].
PATCH
/api/v1/threat-intel/feeds/{feed_id}
Update feed configuration (name, url, polling_interval, auth_type, tlp, tags).
POST
/api/v1/threat-intel/feeds/{feed_id}/toggle
Enable or disable a feed.
POST
/api/v1/threat-intel/feeds/{feed_id}/poll
Trigger manual poll of a feed. Returns new IOC count and IDs.
IOC Endpoints
GET
/api/v1/threat-intel/iocs
List IOCs. Filters: type, source, status, confidence_min, search. Pagination: skip, limit (max 500).
GET
/api/v1/threat-intel/iocs/{ioc_id}
Get IOC details including enrichment data and related alerts.
POST
/api/v1/threat-intel/iocs
Create IOC manually. Body: type, value, source_feed, confidence, tlp, severity, tags[], context, expiry.
POST
/api/v1/threat-intel/iocs/bulk
Bulk import IOCs. Body: iocs[] array of IOC objects.
PATCH
/api/v1/threat-intel/iocs/{ioc_id}
Update IOC (confidence, tlp, severity, tags, context, status).
POST
/api/v1/threat-intel/iocs/{ioc_id}/enrich
Enrich IOC with external sources. Returns enrichment data and updated confidence.
POST
/api/v1/threat-intel/iocs/{ioc_id}/expire
Mark IOC as expired.
POST
/api/v1/threat-intel/iocs/search
Full-text search across values, tags, and context. Body: query string.
Correlation & Analytics
POST
/api/v1/threat-intel/correlate
Correlate IOCs against alerts and incidents. Body: ioc_ids[] (empty = all). Returns risk scores and recommendations.
GET
/api/v1/threat-intel/stats
Dashboard stats: total IOCs, breakdowns by type/source/status/severity/TLP, avg confidence, active feeds.
POST
/api/v1/threat-intel/export/stix
Export IOCs as STIX 2.1 bundle. Body: ioc_ids[] (empty = all). Includes TLP marking definitions.
Frontend Route
/threat-intel — Full TIP dashboard with feed management panel, IOC browser with filters, enrichment details, correlation results, and statistics.
Prerequisites
- No external database required -- IOC store is in-memory (singleton pattern)
- For production enrichment: API keys for VirusTotal, AbuseIPDB, Shodan, URLScan.io
- Network access to feed URLs from the API container
- Pydantic v2 for request validation (
model_dump())
Data Model
In-memory dataclasses (not persisted to DB in current implementation):
ThreatFeed
{
"id": "string",
"name": "string",
"feed_type": "taxii|stix|csv|json|api",
"url": "string",
"enabled": true,
"polling_interval": 3600,
"last_poll": "ISO 8601|null",
"ioc_count": 0,
"status": "active|error|disabled",
"auth_type": "none|api_key|basic|certificate",
"tlp": "WHITE|GREEN|AMBER|RED",
"tags": ["string"],
"created_at": "ISO 8601"
}IOC
{
"id": "string",
"type": "ip|domain|hash_md5|hash_sha256|url|email|cve",
"value": "string",
"source_feed": "string (feed ID or 'manual')",
"confidence": 0-100,
"tlp": "WHITE|GREEN|AMBER|RED",
"severity": "low|medium|high|critical",
"first_seen": "ISO 8601",
"last_seen": "ISO 8601",
"expiry": "ISO 8601|null",
"tags": ["string"],
"context": {},
"status": "active|expired|false_positive|whitelisted",
"sightings": 0,
"related_alerts": ["string"]
}CorrelationResult
{
"ioc_id": "string",
"ioc_value": "string",
"ioc_type": "string",
"matched_alerts": [],
"matched_incidents": [],
"risk_score": 0.0,
"confidence": 0,
"recommendation": "CRITICAL|HIGH|MEDIUM|LOW: ..."
}UI Description
The frontend at /threat-intel presents a full TIP dashboard:
- Statistics Cards -- Total IOCs, by type breakdown, active feeds count, average confidence, high-confidence IOC count
- Feed Management -- List of feeds with status indicators, toggle enable/disable, manual poll trigger, health monitoring
- IOC Browser -- Filterable table with type icons (Globe for domain, Hash for hash, etc.), confidence bars, severity badges, TLP labels, sighting counts
- IOC Details -- Expandable detail view with enrichment data, related alerts, context metadata, action buttons (Enrich, Expire, Whitelist)
- Correlation View -- Risk score visualization, matched alerts/incidents, automated recommendations
- Search -- Full-text search across IOC values, tags, and context
Source Files
| Component | Path |
|---|---|
| API Router | platform/api/app/routers/threat_intel.py |
| Service | platform/api/app/services/threat_intel_feeds.py |
| Frontend Page | platform/frontend/src/app/threat-intel/page.tsx |