Aggregate threat intelligence from multiple sources. Look up IPs, domains, and hashes across threat intel feeds.
Threat intelligence aggregation collects, normalizes, and correlates threat data from multiple sources — open-source feeds, commercial providers, government advisories, industry sharing groups (ISACs), and internal security tools — into a unified view of the threat landscape. Individual threat feeds provide fragments of the picture; aggregation assembles them into actionable intelligence.
Security teams are overwhelmed by the volume of threat data available. Thousands of indicators of compromise (IOCs), vulnerability advisories, and threat reports are published daily. Without aggregation and correlation, analysts cannot distinguish signal from noise or prioritize the threats most relevant to their organization.
| Source Type | Examples | Data Provided | Cost |
|---|---|---|---|
| Open-source feeds | AlienVault OTX, Abuse.ch, PhishTank | IOCs, malware hashes, phishing URLs | Free |
| Commercial feeds | Recorded Future, Mandiant, CrowdStrike | Curated intelligence, attribution, TTPs | $10K-$500K+/year |
| Government | CISA KEV, FBI Flash, NSA advisories | Vulnerability alerts, threat actor TTPs | Free |
| ISACs | FS-ISAC, H-ISAC, IT-ISAC | Industry-specific threats and indicators | Membership-based |
| Internal | SIEM alerts, incident data, honeypots | Organization-specific threat data | Existing infrastructure |
| Dark web | Monitoring services | Leaked credentials, planned attacks, exploit sales | Varies |
The tool supports five main IOC types: IP addresses, domain names, URLs, file hashes (including MD5, SHA-1, and SHA-256), and email addresses. Each IOC type is automatically detected when you add indicators manually or through bulk import.
The bulk import feature allows you to paste any text containing threat intelligence, such as security reports or IOC lists. The tool automatically extracts IP addresses, domains, URLs, hashes, and emails from the text using pattern matching, then adds them to your database with medium severity and manual-bulk source tagging.
You can export IOCs in four formats: CSV for spreadsheet analysis, JSON for programmatic use, plain text for simple lists, and STIX 2.1 for industry-standard threat intelligence sharing. STIX exports include TLP (Traffic Light Protocol) markings for data classification.
The confidence score (0-100%) indicates how reliable an IOC is based on its sources. Manually added IOCs receive 75% confidence by default, while bulk imports get 60%. IOCs from multiple sources receive higher confidence scores, and the score is automatically adjusted based on corroboration across different feeds.
Threat intelligence feeds are external sources that automatically provide updated IOC data. The Feed Management tab shows all configured feeds with their status, last update time, and IOC counts. You can add new feeds, trigger manual updates, and configure feed settings to customize data ingestion.
Yes, the Collections feature allows you to group IOCs by campaign, incident, or any custom criteria. Collections help organize your threat intelligence for specific investigations or use cases. Each collection tracks its IOC count and last update time, making it easy to manage multiple concurrent investigations.