Overview

UTMStack’s Threat Intelligence integration provides real-time access to threat feeds that enrich security alerts with global threat context. By correlating your organization’s security events with known indicators of compromise (IOCs), threat actor tactics, and emerging threats, you can make faster and more informed security decisions.
The Enterprise version includes frequent threat intelligence updates with additional premium feeds and automated enrichment capabilities.

Key Capabilities

IOC Matching

Automatically match IPs, domains, file hashes, and URLs against global threat intelligence feeds.

Threat Context

Enrich alerts with threat actor attribution, campaign information, and attack methodologies.

Real-Time Updates

Continuously updated threat feeds ensure you’re protected against the latest threats.

Historical Analysis

Query historical threat data to understand long-term trends and emerging threat patterns.

Threat Intelligence Module

Access the Threat Intelligence interface at /threat-intelligence to:
  • View recent threat intelligence updates
  • Search for specific IOCs across all feeds
  • Investigate threat actor profiles and campaigns
  • Analyze threat trends over time
  • Export threat data for sharing with partners

Supported Indicators

UTMStack correlates multiple indicator types:
  • IP Addresses: Known malicious IPs, C2 servers, proxy networks
  • Domain Names: Malicious domains, phishing sites, DGA domains
  • File Hashes: MD5, SHA1, SHA256 hashes of known malware
  • URLs: Malicious URLs, exploit kits, phishing links
  • Email Addresses: Known spam senders, phishing campaigns

Alert Enrichment

When an alert matches threat intelligence, it’s automatically enriched with:
  • Threat Classification: Malware family, threat type, attack category
  • Severity Adjustment: Confirmed threats may increase alert severity
  • Attribution: Known threat actor groups or campaigns
  • References: Links to detailed threat reports and analysis
  • First/Last Seen: When the indicator was first and last observed globally
Alerts enriched with threat intelligence should be prioritized for investigation, as they represent confirmed threats rather than anomalous behavior.
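The two sections above describe indicator normalisation, feed matching and alert enrichment in the abstract. The script below is an added example (not UTMStack's own code) that does the same thing end to end: it canonicalises each indicator type (IPs via the ipaddress module, domains and e-mail addresses lower-cased with any trailing dot removed, hashes lower-cased and typed by length, URLs with scheme and host lower-cased), looks them up in a local feed, and enriches a matching alert with classification, attribution, references, first/last seen and an adjusted severity. The event field names, the feed schema and the severity ladder are assumptions; the feed entries and events are constructed and use reserved documentation values.

```python
import ipaddress
import re
from urllib.parse import urlsplit

SEVERITY_ORDER = ["low", "medium", "high", "critical"]  # assumed severity ladder
HEX_RE = re.compile(r"^[0-9a-f]+$")
HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}

# Which event fields carry which indicator type (assumed field names).
FIELD_TYPES = {"src_ip": "ip", "dst_ip": "ip", "dns_query": "domain",
               "file_hash": "hash", "url": "url", "sender": "email"}

# Constructed feed: RFC 5737 test address, .example domain, dummy hash. Not real IOCs.
FEED = {
    "ip": {"203.0.113.45": {"classification": "c2-server", "actor": "constructed-group-A",
                            "severity": "high", "first_seen": "2024-01-10",
                            "last_seen": "2024-03-02", "reference": "https://ti.example/r/1"}},
    "domain": {"login-verify.example": {"classification": "phishing", "actor": None,
                                        "severity": "medium", "first_seen": "2024-02-20",
                                        "last_seen": "2024-02-28",
                                        "reference": "https://ti.example/r/2"}},
    "sha256": {"a" * 64: {"classification": "malware/dropper", "actor": "constructed-group-B",
                          "severity": "critical", "first_seen": "2023-11-01",
                          "last_seen": "2024-03-01", "reference": "https://ti.example/r/3"}},
}


def normalize(kind, value):
    """Return (indicator_type, canonical_value); canonical_value is None if unusable."""
    value = str(value).strip()
    if kind == "ip":
        try:
            return kind, str(ipaddress.ip_address(value))  # canonical form, e.g. compressed IPv6
        except ValueError:
            return kind, None
    if kind in ("domain", "email"):
        return kind, value.lower().rstrip(".")
    if kind == "hash":
        h = value.lower()
        if HEX_RE.match(h) and len(h) in HASH_KINDS:
            return HASH_KINDS[len(h)], h  # md5 / sha1 / sha256 decided by length
        return kind, None
    if kind == "url":
        p = urlsplit(value)
        if not p.scheme or not p.netloc:
            return kind, None
        return kind, p._replace(scheme=p.scheme.lower(), netloc=p.netloc.lower()).geturl()
    return kind, None


def match_event(event, feed=FEED):
    """Return every feed entry hit by the event's indicator-bearing fields."""
    hits = []
    for field, value in event.items():
        kind = FIELD_TYPES.get(field)
        if kind is None:
            continue
        kind, canon = normalize(kind, value)
        entry = feed.get(kind, {}).get(canon) if canon else None
        if entry:
            hits.append({"field": field, "type": kind, "indicator": canon, **entry})
    return hits


def enrich_alert(alert, hits):
    """Attach threat context; raise severity to the strongest matched feed severity."""
    enriched = dict(alert)
    if not hits:
        return enriched
    original = alert.get("severity", "low")
    strongest = max(hits, key=lambda h: SEVERITY_ORDER.index(h["severity"]))["severity"]
    if SEVERITY_ORDER.index(strongest) > SEVERITY_ORDER.index(original):
        enriched["severity"] = strongest
        enriched["severity_adjusted_from"] = original  # keep the pre-enrichment value for audit
    enriched["threat_intel"] = {
        "classification": sorted({h["classification"] for h in hits}),
        "attribution": sorted({h["actor"] for h in hits if h["actor"]}),
        "references": sorted({h["reference"] for h in hits}),
        "indicators": [(h["type"], h["indicator"]) for h in hits],
        "first_seen": min(h["first_seen"] for h in hits),
        "last_seen": max(h["last_seen"] for h in hits),
    }
    return enriched


if __name__ == "__main__":
    # Constructed event: mixed-case DNS name with trailing dot and an upper-case hash;
    # both still match after normalisation.
    sample_event = {"src_ip": "203.0.113.45", "dns_query": "Login-Verify.example.",
                    "file_hash": "A" * 64, "host": "ws-17"}
    sample_alert = {"id": "alert-1", "severity": "medium", "rule": "suspicious-process"}
    print(enrich_alert(sample_alert, match_event(sample_event)))
```

Normalising before lookup is what makes the match rate meaningful: an upper-case hash or a DNS name with a trailing dot is the same indicator, and a feed keyed on raw strings would silently miss it. Keeping the original severity alongside the adjusted one lets analysts see which alerts were promoted by threat intel rather than by the detection rule itself.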

Threat Activity Dashboard

The platform includes specialized dashboards for threat intelligence:
  • View threat activity correlated with your alerts
  • Track trending threats affecting your organization
  • Analyze geographic distribution of threat sources
  • Monitor threat feed coverage and match rates

Integration with Detection

Threat intelligence enhances threat detection by:
  1. Automatic Alert Generation: Create alerts when IOCs are detected in logs
  2. Reputation Scoring: Assign risk scores to IPs, domains, and files
  3. Watchlists: Monitor specific indicators of interest
  4. Correlation Rules: Use threat intel as conditions in custom rules

Feed Management

Configure and manage threat intelligence feeds:
  • Built-in Feeds: Pre-configured feeds from trusted sources
  • Custom Feeds: Add your own threat intelligence sources
  • Feed Prioritization: Configure which feeds take precedence
  • Update Frequency: Control how often feeds are refreshed
Enterprise users receive more frequent updates and access to premium threat intelligence feeds with deeper context and faster indicator delivery.
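Feed prioritisation matters the moment two feeds disagree about the same indicator. The following is an added example (not part of UTMStack) of one way to merge built-in and custom feeds into a single lookup table: the highest-priority feed's classification and confidence win, first/last seen are widened across every source, and all contributing feed names are retained so a match can be traced back. The feed names, the priority convention (lower number wins) and the refresh-interval helper are assumptions; the feed contents are constructed.

```python
import time

# Feed precedence: lower number wins on conflicting indicators (assumed convention).
FEED_PRIORITY = {"premium-vendor": 1, "internal-custom": 2, "community-osint": 3}

# Constructed feeds. Two disagree about 203.0.113.45 (an RFC 5737 test address),
# and two list the same domain written differently.
FEEDS = {
    "community-osint": [
        {"type": "ip", "value": "203.0.113.45", "classification": "scanner",
         "confidence": 40, "first_seen": "2024-01-05", "last_seen": "2024-02-01"},
        {"type": "domain", "value": "Login-Verify.example.", "classification": "phishing",
         "confidence": 70, "first_seen": "2024-02-20", "last_seen": "2024-02-28"},
    ],
    "premium-vendor": [
        {"type": "ip", "value": "203.0.113.45", "classification": "c2-server",
         "confidence": 90, "first_seen": "2024-01-10", "last_seen": "2024-03-02"},
    ],
    "internal-custom": [
        {"type": "domain", "value": "login-verify.example", "classification": "phishing",
         "confidence": 95, "first_seen": "2024-02-22", "last_seen": "2024-03-03"},
    ],
}


def canonical(kind, value):
    """Canonical key so the same indicator written differently dedupes across feeds."""
    value = value.strip()
    if kind in ("domain", "email"):
        return value.lower().rstrip(".")
    if kind in ("md5", "sha1", "sha256"):
        return value.lower()
    return value


def merge_feeds(feeds, priority):
    """Build one {(type, value): entry} table from all feeds.

    Feeds are processed from lowest to highest precedence, so whatever is written
    last carries the highest-priority feed's classification and confidence, while
    first_seen/last_seen span every source and every feed name is kept for audit."""
    merged = {}
    for name in sorted(feeds, key=lambda n: priority.get(n, 999), reverse=True):
        for ioc in feeds[name]:
            key = (ioc["type"], canonical(ioc["type"], ioc["value"]))
            entry = merged.get(key)
            if entry is None:
                merged[key] = {
                    "classification": ioc["classification"], "confidence": ioc["confidence"],
                    "first_seen": ioc["first_seen"], "last_seen": ioc["last_seen"],
                    "winning_feed": name, "sources": [name],
                }
                continue
            entry["classification"] = ioc["classification"]  # higher-priority feed wins
            entry["confidence"] = ioc["confidence"]
            entry["winning_feed"] = name
            entry["first_seen"] = min(entry["first_seen"], ioc["first_seen"])
            entry["last_seen"] = max(entry["last_seen"], ioc["last_seen"])
            entry["sources"].append(name)
    return merged


def feeds_due_for_refresh(last_refresh, interval_seconds, now=None):
    """Return feed names whose configured refresh interval has elapsed (epoch seconds)."""
    now = time.time() if now is None else now
    return sorted(name for name, ts in last_refresh.items()
                  if now - ts >= interval_seconds.get(name, 3600))


if __name__ == "__main__":
    for key, entry in merge_feeds(FEEDS, FEED_PRIORITY).items():
        print(key, entry)
```

Recording every contributing source, not just the winner, is what lets you act on the "monitor false positive rates and tune feed selection" advice later: when a low-confidence community entry keeps producing noise, the sources list shows which feed to deprioritise without losing the premium feed's verdict on the same indicator.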

Threat Hunting

Use threat intelligence proactively for threat hunting:
  • Search historical logs for past occurrences of newly discovered IOCs
  • Identify potential compromises that pre-date indicator publication
  • Build custom queries combining threat intel with log data
  • Export findings for incident response activities
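The retrospective hunt described in this section, as an added example that is not UTMStack's own code: newly published IOCs are run over a set of historical events, each hit is flagged when the event pre-dates the indicator's publication (the case where a compromise was already under way before the feed knew about it), results are rolled up per host, and the findings are exported as CSV for incident response. Event field names, the IOC schema with its `published` timestamp, and the sample events and indicators are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed IOCs with a known publication time (RFC 5737 address, dummy hash).
NEW_IOCS = [
    {"type": "ip", "value": "203.0.113.45", "published": "2024-03-01T00:00:00Z",
     "classification": "c2-server"},
    {"type": "sha256", "value": "a" * 64, "published": "2024-02-15T12:00:00Z",
     "classification": "malware/dropper"},
]

# Constructed historical events; the first one pre-dates the IP indicator's publication.
HISTORICAL_EVENTS = [
    {"ts": "2024-02-10T08:12:00Z", "host": "ws-17", "dst_ip": "203.0.113.45"},
    {"ts": "2024-03-03T09:00:00Z", "host": "ws-22", "dst_ip": "203.0.113.45"},
    {"ts": "2024-02-20T11:30:00Z", "host": "ws-17", "file_sha256": "A" * 64},
    {"ts": "2024-02-21T11:30:00Z", "host": "srv-01", "dst_ip": "198.51.100.9"},
]

# Which event fields to compare against each indicator type (assumed field names).
FIELDS_BY_TYPE = {"ip": ("src_ip", "dst_ip"), "domain": ("dns_query",),
                  "sha256": ("file_sha256",)}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def hunt(events, iocs):
    """Return every event referencing one of the IOCs, flagging hits that happened
    before the indicator was published (a possible older, undetected compromise)."""
    index = {(i["type"], i["value"].lower()): i for i in iocs}  # lower-case comparison only
    findings = []
    for ev in events:
        ev_time = parse_ts(ev["ts"])
        for kind, fields in FIELDS_BY_TYPE.items():
            for field in fields:
                value = ev.get(field)
                ioc = index.get((kind, str(value).lower())) if value is not None else None
                if ioc is None:
                    continue
                published = parse_ts(ioc["published"])
                findings.append({
                    "ts": ev["ts"], "host": ev["host"], "field": field,
                    "indicator": ioc["value"], "classification": ioc["classification"],
                    "pre_dates_indicator": ev_time < published,
                    "days_before_publication": max(0, (published - ev_time).days),
                })
    return sorted(findings, key=lambda f: f["ts"])  # ISO timestamps sort lexically


def summarize_by_host(findings):
    """Per-host roll-up: total hits, earliest hit, and how many pre-date publication."""
    summary = defaultdict(lambda: {"hits": 0, "earliest": None, "pre_publication_hits": 0})
    for f in findings:
        s = summary[f["host"]]
        s["hits"] += 1
        s["earliest"] = f["ts"] if s["earliest"] is None else min(s["earliest"], f["ts"])
        s["pre_publication_hits"] += int(f["pre_dates_indicator"])
    return dict(summary)


def export_csv(findings):
    """Serialise findings as CSV text for hand-off to incident response."""
    columns = ["ts", "host", "field", "indicator", "classification",
               "pre_dates_indicator", "days_before_publication"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, lineterminator="\n")
    writer.writeheader()
    writer.writerows(findings)
    return buf.getvalue()


if __name__ == "__main__":
    results = hunt(HISTORICAL_EVENTS, NEW_IOCS)
    print(summarize_by_host(results))
    print(export_csv(results))
```

The `pre_dates_indicator` flag is the part worth keeping in any real hunt: a hit after publication is something the live IOC matching should already have alerted on, whereas a hit from weeks before publication means the host needs a scoped investigation back to that earliest timestamp rather than a single-alert triage.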

Best Practices

Maximize Threat Intelligence Value
  1. Regularly review threat intelligence matches to validate accuracy
  2. Add organization-specific IOCs to custom feeds
  3. Use threat intelligence to prioritize vulnerability patching
  4. Share relevant threat intel with your industry sector
  5. Integrate threat intel into incident response playbooks
  6. Monitor false positive rates and tune feed selection accordingly

API Integration

Threat intelligence can be accessed via API for:
  • Enriching external security tools
  • Automated threat hunting scripts
  • Integration with ticketing systems
  • Sharing IOCs with partners and MISPs

Enterprise Features

The Enterprise version adds:
  • Faster Updates: More frequent feed refreshes for emerging threats
  • Premium Feeds: Access to commercial threat intelligence providers
  • AI Enhancement: Machine learning models trained on threat intelligence
  • Advanced Correlation: Deeper integration with correlation engine

Technical Implementation

References:
  • Threat Intelligence Module: frontend/src/app/threatwind/
  • Threat Intelligence Route: frontend/src/app/app-routing.module.ts:144
  • Threat Activity Templates: backend/src/main/resources/templates/reports/customs/threatActivityForAlerts.html