
Threat Intelligence

Store indicators of compromise and match them against your real telemetry. Import feeds the way MISP, OTX and abuse.ch publish them, and retro-hunt your history whenever you add a new one.

Best-of: MISP · AlienVault OTX · abuse.ch
Module: nexus_secops/threatintel.py
Edition: Pro/Enterprise (advanced-rules gate for matching)
API: /api/v1/ti/iocs · /ti/import · /ti/scan · /ti/matches

What it does

Threat Intel keeps a database of IOCs — ip, domain, url, md5, sha1, sha256 — and extracts the matching observables from your real events. A match becomes a high-severity alert (NEXUS-TI-001) that flows into XDR and SOAR. Private/local IPs and junk are rejected so the store stays clean.

How to use it

1. Add indicators
Add IOCs by hand or in bulk; the type is auto-detected.

    POST /api/v1/ti/iocs   { "iocs": ["203.0.113.66", {"value":"evil-c2.example","threat":"cobalt-strike"}] }

2. Import a real feed
import_feed downloads over HTTP and parses it — one indicator per line (the abuse.ch Feodo/URLhaus style) or a JSON export.

    POST /api/v1/ti/import   { "url": "https://feodotracker.abuse.ch/downloads/ipblocklist.txt",
                               "fmt": "text", "threat": "feodo" }

3. Retro-hunt
After adding indicators, scan existing events for the new IOCs.

    POST /api/v1/ti/scan   { "lookback": 604800 }   # the last week
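The three steps above, worked end to end in a small in-memory store. This is an added illustration written for this page, not code from nexus_secops/threatintel.py: the `IOCStore` class, the `classify` rules (which address ranges count as private/local, what counts as junk), the observable field names in the sample events, and the feed body and events themselves are all assumptions or constructed samples. It shows type auto-detection, the rejection of non-routable IPs and bare names, text and JSON feed import, a lookback-bounded retro-hunt, and deduplication of matches per IOC + event; it also generalises slightly by letting a URL observable match a domain IOC through its host.

```python
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Illustrative IOC store (not the nexus_secops module): type auto-detection,
# rejection of private/local addresses and junk, text/JSON feed import, and a
# retro-hunt that deduplicates matches per IOC + event.

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
# Address ranges that are never a useful network IOC (assumed policy, not the product's list).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32", "::1/128", "fc00::/7", "fe80::/10")]


def classify(value):
    """Return (ioc_type, normalised_value), or None for private/local IPs and junk."""
    raw = value.strip()
    low = raw.lower()
    if not low or low.startswith("#"):
        return None
    if low.startswith(("http://", "https://")):
        return "url", raw                      # keep path case: URL paths are case-sensitive
    try:
        ip = ipaddress.ip_address(low)
    except ValueError:
        pass
    else:
        return None if any(ip in net for net in NON_ROUTABLE) else ("ip", low)
    if all(c in "0123456789abcdef" for c in low):
        kind = HASH_LENGTHS.get(len(low))      # hex of any other length is junk
        return (kind, low) if kind else None
    if DOMAIN_RE.match(low):
        return "domain", low                   # bare names such as "localhost" fail here
    return None


def parse_text_feed(text):
    """One indicator per line, '#' comment lines skipped (abuse.ch blocklist style)."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]


def extract_observables(event):
    """Classify the observable fields of an event; a URL additionally yields its host."""
    found = []
    for field in ("src_ip", "dst_ip", "dns_query", "url", "md5", "sha1", "sha256"):
        val = event.get(field)
        kind = classify(val) if isinstance(val, str) else None
        if kind:
            found.append(kind)
            if kind[0] == "url":
                host = classify(urlsplit(kind[1]).hostname or "")
                if host:
                    found.append(host)
    return found


class IOCStore:
    def __init__(self):
        self.iocs = {}      # (type, value) -> threat name
        self.matches = {}   # (value, event_id) -> alert; this key is the dedup rule

    def add(self, iocs, threat="unknown"):
        """Accept strings or {"value", "threat"} objects; return how many were kept."""
        kept = 0
        for item in iocs:
            value, tag = (item["value"], item.get("threat", threat)) if isinstance(item, dict) else (item, threat)
            kind = classify(value)
            if kind:
                self.iocs[kind] = tag
                kept += 1
        return kept

    def import_feed(self, body, fmt="text", threat="unknown"):
        """Body is the already-downloaded feed; fmt is "text" (one per line) or "json"."""
        return self.add(json.loads(body) if fmt == "json" else parse_text_feed(body), threat)

    def scan(self, events, lookback, now):
        """Retro-hunt events newer than now - lookback; return only alerts not seen before."""
        alerts = []
        for ev in events:
            if ev["ts"] < now - lookback:
                continue
            for kind in extract_observables(ev):
                key = (kind[1], ev["id"])
                if kind in self.iocs and key not in self.matches:
                    alerts.append({"rule": "NEXUS-TI-001", "severity": "high", "type": kind[0],
                                   "ioc": kind[1], "threat": self.iocs[kind], "event_id": ev["id"]})
                    self.matches[key] = alerts[-1]
        return alerts

    def stats(self):
        by_type = {}
        for kind, _ in self.iocs:
            by_type[kind] = by_type.get(kind, 0) + 1
        return {"by_type": by_type, "total_matches": len(self.matches)}


NOW = 1_700_000_000  # fixed clock so the demo is deterministic
# Constructed feed body in the one-per-line style; not a real blocklist.
FEED_TEXT = "# constructed sample\n198.51.100.23\n198.51.100.24\n192.168.1.10\nlocalhost\n"
# Constructed events; the internal src_ip values are rejected by classify() and never match.
EVENTS = [
    {"id": "e1", "ts": NOW - 3600, "src_ip": "10.0.0.5", "dst_ip": "203.0.113.66"},
    {"id": "e2", "ts": NOW - 2 * 86400, "src_ip": "10.0.0.7", "dns_query": "EVIL-C2.example"},
    {"id": "e3", "ts": NOW - 30 * 86400, "src_ip": "10.0.0.7", "dst_ip": "203.0.113.66"},
    {"id": "e4", "ts": NOW - 100, "src_ip": "10.0.0.9", "dst_ip": "198.51.100.9"},
    {"id": "e5", "ts": NOW - 50, "src_ip": "10.0.0.9", "url": "http://evil-c2.example/Payload.bin"},
]


def demo():
    """Steps 1-3 of the page: add by hand, import a feed, retro-hunt the last week."""
    store = IOCStore()
    store.add(["203.0.113.66", {"value": "evil-c2.example", "threat": "cobalt-strike"}])
    store.import_feed(FEED_TEXT, fmt="text", threat="feodo")
    first = store.scan(EVENTS, lookback=604800, now=NOW)
    second = store.scan(EVENTS, lookback=604800, now=NOW)   # same data again: all deduplicated
    return store, first, second


if __name__ == "__main__":
    s, a, b = demo()
    print(json.dumps({"alerts": a, "second_pass": len(b), "stats": s.stats()}, indent=1))
```

Running the block prints three alerts (e1 on the IP, e2 and e5 on the domain, the latter reached through the URL's host), zero alerts on the second pass because every IOC + event pair is already recorded, and stats of three ip and one domain indicator: the feed's 192.168.1.10 and localhost were dropped at import, and e3 fell outside the one-week lookback. A store that applies the same rejection rules to observables pulled from events, as this one does, never spends matches on private addresses that would only generate noise.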

What it produces

  • An ioc_match event → alert NEXUS-TI-001 on every real-telemetry hit.
  • An audit trail of matches in /ti/matches (deduplicated per IOC + event).
  • IOC stats (counts by type, total matches) for the dashboard.

How it feeds the pipeline

Threat Intel is also reused by NDR: when a connection's destination matches an IOC, NDR raises a "known C2" finding. Matches combine with a suspicious process in XDR (XDR-C2-001), and SOAR's PB-TI-BLOCK can block the indicator.

Tips

  • Always retro-hunt after importing a feed — yesterday's traffic might already contain today's IOC.
  • Tag indicators with a threat name so alerts read clearly ("cobalt-strike" beats "unknown").
  • Feeds stay on your network — Nexus fetches them, it never phones home about your matches.

Real indicators, real matches. The IOC store starts empty by design — you fill it from feeds you trust. Matching runs on real observables extracted from your events, never fabricated.