Threat Intelligence Fundamentals

Threat Intelligence Feeds

Threat intelligence transforms raw data into actionable security insights. Feeds provide indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), and adversary profiles.

STIX and TAXII Standards

STIX (Structured Threat Information Expression) and TAXII (Trusted Automated Exchange of Intelligence Information) are the industry standards for threat intelligence exchange: STIX defines the object model, TAXII the transport.

```python
from stix2 import Indicator, Bundle, TAXIICollectionSource
from taxii2client.v21 import Collection  # v21 matches the STIX 2.1 fields used below

# Create a STIX indicator
indicator = Indicator(
    name="Malicious IP",
    indicator_types=["malicious-activity"],
    pattern="[ipv4-addr:value = '203.0.113.5']",
    pattern_type="stix",
    valid_from="2026-01-01T00:00:00Z",
)

# Bundle indicators
bundle = Bundle(indicator)
print(bundle.serialize(pretty=True))

# Consume from a TAXII feed (placeholder collection URL)
collection = Collection("https://taxii.example.com/collections/123")
source = TAXIICollectionSource(collection)
for indicator in source.query():
    # "name" is optional on STIX indicators, so use .get() rather than indexing
    print(indicator.get("name"), indicator["pattern"])
```

Feed Integration with SIEM

Ingest feeds into your SIEM for correlation:

```python
import requests
from datetime import datetime, timezone
from elasticsearch import Elasticsearch


class ThreatIntelIngestor:
    def __init__(self, es_host="http://localhost:9200"):
        self.es = Elasticsearch([es_host])

    def fetch_and_index(self, feed_url, feed_name):
        resp = requests.get(feed_url, headers={"Accept": "application/stix+json"}, timeout=30)
        resp.raise_for_status()
        # A STIX bundle carries its objects in the top-level "objects" array
        indicators = resp.json().get("objects", [])
        for ioc in indicators:
            doc = {
                "feed": feed_name,
                "type": ioc.get("type"),
                "pattern": ioc.get("pattern"),
                "severity": ioc.get("confidence", 50),
                "valid_until": ioc.get("valid_until"),
                # a real timestamp; the literal "now" is not a valid Elasticsearch date value
                "ingested_at": datetime.now(timezone.utc).isoformat(),
            }
            self.es.index(index="threat-intel", document=doc)
        print(f"Ingested {len(indicators)} indicators from {feed_name}")
```

IOC Scoring

Not all indicators are equally reliable. Implement scoring:

```python
from datetime import datetime, timezone


def score_indicator(ioc, context):
    """Score an indicator 0-100. 'sources' and 'target_industries' are
    enrichment fields added by the feed pipeline, not core STIX properties."""
    score = 50  # Base score

    # Age decay: newer indicators are more valuable
    # (stix2 objects expose valid_from as an aware datetime, raw JSON as a string)
    valid_from = ioc["valid_from"]
    if isinstance(valid_from, str):
        valid_from = datetime.fromisoformat(valid_from.replace("Z", "+00:00"))
    age_days = (datetime.now(timezone.utc) - valid_from).days
    score -= min(age_days * 2, 30)

    # Multiple feeds increase confidence
    feed_count = len(ioc.get("sources", []))
    score += feed_count * 10

    # Context matching increases relevance
    if context.get("industry") in ioc.get("target_industries", []):
        score += 20

    return min(max(score, 0), 100)
```

Feed Quality Metrics

Evaluate feeds on these criteria:

| Metric | Description | Target |
|--------|-------------|--------|
| False positive rate | Incorrect alerts | < 5% |
| Time to detection | Speed of indicator publication | < 1 hour |
| Coverage | Breadth of TTPs covered | > 80% |
| Freshness | Update frequency | Continuous |

Automated Blocking

High-confidence indicators can trigger automated blocking:

threat-intel-automation.yaml

```yaml
automation_rules:
  - name: block_malicious_ips
    trigger: new_indicator
    conditions:
      - indicator_type: ipv4-addr
      - score: ">= 80"
    actions:
      - update_firewall:
          action: deny
          source: indicator.value
      - alert:
          severity: high
          channel: security-operations
```
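As an added example (not part of the original page), a small evaluator that applies the block_malicious_ips rule above to a STIX indicator: it extracts the value from a single-comparison pattern, checks the indicator_type and score conditions, and refuses to emit a deny for the organization's own address ranges, so a poisoned or mistaken feed cannot firewall internal hosts. The RULE dict (assumed to be what a YAML loader produces) and the PROTECTED_NETS list are constructed assumptions.

```python
import ipaddress
import re

# Constructed copy of the block_malicious_ips rule, as a YAML loader would produce it (assumption)
RULE = {
    "name": "block_malicious_ips",
    "conditions": [{"indicator_type": "ipv4-addr"}, {"score": ">= 80"}],
    "actions": [
        {"update_firewall": {"action": "deny", "source": "indicator.value"}},
        {"alert": {"severity": "high", "channel": "security-operations"}},
    ],
}
# Constructed list of the organization's own ranges: a feed entry inside these must never be auto-blocked
PROTECTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Single-comparison STIX pattern, e.g. [ipv4-addr:value = '203.0.113.5']
PATTERN_RE = re.compile(r"^\[(?P<type>[a-z0-9-]+):value\s*=\s*'(?P<value>[^']+)'\]$")
THRESHOLD_RE = re.compile(r"^(>=|<=|>|<|==)\s*(\d+)$")


def parse_simple_pattern(pattern):
    """Return (object_type, value) for a single-comparison pattern, or None if it is more complex."""
    m = PATTERN_RE.match(pattern.strip())
    return (m.group("type"), m.group("value")) if m else None


def score_matches(expr, score):
    op, limit = THRESHOLD_RE.match(expr).groups()
    limit = int(limit)
    return {">=": score >= limit, "<=": score <= limit, ">": score > limit,
            "<": score < limit, "==": score == limit}[op]


def evaluate_rule(rule, indicator, score):
    """Return the concrete actions the rule fires for this indicator; [] when it does not match."""
    parsed = parse_simple_pattern(indicator.get("pattern", ""))
    if parsed is None:
        return []  # compound patterns need a real STIX pattern parser; never guess a value to block
    ioc_type, value = parsed
    for cond in rule["conditions"]:
        if "indicator_type" in cond and cond["indicator_type"] != ioc_type:
            return []
        if "score" in cond and not score_matches(cond["score"], score):
            return []
    if ioc_type == "ipv4-addr" and any(ipaddress.ip_address(value) in n for n in PROTECTED_NETS):
        return []  # guard against a poisoned or mistaken feed blocking your own infrastructure
    actions = []
    for action in rule["actions"]:
        (kind, params), = action.items()  # each action is a one-key mapping in the YAML
        actions.append((kind, {k: (value if v == "indicator.value" else v) for k, v in params.items()}))
    return actions
```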

Conclusion

Threat intelligence feeds provide critical context for security operations. Standardize on STIX/TAXII, integrate with your SIEM, score indicators for relevance, and automate high-confidence blocking. Quality over quantity: five well-curated feeds beat fifty noisy ones.