Threat Intelligence Feature Overview


Threat Stack’s Threat Intelligence feature correlates the IP addresses of a host’s outgoing and incoming connections with an IP list that Threat Stack curates from various sources.

IP Source Lists

We have both open source and commercial sources.

  1. Partial open source list
    • (Zeus IP Blocklist)
  2. Partial commercial source list

Configuration Steps

The default threat intelligence rule that comes out of the box captures outgoing traffic (type="connect") and generates a severity 1 alert. The configuration involves three simple steps:

  • Enable the threat intelligence rule under rule sets (please contact support if you do not see the rule set)
  • Tweak the rule for the right severities and filters (for example, you may want to capture incoming traffic as well and change the severities on that)
  • Associate the rule set with servers you want to see alerts on

Customers can also create new custom rules by following the steps below.

Create a New Threat Intelligence Rule

Customers can create custom threat intelligence rules (click add new threat intelligence rule) based on the filter keys below.

  • network event types (type = "connect" or type = "accept")
  • threatintel_source: The fields here are
    • tscommercial
  • threatintel_reason
    • scanning host
    • spamming host
    • malicious host
  • threatintel_type
    • IP

A custom filter might look like:

type="connect" and threatintel_reason="malicious host"

Please select aggregations for the alert title to work.

An example is below.

Result Types

As with other features, threat intelligence results appear in three places: alerts, events and widgets.


We generate an event of type threatintel (event_type="threatintel") when there is an IP match with any of the bad IP lists. The event has information on whether the connection is inbound or outbound, the source of the threat intelligence and the reason. The user can search for any of the corresponding fields as the below examples illustrate.
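The correlation and field search described above, as an added Python example (not Threat Stack's code). The list entries and network events are constructed, using documentation-range addresses, and the `host`, `remote_ip` and `direction` field names are assumptions; `event_type` and the `threatintel_*` fields are the ones this page names.

```python
import ipaddress

# Constructed sample list (documentation-range addresses, not real indicators).
CURATED_LIST = [
    {"network": "203.0.113.0/24", "threatintel_source": "tscommercial",
     "threatintel_reason": "malicious host", "threatintel_type": "IP"},
    {"network": "198.51.100.7/32", "threatintel_source": "tscommercial",
     "threatintel_reason": "scanning host", "threatintel_type": "IP"},
]

# Constructed host network events; "host" and "remote_ip" are assumed field names.
NETWORK_EVENTS = [
    {"host": "web-1", "type": "connect", "remote_ip": "203.0.113.45"},
    {"host": "web-1", "type": "accept", "remote_ip": "198.51.100.7"},
    {"host": "web-1", "type": "connect", "remote_ip": "192.0.2.10"},
    {"host": "web-1", "type": "connect", "remote_ip": "not-an-ip"},
]

def correlate(events, curated=CURATED_LIST):
    """Return one threatintel event per network event whose remote IP is listed."""
    nets = [(ipaddress.ip_network(e["network"]), e) for e in curated]
    matches = []
    for ev in events:
        if ev.get("type") not in ("connect", "accept"):
            continue
        try:
            ip = ipaddress.ip_address(ev["remote_ip"])
        except (KeyError, ValueError):
            continue  # skip malformed records rather than failing the batch
        for net, entry in nets:
            if ip in net:
                matches.append({
                    "event_type": "threatintel",
                    # "direction" is an assumed name for the inbound/outbound flag
                    "direction": "outbound" if ev["type"] == "connect" else "inbound",
                    **ev,
                    **{k: v for k, v in entry.items() if k != "network"},
                })
                break
    return matches

def search(events, **fields):
    """Keep events whose fields all equal the given values (an 'and' filter)."""
    return [e for e in events if all(e.get(k) == v for k, v in fields.items())]

if __name__ == "__main__":
    hits = correlate(NETWORK_EVENTS)
    print(search(hits, type="connect", threatintel_reason="malicious host"))
```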



Alerts will be generated if there is a match, and you will see them on the alerts screen. The text filter for these alerts is “threat intelligence”.


Contributing Events

After you click on the alert, you will see the contributing event, along with the details related to the match: the source, the reason and the type.



The threat intelligence activity widget, found on the Dashboard, shows the matched IPs for both incoming and outgoing connections, defaulting to incoming connections.



