# Threat Intelligence
Status: Planned
Standards: Diamond Model, Intelligence Cycle, STIX/TAXII, NIST SP 800-150
Source: archer/ti/ (not yet created)
The threat intelligence domain ingests, correlates, and produces structured intelligence products. It bridges raw indicator feeds and hunt operations by enriching leads from the threat hunting (TH) domain with actor attribution, campaign context, and historical pattern data.

## Planned Plays
| Play | Description |
|---|---|
| ioc_enrichment | Enrich IPs, domains, and hashes against threat feeds (MISP, OTX, VirusTotal) |
| actor_attribution | Map observed TTPs to known threat actor profiles via ATT&CK |
| campaign_tracking | Correlate indicators across incidents to identify campaign patterns |
| intel_product | Produce structured intelligence reports (STIX bundles, PDF summaries) |
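As an added illustration of what the campaign_tracking and intel_product plays would do together (example code written for this page, not archer's own; the ti/ source does not exist yet): indicators sighted in two or more incidents are treated as campaign candidates and packaged as a STIX 2.1 bundle built from plain dicts, so it runs without the stix2 library. The sightings, incident ids and campaign name are constructed sample data.

```python
"""Correlate indicators across incidents and package the hits as a STIX 2.1
bundle. Illustrative sketch, not archer code."""
import uuid
from collections import defaultdict
from datetime import datetime, timezone
# Constructed sample sightings: (incident_id, indicator_type, value)
SAMPLE_SIGHTINGS = [
    ("INC-1001", "ipv4", "198.51.100.7"),
    ("INC-1001", "domain", "update-check.example"),
    ("INC-1002", "ipv4", "198.51.100.7"),
    ("INC-1002", "sha256", "ab" * 32),  # seen once: not a campaign hit
    ("INC-1003", "domain", "update-check.example"),
]
# STIX 2.1 pattern templates per indicator type
PATTERNS = {
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}

def correlate(sightings, min_incidents=2):
    """Map (type, value) -> sorted incident ids for indicators observed in at
    least min_incidents distinct incidents (the campaign candidates)."""
    seen = defaultdict(set)
    for incident, itype, value in sightings:
        seen[(itype, value)].add(incident)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_incidents}

def _sdo(obj_type, **props):
    now = datetime.now(timezone.utc)  # STIX timestamps: UTC, ms precision, 'Z'
    ts = now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": ts, "modified": ts, **props}

def build_bundle(sightings, campaign_name, min_incidents=2):
    """Bundle: one Campaign, one Indicator per hit, an 'indicates' Relationship each."""
    hits = correlate(sightings, min_incidents)
    incidents = sorted({i for ids in hits.values() for i in ids})
    campaign = _sdo("campaign", name=campaign_name,
                    description="Shared indicators across " + ", ".join(incidents))
    objects = [campaign]
    for (itype, value), ids in sorted(hits.items()):
        ind = _sdo("indicator", name=f"{itype}:{value}", pattern_type="stix",
                   pattern=PATTERNS[itype].format(v=value),
                   description="Seen in " + ", ".join(ids))
        ind["valid_from"] = ind["created"]  # required on Indicator
        objects += [ind, _sdo("relationship", relationship_type="indicates",
                              source_ref=ind["id"], target_ref=campaign["id"])]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}
```

Serialising the returned dict with json.dumps yields a bundle that a TAXII server or MISP's STIX import will accept; the single-incident sha256 is deliberately left out because one sighting is not yet a campaign pattern.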