Introduction
CIF is a cyber threat intelligence management system. CIF allows you to combine known malicious threat information from many sources and use that information for identification (incident response), detection (IDS) and mitigation (null route). The most common types of threat intelligence warehoused in CIF are IP addresses, domains and URLs observed in connection with malicious activity.
CIF pulls in observations from any number of sources and keeps them as a series of observations over time (for example, an indicator's reputation history). When you query for an indicator, you get that series back in chronological order, so you can reason about it much as you would read an email thread.
CIF helps you to parse, normalize, store, post process, query, share and produce data sets of threat intelligence.
CIF supports ingesting many different sources of data of the same type; for example, data sets or "feeds" of malicious domains. Each dataset can carry its own attributes, such as source and confidence.
Threat intelligence datasets often have subtle differences between them. CIF normalizes these data sets which gives you a predictable experience when leveraging the threat intelligence in other applications or processes.
CIF has many post processors that derive additional intelligence from a single piece of threat intelligence. A simple example: from a single URL ingested into CIF, the domain and an IP address can be derived.
CIF has a database schema that is highly optimized to store millions of records of threat intelligence. CIF v2 uses ElasticSearch as its datastore.
CIF can be queried via a web browser, a native client or directly through the API, and the same schema is optimized for queries against a database of millions of records.
CIF supports users, groups and API keys. Each threat intelligence record can be tagged to be shared with a specific group of users. This allows the sharing of threat intelligence among federations.
CIF supports creating new data sets from the stored threat intelligence. These data sets are selected by indicator type and a minimum confidence. CIF also supports whitelisting during the feed generation process, so trusted indicators never reach a consumer's block list.
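The following is an added example, not CIF's own code, that models three of the behaviours described above: the post processor that derives a domain or IP from an ingested URL, the chronological view of observations for one indicator, and feed generation by type and minimum confidence with whitelisting applied while the feed is built. Field names such as itype, confidence and reporttime mirror common CIF vocabulary, but the Observation class, the sample observations, the whitelist and the confidence penalty applied to derived indicators are all assumptions constructed for this illustration.

```python
"""Toy model of CIF-style post processing and feed generation (added example,
not CIF's own code). All data below is constructed for illustration."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Observation:
    indicator: str
    itype: str          # 'url', 'fqdn', 'ipv4' or 'ipv6'
    confidence: float   # 0-100, how sure the source is
    source: str         # which feed reported it
    reporttime: str     # ISO-8601 timestamp (constructed)
    tags: tuple = ()


def derive_from_url(obs: Observation) -> list[Observation]:
    """Post processor: derive the host of a URL as an fqdn or IP observation.
    The derived record inherits source and reporttime, is tagged 'derived' and
    (assumption) gets a slightly lower confidence than the URL it came from."""
    if obs.itype != 'url':
        return []
    host = urlsplit(obs.indicator).hostname   # None for scheme-less strings
    if not host:
        return []
    try:
        itype = 'ipv%d' % ipaddress.ip_address(host).version  # literal IP in URL
    except ValueError:
        itype = 'fqdn'
    return [Observation(host, itype, max(obs.confidence - 10, 0), obs.source,
                        obs.reporttime, obs.tags + ('derived',))]


def ingest(store: list[Observation]) -> list[Observation]:
    """Store what was submitted plus everything the post processors derive."""
    derived = [d for obs in store for d in derive_from_url(obs)]
    return list(store) + derived


def timeline(store: list[Observation], indicator: str) -> list[Observation]:
    """Query view: every observation of one indicator, oldest first."""
    hits = [o for o in store if o.indicator.lower() == indicator.lower()]
    return sorted(hits, key=lambda o: o.reporttime)


# Constructed whitelist: trusted domains (subdomains included) and networks.
WHITELIST = {
    'fqdn': ('google.com', 'example.org'),
    'ipv4': ('10.0.0.0/8', '8.8.8.0/24'),
    'ipv6': ('2001:db8::/32',),
}


def is_whitelisted(obs: Observation, whitelist=WHITELIST) -> bool:
    if obs.itype == 'fqdn':
        host = obs.indicator.lower().rstrip('.')
        return any(host == w or host.endswith('.' + w) for w in whitelist.get('fqdn', ()))
    if obs.itype in ('ipv4', 'ipv6'):
        addr = ipaddress.ip_address(obs.indicator)
        return any(addr in ipaddress.ip_network(n) for n in whitelist.get(obs.itype, ()))
    return False


def generate_feed(store, itype, min_confidence, whitelist=WHITELIST) -> list[Observation]:
    """Feed generation: one type, at or above a confidence floor, whitelisted
    indicators dropped, repeats collapsed to the highest-confidence (then most
    recent) observation of each indicator."""
    best: dict[str, Observation] = {}
    for obs in store:
        if obs.itype != itype or obs.confidence < min_confidence:
            continue
        if is_whitelisted(obs, whitelist):
            continue
        key = obs.indicator.lower()
        cur = best.get(key)
        if cur is None or (obs.confidence, obs.reporttime) > (cur.confidence, cur.reporttime):
            best[key] = obs
    return sorted(best.values(), key=lambda o: o.indicator)


# Constructed sample observations, as if pulled from several feeds.
STORE = [
    Observation('http://malware.example.net/dropper.exe', 'url', 85, 'feed-a', '2024-01-03T10:00:00Z', ('malware',)),
    Observation('http://203.0.113.7/login.php', 'url', 90, 'feed-b', '2024-01-04T11:30:00Z', ('phishing',)),
    Observation('http://docs.google.com/abc', 'url', 70, 'feed-c', '2024-01-02T09:00:00Z', ('phishing',)),
    Observation('malware.example.net', 'fqdn', 60, 'feed-d', '2024-01-01T00:00:00Z', ('malware',)),
    Observation('198.51.100.9', 'ipv4', 95, 'feed-b', '2024-01-05T00:00:00Z', ('scanner',)),
    Observation('10.1.2.3', 'ipv4', 95, 'feed-e', '2024-01-05T00:00:00Z', ('scanner',)),
]

if __name__ == '__main__':
    everything = ingest(STORE)
    for o in timeline(everything, 'malware.example.net'):
        print(o.reporttime, o.source, o.confidence, o.tags)
    for o in generate_feed(everything, 'fqdn', 65):
        print('fqdn feed:', o.indicator, o.confidence)
    for o in generate_feed(everything, 'ipv4', 80):
        print('ipv4 feed:', o.indicator, o.confidence)
```

Two points the sample data is arranged to show: the fqdn feed at confidence 65 contains malware.example.net only because the post processor derived it from a higher-confidence URL (the direct fqdn report at 60 would have been cut), and docs.google.com, though derived from a phishing URL, never reaches the feed because the whitelist matches subdomains of google.com, which is exactly the mistake a consumer nulling routes or blocking domains wants to avoid.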