Threat Intel
Purpose
Enriches IOCs, tracks threat actors and APT campaigns, prioritises CVEs via CVSS/EPSS, manages the IOC lifecycle, and shares IOCs across sites via a NATS JetStream cross-site stream.
MCP Domains
| Domain | Description |
|---|---|
| threat_intel | IOC enrichment, feed reconciliation |
| siem | Log context for enrichment |
| osint | Open-source intelligence gathering |
| vuln_intel | CVE/CVSS/EPSS databases |
| document | Report generation |
Tools
| Tool | Description |
|---|---|
| lookup | IOC lookup across feeds |
| enrich | Multi-source IOC enrichment |
| share | Cross-site IOC distribution |
| ti_misp.* | MISP threat intel platform tools |
| osint.* | OSINT data gathering tools |
| hash_lookup | File hash intelligence |
| nvd | National Vulnerability Database queries |
| cve_search | CVE search by product/version |
| epss_score | EPSS exploit probability lookup |
External enrichment tools
The threat_intel domain registers five external lookup tools alongside the
three local-store tools (lookup, enrich, share), so get_domain_tools()
returns eight tools in total. Each is a thin, timeout-bounded HTTP client; when
its API key is absent the tool returns a structured "not configured" result
rather than failing the agent.
| Tool | Source | Looks up |
|---|---|---|
| virustotal_lookup | VirusTotal v3 | file hash, URL, domain, or IP reputation |
| shodan_host_lookup | Shodan | internet-exposed ports and services for an IP |
| mitre_attack_lookup | MITRE ATT&CK | technique detail by ATT&CK ID |
| abuseipdb_check | AbuseIPDB | IP abuse confidence score and report history |
| otx_indicator_lookup | AlienVault OTX | pulses and related indicators |
Keys are read from a dedicated THREAT_INTEL_* namespace first
(THREAT_INTEL_VT_API_KEY, THREAT_INTEL_SHODAN_API_KEY,
THREAT_INTEL_ABUSEIPDB_API_KEY, THREAT_INTEL_OTX_API_KEY), falling back to
the existing MALWARE_INTEL_* / OSINT_* variables so prior config keeps
working. The MITRE lookup needs no key.
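The key-resolution order and the "not configured" / timeout behaviour described above, as an added example that is not the project's own code. The THREAT_INTEL_* variable names are taken from the page; the legacy fallback names (MALWARE_INTEL_VT_API_KEY, OSINT_SHODAN_API_KEY and so on), the endpoint URLs, the header name and the result shape are assumptions chosen for illustration. The HTTP fetch is injectable so the wrapper can be exercised offline.

```python
"""Key resolution with namespace fallback and a timeout-bounded lookup wrapper.

Added example, not the project's code. Only the THREAT_INTEL_* names come from
the page; fallback names, endpoints and the result shape are assumed.
"""
import json
import os
import socket
import urllib.error
import urllib.request
from typing import Callable, Optional

# Per-tool lookup order: the dedicated THREAT_INTEL_* namespace first, then the
# legacy variable. The legacy names below are assumed placeholders.
KEY_LOOKUP = {
    "virustotal_lookup": ["THREAT_INTEL_VT_API_KEY", "MALWARE_INTEL_VT_API_KEY"],
    "shodan_host_lookup": ["THREAT_INTEL_SHODAN_API_KEY", "OSINT_SHODAN_API_KEY"],
    "abuseipdb_check": ["THREAT_INTEL_ABUSEIPDB_API_KEY", "OSINT_ABUSEIPDB_API_KEY"],
    "otx_indicator_lookup": ["THREAT_INTEL_OTX_API_KEY", "OSINT_OTX_API_KEY"],
    "mitre_attack_lookup": [],  # the MITRE lookup needs no key
}

# Assumed placeholder endpoints; a real integration uses each vendor's API.
ENDPOINTS = {
    "virustotal_lookup": "https://vt.example.invalid/lookup/{indicator}",
    "shodan_host_lookup": "https://shodan.example.invalid/host/{indicator}",
    "abuseipdb_check": "https://abuseipdb.example.invalid/check/{indicator}",
    "otx_indicator_lookup": "https://otx.example.invalid/indicator/{indicator}",
    "mitre_attack_lookup": "https://attack.example.invalid/technique/{indicator}",
}


def resolve_api_key(tool: str, env: dict) -> Optional[str]:
    """Return the first non-empty key in the tool's lookup order, else None."""
    for name in KEY_LOOKUP.get(tool, []):
        value = env.get(name, "").strip()
        if value:
            return value
    return None


def _http_fetch(tool: str, indicator: str, key: Optional[str], timeout: float) -> dict:
    """Single bounded HTTP GET; the header name is an assumption."""
    url = ENDPOINTS[tool].format(indicator=indicator)
    headers = {"Accept": "application/json"}
    if key:
        headers["X-Api-Key"] = key
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def _result(tool: str, indicator: str, status: str, **extra) -> dict:
    return {"tool": tool, "indicator": indicator, "status": status, **extra}


def run_lookup(tool: str, indicator: str, env: Optional[dict] = None,
               fetch: Optional[Callable] = None, timeout: float = 5.0) -> dict:
    """Run one external lookup, never raising into the calling agent.

    Missing key -> status "not_configured"; slow backend -> "timeout";
    any other transport/parse failure -> "error"; success -> "ok" with data.
    """
    env = dict(os.environ) if env is None else env
    fetch = fetch or _http_fetch
    key = resolve_api_key(tool, env)
    if KEY_LOOKUP.get(tool) and key is None:
        return _result(tool, indicator, "not_configured",
                       message="set one of: " + ", ".join(KEY_LOOKUP[tool]))
    try:
        data = fetch(tool, indicator, key, timeout)
    except (socket.timeout, TimeoutError):
        return _result(tool, indicator, "timeout", message=f"no reply within {timeout}s")
    except urllib.error.URLError as exc:
        slow = isinstance(exc.reason, (socket.timeout, TimeoutError))
        return _result(tool, indicator, "timeout" if slow else "error", message=str(exc.reason))
    except (OSError, ValueError) as exc:  # ValueError covers bad JSON
        return _result(tool, indicator, "error", message=str(exc))
    return _result(tool, indicator, "ok", data=data)


if __name__ == "__main__":
    # With no keys in the environment, every keyed tool reports not_configured.
    print(run_lookup("shodan_host_lookup", "203.0.113.5", env={}))
```

Because the wrapper returns a status dict for every outcome, the agent can treat "not_configured" and "timeout" as data rather than exceptions, and a missing vendor key degrades one enrichment source instead of failing the whole run.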
Input schema
```json
{
  "iocs": [{"type": "string", "value": "string"}],
  "enrichment_sources": ["string"],
  "cve_ids": ["string"],
  "share_across_sites": "boolean"
}
```
Output schema
```json
{
  "enriched_iocs": [
    {
      "type": "string",
      "value": "string",
      "reputation": "string",
      "first_seen": "ISO8601",
      "last_seen": "ISO8601",
      "confidence": "float",
      "tags": ["string"]
    }
  ],
  "threat_actor_profile": {
    "name": "string",
    "aliases": ["string"],
    "motivation": "string",
    "ttps": ["string"]
  },
  "campaign_attribution": "string",
  "cve_assessments": [
    {
      "cve_id": "string",
      "cvss_base": "float",
      "cvss_vector": "string",
      "epss_score": "float",
      "exploit_in_wild": "boolean",
      "patch_available": "boolean",
      "composite_risk_score": "float",
      "remediation_priority": "string",
      "regulatory_deadlines": ["string"]
    }
  ],
  "recommended_blocking_actions": ["string"]
}
```
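The CVE prioritisation step that fills the cve_assessments records above, as an added example that is not the project's own code. The record fields follow the output schema on this page; the weighting (CVSS base and EPSS at 40 % each, plus a flat 20 % for confirmed in-the-wild exploitation), the priority bands and the sample CVE entries (placeholder ids, not real identifiers) are assumptions made for illustration.

```python
"""Composite CVSS/EPSS risk scoring that emits cve_assessments records.

Added example, not the project's code. Field names follow the page's output
schema; weights, bands and sample data are assumed.
"""
from typing import Dict, List

# Assumed weights: CVSS base and EPSS each carry 40 %, confirmed exploitation
# in the wild adds a flat 20 %; the sum is clamped to [0, 1].
W_CVSS, W_EPSS, W_ITW = 0.4, 0.4, 0.2

# Assumed priority bands on the composite score, highest threshold first.
PRIORITY_BANDS = [
    (0.7, "P1-immediate"),
    (0.5, "P2-this-week"),
    (0.3, "P3-next-cycle"),
    (0.0, "P4-track"),
]


def composite_risk_score(cvss_base: float, epss_score: float, exploit_in_wild: bool) -> float:
    """Blend CVSS (0-10), EPSS (0-1) and in-the-wild status into one 0-1 score."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError(f"cvss_base out of range: {cvss_base}")
    if not 0.0 <= epss_score <= 1.0:
        raise ValueError(f"epss_score out of range: {epss_score}")
    score = W_CVSS * (cvss_base / 10.0) + W_EPSS * epss_score
    if exploit_in_wild:
        score += W_ITW
    return round(min(score, 1.0), 3)


def remediation_priority(score: float, patch_available: bool) -> str:
    """Map the score to a band; without a vendor patch the action is mitigation."""
    for threshold, label in PRIORITY_BANDS:
        if score >= threshold:
            return label if patch_available else label + "-mitigate"
    return PRIORITY_BANDS[-1][1]


def assess_cves(cves: List[Dict]) -> List[Dict]:
    """Build cve_assessments records (schema fields from the page), riskiest first."""
    out = []
    for c in cves:
        score = composite_risk_score(c["cvss_base"], c["epss_score"], c["exploit_in_wild"])
        out.append({
            "cve_id": c["cve_id"],
            "cvss_base": c["cvss_base"],
            "cvss_vector": c.get("cvss_vector", ""),
            "epss_score": c["epss_score"],
            "exploit_in_wild": c["exploit_in_wild"],
            "patch_available": c["patch_available"],
            "composite_risk_score": score,
            "remediation_priority": remediation_priority(score, c["patch_available"]),
            "regulatory_deadlines": list(c.get("regulatory_deadlines", [])),
        })
    out.sort(key=lambda r: r["composite_risk_score"], reverse=True)
    return out


# Constructed sample input; the CVE ids are placeholders, not real CVEs.
SAMPLE_CVES = [
    {"cve_id": "CVE-EXAMPLE-0001", "cvss_base": 7.5,
     "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
     "epss_score": 0.02, "exploit_in_wild": False, "patch_available": True},
    {"cve_id": "CVE-EXAMPLE-0002", "cvss_base": 9.8,
     "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
     "epss_score": 0.97, "exploit_in_wild": True, "patch_available": False,
     "regulatory_deadlines": ["placeholder-deadline"]},
    {"cve_id": "CVE-EXAMPLE-0003", "cvss_base": 5.3,
     "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
     "epss_score": 0.001, "exploit_in_wild": False, "patch_available": True},
]

if __name__ == "__main__":
    for row in assess_cves(SAMPLE_CVES):
        print(row["cve_id"], row["composite_risk_score"], row["remediation_priority"])
```

The point of blending the two scores is that a high CVSS base with a negligible EPSS (sample 0001) lands well below a critical CVE that is being exploited now (sample 0002), and the missing patch on 0002 is surfaced in the priority label rather than lowering its risk.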
Memory config
| Parameter | Value |
|---|---|
| sliding_window | 40 |
| enable_episodic | true |
| enable_threat_intel | true |
| auto_persist_interval | 10 |
Allow-list
threat_intel, siem, osint, vuln_intel, document