Threat Intelligence
The Threat Intelligence page provides a centralized view of Indicators of Compromise (IOCs) tracked by AuroraSOC, including enrichment from external feeds, cross-site sharing, and vector-similarity search for related threats.
IOC Management
IOC Types Supported
| Type | Examples | Auto-Extraction |
|---|---|---|
| IP Address | 192.168.1.100, 10.0.0.0/24 | ✅ From alerts and logs |
| Domain | evil.example.com | ✅ Via DNS analysis |
| URL | https://malware.site/payload | ✅ From web proxy logs |
| File Hash | MD5, SHA1, SHA256 | ✅ From EDR and forensics |
| Email | phisher@evil.com | ✅ From email gateway |
| CVE | CVE-2024-12345 | ✅ From vulnerability scanner |
IOC Table
| Column | Description |
|---|---|
| Type | IOC category (ip, domain, hash, etc.) |
| Value | The actual indicator |
| Source | Where it was discovered |
| Confidence | Confidence score (0.0–1.0) |
| First Seen | When first detected |
| Last Seen | Most recent observation |
| Linked Alerts | Associated alert count |
| Status | Active / Expired / False Positive |
IOC Enrichment Pipeline
Why Two-Tier Storage?
AuroraSOC stores IOCs in PostgreSQL (structured) and Qdrant (vector), with Redis as a cache in front of external lookups:
- PostgreSQL — Exact-match lookups, deduplication by a unique constraint on type+value, SQL queries
- Qdrant — Semantic similarity search. When analyzing a new threat, find IOCs with similar context even if values differ. Uses `all-MiniLM-L6-v2` embeddings.
- Redis Cache — Hot-path lookup results cached for 1 hour to avoid redundant external API calls
Traditional IOC matching is exact: "is this IP in our blocklist?" Qdrant enables semantic queries: "find IOCs similar to this phishing campaign" — matching by contextual description, not just value.
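The three storage roles side by side, as an added illustration rather than AuroraSOC's own code: an exact-match index standing in for PostgreSQL, a similarity index standing in for Qdrant, and a TTL cache standing in for Redis in front of an external feed. The "embedding" here is a plain bag-of-words vector so the example runs offline; a real deployment would replace `embed()` with the sentence-transformer model. All IOC values and contexts are constructed sample data.

```python
"""Exact match, semantic similarity and a TTL cache behind IOC lookups.
In-memory stand-ins for the PostgreSQL / Qdrant / Redis roles."""
import math
import re
import time
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Ioc:
    ioc_type: str
    value: str
    context: str                 # free-text description: the input to similarity search
    confidence: float            # 0.0 to 1.0
    sources: list = field(default_factory=list)


def embed(text: str) -> Counter:
    """Stand-in embedding: sparse bag-of-words term counts. A real deployment
    would call the all-MiniLM-L6-v2 model here and get a dense vector."""
    return Counter(re.findall(r"[a-z0-9]+", text.lower()))


def cosine(a: Counter, b: Counter) -> float:
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0


class IocStore:
    def __init__(self, cache_ttl_seconds: int = 3600):
        self.exact = {}      # (type, value) -> Ioc       : exact-match index
        self.vectors = {}    # (type, value) -> embedding : similarity index
        self.cache = {}      # (type, value) -> (expires_at, result) : hot-path cache
        self.cache_ttl = cache_ttl_seconds
        self.feed_calls = 0  # how often the slow, rate-limited external feed was hit

    def upsert(self, ioc: Ioc) -> None:
        key = (ioc.ioc_type, ioc.value)
        self.exact[key] = ioc
        # Embed type, value and context together so "similar" means a similar situation
        self.vectors[key] = embed(f"{ioc.ioc_type} {ioc.value} {ioc.context}")

    def lookup_exact(self, ioc_type: str, value: str):
        """The traditional question: is this exact indicator already known?"""
        return self.exact.get((ioc_type, value))

    def search_similar(self, description: str, top_k: int = 3, min_score: float = 0.2):
        """The semantic question: which known IOCs resemble this description?"""
        query = embed(description)
        scored = sorted(((cosine(query, v), key) for key, v in self.vectors.items()), reverse=True)
        return [(self.exact[key], round(score, 3)) for score, key in scored[:top_k] if score >= min_score]

    def lookup_external(self, ioc_type: str, value: str, feed, now=None):
        """Consult an external feed, serving repeats from the cache for one TTL."""
        now = time.time() if now is None else now
        key = (ioc_type, value)
        hit = self.cache.get(key)
        if hit is not None and hit[0] > now:
            return hit[1]
        self.feed_calls += 1
        result = feed(ioc_type, value)
        self.cache[key] = (now + self.cache_ttl, result)
        return result


def fake_feed(ioc_type: str, value: str) -> dict:
    """Constructed stand-in for an external reputation API."""
    return {"found": True, "risk_score": 87, "categories": ["command-and-control"]}


def build_demo_store() -> IocStore:
    """Constructed sample IOCs using reserved/documentation names and ranges."""
    store = IocStore()
    store.upsert(Ioc("domain", "login-secure-mail.example",
                     "phishing campaign credential harvesting lure sent to finance staff", 0.8, ["email-gateway"]))
    store.upsert(Ioc("url", "https://docs-verify.example/login",
                     "phishing credential harvesting page mimicking corporate webmail", 0.7, ["proxy"]))
    store.upsert(Ioc("ip", "203.0.113.50",
                     "command and control beacon observed from sandboxed sample", 0.9, ["edr"]))
    return store


if __name__ == "__main__":
    s = build_demo_store()
    print(s.lookup_exact("ip", "203.0.113.50"))
    for ioc, score in s.search_similar("credential harvesting phishing email"):
        print(score, ioc.ioc_type, ioc.value)      # the two phishing IOCs, the C2 IP is not returned
    s.lookup_external("ip", "203.0.113.50", fake_feed)
    s.lookup_external("ip", "203.0.113.50", fake_feed)
    print("feed calls:", s.feed_calls)             # 1: the second lookup came from the cache
```

The similarity query returns both phishing indicators even though neither value appears in the query text, while the exact index would have returned nothing; the cache keeps the second external lookup from hitting the feed at all.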
Cross-Site IOC Sharing
For organizations with multiple AuroraSOC deployments, IOC sharing uses NATS JetStream for reliable delivery:
- Messages are persisted to disk
- Delivery is guaranteed (at-least-once)
- Consumers track their position for replay capability
Threat Intel Tools
LookupIOC
Searches the local database and external threat feeds for an IOC:
Input: `{"ioc_type": "ip", "ioc_value": "203.0.113.50"}`
Output:
```json
{
  "found": true,
  "sources": ["virustotal", "abuseipdb"],
  "risk_score": 87,
  "categories": ["command-and-control", "malware-distribution"],
  "first_seen": "2024-01-15",
  "related_campaigns": ["APT29-Cozy-Bear"]
}
```
EnrichIOC
Adds context to an IOC by embedding it in the vector database:
- Generates text embedding from IOC description and context
- Stores in the Qdrant `aurora_threat_intel` collection
- Links to related IOCs found by similarity search
ShareIOC
Publishes an IOC to NATS JetStream for cross-site dissemination:
- Standard STIX/TAXII format
- Includes confidence score and source attribution
- Automatic deduplication at receiving site
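The ShareIOC path and the JetStream delivery guarantees above, shown end to end as an added example (not AuroraSOC's code): an IOC is serialised as a STIX 2.1 Indicator, published to a durable at-least-once stream, and consumed by a second site that keeps its own position cursor. The `DurableStream` class is an in-memory stand-in for NATS JetStream; the field mapping (confidence 0.0–1.0 to the STIX 0–100 integer, source attribution in an `x_aurora_source` custom property) and the site names are this example's assumptions. It also shows why the receiving site must deduplicate: a lost ack means the same indicator is legitimately delivered twice.

```python
"""ShareIOC over an at-least-once stream: STIX 2.1 Indicator out, dedup key back."""
import re
import uuid
from datetime import datetime, timezone

# STIX object path per IOC type; values are assumed to contain no single quotes
STIX_PATH = {
    "ip": "ipv4-addr:value",
    "domain": "domain-name:value",
    "url": "url:value",
    "email": "email-addr:value",
    "sha256": "file:hashes.'SHA-256'",
}
_PATTERN_RE = re.compile(r"^\[(.+?) = '(.*)'\]$")


def to_stix_indicator(ioc_type, value, confidence, source, ts=None):
    if ioc_type not in STIX_PATH:
        raise ValueError(f"unsupported IOC type: {ioc_type}")
    ts = ts or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "pattern": f"[{STIX_PATH[ioc_type]} = '{value}']",
        "pattern_type": "stix",
        "valid_from": ts,
        "confidence": round(confidence * 100),   # STIX confidence is an integer 0-100
        "x_aurora_source": source,               # custom property: source attribution (assumed name)
    }


def from_stix_indicator(indicator):
    """Recover the (type, value) key the receiving site deduplicates on."""
    m = _PATTERN_RE.match(indicator["pattern"])
    if not m:
        raise ValueError(f"unsupported pattern: {indicator['pattern']}")
    path, value = m.groups()
    return {p: t for t, p in STIX_PATH.items()}[path], value


class DurableStream:
    """At-least-once delivery: messages are appended to a log, each consumer
    has its own cursor, and a delivered message is redelivered until acked."""

    def __init__(self):
        self.log = []        # list index + 1 is the sequence number
        self.cursor = {}     # consumer -> next sequence to deliver
        self.pending = {}    # consumer -> sequences delivered but not yet acked

    def publish(self, msg):
        self.log.append(msg)
        return len(self.log)

    def fetch(self, consumer):
        pending = self.pending.setdefault(consumer, [])
        if pending:                          # an unacked message goes out again first
            return pending[0], self.log[pending[0] - 1]
        seq = self.cursor.get(consumer, 1)
        if seq > len(self.log):
            return None
        self.cursor[consumer] = seq + 1
        pending.append(seq)
        return seq, self.log[seq - 1]

    def ack(self, consumer, seq):
        self.pending[consumer].remove(seq)

    def replay_from(self, consumer, seq):
        """Rewind the cursor; the log (on disk in JetStream, a list here) still has everything."""
        self.cursor[consumer] = seq
        self.pending[consumer] = []


class ReceivingSite:
    def __init__(self):
        self.received = 0
        self.iocs = {}       # (type, value) -> indicator; duplicate deliveries collapse here

    def handle(self, indicator):
        self.received += 1
        key = from_stix_indicator(indicator)
        self.iocs.setdefault(key, indicator)   # first copy kept; field merging is the dedup step's job
        return key


def run_exchange():
    """Constructed exchange: site A publishes two IOCs, site B loses one ack."""
    stream, site_b = DurableStream(), ReceivingSite()
    for t, v in [("ip", "203.0.113.50"), ("domain", "evil.example.com")]:
        stream.publish(to_stix_indicator(t, v, 0.9, "site-a"))
    seq, msg = stream.fetch("site-b")      # processed, but the ack never makes it back
    site_b.handle(msg)
    while (delivery := stream.fetch("site-b")) is not None:
        seq, msg = delivery
        site_b.handle(msg)
        stream.ack("site-b", seq)
    return site_b
```

Run `run_exchange()`: site B handles three deliveries but ends up with exactly two IOCs, which is the at-least-once contract doing its job and the receiver's (type, value) key absorbing the redelivery.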
IOC Deduplication
IOCs are deduplicated by a unique constraint on (type, value):
- If a duplicate IOC arrives, the existing record's `last_seen` and `confidence` are updated
- Source attribution is appended (not replaced)
- Linked alerts are merged
This ensures the IOC database stays clean while preserving full provenance history.
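The merge rules above, as an added example rather than AuroraSOC's own code. The behaviour the page states is kept (`last_seen` and `confidence` updated, sources appended, linked alerts merged); keeping the higher confidence and the earlier `first_seen`, case-folding domain/hash/email values before comparison, and the column names in the PostgreSQL `ON CONFLICT` string are this example's assumptions. The sample records are constructed.

```python
"""Deduplicating IOC ingestion keyed on (type, value), with the merge rules spelled out."""
from dataclasses import dataclass, field

# PostgreSQL form of the same rule, driven by the unique constraint (column names assumed,
# psycopg-style %s placeholders)
UPSERT_SQL = """
INSERT INTO iocs (ioc_type, value, confidence, first_seen, last_seen, sources, linked_alerts)
VALUES (%s, %s, %s, %s, %s, %s, %s)
ON CONFLICT (ioc_type, value) DO UPDATE SET
    last_seen     = GREATEST(iocs.last_seen, EXCLUDED.last_seen),
    confidence    = GREATEST(iocs.confidence, EXCLUDED.confidence),
    sources       = ARRAY(SELECT DISTINCT unnest(iocs.sources || EXCLUDED.sources)),
    linked_alerts = ARRAY(SELECT DISTINCT unnest(iocs.linked_alerts || EXCLUDED.linked_alerts));
"""

CASE_INSENSITIVE = {"domain", "hash", "email"}   # types whose values compare case-insensitively


@dataclass
class IocRecord:
    ioc_type: str
    value: str
    confidence: float            # 0.0 to 1.0
    first_seen: str              # ISO-8601 date, so plain string comparison orders correctly
    last_seen: str
    sources: list = field(default_factory=list)
    linked_alerts: set = field(default_factory=set)


def canonical_key(ioc_type, value):
    """Normalise so 'Evil.Example.COM' and 'evil.example.com' hit the same row."""
    ioc_type = ioc_type.strip().lower()
    value = value.strip()
    if ioc_type in CASE_INSENSITIVE:
        value = value.lower()
    return ioc_type, value


class IocTable:
    def __init__(self):
        self._rows = {}          # dict key plays the role of the (type, value) unique constraint

    def ingest(self, incoming):
        """Insert a new IOC or merge into the existing row. Returns (row, was_duplicate)."""
        key = canonical_key(incoming.ioc_type, incoming.value)
        existing = self._rows.get(key)
        if existing is None:
            incoming.ioc_type, incoming.value = key
            self._rows[key] = incoming
            return incoming, False
        existing.last_seen = max(existing.last_seen, incoming.last_seen)
        existing.first_seen = min(existing.first_seen, incoming.first_seen)
        existing.confidence = max(existing.confidence, incoming.confidence)
        for src in incoming.sources:             # append, never replace: provenance survives
            if src not in existing.sources:
                existing.sources.append(src)
        existing.linked_alerts |= incoming.linked_alerts
        return existing, True

    def get(self, ioc_type, value):
        return self._rows.get(canonical_key(ioc_type, value))

    def __len__(self):
        return len(self._rows)


def demo_table():
    """Constructed sample: the same domain reported twice by different sources."""
    t = IocTable()
    t.ingest(IocRecord("domain", "evil.example.com", 0.6, "2024-01-15", "2024-01-15", ["edr"], {101}))
    t.ingest(IocRecord("ip", "203.0.113.50", 0.9, "2024-01-16", "2024-01-16", ["firewall"], {102}))
    t.ingest(IocRecord("Domain", "Evil.Example.COM", 0.8, "2024-01-20", "2024-01-20", ["email-gateway"], {205}))
    return t


if __name__ == "__main__":
    table = demo_table()
    print(len(table), "rows")                          # 2: the second domain report was merged
    print(table.get("domain", "evil.example.com"))
```

Two things the in-memory version makes explicit that the SQL hides: the key is normalised before the constraint check, and the merge is per-field rather than a wholesale overwrite, which is what keeps the earlier source attribution and alert links from being lost.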