
Threat Intelligence

CHAD enriches alerts with threat intelligence (TI) from multiple sources. This helps analysts quickly assess whether IOCs (Indicators of Compromise) are known threats.

Supported Sources

CHAD integrates with 8 threat intelligence providers:
Source          | IOC Types                   | Free Tier
VirusTotal      | Hashes, domains, IPs, URLs  | Limited
AbuseIPDB       | IP addresses                | Yes
MISP            | All IOC types               | Self-hosted
GreyNoise       | IP addresses                | Limited
ThreatFox       | Hashes, IPs, domains        | Yes
abuse.ch        | Hashes, URLs                | Yes
AlienVault OTX  | All IOC types               | Yes
PhishTank       | URLs                        | Yes

How Enrichment Works

When an alert fires:
  1. IOC Extraction - CHAD extracts IPs, domains, hashes, and URLs from the log
  2. TI Lookup - Each IOC is checked against every enabled source
  3. Result Aggregation - The results are combined into an overall risk score
  4. Alert Enrichment - The TI data is attached to the alert
This happens automatically for all alerts on enabled index patterns.

Configuring TI Sources

Global Settings

  1. Navigate to Settings > Threat Intelligence
  2. Enable sources you want to use
  3. Enter API keys where required
  4. Save configuration

Per-Source Settings

VirusTotal

  1. Get an API key
  2. Enter in CHAD settings
  3. Enable hash, domain, IP, and/or URL lookups
Free tier: 4 requests/minute, 500/day. Consider premium for production.

AbuseIPDB

  1. Create an account
  2. Get API key from account settings
  3. Enter in CHAD
Free tier: 1,000 lookups/day.

MISP

  1. Self-host MISP or use a provider
  2. Generate API key in MISP
  3. Enter MISP URL and key in CHAD

GreyNoise

  1. Create account
  2. Get API key
  3. Enter in CHAD
Community tier: Limited lookups/day.

ThreatFox (abuse.ch)

  1. Get API key
  2. Enter in CHAD
Free with rate limits.

AlienVault OTX

  1. Create account
  2. Get API key from settings
  3. Enter in CHAD
Free tier available.

PhishTank

  1. Register
  2. Get API key
  3. Enter in CHAD
Free with attribution.

Per-Index Configuration

Enable TI for specific index patterns:
  1. Open the index pattern
  2. Click Threat Intelligence
  3. Select which sources to use
  4. Map fields for IOC extraction

IOC Field Mapping

Tell CHAD where to find IOCs in your logs:
IOC Type       | Field Examples
IP Address     | source.ip, destination.ip, client.ip
Domain         | dns.question.name, url.domain
URL            | url.original, url.full
Hash (MD5)     | file.hash.md5
Hash (SHA1)    | file.hash.sha1
Hash (SHA256)  | file.hash.sha256

Understanding Results

Risk Levels

Level       | Meaning
Unknown     | No data from any source
Clean       | Explicitly marked safe
Suspicious  | Some indicators of risk
Malicious   | Known bad IOC

Aggregated Score

CHAD combines results from multiple sources:
  • Multiple “malicious” ratings → High confidence
  • Mixed results → Requires analyst judgment
  • All “clean” → Likely safe (but verify)

Per-Source Details

Each source provides additional context:
  • Categories - Malware, phishing, C2, etc.
  • Tags - Specific threat names
  • First/Last seen - Timeline of activity
  • Reports - Number of reports or detections

Viewing Enrichment

In the alert detail view:
  1. Open an alert
  2. Scroll to Threat Intelligence
  3. See overall risk and per-IOC details
  4. Click IOCs for source-specific information

Rate Limiting

TI sources have rate limits. CHAD handles this by:
  • Caching results (configurable TTL)
  • Queuing lookups during high volume
  • Falling back gracefully when limits hit

Cache Settings

Configure in Settings > Threat Intelligence:
Setting         | Default   | Description
Cache TTL       | 24 hours  | How long to cache results
Negative Cache  | 1 hour    | Cache “not found” results
Longer cache = fewer API calls, but potentially stale data.

Private IOC Lists

Beyond public TI, you can import private IOC lists:
  1. Go to Settings > Threat Intelligence > Custom Lists
  2. Upload CSV with IOCs
  3. Assign categories and risk levels
  4. These are checked alongside public sources
CSV format:
type,value,category,risk
ip,192.168.1.100,internal,clean
domain,evil.com,malware,malicious
hash,abc123...,ransomware,malicious
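The enrichment pipeline described above (field-mapped IOC extraction, lookups, aggregation, attachment), written out as an added Python example that is not part of CHAD or its documentation. It assumes events carry flattened ECS-style field names, reads a private list in the CSV format shown above, applies the aggregation rules from the Aggregated Score section, and stands in a stub for the real provider lookups, which are network calls. The sample event and private list are constructed.

```python
import csv
import io

# Field mapping from the IOC Field Mapping table above (ECS names); events are
# assumed to carry flattened dotted keys, as Elasticsearch documents often do.
IOC_FIELDS = {
    "ip": ["source.ip", "destination.ip", "client.ip"],
    "domain": ["dns.question.name", "url.domain"],
    "url": ["url.original", "url.full"],
    "hash": ["file.hash.md5", "file.hash.sha1", "file.hash.sha256"],
}

# Constructed sample input: one event plus a private list in the page's CSV format.
SAMPLE_EVENT = {"source.ip": "192.168.1.100", "url.domain": "Evil.com",
                "file.hash.sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}
PRIVATE_LIST_CSV = "type,value,category,risk\nip,192.168.1.100,internal,clean\ndomain,evil.com,malware,malicious\n"

def extract_iocs(event):
    """Step 1 (IOC Extraction): (type, value) pairs found via the field mapping."""
    return {(t, str(event[f]).lower()) for t, fields in IOC_FIELDS.items() for f in fields if event.get(f)}

def load_private_list(csv_text):
    """Parse the custom-list CSV shown above (type,value,category,risk) into {(type, value): risk}."""
    return {(r["type"], r["value"].lower()): r["risk"] for r in csv.DictReader(io.StringIO(csv_text))}

def aggregate(verdicts):
    """Step 3 (Result Aggregation) using the page's rules: several 'malicious' -> high
    confidence; mixed -> suspicious (analyst judgment); all 'clean' -> clean; no data -> unknown."""
    known = [v for v in verdicts if v != "unknown"]
    if not known:
        return ("unknown", "none")          # no data is not the same as clean
    if all(v == "malicious" for v in known):
        return ("malicious", "high" if len(known) > 1 else "medium")
    if all(v == "clean" for v in known):
        return ("clean", "medium")
    return ("suspicious", "analyst-judgment")

def enrich(event, sources, private_list):
    """Steps 2-4: query every enabled source plus the private list, aggregate, attach to the alert."""
    ti = {}
    for ioc in extract_iocs(event):
        verdicts = [lookup(ioc) for lookup in sources] + [private_list.get(ioc, "unknown")]
        ti[ioc] = aggregate(verdicts)
    return ti

def stub_source(ioc):
    """Stand-in for a real provider lookup (VirusTotal, AbuseIPDB, ...): fixed verdicts, no network."""
    return "malicious" if ioc[1] == "evil.com" else "unknown"
```

Calling enrich(SAMPLE_EVENT, [stub_source], load_private_list(PRIVATE_LIST_CSV)) returns the per-IOC risk and confidence that would be attached to the alert; the hash, seen by no source, comes back as unknown rather than clean.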

Best Practices

  • abuse.ch, PhishTank, and AbuseIPDB free tiers are good starting points.
  • More sources = better coverage but higher API costs.
  • Balance freshness vs. API usage with the cache TTL.
  • More IOC extraction = better enrichment coverage.
  • “Unknown” doesn’t mean safe; it means no data was available.

Troubleshooting

No enrichment appearing

  1. Check TI sources are enabled
  2. Verify API keys are valid
  3. Check field mappings for IOC extraction
  4. Verify index pattern has TI enabled

API errors

  1. Check API key validity
  2. Review rate limit status
  3. Verify network connectivity
  4. Check source-specific error messages

Stale data

  1. Reduce cache TTL
  2. Clear cache manually if needed
  3. Check source API for updates
