ELLIO Threat Intelligence
Threat Intelligence (CTI) is ELLIO's research-grade view of the IP layer of the internet. Every IP is enriched with classification, kill-chain mapping, fingerprints, observation history, and rich context from the ELLIO Deception Network.
Where to access it
| Surface | What it gives you | When to reach for it |
|---|---|---|
| Threat Intelligence dashboard | Interactively search the full IP catalogue, browse tags, drill into IP detail, export timelines | Investigations, ad-hoc hunting, building queries |
| CTI API | Programmatic single, extended, and bulk IP lookups | Enrichment in pipelines, SIEM queries, automation |
| Microsoft Sentinel TAXII | Millions of STIX 2.1 indicators streamed via TAXII 2.1 | Native ingestion into Microsoft Sentinel |
| MISP Feed | Millions of non-spoofable IP indicators delivered as a native MISP feed - daily sightings, per-IP timelines, and per-IP timelines with FoxIO JA4+ | Native ingestion into MISP |
| Bulk Data feeds | Daily/historical snapshots in Splunk LUT, Google SecOps UDM, and JSONL | Mass enrichment, lookups, batch hunting |
For reference material - search syntax, IP detail page, the full tag catalogue - see the sidebar.
Concepts you'll see throughout the docs
- Classification - every IP carries one of malicious, promiscuous, benign, or unknown. Drives most filtering decisions.
- Spoofable vs non-spoofable - non-spoofable means ELLIO confirmed a TCP handshake, so the source IP attribution is trustworthy. Spoofable means it isn't. Almost every production query should require spoofable: false.
- Tags - short labels like Shodan, Apache Path Traversal, or Fast Scanner (i.e. Masscan / ZMap) that group IPs by what they were doing when ELLIO observed them. The full catalogue lives at Tags.
- MuonFP / JA3 / JA4 - TCP and TLS fingerprints captured during the interaction with ELLIO sensors. Filter by these to find tooling regardless of the source IP.
- MITRE ATT&CK - every IP is mapped to one or more tactics, techniques, and sub-techniques. Useful for aligning hunts with your existing detection catalogue.
- CVEs - vulnerabilities the IP was observed exploiting (or attempting to).
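An added example (not ELLIO's code) of applying these concepts in an enrichment pipeline: it requires non-spoofable attribution before acting on an IP, keeps only malicious or promiscuous classifications, then summarises ATT&CK techniques for hunt alignment and pivots on JA4 to group tooling regardless of source IP. The record field names (classification, spoofable, tags, ja4, attack, cves) are an assumed simplification, not the documented CTI API schema, and all records are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample records. The field layout is an ASSUMED simplification
# for this example, not the documented ELLIO CTI API response format.
SAMPLE_RECORDS = [
    {"ip": "203.0.113.10", "classification": "malicious", "spoofable": False,
     "tags": ["Apache Path Traversal"], "ja4": "JA4-CONSTRUCTED-A",
     "attack": ["T1190"], "cves": ["CVE-EXAMPLE-0001"]},
    {"ip": "203.0.113.11", "classification": "malicious", "spoofable": True,
     "tags": ["Fast Scanner (i.e. Masscan / ZMap)"], "ja4": None,
     "attack": ["T1595"], "cves": []},
    {"ip": "198.51.100.5", "classification": "promiscuous", "spoofable": False,
     "tags": ["Shodan"], "ja4": "JA4-CONSTRUCTED-B", "attack": ["T1595"], "cves": []},
    {"ip": "198.51.100.6", "classification": "benign", "spoofable": False,
     "tags": [], "ja4": "JA4-CONSTRUCTED-B", "attack": [], "cves": []},
    # Flag missing entirely: attribution cannot be trusted, so it is skipped.
    {"ip": "192.0.2.7", "classification": "malicious", "tags": ["Apache Path Traversal"],
     "ja4": "JA4-CONSTRUCTED-A", "attack": ["T1190"], "cves": ["CVE-EXAMPLE-0001"]},
]

ACTIONABLE = {"malicious", "promiscuous"}

def is_non_spoofable(rec):
    # Only an explicit False counts: ELLIO confirmed a TCP handshake.
    # A missing or True flag means the source IP may be spoofed.
    return rec.get("spoofable") is False

def actionable(records):
    """IPs safe to block or alert on: handshake-confirmed and malicious/promiscuous."""
    return [r for r in records
            if is_non_spoofable(r) and r.get("classification") in ACTIONABLE]

def technique_counts(records):
    """ATT&CK technique frequency across actionable IPs, to align hunts with detections."""
    return Counter(t for r in actionable(records) for t in r.get("attack", []))

def ips_by_fingerprint(records):
    """Group handshake-confirmed IPs by JA4 so shared tooling shows up across IPs."""
    groups = defaultdict(list)
    for r in records:
        if is_non_spoofable(r) and r.get("ja4"):
            groups[r["ja4"]].append(r["ip"])
    return dict(groups)

if __name__ == "__main__":
    print([r["ip"] for r in actionable(SAMPLE_RECORDS)])
    print(technique_counts(SAMPLE_RECORDS))
    print(ips_by_fingerprint(SAMPLE_RECORDS))
```

Note that the benign IP still appears in the fingerprint pivot: sharing a JA4 with a promiscuous host is exactly the kind of lead the fingerprint filter is meant to surface.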
Two ways to use the data
- On-demand lookup. Use the CTI API - single, extended, or bulk IP lookups. Pairs well with SOAR, custom dashboards, and pipeline enrichment.
- Continuous ingest. Use the TAXII connector, MISP feed, or Bulk Data downloads - your SIEM, MISP, or analytics platform pulls fresh indicators on a schedule.