Skip to content

New: Microsoft Sentinel TAXII integration is in technical preview.Read the integration guide

ELLIO Threat Intelligence

Threat Intelligence (CTI) is ELLIO’s view of the IP layer of the internet. Every IP is enriched with classification, kill-chain mapping, fingerprints, observation history, and context from the ELLIO Deception Network.

Surface What it gives you When to reach for it
Threat Intelligence dashboard Interactively search the full IP catalogue, browse tags, drill into IP detail, export timelines Investigations, ad-hoc hunting, building queries
CTI API Programmatic single, extended, and bulk IP lookups Enrichment in pipelines, SIEM queries, automation
Microsoft Sentinel TAXII Millions of STIX 2.1 indicators streamed via TAXII 2.1 Native ingestion into Microsoft Sentinel
MISP Feed Millions of non-spoofable IP indicators delivered as a native MISP feed - daily sightings, per-IP timelines, and per-IP timelines with FoxIO JA4+ Native ingestion into MISP
Bulk Data feeds Daily/historical snapshots in Splunk LUT, Google SecOps UDM, and JSONL Mass enrichment, lookups, batch hunting

For reference material - search syntax, IP detail page, the full tag catalogue - see the sidebar.

Classification - every IP carries one of malicious, promiscuous, benign, or unknown. Drives most filtering decisions.

Spoofable vs non-spoofable - non-spoofable means ELLIO confirmed a TCP handshake, so the source IP attribution is trustworthy. Spoofable means it isn’t. Almost every production query should require spoofable: false.

Tags - short labels like Shodan, Apache Path Traversal, or Fast Scanner (i.e. Masscan / ZMap) that group IPs by what they were doing when ELLIO observed them. The full catalogue lives at Tags.

MuonFP / JA3 / JA4 - TCP and TLS fingerprints captured during the interaction with ELLIO sensors. Filter by these to find tooling regardless of the source IP.

MITRE ATT&CK - every IP is mapped to one or more tactics, techniques, and sub-techniques. Useful for aligning hunts with your existing detection catalogue.

CVEs - vulnerabilities the IP was observed exploiting (or attempting to).

  • On-demand lookup. Use the CTI API - single, extended, or bulk IP lookups. Pairs well with SOAR, custom dashboards, and pipeline enrichment.
  • Continuous ingest. Use the TAXII connector, MISP feed, or Bulk Data downloads - your SIEM, MISP, or analytics platform pulls fresh indicators on a schedule.