Data model
Each ELLIO indicator is a UDM IP_ADDRESS entity in the Entity Context Graph. Rules and
dashboards read it through the graph prefix, for example
graph.metadata.threat.risk_score. Every ELLIO entity carries
metadata.product_name = "ELLIO: Threat Intelligence" - that, plus the verdict marker below,
is how you select ELLIO context in a rule.
Verdict
| Field | Value |
|---|---|
| metadata.threat.category_details | classification:malicious / promiscuous / unknown / benign |
| metadata.threat.category | NETWORK_MALICIOUS (malicious) / NETWORK_RECON (promiscuous); unset for unknown and benign |
| metadata.threat.severity | HIGH (malicious) / MEDIUM (promiscuous) / LOW (unknown) / INFORMATIONAL (benign) - one to one with classification (also mirrored as severity_details) |
| metadata.threat.confidence | HIGH_CONFIDENCE for classified verdicts (malicious / promiscuous / benign), LOW_CONFIDENCE for unknown |
The verdict lives in these fields, never in the presence or absence of the threat block.
Benign indicators carry the marker too - so you can allowlist on them - but no risk score.
ELLIO verdicts come from direct, non-spoofable observation, which is why a classified verdict
is high-confidence; unknown means observed but not yet classified.
Risk score
metadata.threat.risk_score (0 to 100) is a continuous scale for precise thresholds
(for example risk_score >= 80), unlike the fixed severity categories. You control it per
feed in ELLIO Platform under Connectors → Google SecOps → Risk scoring:
- Fresh and at-cutoff scores per classification. A score starts at the Fresh value when ELLIO observes the indicator and decays to the At cutoff value by the end of the keep-active window - so a high score means severe and recently active.
- Decay scale: logarithmic (drops sharply early, then tails off), linear, or no decay.
- Benign is never scored - the field is omitted by design, so a risk_score >= N condition excludes benign (and any unscored indicator) automatically.
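The scoring behaviour described above, as an added Python example (not ELLIO's own code): a score starts at the Fresh value, decays to the At cutoff value over the keep-active window, benign is never scored, and an absent risk_score never satisfies a threshold. The per-classification values, the 30-day window and the exact shape of the logarithmic curve are assumptions chosen to illustrate the page's description; set the real values in ELLIO Platform.

```python
import math
from typing import Optional

# Constructed (fresh, at-cutoff) pairs per classification. Example values only,
# not ELLIO defaults: you configure yours under Connectors -> Google SecOps ->
# Risk scoring. Benign is deliberately absent, so it is never scored.
SCORE_CONFIG = {
    "malicious": (95, 60),
    "promiscuous": (70, 30),
    "unknown": (40, 10),
}
KEEP_ACTIVE_DAYS = 30.0  # assumed keep-active window length for this example


def decay_progress(frac: float, scale: str) -> float:
    """Fraction of the fresh-to-cutoff drop applied once `frac` (0..1) of the
    keep-active window has elapsed. The logarithmic curve here is an assumed
    shape that matches the page's wording (drops sharply early, then tails off);
    ELLIO's actual curve is not documented on this page."""
    if scale == "linear":
        return frac
    if scale == "logarithmic":
        # log1p(frac * (e - 1)) is 0 at frac=0, 1 at frac=1 and concave in between
        return math.log1p(frac * (math.e - 1))
    raise ValueError(f"unknown decay scale: {scale}")


def decayed_score(fresh: float, at_cutoff: float, age_days: float,
                  keep_active_days: float = KEEP_ACTIVE_DAYS,
                  scale: str = "logarithmic") -> float:
    """Score of an indicator `age_days` after ELLIO last observed it: starts at
    `fresh` and reaches `at_cutoff` at the end of the keep-active window.
    With scale "none" the score simply stays at `fresh`."""
    if scale == "none" or age_days <= 0:
        return float(fresh)
    if age_days >= keep_active_days:
        return float(at_cutoff)
    frac = age_days / keep_active_days
    return fresh - (fresh - at_cutoff) * decay_progress(frac, scale)


def risk_score(classification: str, age_days: float,
               scale: str = "logarithmic") -> Optional[int]:
    """metadata.threat.risk_score for an indicator, or None when the field is
    omitted (benign, or any classification without a configured score)."""
    pair = SCORE_CONFIG.get(classification)
    if pair is None:
        return None
    fresh, at_cutoff = pair
    return round(decayed_score(fresh, at_cutoff, age_days, scale=scale))


def meets_threshold(score: Optional[int], minimum: int) -> bool:
    """risk_score >= N as a rule evaluates it: an absent field never satisfies
    the comparison, so benign and unscored entities drop out automatically."""
    return score is not None and score >= minimum


if __name__ == "__main__":
    # Print the curve for a malicious indicator under each decay scale.
    for scale in ("logarithmic", "linear", "none"):
        row = [risk_score("malicious", d, scale) for d in (0, 1, 5, 10, 20, 30)]
        print(f"{scale:12s} {row}")
    print("benign:", risk_score("benign", 0), "->", meets_threshold(risk_score("benign", 0), 0))
```

Because the threshold helper treats a missing field as "no match", a rule written as risk_score >= N needs no separate benign exclusion; the omitted field does that work.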
Context labels
| Context | Where |
|---|---|
| Behavior tags, CVEs, MITRE techniques, kill-chain phase, actor | metadata.threat.category_details with tag:, tag_id:, cve:, mitre:, kill_chain:, actor: prefixes |
| Fingerprints (MuonFP / JA3 / JA3S / JA4), observed ports | metadata.threat.detection_fields (key/value) |
| First / last observed by ELLIO | metadata.threat.first_discovered_time / last_discovered_time |
| Feed attribution | metadata.threat.threat_feed_name (defaults to ELLIO: Threat Intelligence) |
| Link back to ELLIO Platform | metadata.threat.url_back_to_product |
The cve: labels are what the CVE watchlist rule matches against.
Network attributes
| Field | Value |
|---|---|
| entity.ip / entity.artifact.ip | the indicator |
| entity.hostname | reverse DNS |
| entity.ip_geo_artifact.asn / as_owner | autonomous system |
| entity.ip_geo_artifact.location.country_or_region, .city, .region_coordinates | geolocation of the indicator IP |
Validity
metadata.interval.start_time / end_time bound the window the indicator is valid for -
the detection engine only matches events inside it. Every daily push refreshes the window,
so an indicator that stays in the feed keeps matching and one that is dropped ages out
within days, automatically. The window is a short delivery lease, not ELLIO's relevance
horizon; relevance is the retention you configure in ELLIO Platform.
Selecting ELLIO context in a rule
```
$ioc.graph.metadata.product_name = "ELLIO: Threat Intelligence"
$ioc.graph.metadata.entity_type = "IP_ADDRESS"
$ioc.graph.metadata.threat.category_details = "classification:malicious"
$ioc.graph.entity.ip = $ip
```
See Detection rules for the shipped rule set.
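To check the selection logic, the verdict marker, the prefixed context labels and the validity window together outside SecOps, here is an added Python example (not ELLIO's code and not a YARA-L rule) that evaluates the same conditions against a UDM entity as JSON. The two entities are constructed: their IPs, timestamps, labels and risk score are made up for the example and are not real ELLIO output.

```python
import json
from datetime import datetime
from typing import Iterable, Optional

ELLIO_PRODUCT = "ELLIO: Threat Intelligence"

# Constructed sample entities in the UDM shape the page describes. Every value
# (IP, interval, labels, score) is invented for this example.
SAMPLE_ENTITY = json.loads("""
{
  "metadata": {
    "product_name": "ELLIO: Threat Intelligence",
    "entity_type": "IP_ADDRESS",
    "interval": {"start_time": "2024-05-01T00:00:00Z", "end_time": "2024-05-04T00:00:00Z"},
    "threat": {
      "category": "NETWORK_MALICIOUS",
      "category_details": ["classification:malicious", "tag:ssh-bruteforce",
                           "cve:CVE-2021-44228", "mitre:T1110", "kill_chain:exploitation"],
      "severity": "HIGH",
      "confidence": "HIGH_CONFIDENCE",
      "risk_score": 87,
      "detection_fields": [{"key": "port", "value": "22"}]
    }
  },
  "entity": {"ip": ["203.0.113.7"]}
}
""")

BENIGN_ENTITY = json.loads("""
{
  "metadata": {
    "product_name": "ELLIO: Threat Intelligence",
    "entity_type": "IP_ADDRESS",
    "interval": {"start_time": "2024-05-01T00:00:00Z", "end_time": "2024-05-04T00:00:00Z"},
    "threat": {
      "category_details": ["classification:benign"],
      "severity": "INFORMATIONAL",
      "confidence": "HIGH_CONFIDENCE"
    }
  },
  "entity": {"ip": ["192.0.2.10"]}
}
""")


def parse_ts(value: str) -> datetime:
    """RFC 3339 timestamp with a trailing Z to an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_labels(category_details: Iterable[str]) -> dict:
    """Group prefixed labels (classification:, tag:, cve:, mitre:, ...) into
    {prefix: [values]}; a label without a prefix lands under the empty key."""
    grouped: dict = {}
    for label in category_details:
        prefix, sep, value = label.partition(":")
        if not sep:
            prefix, value = "", label
        grouped.setdefault(prefix, []).append(value)
    return grouped


def threat_block(entity: dict) -> dict:
    return entity.get("metadata", {}).get("threat", {})


def classification(entity: dict) -> Optional[str]:
    """The verdict is the classification: label, never the presence of a threat block."""
    values = parse_labels(threat_block(entity).get("category_details", [])).get("classification", [])
    return values[0] if values else None


def cve_labels(entity: dict) -> list:
    """The cve: values a CVE watchlist would match against."""
    return parse_labels(threat_block(entity).get("category_details", [])).get("cve", [])


def is_ellio_ip(entity: dict) -> bool:
    md = entity.get("metadata", {})
    return md.get("product_name") == ELLIO_PRODUCT and md.get("entity_type") == "IP_ADDRESS"


def valid_at(entity: dict, when: datetime) -> bool:
    """Mirror the engine: only events inside metadata.interval match."""
    interval = entity.get("metadata", {}).get("interval", {})
    return parse_ts(interval["start_time"]) <= when < parse_ts(interval["end_time"])


def select(entity: dict, event_ip: str, event_time: str,
           classifications: Iterable[str] = ("malicious",),
           min_risk: Optional[int] = None) -> bool:
    """Same conditions as the rule snippet above, plus validity and an optional
    risk_score >= N. A missing risk_score never passes the threshold, which is
    how benign (and unscored) entities stay out of a scored rule."""
    if not is_ellio_ip(entity):
        return False
    ips = entity.get("entity", {}).get("ip", [])
    if isinstance(ips, str):
        ips = [ips]
    if event_ip not in ips or not valid_at(entity, parse_ts(event_time)):
        return False
    if classification(entity) not in tuple(classifications):
        return False
    if min_risk is not None:
        score = threat_block(entity).get("risk_score")
        if score is None or score < min_risk:
            return False
    return True
```

Calling select with classifications=("benign",) and no min_risk is the allowlist case the Verdict section mentions; adding any min_risk to the same call returns False, because benign entities carry no risk_score at all.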