
Data model

Each ELLIO indicator is a UDM IP_ADDRESS entity in the Entity Context Graph. Rules and dashboards read it through the graph. prefix (for example graph.metadata.threat.risk_score). Every ELLIO entity carries metadata.product_name = "ELLIO: Threat Intelligence"; that, together with the verdict marker below, is how you select ELLIO context in a rule.

Field                             Value
metadata.threat.category_details  a classification:<verdict> label, where verdict is malicious, promiscuous, unknown or benign
metadata.threat.category          NETWORK_MALICIOUS (malicious) / NETWORK_RECON (promiscuous); unset for unknown and benign
metadata.threat.severity          HIGH / MEDIUM / LOW / INFORMATIONAL, one to one with the classification in the order above (also mirrored in metadata.threat.severity_details)
metadata.threat.confidence        HIGH_CONFIDENCE for classified verdicts (malicious / promiscuous / benign), LOW_CONFIDENCE for unknown

The verdict lives in these fields, never in the presence or absence of the threat block. Benign indicators carry the classification:benign marker too, so you can allowlist on them, but they carry no risk score. ELLIO verdicts come from direct, non-spoofable observation, which is why a classified verdict is high-confidence; unknown means observed but not yet classified.

metadata.threat.risk_score (0 to 100) is a continuous scale for precise thresholds (for example risk_score >= 80), unlike the fixed severity categories. You control it per feed in ELLIO Platform under Connectors → Google SecOps → Risk scoring:

  • Fresh and At cutoff scores per classification. A score starts at the Fresh value when ELLIO observes the indicator and decays to the At cutoff value by the end of the keep-active window, so a high score means severe and recently active.
  • Decay scale: logarithmic (drops sharply early, then tails off), linear, or no decay.
  • Benign is never scored - the field is omitted by design, so a risk_score >= N condition excludes benign (and any unscored indicator) automatically.
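
The interaction between the Fresh and At cutoff values, the decay scale and a risk_score threshold decides how long a rule keeps firing on an indicator. The model below is an added example, not ELLIO's implementation: the page gives the endpoints and the three scale names but not the exact curve, so the log1p shape, the steepness knob and the values in FEED_SCORING are assumptions chosen to reproduce the described behaviour (steep early drop, long tail, At cutoff reached at the end of the window, benign unscored).

```python
"""Illustrative model of the per-feed risk scoring described above.

Added example, not ELLIO's code. The page says a score starts at the Fresh
value, reaches the At cutoff value at the end of the keep-active window, and
decays on a logarithmic, linear or no-decay scale; it does not give the exact
curve, so the log1p shape below and the values in FEED_SCORING are assumptions.
"""
import math

# Assumed per-classification (Fresh, At cutoff) settings; benign is never scored.
FEED_SCORING = {
    "malicious":   {"fresh": 100, "at_cutoff": 40},
    "promiscuous": {"fresh": 70, "at_cutoff": 20},
    "unknown":     {"fresh": 30, "at_cutoff": 5},
}

def decay_fraction(age_days, keep_active_days, scale):
    """Fraction of the Fresh -> At cutoff drop reached at `age_days`: 0.0 is still
    Fresh, 1.0 is the At cutoff value (reached at the end of the window)."""
    t = min(max(age_days / keep_active_days, 0.0), 1.0)  # position inside the window
    if scale == "none":
        return 0.0            # no decay: the score stays at Fresh for the whole window
    if scale == "linear":
        return t
    if scale == "logarithmic":
        steepness = 99.0      # assumed knob: log1p(99*t)/log1p(99) runs 0 -> 1
        return math.log1p(steepness * t) / math.log1p(steepness)
    raise ValueError(f"unknown decay scale: {scale!r}")

def risk_score(classification, age_days, keep_active_days, scale="logarithmic"):
    """metadata.threat.risk_score (0..100) for an indicator of this age, or None
    when the field is omitted (benign, or any classification without scoring)."""
    cfg = FEED_SCORING.get(classification)
    if cfg is None:
        return None
    drop = cfg["fresh"] - cfg["at_cutoff"]
    return round(cfg["fresh"] - drop * decay_fraction(age_days, keep_active_days, scale), 1)

def matches_threshold(score, threshold):
    """A `risk_score >= N` condition is false when the field is absent, so benign
    and other unscored indicators drop out without an explicit exclusion."""
    return score is not None and score >= threshold

def days_above(threshold, classification, keep_active_days, scale, step_days=0.25):
    """Last sampled age (days) at which the score still satisfies `threshold`:
    the recency a `risk_score >= threshold` rule effectively enforces."""
    age = 0.0
    while age <= keep_active_days:
        if not matches_threshold(risk_score(classification, age, keep_active_days, scale), threshold):
            return max(age - step_days, 0.0)
        age += step_days
    return float(keep_active_days)
```

With the assumed settings and a 30-day keep-active window, a risk_score >= 80 rule keeps matching a malicious indicator for 10 days under linear decay but only about one day under the logarithmic curve, and for the whole window with no decay; the threshold and the decay scale therefore have to be chosen together, and a benign indicator never satisfies the condition because its score is None.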
Context                                                          Where
Behavior tags, CVEs, MITRE techniques, kill-chain phase, actor   metadata.threat.category_details labels with the tag:, tag_id:, cve:, mitre:, kill_chain: and actor: prefixes
Fingerprints (MuonFP / JA3 / JA3S / JA4), observed ports         metadata.threat.detection_fields (key/value pairs)
First / last observed by ELLIO                                   metadata.threat.first_discovered_time / metadata.threat.last_discovered_time
Feed attribution                                                 metadata.threat.threat_feed_name (defaults to "ELLIO: Threat Intelligence")
Link back to ELLIO Platform                                      metadata.threat.url_back_to_product

The cve: labels are what the CVE watchlist rule matches against.

Field                                                                            Value
entity.ip / entity.artifact.ip                                                   the indicator IP
entity.hostname                                                                  reverse DNS name of the indicator
entity.ip_geo_artifact.asn / entity.ip_geo_artifact.as_owner                     autonomous system number and owner
entity.ip_geo_artifact.location.country_or_region / .city / .region_coordinates  geolocation of the indicator IP

metadata.interval.start_time / end_time bound the window the indicator is valid for; the detection engine only matches events inside it. Every daily push refreshes the window, so an indicator that stays in the feed keeps matching and one that is dropped ages out within days, automatically. The window is a short delivery lease, not ELLIO's relevance horizon; relevance is the retention you configure in ELLIO Platform.

// YARA-L: select ELLIO context for the IP bound from the event ($ip)
$ioc.graph.metadata.product_name = "ELLIO: Threat Intelligence"
$ioc.graph.metadata.entity_type = "IP_ADDRESS"
$ioc.graph.metadata.threat.category_details = "classification:malicious"
$ioc.graph.entity.ip = $ip
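
The same selection, worked through in Python over constructed entities so the data-model rules above can be exercised end to end: product_name and entity_type as the selectors, the verdict read from the classification: label rather than from the presence of a threat block, a risk_score threshold that excludes benign because the field is absent, cve: labels for the watchlist, and the metadata.interval window. This is an added example, not ELLIO's or Google's code; the IPs, times, tag names and the CVE-0000-0000 placeholder label are made up, and the dict nesting follows the dotted UDM paths on this page rather than the exact Entity Context Graph JSON.

```python
"""Added example (not ELLIO's or Google's code): how a rule reads ELLIO context
from UDM IP_ADDRESS entities, using the field names listed on this page.

The entity dicts are constructed sample data: IPs, times, tag names and the
CVE-0000-0000 placeholder label are made up. Their nesting mirrors the dotted
UDM paths above, not the exact Entity Context Graph JSON.
"""
from datetime import datetime

ELLIO_PRODUCT = "ELLIO: Threat Intelligence"

def ts(rfc3339: str) -> datetime:
    """Parse a UTC RFC 3339 timestamp such as 2024-06-01T00:00:00Z."""
    return datetime.fromisoformat(rfc3339.replace("Z", "+00:00"))

def ellio_entity(ip, verdict, start, end, extra_labels=(), **threat):
    """Constructed ELLIO entity; extra keyword args become metadata.threat fields."""
    return {
        "metadata": {
            "product_name": ELLIO_PRODUCT,
            "entity_type": "IP_ADDRESS",
            "interval": {"start_time": start, "end_time": end},
            "threat": {"category_details": [f"classification:{verdict}", *extra_labels], **threat},
        },
        "entity": {"ip": [ip]},
    }

WINDOW = ("2024-06-01T00:00:00Z", "2024-06-03T00:00:00Z")  # one daily push's lease

ENTITIES = [
    ellio_entity("192.0.2.10", "malicious", *WINDOW,
                 extra_labels=["tag:ssh-bruteforce", "cve:CVE-0000-0000", "mitre:T1110"],
                 category="NETWORK_MALICIOUS", severity="HIGH",
                 confidence="HIGH_CONFIDENCE", risk_score=91),
    ellio_entity("192.0.2.20", "promiscuous", *WINDOW, category="NETWORK_RECON",
                 severity="MEDIUM", confidence="HIGH_CONFIDENCE", risk_score=38),
    # unknown: observed but unclassified, so no category and LOW_CONFIDENCE
    ellio_entity("192.0.2.30", "unknown", *WINDOW,
                 severity="LOW", confidence="LOW_CONFIDENCE", risk_score=12),
    # benign: carries the verdict marker but risk_score is omitted by design
    ellio_entity("198.51.100.7", "benign", *WINDOW,
                 severity="INFORMATIONAL", confidence="HIGH_CONFIDENCE"),
    # same IP as the malicious indicator but from another product: never selected
    {"metadata": {"product_name": "Other TI", "entity_type": "IP_ADDRESS",
                  "interval": {"start_time": WINDOW[0], "end_time": WINDOW[1]},
                  "threat": {"category_details": ["classification:malicious"], "risk_score": 99}},
     "entity": {"ip": ["192.0.2.10"]}},
]

def get_path(obj, dotted: str):
    """Walk a dotted UDM path such as metadata.threat.risk_score; None if absent."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def is_ellio_ip(entity) -> bool:
    """The two selectors every ELLIO rule starts with."""
    return (get_path(entity, "metadata.product_name") == ELLIO_PRODUCT
            and get_path(entity, "metadata.entity_type") == "IP_ADDRESS")

def labels(entity, prefix: str) -> list:
    """Values of category_details labels carrying `prefix` (e.g. 'cve:')."""
    details = get_path(entity, "metadata.threat.category_details") or []
    return [d[len(prefix):] for d in details if d.startswith(prefix)]

def classification(entity):
    """The verdict is the classification: label, never the presence of a threat block."""
    found = labels(entity, "classification:")
    return found[0] if found else None

def in_window(entity, when: datetime) -> bool:
    """metadata.interval bounds when the detection engine will match the indicator."""
    start = get_path(entity, "metadata.interval.start_time")
    end = get_path(entity, "metadata.interval.end_time")
    return bool(start and end) and ts(start) <= when < ts(end)

def select(entities, ip: str, when: datetime, *, verdict=None, min_score=None):
    """ELLIO entities for `ip` valid at `when`, narrowed by verdict and/or score.
    A missing risk_score never satisfies min_score, which is what excludes benign
    (and any other unscored) indicators from a risk_score >= N condition."""
    hits = []
    for e in entities:
        if not is_ellio_ip(e) or ip not in (get_path(e, "entity.ip") or []):
            continue
        if not in_window(e, when) or (verdict is not None and classification(e) != verdict):
            continue
        score = get_path(e, "metadata.threat.risk_score")
        if min_score is not None and (score is None or score < min_score):
            continue
        hits.append(e)
    return hits

def cve_watchlist_hits(entities, watchlist: set) -> dict:
    """CVE -> indicator IPs, from the cve: labels the CVE watchlist rule matches on."""
    hits = {}
    for e in filter(is_ellio_ip, entities):
        for cve in sorted(set(labels(e, "cve:")) & watchlist):
            hits.setdefault(cve, []).extend(get_path(e, "entity.ip") or [])
    return hits
```

select(ENTITIES, "192.0.2.10", when, verdict="malicious") is the Python counterpart of the four YARA-L conditions above; the non-ELLIO entity with the same IP is dropped by the product_name check, and a benign indicator passes verdict="benign" (the allowlist case) but never passes any min_score because it has no risk_score to compare.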

See Detection rules for the shipped rule set.