Threat Intelligence

Sentinel Nerd enriches every external IP and domain in your events with threat intelligence from multiple feeds, giving you instant context on potential threats.

Overview

Threat intelligence enrichment runs automatically on all events containing external IP addresses or domain names. The enrichment data is attached to the event and available in detection rules, alerts, and the dashboard.

GeoIP Enrichment

Every external IP is enriched with geographic and network data using MaxMind GeoIP2:

  • Country and city — Geographic location of the IP
  • ASN — Autonomous System Number and organization name
  • ISP — Internet Service Provider identification
  • Proxy/VPN detection — Whether the IP is a known proxy, VPN, or Tor exit node (Pro)

GeoIP Enrichment Example
{
  "geo": {
    "ip": "203.0.113.42",
    "country": "CN",
    "country_name": "China",
    "city": "Beijing",
    "latitude": 39.9042,
    "longitude": 116.4074,
    "asn": 4808,
    "as_org": "China Unicom",
    "isp": "China Unicom Beijing",
    "is_proxy": false,
    "is_vpn": false,
    "is_tor": false
  }
}

Note

GeoIP data is included on all plans and is updated weekly. The GeoIP database is cached locally, so lookups involve no network round-trip. Geolocation is approximate and reflects where an address is registered, not necessarily where the actor sits (VPNs, proxies and cloud egress all distort it), so treat country and city as context rather than as a detection signal on their own.

AbuseIPDB Integration

IPs are checked against AbuseIPDB's crowd-sourced threat database (Pro):

  • Abuse confidence score — 0-100 score based on community reports
  • Total reports — Number of abuse reports filed
  • Categories — Types of abuse reported (SSH brute force, DDoS, spam, etc.)
  • Last reported — When the IP was last reported as abusive

AbuseIPDB Enrichment
{
  "abuse_ipdb": {
    "score": 87,
    "total_reports": 142,
    "last_reported": "2025-01-14T22:15:00Z",
    "categories": ["SSH", "Brute-Force", "Bad Web Bot"],
    "is_whitelisted": false,
    "country_code": "CN"
  }
}

AbuseIPDB Configuration

To enable AbuseIPDB, add your API key in Instance Settings → Integrations → Threat Intelligence.

AbuseIPDB Settings

    API Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Check Threshold: Events with external IPs only
    Cache TTL: 24 hours
    Max Requests/Day: 1000 (free tier) or 5000 (premium)

With a 24-hour TTL each distinct external IP costs at most one request per day, so the daily request limit effectively caps how many distinct IPs can be scored; size the limit against the number of unique external addresses your events normally contain.

VirusTotal Integration

Domains, URLs, and file hashes are checked against VirusTotal (Pro):

  • Detection ratio — How many AV engines flag the indicator as malicious
  • Categories — Classification by security vendors
  • First/last seen — When the indicator was first and last observed
  • Related indicators — Connected IPs, domains, and samples

VirusTotal Enrichment
{
  "virustotal": {
    "indicator": "malware-c2.example.com",
    "type": "domain",
    "detections": 34,
    "total_engines": 87,
    "detection_ratio": 0.39,
    "categories": {
      "Fortinet": "Malware",
      "Sophos": "Command and Control"
    },
    "first_seen": "2024-12-01T00:00:00Z",
    "last_seen": "2025-01-15T00:00:00Z"
  }
}

Custom Threat Feeds

Import custom IP/domain blocklists from URLs or file uploads (Enterprise):

  • STIX/TAXII feed support
  • CSV and plain-text blocklist import
  • Automatic refresh on configurable intervals
  • Custom severity mapping for matched indicators
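
The parsing and matching a custom blocklist implies, as an added example that is not Sentinel Nerd code: it reads a constructed CSV/plain-text feed (comments, blank lines, CIDR ranges, bare domains, an optional per-row severity), matches IPs against the most specific covering network, and matches domains against every parent label so that a listed `example.net` also catches `www.example.net`. The feed format and the `severity` column are assumptions, not the product's import schema.

```python
"""Load a custom IP/domain blocklist and match indicators against it.

Added example, not Sentinel Nerd code. Feed layout ("indicator,severity"
rows, '#' comments) and the default severity are assumptions.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample feed: CIDR ranges, single IPs and bare domains.
SAMPLE_FEED = """\
# internal blocklist, refreshed hourly
198.51.100.0/24,high
203.0.113.42,critical
malware-c2.example.com,critical
example.net,medium

192.0.2.7,low
"""


@dataclass
class Blocklist:
    networks: list = field(default_factory=list)  # (ip_network, severity)
    domains: dict = field(default_factory=dict)   # normalized domain -> severity


def parse_feed(text: str) -> Blocklist:
    """Parse a plain-text/CSV feed; anything that is not an IP or CIDR is a domain."""
    bl = Blocklist()
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].lstrip().startswith("#"):
            continue                       # comment or blank line
        indicator = row[0].strip()
        if not indicator:
            continue
        severity = row[1].strip().lower() if len(row) > 1 and row[1].strip() else "medium"
        try:
            # strict=False accepts entries with host bits set, e.g. "10.1.2.3/8"
            bl.networks.append((ipaddress.ip_network(indicator, strict=False), severity))
        except ValueError:
            bl.domains[indicator.lower().rstrip(".")] = severity
    return bl


def match_ip(bl: Blocklist, ip: str) -> Optional[str]:
    """Return the severity of the most specific matching network, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, sev in bl.networks:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, sev)
    return best[1] if best else None


def match_domain(bl: Blocklist, name: str) -> Optional[str]:
    """Match the name and each parent domain; the bare TLD is never matched."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in bl.domains:
            return bl.domains[candidate]
    return None


if __name__ == "__main__":
    bl = parse_feed(SAMPLE_FEED)
    for ip in ("198.51.100.9", "203.0.113.42", "203.0.113.43"):
        print(ip, match_ip(bl, ip))
    for name in ("www.example.net", "c2.malware-c2.example.com", "example.org"):
        print(name, match_domain(bl, name))
```

A linear scan over the network list is fine for a few thousand entries; feeds with hundreds of thousands of prefixes want a radix tree, but the most-specific-match semantics stay the same.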

Using Threat Intel in Rules

Reference enrichment data in your detection rules. Because the rule below blocks automatically, consider also requiring `enrichment.abuse_ipdb.is_whitelisted` to equal false, so that addresses AbuseIPDB itself marks as trusted infrastructure are never blocked on score alone; shared or NAT'd addresses with a high score can also carry legitimate traffic, so keep the block duration short and the alert channel noisy enough to be reviewed.

Threat Intel Rule

    name: ti.high_risk_ip
    description: Connection from IP with high AbuseIPDB score
    severity: high
    conditions:
      - field: enrichment.abuse_ipdb.score
        gte: 80
      - field: event.direction
        equals: inbound
    actions:
      - alert:
          channels: [slack]
      - active_response:
          action: block_ip
          duration: 24h
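
How the conditions of a rule like the one above are evaluated against enriched events, as an added example that is not the product's rule engine: it supports only the two condition shapes the rule uses (`field` with `gte` or `equals`), resolves dotted field paths into the event JSON, and treats a missing enrichment block as "condition not met" rather than crashing or matching. The `is_whitelisted` guard is an assumed extra condition, and the events are constructed samples.

```python
"""Evaluate a Sentinel Nerd-style threat-intel rule against enriched events.

Added example, not the product's own rule engine. Only the `gte` and
`equals` operators shown on the page are implemented; the is_whitelisted
guard and the event layout are assumptions.
"""
from typing import Any, Optional

RULE = {
    "name": "ti.high_risk_ip",
    "severity": "high",
    "conditions": [
        {"field": "enrichment.abuse_ipdb.score", "gte": 80},
        {"field": "enrichment.abuse_ipdb.is_whitelisted", "equals": False},  # assumed guard
        {"field": "event.direction", "equals": "inbound"},
    ],
}

_MISSING = object()


def get_path(obj: Any, dotted: str, default: Any = None) -> Any:
    """Resolve 'a.b.c' through nested dicts; any missing key yields `default`."""
    cur = obj
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def condition_holds(cond: dict, event: dict) -> bool:
    value = get_path(event, cond["field"], _MISSING)
    if value is _MISSING:
        return False  # no enrichment present: the condition is not satisfied
    if "gte" in cond:
        # bool is a subclass of int; exclude it so True never passes as 1
        return (isinstance(value, (int, float)) and not isinstance(value, bool)
                and value >= cond["gte"])
    if "equals" in cond:
        return value == cond["equals"]
    raise ValueError(f"unsupported operator in condition {cond!r}")


def evaluate(rule: dict, event: dict) -> Optional[dict]:
    """Return an alert record if every condition holds, otherwise None."""
    if all(condition_holds(c, event) for c in rule["conditions"]):
        return {
            "rule": rule["name"],
            "severity": rule["severity"],
            "src_ip": get_path(event, "event.src_ip"),
        }
    return None


# Constructed sample events: one true positive, one outbound, one whitelisted,
# and one whose enrichment never ran (e.g. the daily lookup budget was spent).
EVENTS = [
    {"event": {"src_ip": "203.0.113.42", "direction": "inbound"},
     "enrichment": {"abuse_ipdb": {"score": 87, "is_whitelisted": False}}},
    {"event": {"src_ip": "198.51.100.5", "direction": "outbound"},
     "enrichment": {"abuse_ipdb": {"score": 95, "is_whitelisted": False}}},
    {"event": {"src_ip": "192.0.2.10", "direction": "inbound"},
     "enrichment": {"abuse_ipdb": {"score": 90, "is_whitelisted": True}}},
    {"event": {"src_ip": "198.51.100.77", "direction": "inbound"}},
]


def run(rule: dict = RULE, events: list = EVENTS) -> list:
    return [a for a in (evaluate(rule, e) for e in events) if a]


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The fourth sample event is the case worth noticing: an event with no enrichment block is silently excluded by this rule, so unchecked traffic from a high-risk address looks identical to clean traffic unless you also alert on missing enrichment.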

Performance

Threat intelligence lookups use an in-memory cache with configurable TTL. Cached lookups add under 1 ms to event processing time; a cache miss incurs the round-trip to the upstream provider (AbuseIPDB, VirusTotal) and consumes one request from that provider's daily budget.
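
The behaviour the Cache TTL and Max Requests/Day settings (AbuseIPDB Configuration above) and the cached-lookup path (Performance) imply, as an added example that is not Sentinel Nerd code: a per-indicator cache with expiry in front of a daily request budget, with the provider call replaced by a constructed stub. The point it makes that the settings alone do not is what to record when the budget is exhausted: an event that could not be checked must carry a distinct status, never a fabricated clean score. The `ti_status` field, the stub and the clock injection are assumptions.

```python
"""Cache and budget threat-intel lookups.

Added example, not Sentinel Nerd code. The provider call is a constructed
stub; `ti_status` values and the injectable clock are assumptions.
"""
import time
from typing import Callable, Dict, Tuple


class TILookupCache:
    def __init__(self, lookup: Callable[[str], dict], ttl_seconds: int,
                 max_requests_per_day: int,
                 clock: Callable[[], float] = time.time):
        self._lookup = lookup
        self._ttl = ttl_seconds
        self._budget = max_requests_per_day
        self._clock = clock
        self._cache: Dict[str, Tuple[float, dict]] = {}  # ip -> (expires_at, result)
        self._day = None
        self._used = 0
        self.stats = {"hits": 0, "misses": 0, "skipped": 0}

    def _reset_budget_if_new_day(self) -> None:
        day = int(self._clock() // 86400)
        if day != self._day:
            self._day, self._used = day, 0

    def enrich(self, ip: str) -> dict:
        now = self._clock()
        hit = self._cache.get(ip)
        if hit and hit[0] > now:
            self.stats["hits"] += 1
            return {"ti_status": "cached", **hit[1]}
        self._reset_budget_if_new_day()
        if self._used >= self._budget:
            # Budget spent: say so explicitly. Returning score 0 here would make
            # an unchecked address indistinguishable from a verified-clean one.
            self.stats["skipped"] += 1
            return {"ti_status": "skipped_quota_exhausted"}
        self._used += 1
        self.stats["misses"] += 1
        result = self._lookup(ip)
        self._cache[ip] = (now + self._ttl, result)
        return {"ti_status": "fresh", **result}


# Constructed stub standing in for the AbuseIPDB API; values mirror the page's sample.
def fake_abuseipdb(ip: str) -> dict:
    known = {"203.0.113.42": {"score": 87, "total_reports": 142, "is_whitelisted": False}}
    return {"abuse_ipdb": known.get(ip, {"score": 0, "total_reports": 0, "is_whitelisted": False})}


def demo() -> dict:
    """Drive the cache with a fake clock: hit, miss, exhaustion, then expiry + reset."""
    t = [1_700_000_000.0]
    cache = TILookupCache(fake_abuseipdb, ttl_seconds=24 * 3600,
                          max_requests_per_day=2, clock=lambda: t[0])
    first = cache.enrich("203.0.113.42")   # miss: first request of the day
    second = cache.enrich("203.0.113.42")  # within TTL: served from cache
    third = cache.enrich("198.51.100.5")   # miss: second and last request
    fourth = cache.enrich("192.0.2.9")     # budget exhausted: not checked
    t[0] += 25 * 3600                      # next day, and past the 24 h TTL
    fifth = cache.enrich("203.0.113.42")   # entry expired, budget reset: fresh lookup
    return {"first": first, "second": second, "third": third,
            "fourth": fourth, "fifth": fifth, "stats": dict(cache.stats)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Pair the `skipped_quota_exhausted` status with a low-severity rule or dashboard counter; a silent rise in skipped lookups is how you find out the daily budget is undersized for your event volume.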