Threat Intelligence
Overview
Fleet provides a complete threat intelligence pipeline: extract indicators of compromise from any source, enrich them with reputation data and risk scores, generate structured intelligence outputs, and convert findings into actionable detection rules. The pipeline runs end-to-end in a single request, or you can use individual capabilities as needed.
Observable Extraction
Fleet extracts indicators of compromise (IOCs) from URLs, documents, text, files, and threat reports.
Supported Observable Types
| Type | Examples |
|---|---|
| IPv4 addresses | 192.168.1.1, 10.0.0.0/24 |
| IPv6 addresses | 2001:0db8::1 |
| Domain names | evil-c2.example.com |
| URLs | https://malware-host.example.com/payload.exe |
| File hashes (MD5) | d41d8cd98f00b204e9800998ecf8427e |
| File hashes (SHA1) | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| File hashes (SHA256) | e3b0c44298fc1c149afbf4c8996fb924... |
| Email addresses | [email protected] |
| Mutexes | Global\MalwareMutex_001 |
| Registry keys | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| File paths | C:\Windows\Temp\payload.exe |
Extraction Sources
- URLs — Fleet fetches the page content (handling JavaScript-rendered single-page applications) and extracts all observables from the rendered text.
- Documents — upload PDF, Office, or text files containing threat intelligence, and Fleet extracts all embedded indicators.
- Text — paste raw text (email bodies, log entries, chat messages, report excerpts) and Fleet identifies all observables.
- Files — upload any file, and Fleet extracts observables from its content and metadata.
Noise Filtering
Fleet automatically filters extraction results to remove noise:
- Navigation links and UI elements from the source domain are excluded when extracting from URLs.
- Common benign infrastructure (CDN domains, analytics services) is flagged but not removed, allowing you to make the final determination.
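As an added illustration, not Fleet's own code, the following extractor handles most of the observable types in the table above, normalises the defanging analysts apply (`hxxp`, `[.]`), and applies the source-domain noise filter described in the list above. The `SAMPLE_TEXT`, the regexes and the helper names are this example's assumptions; IPv6, SHA1, email and file-path patterns are left out for brevity.

```python
import re
from urllib.parse import urlparse

# Constructed sample (not from the page): defanged report excerpt plus a navigation link from the hosting site.
SAMPLE_TEXT = """Read more at https://blog.example.org/about
C2: hxxps://malware-host[.]example[.]com/payload.exe on 203[.]0[.]113[.]5
Scanner range 10.0.0.0/24, bogus 999.1.1.1
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
MD5 d41d8cd98f00b204e9800998ecf8427e, mutex Global\\MalwareMutex_001
Run key HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"""

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
PATTERNS = {  # hashes differ only by hex length; \b stops md5 matching inside a sha256
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "md5": re.compile(r"\b[a-fA-F0-9]{32}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?\b"),
    "mutex": re.compile(r"\bGlobal\\[\w.-]+"),
    "registry": re.compile(r"\bHK(?:LM|CU|CR|U|CC)\\[\w\\.-]+"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}

def refang(text):
    """Undo the defanging analysts apply so indicators match their live form."""
    return text.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")

def in_scope(host, source_domain):
    """Noise filter: hosts on the page's own domain are navigation, not IOCs."""
    return not source_domain or (host != source_domain and not host.endswith("." + source_domain))

def valid_ipv4(hit):
    """Reject regex matches with an octet above 255 (e.g. 999.1.1.1)."""
    return all(int(octet) <= 255 for octet in hit.split("/")[0].split("."))

def extract(text, source_domain=None):
    text = refang(text)
    found = {kind: set() for kind in ["url", *PATTERNS]}
    for url in URL_RE.findall(text):  # URLs first; their hosts are recorded here, not re-matched below
        host = (urlparse(url).hostname or "").lower()
        if host and in_scope(host, source_domain):
            found["url"].add(url)
            found["ipv4" if host.replace(".", "").isdigit() else "domain"].add(host)
    text = URL_RE.sub(" ", text)
    for kind, pat in PATTERNS.items():
        for hit in pat.findall(text):
            if (kind == "ipv4" and not valid_ipv4(hit)) or (
                    kind == "domain" and not in_scope(hit.lower(), source_domain)):
                continue
            found[kind].add(hit)
    return {kind: sorted(vals) for kind, vals in found.items() if vals}
```

Calling `extract(SAMPLE_TEXT, source_domain="blog.example.org")` drops the hosting site's "Read more" link while keeping the refanged C2 URL, its domain, both hashes, the mutex and the Run key.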
Example prompts:
Extract all observables from this URL: https://example.com/threat-report
Extract IOCs from the attached PDF threat report.
Parse this email body for indicators of compromise.
Enrichment and Risk Scoring
Fleet enriches extracted observables with context from multiple intelligence sources and assigns risk scores.
Enrichment Process
For each extracted observable, Fleet performs:
- Reputation lookup — checks the observable against multiple threat intelligence databases and reputation services.
- Domain popularity — for domain observables, checks against the Alexa Top 1M list to distinguish well-known legitimate domains from unknown or suspicious ones.
- Known-good identification — for file hash observables, checks against the National Software Reference Library (NSRL) to identify known legitimate software.
- Web intelligence — searches the internet for recent mentions of the observable in security advisories, threat reports, and research publications.
Risk Scoring
Each observable receives a risk score based on the enrichment results:
| Score Range | Classification | Meaning |
|---|---|---|
| High | Malicious | Multiple sources confirm malicious activity |
| Medium | Suspicious | Some indicators of risk, requires investigation |
| Low | Likely benign | No negative reputation, possibly legitimate |
| Info | Known good | Confirmed legitimate (NSRL match, Alexa Top 1M) |
Scores include a confidence level indicating how much evidence supports the classification.
Example prompt:
Extract and enrich all observables from this URL. Score each by risk level and filter out navigation noise.
STIX 2.1 Output
Fleet can generate Structured Threat Information Expression (STIX) 2.1 bundles from extracted and enriched observables. STIX bundles are machine-readable and can be imported into:
- SIEM platforms (Splunk, Microsoft Sentinel, QRadar)
- Threat Intelligence Platforms (MISP, OpenCTI, ThreatConnect)
- SOAR platforms for automated response workflows
- Other security tools that support STIX ingestion
STIX bundles include the full enrichment data: reputation results, DNS records, web search findings, and evidence flags for each observable.
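A constructed example, not Fleet's implementation, of turning observables scored with the tiers from the Risk Scoring table into a STIX 2.1 bundle: each observable becomes an `indicator` whose `pattern`, `confidence` and `indicator_types` carry the tier, and known-good (Info) items are left out unless requested, since importing them into a SIEM would only generate alerts on legitimate infrastructure. The `ENRICHED` records, the `TIER` mapping and the field names are assumptions of this example.

```python
import uuid
from datetime import datetime, timezone

# Constructed input (not from the original page): observables already scored with the
# tiers from the Risk Scoring table; the field names are this example's assumption.
ENRICHED = [
    {"type": "domain", "value": "malware-host.example.com", "risk": "High",
     "evidence": ["3 reputation sources flag malicious", "named in a vendor advisory"]},
    {"type": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "risk": "Medium", "evidence": ["1 reputation hit", "no NSRL match"]},
    {"type": "domain", "value": "cdn.example.net", "risk": "Info", "evidence": ["Alexa Top 1M"]},
]

# STIX patterning expressions for the observable types this example handles.
PATTERN = {
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "url": "[url:value = '{v}']",
    "md5": "[file:hashes.MD5 = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}
# Risk tier -> (STIX confidence 0-100, indicator-type-ov value). The numbers are illustrative.
TIER = {"High": (85, "malicious-activity"), "Medium": (50, "anomalous-activity"),
        "Low": (20, "unknown"), "Info": (90, "benign")}

def stix_id(kind):
    return f"{kind}--{uuid.uuid4()}"  # STIX 2.1 identifiers are <type>--<UUIDv4>

def to_indicator(obs, now):
    confidence, indicator_type = TIER[obs["risk"]]
    return {
        "type": "indicator", "spec_version": "2.1", "id": stix_id("indicator"),
        "created": now, "modified": now, "valid_from": now,
        "name": f"{obs['type']}: {obs['value']}",
        "description": "Enrichment evidence: " + "; ".join(obs["evidence"]),
        "indicator_types": [indicator_type],
        "pattern": PATTERN[obs["type"]].format(v=obs["value"]),
        "pattern_type": "stix",
        "confidence": confidence,
        "labels": [f"risk:{obs['risk'].lower()}"],
    }

def build_bundle(enriched, include_known_good=False):
    """Info-tier observables are skipped by default so a SIEM import does not alert on known-good hosts."""
    now = datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")
    objects = [to_indicator(o, now) for o in enriched if include_known_good or o["risk"] != "Info"]
    return {"type": "bundle", "id": stix_id("bundle"), "objects": objects}
```

`json.dumps(build_bundle(ENRICHED), indent=2)` yields a bundle that a STIX-aware platform can ingest directly.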
Example prompt:
Extract observables from the attached report and generate a STIX 2.1 bundle with full enrichment data.
Web Search
Fleet can search the internet for the latest threat intelligence, security advisories, CVE details, and research publications.
Use Cases
- CVE research — look up vulnerability details including CVSS score, affected versions, patch status, and known exploitation in the wild.
- Threat actor research — find the latest advisories and campaign analyses for specific threat groups (APT29, Lazarus Group, FIN7, etc.).
- Malware family research — locate technical write-ups, IOC lists, and detection guidance for specific malware families.
- Technique research — find documentation on specific attack techniques, including detection strategies and defensive recommendations.
Example prompts:
Search for the latest APT29 advisories from CISA and Mandiant.
What is the CVSS score and patch status for CVE-2021-36934?
Find recent technical analyses of LokiBot stealer variants.
Report Finder
Fleet can locate, download, and convert security reports into a readable format for analysis and further processing.
Supported Report Types
- Vendor threat reports (Mandiant, CrowdStrike, Microsoft, Recorded Future)
- Government advisories (CISA, FBI, NSA joint advisories)
- APT campaign analyses
- CVE advisories and technical details
- Malware family analyses
- Industry-specific threat assessments
Process
Fleet searches for reports matching your criteria, downloads them, and converts them to markdown format for easy reading. The original files are also saved to the workspace.
Example prompts:
Find and download the latest Mandiant report on APT29 techniques.
Download the CISA advisory for CVE-2024-XXXXX.
MITRE ATT&CK Mapping
All Fleet analysis findings are mapped to the MITRE ATT&CK framework. This provides standardized context for understanding threats:
- Tactics — the adversary’s goals (Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact).
- Techniques and sub-techniques — the specific methods used to achieve each goal (e.g., T1059.001 PowerShell, T1055.012 Process Hollowing, T1053.005 Scheduled Task).
ATT&CK mappings appear in:
- Malware analysis reports
- Document analysis results
- Network forensics findings
- Detection rule metadata
- Threat intelligence packages
Example prompt:
Analyze this binary and map all identified capabilities to MITRE ATT&CK techniques.
Output Formats
Fleet produces threat intelligence outputs in multiple formats to suit different use cases:
| Format | Best For | Description |
|---|---|---|
| Markdown report | Human reading | Observables organized by type with enrichment results and risk scores |
| Text report | Quick triage | Flat list sorted by risk score for rapid prioritization |
| STIX 2.1 bundle (JSON) | Machine consumption | Full structured intelligence with all enrichment data |
| YARA rules | File scanning | Detection rules generated directly from enriched observables |
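An added example, not Fleet's generator, of the "YARA rules" row above: detection content derived from enriched observables, with file hashes matched through YARA's `hash` module, string-type observables emitted as text strings, and Info-tier (known good) items never turned into detection logic. The `ENRICHED` records, the `attack_technique` meta key and the helper names are this example's assumptions.

```python
# Constructed enriched observables (not from the original page); the field names are this
# example's assumption. Only High/Medium items become detection content.
ENRICHED = [
    {"type": "sha256", "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855", "risk": "High"},
    {"type": "mutex", "value": "Global\\MalwareMutex_001", "risk": "High"},
    {"type": "domain", "value": "malware-host.example.com", "risk": "Medium"},
    {"type": "domain", "value": "cdn.example.net", "risk": "Info"},  # known good: never a rule
]
STRING_TYPES = ("mutex", "domain", "url", "registry", "path")

def yara_escape(value):
    """Escape backslashes and quotes so the value is a valid YARA text string."""
    return value.replace("\\", "\\\\").replace('"', '\\"')

def to_yara(enriched, rule_name, technique, risks=("High", "Medium")):
    """Emit one YARA rule: file hashes via the hash module, other observables as strings."""
    chosen = [o for o in enriched if o["risk"] in risks]
    hashes = [o["value"].lower() for o in chosen if o["type"] == "sha256"]  # hash module yields lowercase hex
    strings = [o["value"] for o in chosen if o["type"] in STRING_TYPES]
    if not hashes and not strings:
        raise ValueError("no observables at the requested risk tiers to build a rule from")
    lines = ['import "hash"', "", f"rule {rule_name}", "{", "    meta:",
             f'        attack_technique = "{technique}"',
             f'        source_observables = "{len(hashes)} hash(es), {len(strings)} string(s)"']
    if strings:
        lines.append("    strings:")
        lines += [f'        $s{i} = "{yara_escape(s)}" ascii wide nocase' for i, s in enumerate(strings)]
    conditions = [f'hash.sha256(0, filesize) == "{h}"' for h in hashes]
    if strings:
        conditions.append("any of ($s*)")
    lines += ["    condition:", "        " + " or ".join(conditions), "}"]
    return "\n".join(lines)
```

`to_yara(ENRICHED, "report_iocs", "T1059.001")` returns a rule whose condition is the SHA-256 match or any of the mutex and domain strings; the known-good CDN domain does not appear.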
Example prompt:
Extract observables from this URL in full mode. Give me a markdown report and also generate a STIX bundle.
End-to-End Workflow Example
A typical threat intelligence workflow in Fleet:
- You: “Process this APT29 threat report and build a detection package.”
- Fleet: extracts all observables from the report (IPs, domains, URLs, hashes, file paths, registry keys).
- Fleet: enriches each observable with reputation data, risk scores, and web intelligence.
- Fleet: converts enriched observables to a STIX 2.1 bundle.
- Fleet: maps all TTPs to MITRE ATT&CK and creates a technique heat map.
- Fleet: searches for supplementary advisories to ensure coverage of the latest indicators.
- Fleet: generates detection rules: Sigma for log-based detection, YARA for file scanning, osquery for endpoint state.
- Fleet: produces an executive threat briefing with IOC table, ATT&CK mapping, detection rules, and recommended defensive actions.
- Fleet: saves all outputs to the workspace for download and distribution.
Limitations
- Enrichment quality depends on the availability and coverage of external intelligence sources. Some newly registered domains or recently created infrastructure may not yet appear in reputation databases.
- Web search results reflect publicly available information. Classified or restricted intelligence sources are not accessible.
- STIX 2.1 bundle generation follows the OASIS standard. Custom STIX extensions are not supported.