The enrichment engine behind faster SOC decisions

ThreatPulsar's core is a parallel enrichment pipeline that processes each IOC against 40+ threat intelligence feeds simultaneously, normalizes the results, and delivers structured threat context within seconds — not minutes.

How the enrichment pipeline works

Threat intelligence pipeline architecture

From indicator to ATT&CK technique in five steps

01. Indicator Ingestion

IOCs arrive via REST API, STIX/TAXII feed, or direct SIEM connector. Supported indicator types: IPv4/IPv6, domain, URL, file hash (MD5, SHA-1, SHA-256), email address, and ASN. Bulk submission supports up to 500 indicators per API call.

02. Parallel Feed Query

Each indicator is dispatched to all 40+ feeds concurrently — VirusTotal, Shodan, AbuseIPDB, AlienVault OTX, MalwareBazaar, URLhaus, Emerging Threats, and your organization's private feeds. The query engine handles rate limits and retries transparently.

03. Context Normalization

Feed responses arrive in different formats — JSON, XML, CSV, plain text. ThreatPulsar's normalization layer converts all responses to a unified schema: threat category, confidence score, first/last seen timestamps, related infrastructure, and malware family tags.

04. ATT&CK Mapping

Normalized context is matched against behavioral signatures in ThreatPulsar's technique library. IP addresses with known C2 communication patterns are mapped to T1071 (Application Layer Protocol) and T1095 (Non-Application Layer Protocol). File hashes associated with known loaders map to T1059 sub-techniques. Coverage spans ATT&CK Enterprise v14, ICS, and Mobile.

05. Structured Output

Enriched indicators are returned as structured JSON with full provenance data. SOAR playbooks receive populated field values. SIEM rules can be updated automatically when enrichment reveals new indicators sharing infrastructure with known threat actors.
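The query, normalization and mapping stages above (steps 02 to 04), as an added worked example. This is hypothetical code, not ThreatPulsar's own: the feed names, field names, technique table and sample responses are assumptions. It merges one JSON and one plain-text feed response into the unified schema, skips an unsupported XML response without poisoning the record, and maps the resulting category to technique IDs.

```python
# Added example for steps 02 to 04: hypothetical code, not ThreatPulsar's own.
# Feed names, field names and the sample responses below are constructed.
import json
from dataclasses import dataclass, field

@dataclass
class Enriched:  # the unified schema named in step 03
    indicator: str
    category: str = "unknown"
    confidence: int = 0
    first_seen: str = ""
    last_seen: str = ""
    related: list = field(default_factory=list)   # related infrastructure
    families: list = field(default_factory=list)  # malware family tags
    sources: list = field(default_factory=list)   # feed provenance for step 05

def parse_json_feed(raw):  # a JSON verdict record
    d = json.loads(raw)
    return {"category": d["verdict"], "confidence": int(d["score"]), "related": d.get("related", []),
            "first_seen": d.get("first_seen"), "last_seen": d.get("last_seen"), "families": d.get("tags", [])}
def parse_text_feed(raw):  # a plain-text hit: "<indicator> <category> <confidence>"
    _, category, confidence = raw.split()
    return {"category": category, "confidence": int(confidence)}
PARSERS = {"json": parse_json_feed, "text": parse_text_feed}
TECHNIQUES = {"c2": ["T1071", "T1095"], "loader": ["T1059"]}  # step 04 table

def normalize(indicator, responses):
    """Merge (feed, format, raw) triples into one record (steps 02 and 03)."""
    out = Enriched(indicator)
    for feed, fmt, raw in responses:
        try:
            p = PARSERS[fmt](raw)
        except (KeyError, ValueError):  # unknown format, missing field, bad JSON or number
            continue  # one bad feed must not poison the merged record
        out.sources.append(feed)
        if p["confidence"] > out.confidence:  # strongest verdict wins
            out.category, out.confidence = p["category"], p["confidence"]
        out.first_seen = min(filter(None, (out.first_seen, p.get("first_seen"))), default="")
        out.last_seen = max(filter(None, (out.last_seen, p.get("last_seen"))), default="")
        out.related += [r for r in p.get("related", []) if r not in out.related]
        out.families += [f for f in p.get("families", []) if f not in out.families]
    return out
def map_attack(rec):  # step 04: behavioural category -> ATT&CK technique IDs
    return TECHNIQUES.get(rec.category, [])

SAMPLE = [  # constructed responses for one indicator; the XML one is unsupported here
    ("feed-a", "json", '{"verdict":"c2","score":85,"first_seen":"2024-03-01","last_seen":"2024-04-02","tags":["sample-family"],"related":["203.0.113.7"]}'),
    ("feed-b", "text", "198.51.100.23 c2 60"),
    ("feed-c", "xml", "<not-handled/>"),
]
```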

Platform capabilities

STIX 2.1 / TAXII 2.1 Support

ThreatPulsar both consumes and produces STIX 2.1 objects. Pull threat intelligence from ISAC feeds via TAXII and export your enriched IOC bundles back to sharing communities. Supported relationship types: indicates, uses, mitigates, attributed-to.

The TAXII server endpoint is available at your tenant subdomain. Authentication uses OAuth 2.0 client credentials. Collections are segmented by indicator type for bandwidth-efficient polling.

YARA & Sigma Rule Generation

When enrichment identifies a file hash associated with a known malware family, ThreatPulsar generates a YARA rule targeting the binary's characteristic byte sequences. Rules include metadata blocks with ATT&CK technique references and feed provenance.

Sigma rules are generated for network-based indicators. The output targets your SIEM's native query language — Splunk SPL, Elastic KQL, or Microsoft Sentinel KQL — and is validated against a common schema before delivery.

Lateral Movement Detection

ThreatPulsar correlates authentication events across your EDR telemetry to identify lateral movement patterns — Pass-the-Hash, Pass-the-Ticket, and Kerberoasting sequences. When a sequence matches a known TTP pattern, the alert surfaces with the ATT&CK sub-technique and recommended detection rule.

Detection operates on normalized Windows Security Event logs (Event IDs 4624, 4625, 4768, 4769, 4776) and does not require a dedicated agent beyond your existing EDR deployment.
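One of the sequences above, as an added detection example narrowed to the Kerberoasting case: hypothetical logic, not ThreatPulsar's own. The event records are constructed, with field names modelled on normalized Event ID 4769 (Kerberos service ticket request) logs; the window and service-count thresholds are assumptions an analyst would tune.

```python
# Added example for the lateral movement section: hypothetical detection logic,
# not ThreatPulsar's own. Event records below are constructed, with field names
# modelled on normalized Windows Security events (4769 = service ticket request).
from collections import defaultdict
from datetime import datetime, timedelta

KERBEROASTING = "T1558.003"  # ATT&CK sub-technique: Steal or Forge Kerberos Tickets: Kerberoasting

def detect_ticket_burst(events, window=timedelta(minutes=5), min_services=5):
    """Flag accounts that request service tickets for many distinct services
    within one window; that burst is the observable side of Kerberoasting."""
    per_user = defaultdict(list)
    for e in events:
        if e["event_id"] == 4769 and e.get("status", "0x0") == "0x0":  # successful requests only
            per_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["service"]))
    alerts = []
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(services) >= min_services:
                alerts.append({"user": user, "start": t0.isoformat(), "services": sorted(services),
                               "technique": KERBEROASTING})
                break  # one alert per account per burst
    return alerts

SAMPLE_EVENTS = [  # constructed: svc-backup hits 6 services within a minute, jdoe is normal use
    {"event_id": 4769, "time": f"2024-05-01T09:00:{s:02d}", "user": "svc-backup", "service": f"svc{n}", "status": "0x0"}
    for n, s in enumerate(range(0, 60, 10), start=1)
] + [
    {"event_id": 4769, "time": "2024-05-01T09:02:00", "user": "jdoe", "service": "cifs-fs01", "status": "0x0"},
    {"event_id": 4769, "time": "2024-05-01T10:30:00", "user": "jdoe", "service": "http-intra", "status": "0x0"},
    {"event_id": 4624, "time": "2024-05-01T09:02:05", "user": "jdoe", "service": "", "status": "0x0"},
]
```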

SOAR & SIEM Connectors

Native integrations for Splunk SOAR (formerly Phantom), Palo Alto XSOAR, Tines, and Microsoft Sentinel Logic Apps. Enrichment results populate playbook input fields using the connector's native field mapping — no custom Python scripts needed.

For SIEM integrations: Splunk CIM-compatible field names, Elastic ECS mapping, and Microsoft Sentinel analytics workspace support. The API also supports generic webhook output for custom SOAR platforms.

Threat Actor Profiling

When multiple IOCs in a single incident share infrastructure — same ASN, registrar, TLS certificate fingerprint — ThreatPulsar correlates them into a threat actor cluster and checks against known APT group profiles in MITRE ATT&CK Groups.

Actor attribution is probabilistic, not definitive. Confidence scores reflect the strength of the infrastructure overlap evidence. Analysts see the reasoning chain, not just the conclusion.

Data Residency & Tenant Isolation

Enterprise deployments support US East, US West, and EU (Frankfurt) data residency. All enrichment queries from your tenant are isolated — your IOCs are not shared with other tenants or used to improve the shared threat model without explicit opt-in.

SOC 2 Type II audit completed Q4 2024. All data in transit encrypted with TLS 1.3. Data at rest encrypted with AES-256. Key management via AWS KMS with tenant-specific key material.

Performance specifications

8.3s: Median enrichment time (single IOC, 40 feeds)
500: IOCs per bulk API call
99.7%: API uptime (trailing 12 months)
v14: MITRE ATT&CK coverage (Enterprise + ICS + Mobile)

Ready to run a live test?

Send us a sample IOC set from a recent incident. We'll run it through the platform and return enriched results during the demo call.

Request a Demo