Enhancing Your Security Posture with the New eSentire Threat…

eSentire launched a standalone Threat Intelligence offering that delivers curated, high-fidelity IOCs vetted by 24/7 SOC analysts and Elite Threat Hunters to reduce false positives and improve detection and response. Feeds are provided in STIX, refreshed every 24 hours, and claim a false positive rate of less than 1%. #eSentire #STIX

Key points

  • eSentire introduced a standalone Threat Intelligence product providing vetted IOCs for integration into existing security tool stacks.
  • The feed emphasizes high-fidelity IOCs (IP addresses, domains, file hashes) with a target true positive rate (stated goal ≥95%) and reported false positive rate <1%.
  • All IOCs are observed by 24/7 SOC Cyber Analysts during SOC investigations and further reviewed by Elite Threat Hunters and the Threat Response Unit (TRU).
  • Indicators are delivered in STIX format for interoperability and easier integration with firewalls, email servers, endpoint protection, and other security tools.
  • IOCs are refreshed every 24 hours and stale indicators are continuously removed to maintain relevance and reduce noise.
  • The service aims to reduce alert fatigue, improve automated blocking of known threats, and enhance threat detection and response efficiency.

MITRE Techniques

  • [T1071] Application Layer Protocol – Adversaries commonly use network channels identified by IPs/domains for command-and-control or data exfiltration; the article highlights IOCs such as IP addresses and domains used to detect these behaviors (‘…multiple IOCs (i.e., IP addresses, domain names, file hashes, etc.)…’).
  • [T1105] Ingress Tool Transfer – Malicious payload delivery and tool transfer can be tracked via file hashes; the feed’s inclusion of file hashes supports detection of transferred malicious files (‘…file hashes…’).
  • [T1204] User Execution – Detection of malicious files (via file hashes) helps identify attacks that rely on user execution of payloads, enabling SOC response to execution-based infection vectors (‘…file hashes…’).
  • [T1588] Acquire Infrastructure – Monitoring domains and IPs as high-fidelity IOCs helps identify attacker infrastructure acquisition and usage, allowing defenders to block or disrupt those resources (‘…multiple IOCs (i.e., IP addresses, domain names, file hashes, etc.)…’).

Indicators of Compromise

  • [IP addresses] Mentioned as an IOC type used to detect network-based threats – no specific IP examples are provided in the article.
  • [Domain names] Mentioned as an IOC type for tracking attacker infrastructure – no specific domain examples are provided in the article.
  • [File hashes] Mentioned as an IOC type for identifying malicious files and transfers – no specific hashes are provided in the article.
  • [STIX artifacts] Delivery format for IOCs to enable interoperability – context: IOCs are shared in STIX format for integration with security tools.

eSentire’s technical approach focuses on feeding security stacks with vetted, high-fidelity IOCs observed during live SOC investigations and validated by Elite Threat Hunters and the Threat Response Unit. Indicators include IP addresses, domain names, and file hashes, all packaged in STIX to ease ingestion and automated enforcement across firewalls, email gateways, EDR/endpoint platforms, and SIEMs. The feed is refreshed every 24 hours and stale IOCs are removed to maintain relevance and reduce false positives.

Operationally, the pipeline begins with SOC analysts surfacing observed indicators during incident investigations; those indicators are then reviewed and enriched by threat hunters who add contextual metadata (e.g., associated TTPs, threat actor notes, targeted asset types). Delivering indicators with rich context in a structured format enables quicker triage, more accurate automated blocking, and improved correlation in detection rules to lower alert fatigue and increase true positive detection rates.

For integration, use the STIX feed to map incoming IOCs to existing detection controls: ingest domains/IPs into network and proxy blocklists, import file hashes into EDR/antivirus allow/block lists and forensic search indices, and enrich SIEM alerts with threat-context fields to prioritize investigations. Maintain automated daily updates and stale-entry removal logic so enforcement rules act on current, high-fidelity indicators while minimizing operational noise.
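As an added illustration of the integration step above (not code from eSentire or from the original post), the routine below parses single-comparison STIX 2.1 indicator patterns from a constructed bundle, routes each value to the control that should enforce it, and retires revoked or expired indicators; the bundle contents, the control names and the `feed_delta` helper are assumptions, not part of the eSentire feed.

```python
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle (not from the eSentire feed): two live indicators
# and one whose valid_until has already passed.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--constructed", "objects": [
    {"type": "indicator", "id": "indicator--1", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.10']", "valid_from": "2024-05-30T00:00:00Z"},
    {"type": "indicator", "id": "indicator--2", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'c2.example.invalid']", "valid_from": "2024-05-31T00:00:00Z"},
    {"type": "indicator", "id": "indicator--3", "pattern_type": "stix",
     "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']",
     "valid_from": "2024-04-01T00:00:00Z", "valid_until": "2024-05-20T00:00:00Z"}]})

# Single-comparison STIX pattern, e.g. [ipv4-addr:value = '203.0.113.10']
PATTERN_RE = re.compile(r"\[(?P<path>[\w:.'\-]+)\s*=\s*'(?P<value>[^']+)'\]")

CONTROL_FOR = {  # STIX object path -> enforcement control that receives the value
    "ipv4-addr:value": "network_blocklist",
    "domain-name:value": "dns_proxy_blocklist",
    "file:hashes.'SHA-256'": "edr_hash_blocklist",
}

def parse_pattern(pattern):
    """Return (object_path, value) for a simple STIX pattern, else None."""
    m = PATTERN_RE.fullmatch(pattern.strip())
    return (m.group("path"), m.group("value")) if m else None

def _ts(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def route_indicators(bundle_json, now_iso=None):
    """Sort live indicators into per-control sets; return (routed, stale ids)."""
    now = _ts(now_iso) if now_iso else datetime.now(timezone.utc)
    routed = {c: set() for c in set(CONTROL_FOR.values())}
    stale = []
    objects = json.loads(bundle_json).get("objects", [])
    for obj in (o for o in objects if o.get("type") == "indicator"):
        if obj.get("revoked") or ("valid_until" in obj and _ts(obj["valid_until"]) <= now):
            stale.append(obj["id"])  # revoked/expired: retire, never enforce
            continue
        parsed = parse_pattern(obj.get("pattern", ""))
        if parsed and parsed[0] in CONTROL_FOR:
            routed[CONTROL_FOR[parsed[0]]].add(parsed[1])
    return routed, stale

def feed_delta(previous, current):
    """Daily refresh: (values to add, values to drop from enforcement)."""
    return current - previous, previous - current
```

Run `feed_delta` against yesterday's routed sets after each 24-hour pull so values that have dropped out of the feed are removed from blocklists rather than lingering.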

Read more: https://www.esentire.com/blog/enhancing-your-security-posture-with-the-new-esentire-threat-intelligence-offering