TIP Overview

The TIP module aggregates and normalizes threat feeds, enriches indicators of compromise (IOCs), and adds priorities in order to accelerate triage, streamline incident coordination, and speed response times.

The TIP module can be used together with other modules, as follows:

The basis for TIP operation is the information that is gathered from sources, which can come in any of the following forms:

• Intelligence feeds
• Documents
• Emails
• APIs

The following IOC types are collected:

• IP addresses
• URLs
• Domains
• File hashes
• Email addresses

TIP enables you to aggregate the myriad of threat information from these sources, so you can investigate prioritized threats in real-time and monitor suspicious activity.

The TIP module performs the following steps on IOCs that it receives:

• Cleanup - Removes IOCs that cannot be blocked because they belong to a legitimate service such as: Customer assets, legitimate website, DNS servers, legitimate business application, or operating system files.
• Severity calculation - Calculates a risk severity factor for each IOC, thus enhancing business efficiency by pinpointing the IOCs that are linked to a riskier threat. IOC risk severity is determined by its threat score and its source confidence.
• Email addresses are given the severity of the source from where the address was derived. If the source has no severity, then the address severity is defined as the confidence level of the feed where the address was found (high confidence is high severity, etc.).
• Source confidence - Ranks confidence as low, medium, or high, represented by one, two, or three shields, respectively. Confidence represents how reliable the source is, and is it known to provide up-to-date, valid intelligence of real, existing threats.
• Threat score - Threat score is automatically calculated from a set of IOC parameters.

The following table shows IOC parameters, which vary according to IOC types.