
Threat intel

Strixl Labs checks every flagged destination against a handful of threat-intel feeds and merges the results into the pair record. You don't manage API keys, you don't pay for lookups separately, and you don't have to open five tabs to get the context.

Feeds we query

For every flagged pair, the destination IP is checked against:

  • Emerging Threats. The open intel feed from Proofpoint, updated continuously. Fast, free, and reasonably authoritative for established C2 infrastructure.
  • Feodo Tracker. Specifically catches the Emotet / TrickBot / Dridex C2 family, which represents a disproportionate share of real-world commodity malware.
  • ThreatFox. The abuse.ch community IoC database. Broad coverage of current campaigns.
  • VirusTotal. Aggregated vendor results on the destination IP. Multiple vendors flagging the same IP is a strong signal; a single vendor hitting is usually not.
  • AbuseIPDB. Community-reported abuse reports with a confidence score.
  • IPinfo. ASN, organization, and country for the destination. Useful for the “is this actually Microsoft or is it a DigitalOcean droplet pretending to be” question.
  • RDAP. Registration data for the network the destination belongs to. Registrant age and ownership transitions show up here.

How results are shown

Every flagged pair in the investigation panel has an Intel section. Each feed shows as either green (no hit), red (hit), or gray (unknown or the feed didn't respond). You can expand a feed to see the raw response, including the vendor-by-vendor breakdown for VirusTotal and the abuse-report history from AbuseIPDB.

How intel affects detection

Intel results modify severity, not the behavioral score. The reasoning: an IP can behave exactly like a beacon and not be flagged by any feed (new infrastructure), and conversely a pair with clean behavior can resolve to a bad IP (shared hosting). Keeping them separate means a legitimate update server doesn't quietly score higher because one of the feeds misbehaved, and a truly novel C2 destination still scores honestly on behavior alone.
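A sketch of that separation as an added example (illustrative code, not Strixl's own): the behavioral score lives on the pair record and is never rewritten, each feed contributes the same green/red/gray status the Intel section shows, and severity is derived from both. The two-vendor VirusTotal rule, the severity thresholds, and the one-band-per-hit bump are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class FeedStatus(Enum):
    CLEAR = "green"    # feed answered, no hit
    HIT = "red"        # feed answered, indicator present
    UNKNOWN = "gray"   # feed has no data or did not respond


@dataclass
class IntelResult:
    feed: str
    status: FeedStatus


@dataclass
class PairRecord:
    src: str
    dst: str
    behavioral_score: float            # 0..1 from beacon analysis; intel never rewrites it
    intel: list = field(default_factory=list)


SEVERITY = ["low", "medium", "high", "critical"]


def virustotal_status(vendor_hits: int, responded: bool = True) -> FeedStatus:
    """Assumed rule: two or more vendors flagging the IP is a hit, one vendor is not."""
    if not responded:
        return FeedStatus.UNKNOWN
    return FeedStatus.HIT if vendor_hits >= 2 else FeedStatus.CLEAR


def base_severity(score: float) -> str:
    """Assumed thresholds mapping the behavioral score to a severity band."""
    if score >= 0.8:
        return "high"
    if score >= 0.5:
        return "medium"
    return "low"


def enriched_severity(pair: PairRecord) -> str:
    """Raise severity one band per feed reporting a hit; gray feeds never raise it,
    so a feed that is down cannot inflate the result. The behavioral score is read, not changed."""
    hits = sum(1 for r in pair.intel if r.status is FeedStatus.HIT)
    idx = min(SEVERITY.index(base_severity(pair.behavioral_score)) + hits, len(SEVERITY) - 1)
    return SEVERITY[idx]
```

A novel C2 destination with a high behavioral score and all feeds green still lands at "high", while a low-scoring pair whose destination is flagged by two feeds is raised without its behavioral score moving.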

Rate limits and caching

Every feed result is cached. If you upload two captures with the same destination a day apart, we don't hit the feeds twice. The cache window is tuned per feed based on how often each source updates. You don't hit API rate limits from normal usage.

Recon plans do not get threat-intel enrichment. Hunter and up get unlimited lookups. See pricing for the per-tier breakdown.

Using your own commercial threat intel (Recorded Future, Mandiant, internal feeds) is a Partner-tier feature. Contact info@strixllabs.com to scope it.