Intelligence Browser
The Intelligence Browser is the primary research surface of the CTI module. It lets analysts inspect standard threat intelligence objects directly in Flare, including IOCs such as malicious IPs, URLs, and file hashes, along with threat actor profiles, campaigns, intrusion sets, and TTPs.

Instead of stitching together separate tools, an analyst works from a single destination across multiple intelligence providers. When they encounter an indicator, they can immediately understand who is behind it, whether the actor is credible, what campaign it is connected to, which TTPs are in play, and what other indicators to look for.

Intelligence is sourced from two providers simultaneously:

- Flare's catalog, built from Flare's collection of dark web forums and Telegram channels.
- External feeds, a global CTI provider with extensive coverage across adversary groups, malware families, and active campaigns.

A single search returns results from both sources in a unified view.

Key features

Multi-provider entity exploration
Browse threat actors, campaigns, intrusion sets, malware families, and IOCs from both Flare's intelligence catalog and external feeds in a single unified view. You do not need to run separate queries per provider.

Actor profiling
When you open an actor profile, you get:

- a credibility assessment
- behavioral patterns and known activity
- TTPs mapped to MITRE ATT&CK
- entity relationships showing how this actor connects to campaigns, infrastructure, and known IOCs

Credibility assessment matters because not all dark web activity is genuine. The Intelligence Browser helps you distinguish signal from noise before you act on it.

IOC threat context
Indicators in the Intelligence Browser are not standalone data points. Each IOC is linked to the actor, campaign, or malware family that produced it. You can see whether it is currently active, what campaign it belongs to, and who is operating it.

Forum and channel intelligence
The Intelligence Browser includes deep analysis of dark web forum thread activity. This includes thread context, entity relationships, and links to emerging threats observed in those communities. It connects observed activity to known actors and indicators rather than returning surface-level keyword matches.

How to use the Intelligence Browser

1. Search the catalog
Enter an IOC (domain, IP, URL, file hash), a threat actor name, a campaign name, or a TTP. The search runs against both Flare and partner intelligence simultaneously.

2. Drill into an entity
From your search results, open the entity profile that is most relevant to see detailed information. For a threat actor, for example, this shows credibility, behavioral history, and TTPs mapped to MITRE ATT&CK. For a campaign, it shows the associated actors, malware, and timeline. For a malware family, you can see its metadata, its place on the cyber kill chain, its techniques mapped to MITRE ATT&CK, and a written analysis of how it operates.

3. Explore relationships
Each entity is connected to related entities. For a threat actor, for example, you can navigate to the campaigns they have run, the infrastructure they use, the IOCs they have generated, and the dark web forums where they operate. For a malware family, you will see the campaigns that deliver it, the infrastructure it relies on, the attack patterns it uses, and the indicators that detect it. This gives you the full picture of a threat from a single starting point.

4. Continue the investigation in Threat Flow
Once you have completed your research, use Threat Flow to package your findings into a structured intelligence report. Threat Flow generates reports from the same intelligence catalog, so entities you research in the Intelligence Browser can become the subject of a Threat Flow report.

Intelligence objects

The Intelligence Browser contains the following entity types. Each has its own detail view with sources, metadata, and relationships. You can filter by one entity type or stack multiple filters; results aggregate in a single query across all sources.

Actor
Individual identities such as Telegram users, forum members, and marketplace sellers, surfaced with post history, sources, and linked entities.

Attack pattern
Techniques mapped to the cyber kill chain and MITRE ATT&CK tactics, with provider metadata and full descriptions of how adversaries operate.

Campaign
Coordinated, time-bounded threat activity that ties actors, malware, and TTPs together under a single named operation.

Chat channel
Messaging channels and groups tracked with their posts, participants, and the linked actors and indicators surfaced inside.

Forum thread
Dark web forum posts with full thread context, including author, timestamps, and the linked actors and indicators discussed inside.

Indicator
Atomic IOCs such as domains, URLs, IPs, and file hashes, each tied back to the actor, malware, or campaign that produced them.

Infrastructure
The systems adversaries rely on, including command and control servers, hosting, ASNs, and supporting assets behind active operations.

Malware
Named malware families with their capabilities, samples, and the campaigns and actors known to operate them.

Threat actor group
Named adversary groups such as APTs, e-crime gangs, and hacktivist collectives, with attributed campaigns, TTPs, and tracked aliases.

Vulnerability
CVEs with exploitability context, including which actors are weaponizing them and which malware families leverage them in the wild.
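The search step above accepts a domain, IP, URL, file hash, actor name, campaign name, or TTP, and the Indicator entity type lists the same atomic IOC kinds. Indicators pasted from a report are usually defanged (hxxp, [.] and similar), mixed-case, and duplicated, so a practitioner will want to normalise and classify them before running a catalog search. The following is an added example, not Flare's code and not a call to any Flare API: it reverses common defanging conventions (an assumption of this example), classifies each term by kind, and deduplicates the list. The hash lengths, the hostname regex, the ATT&CK technique-ID pattern, and the sample input are all constructed here.

```python
"""Normalise and classify search terms before querying a CTI catalog.

Added example for this page; it is not Flare's code and performs no
catalog query itself. It only prepares a (kind, value) list that a
search step could consume.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Hex digest lengths for the hash kinds this example recognises (assumption).
_HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Hostname: dotted labels of alphanumerics/hyphens, alphabetic TLD.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)
_URL_RE = re.compile(r"^(?:https?|ftp)://\S+$", re.IGNORECASE)
# MITRE ATT&CK technique or sub-technique ID, e.g. T1566 or T1566.001.
_TECHNIQUE_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def refang(raw: str) -> str:
    """Reverse common report defanging (hxxp, [.], (.), {.}, [://], [@])."""
    s = raw.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    for defanged, plain in (("[.]", "."), ("(.)", "."), ("{.}", "."),
                            ("[dot]", "."), ("[://]", "://"), ("[:]", ":"),
                            ("[@]", "@")):
        s = s.replace(defanged, plain)
    return s


def classify(raw: str) -> Tuple[Optional[str], str]:
    """Return (kind, normalised_value).

    kind is one of "md5", "sha1", "sha256", "ip", "technique", "url",
    "domain", or "keyword" (free text such as an actor or campaign name);
    it is None only for an empty input.
    """
    value = refang(raw)
    if not value:
        return None, value
    if _HEX_RE.match(value) and len(value) in _HASH_KINDS:
        return _HASH_KINDS[len(value)], value.lower()
    try:
        # Canonical form, e.g. compressed IPv6; rejects anything non-IP.
        return "ip", str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if _TECHNIQUE_RE.match(value):
        return "technique", value
    if _URL_RE.match(value):
        return "url", value  # keep case: URL paths are case-sensitive
    host = value.rstrip(".")
    if _DOMAIN_RE.match(host):
        return "domain", host.lower()
    return "keyword", value


def prepare_search_terms(lines: List[str]) -> List[Tuple[str, str]]:
    """Turn a pasted list into deduplicated (kind, value) search terms."""
    seen = set()
    terms = []
    for line in lines:
        kind, value = classify(line)
        if kind is None or (kind, value) in seen:
            continue
        seen.add((kind, value))
        terms.append((kind, value))
    return terms


# Constructed sample: a defanged IOC list as it might be pasted from a report.
SAMPLE_REPORT_IOCS = [
    "hxxp://evil-updates[.]example[.]com/payload[.]bin",
    "evil-updates[.]example[.]com",
    "EVIL-UPDATES.example.com.",          # duplicate of the line above
    "198[.]51[.]100[.]23",
    "2001:db8::1",
    "44d88612fea8a8f36de82e1278abb02f",  # 32 hex chars: md5
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "APT28",                              # actor name: searched as keyword
    "T1566.001",                          # ATT&CK sub-technique ID
]

if __name__ == "__main__":
    for kind, value in prepare_search_terms(SAMPLE_REPORT_IOCS):
        print(f"{kind:10s} {value}")
```

The duplicate domain collapses because classification lowercases hostnames and strips a trailing dot, while URLs keep their case. Anything that is not an IOC or technique ID is passed through as a keyword rather than dropped, matching the search box, which also accepts actor and campaign names.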