
Threat Intel HUB

PostecH Cyber Security Solutions


Actionable Threat Intelligence. Proactive Protection.

Aggregate, correlate, and act on threats before they impact your organization.

TI Hub transforms scattered data from multiple sources into precise alerts and automated detection rules.



VALUE PROPOSITION

The problem

Security teams face a flood of information: thousands of IOCs every day, multiple threat intelligence feeds, constantly published CVEs, and the pressure to detect threats before it is too late. The information exists, but it is fragmented, lacks context, and is difficult to operationalize.

The solution

Threat Intel Hub automates the collection, enrichment, correlation, and distribution of security intelligence. It converts raw data into actionable intelligence, generates contextualized alerts, and automatically creates detection rules in your SIEM.


KEY FEATURES


Multi-Source Aggregation

Automatically collect intelligence from 13+ specialized sources, including CISA KEV, NVD, EPSS, AlienVault OTX, VirusTotal, MISP, Cisco Talos, URLhaus, Spamhaus, OpenPhish, PhishTank, and more. One platform, all your intelligence sources.

Intelligent Correlation

A correlation engine cross-references every incoming IOC against your historical indicator database and against real-time SIEM events, so threats that are already active in your environment are surfaced before they cause damage.

Automated Detection

Automatic generation of Wazuh detection rules when new relevant IOCs are identified. No manual intervention, no delays, immediate protection.
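The shape of what an automatic rule generator has to emit for Wazuh is shown below as an added example (it is not TI Hub's own generator). It assumes the stock Wazuh manager layout: CDB lists under /var/ossec/etc/lists/ referenced relative to /var/ossec, custom rules in /var/ossec/etc/rules/local_rules.xml, custom rule IDs in the 100000-120000 range, and parent group names (sshd, web, firewall) that are assumptions to adjust for your log sources. The feed sample and the rule ID are constructed.

```python
"""Turn a batch of malicious IPs into a Wazuh CDB list plus a rule that matches it.

Added example, not TI Hub's generator. Assumes the stock Wazuh layout described
in the lead-in; the sample IPs, feed name and rule ID are constructed."""
import ipaddress
from xml.sax.saxutils import escape

LIST_PATH = "etc/lists/ti-hub-ips"  # as referenced from ossec.conf <ruleset><list>

# Ranges a feed should never be allowed to push into a blocklist (policy choice).
EXCLUDED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128",
)]


def cdb_list(ips, source):
    """Render the CDB list body: one 'key:value' line per indicator, key = IP,
    value = originating feed. Duplicates, unparsable entries and excluded
    ranges are dropped so one bad feed line cannot poison the list."""
    lines = []
    for raw in sorted({ip.strip() for ip in ips}):
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            continue
        if any(addr in net for net in EXCLUDED):
            continue
        lines.append(f"{addr}:{source}")
    return "\n".join(lines) + "\n"


def wazuh_rule(rule_id, list_path, level=12, parent_groups=("sshd", "web", "firewall")):
    """Render a rule that fires when the srcip of any event in the parent groups
    is a key of the CDB list (Wazuh's match_key lookup)."""
    if not 100000 <= rule_id <= 120000:
        raise ValueError("custom Wazuh rule IDs must be in the 100000-120000 range")
    return (
        '<group name="threat_intel,ti_hub,">\n'
        f'  <rule id="{rule_id}" level="{level}">\n'
        f'    <if_group>{"|".join(parent_groups)}</if_group>\n'
        f'    <list field="srcip" lookup="match_key">{escape(list_path)}</list>\n'
        '    <description>TI Hub: traffic from known-malicious IP $(srcip)</description>\n'
        '  </rule>\n'
        '</group>\n'
    )


def lookup(cdb_text, srcip):
    """Offline equivalent of the match_key lookup: is srcip a key of the list?"""
    keys = {line.split(":", 1)[0] for line in cdb_text.splitlines() if line}
    return srcip in keys


# Constructed feed batch: a duplicate, a private address and junk are all present.
SAMPLE_IPS = ["203.0.113.45", "198.51.100.7", "10.0.0.5", "not-an-ip",
              "203.0.113.45 ", "127.0.0.1"]

if __name__ == "__main__":
    body = cdb_list(SAMPLE_IPS, "urlhaus")
    print(body)
    print(wazuh_rule(100100, LIST_PATH))
    print("203.0.113.45 listed:", lookup(body, "203.0.113.45"))
```

Write the list body to /var/ossec/etc/lists/ti-hub-ips, declare it in ossec.conf under `<ruleset><list>etc/lists/ti-hub-ips</list>`, append the rule to local_rules.xml and restart the manager so the list is compiled. Before letting a generator inject rules unattended, run each new rule through wazuh-logtest with a representative event: a rule with an overly broad parent group or a poisoned list raises alerts on every event it touches.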

Contextualized Alerts

Five types of notifications categorized by severity and context. Each alert includes the information required to take action.

  • Alert — General notifications without specific IOCs
  • NVD Alert — Critical vulnerabilities (CVEs with EPSS > 0.8 or zero-days)
  • Threat Advisory — Threats with IOCs from sources such as Cisco Talos, Spamhaus, URLhaus
  • Threat Anticipation — Matches between IOCs and SIEM events
  • Threat Hunting Rule Added — Confirmation of a detection rule added to Wazuh

Exportable IOCs

Excel attachments included in every notification with IPs, URLs, domains, and hashes (MD5, SHA1, SHA256) ready to import into your security tools or share with your team.

Native SIEM Integration

Bi-directional integration with Wazuh: API-based matching, automatic rule injection, and continuous correlation with events from your infrastructure.
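What the API-based matching described above and in Intelligent Correlation amounts to, as an added example that is not TI Hub's code: build the indexer query that searches the last 30 days of Wazuh alerts for a batch of IOCs, and check the returned hits locally before raising a Threat Anticipation alert. It assumes the Wazuh indexer's usual wazuh-alerts-* documents with the fields data.srcip, data.dstip, data.url and syscheck.sha256_after (a field mapping you would tune to your decoders); the IOC set and the sample hits are constructed.

```python
"""Correlate a batch of IOCs with Wazuh alert documents from the indexer.

Added example, not TI Hub's code. FIELD_MAP is an assumed mapping from indicator
type to indexer fields; IOCS and SAMPLE_HITS are constructed."""
import json
from datetime import datetime, timedelta, timezone

IOCS = {  # constructed batch, keyed by indicator type
    "ip": {"203.0.113.45", "198.51.100.7"},
    "url": {"http://malware.example.net/payload.exe"},
    "sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
}

FIELD_MAP = {  # assumed: which alert fields carry which indicator type
    "ip": ["data.srcip", "data.dstip"],
    "url": ["data.url"],
    "sha256": ["syscheck.sha256_after"],
}


def build_query(iocs, days=30):
    """OpenSearch DSL for the indexer: any mapped field equal to any IOC,
    restricted to the last `days` days. Sent as the body of a _search request."""
    should = [
        {"terms": {field: sorted(values)}}
        for kind, values in iocs.items()
        for field in FIELD_MAP[kind]
        if values
    ]
    return {
        "query": {"bool": {
            "filter": [{"range": {"@timestamp": {"gte": f"now-{days}d"}}}],
            "should": should,
            "minimum_should_match": 1,
        }},
        "size": 1000,
    }


def _get(doc, dotted):
    """Walk a dotted path ('data.srcip') through a nested dict; None if absent."""
    for part in dotted.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc


def correlate(iocs, hits, days=30, now=None):
    """Local check of the hits the query returned: yield (ioc, field, agent,
    timestamp) for every document whose mapped field equals an IOC inside the
    window. Each tuple is the evidence attached to a Threat Anticipation alert."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=days)
    matches = []
    for doc in hits:
        ts = datetime.fromisoformat(doc["@timestamp"].replace("Z", "+00:00"))
        if ts < cutoff:
            continue
        for kind, values in iocs.items():
            for field in FIELD_MAP[kind]:
                v = _get(doc, field)
                if isinstance(v, str) and v in values:
                    matches.append((v, field, doc["agent"]["name"], doc["@timestamp"]))
    return matches


SAMPLE_HITS = [  # constructed, shaped like wazuh-alerts-* documents
    {"@timestamp": "2024-05-02T10:15:00.000Z", "agent": {"name": "web-01"},
     "data": {"srcip": "203.0.113.45", "url": "/login"}},
    {"@timestamp": "2024-05-03T08:00:00.000Z", "agent": {"name": "fs-02"},
     "syscheck": {"sha256_after": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"}},
    {"@timestamp": "2024-01-10T12:00:00.000Z", "agent": {"name": "web-01"},
     "data": {"srcip": "198.51.100.7"}},   # real IOC, but outside the window
    {"@timestamp": "2024-05-04T09:30:00.000Z", "agent": {"name": "vpn-01"},
     "data": {"srcip": "192.0.2.1"}},      # benign
]


def demo_matches():
    """Run the correlation at a fixed 'now' so the result is reproducible."""
    return correlate(IOCS, SAMPLE_HITS, now=datetime(2024, 5, 5, tzinfo=timezone.utc))


if __name__ == "__main__":
    print(json.dumps(build_query(IOCS), indent=2))
    for m in demo_matches():
        print("MATCH", m)
```

The query uses exact-match terms clauses, so the indicator must be normalized the same way the decoder writes the field (lowercased hashes, no trailing slash on URLs) or the correlation silently misses. A terms clause with thousands of values is legal but slow; batch large IOC sets per field.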


ALERT TYPES


Type                       Description                                                              Priority
Alert                      General notifications without specific IOCs                              Medium
NVD Alert                  Critical vulnerabilities (CVEs with EPSS > 0.8 or zero-days)             High
Threat Advisory            Threats with IOCs from sources such as Cisco Talos, Spamhaus, URLhaus    High
Threat Anticipation        Matches detected between IOCs and SIEM events                            Critical
Threat Hunting Rule Added  Confirmation of a detection rule added to Wazuh                          Informational

EPSS scores are probabilities between 0 and 1, so the 0.8 threshold selects CVEs with an estimated 80% or higher chance of exploitation in the wild within the next 30 days.

INTEGRATED INTELLIGENCE SOURCES


Vulnerabilities and CVEs

  • CISA KEV — Known Exploited Vulnerabilities Catalog
  • NIST NVD — National Vulnerability Database
  • FIRST EPSS — Exploit Prediction Scoring System

Enrichment and Context

  • AlienVault OTX — Community threat pulses
  • VirusTotal — File and URL analysis
  • MISP — Threat intelligence sharing platform

Phishing and Fraud

  • OpenPhish — Phishing URL feeds
  • PhishTank — Collaborative phishing database

Malware and C2

  • URLhaus — Malware distribution URLs
  • Spamhaus DROP — Don't Route Or Peer netblock blocklist
  • Cybercrime Tracker — C2 servers and botnets

APT and Campaigns

  • APTnotes — APT group documentation
  • Cisco Talos — Threat research and intelligence

KEY BENEFITS


Role Key Benefits
SOC Team
  • 70% reduction in alert triage time
  • Full context included in every alert
  • IOCs ready for immediate blocking
  • Duplicate elimination and reduced false positives
Threat Hunters
  • Automatic correlation with historical data
  • Automatically generated threat hunting rules
  • Visibility into active campaigns
  • Database of 135,000+ IOCs
CISOs
  • Centralized visibility of the threat landscape
  • Automated reports (daily and weekly)
  • Clear metrics on sources and alerts
  • Alignment with cybersecurity frameworks

OPERATIONAL FLOW


1. COLLECTION
   RSS feeds, REST APIs, CSV, JSON, HTML scraping
   ↓
2. NORMALIZATION
   IOC extraction: IPs, URLs, domains, hashes
   ↓
3. ENRICHMENT
   OTX, VirusTotal, MISP – context and reputation
   ↓
4. CORRELATION
   Historical database + Wazuh SIEM
   ↓
5. CATEGORIZATION
   Threat type, priority, alert category
   ↓
6. RULE GENERATION
   Automatic injection into Wazuh
   ↓
7. NOTIFICATION
   Email advisory + IOC Excel attachment
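Steps 2 and 5 of the flow, normalization and categorization, as one added example that is not TI Hub's code. It refangs the defanging conventions feeds commonly use (hxxp, [.]), extracts and de-duplicates IPs, URLs, domains and hashes, and assigns each record the alert type and priority from the table above. The feed records are constructed, and the precedence between categories (a SIEM match outranks a vulnerability, which outranks an IOC advisory) is an assumption.

```python
"""Normalize raw feed records into typed, de-duplicated IOCs and categorize them.

Added example, not TI Hub's code. Feed records are constructed; the category
precedence in categorize() is an assumption."""
import re

PATTERNS = {
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "sha1":   re.compile(r"\b[a-fA-F0-9]{40}\b"),
    "md5":    re.compile(r"\b[a-fA-F0-9]{32}\b"),
    "url":    re.compile(r"\bhttps?://[^\s\"'<>]+"),
    "ipv4":   re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),  # heuristic
}


def refang(text):
    """Undo the defanging feeds and advisories apply so indicators match as-is."""
    for old, new in (("hxxp", "http"), ("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[@]", "@")):
        text = text.replace(old, new)
    return text


def extract(text):
    """Return {type: sorted unique indicators}. Hashes and URLs come from the full
    text; URLs are then blanked so their hostnames are not reported again as
    standalone domains, and IPs are blanked before the domain pass."""
    text = refang(text)
    found = {}

    def take(kind, keep_case=False):
        hits = PATTERNS[kind].findall(text)
        if hits:
            found[kind] = sorted({h if keep_case else h.lower() for h in hits})

    for kind in ("sha256", "sha1", "md5"):
        take(kind)
    take("url", keep_case=True)
    text = PATTERNS["url"].sub(" ", text)
    take("ipv4")
    text = PATTERNS["ipv4"].sub(" ", text)
    take("domain")
    return found


def categorize(record):
    """Map a normalized record to (alert type, priority) per the ALERT TYPES table.
    Assumed precedence: SIEM match > vulnerability > IOC advisory > generic.
    KEV membership is treated like a high-EPSS CVE (assumption; the table only names
    EPSS and zero-days)."""
    if record.get("siem_matches"):
        return "Threat Anticipation", "Critical"
    if record.get("cve"):
        if record.get("zero_day") or record.get("in_kev") or record.get("epss", 0.0) > 0.8:
            return "NVD Alert", "High"
        return "Alert", "Medium"
    if record.get("iocs"):
        return "Threat Advisory", "High"
    return "Alert", "Medium"


def process(feed_records):
    """Normalize and categorize every record a collector produced."""
    out = []
    for rec in feed_records:
        item = {
            "source": rec["source"], "iocs": extract(rec.get("text", "")),
            "cve": rec.get("cve"), "epss": rec.get("epss", 0.0),
            "zero_day": rec.get("zero_day", False), "in_kev": rec.get("in_kev", False),
            "siem_matches": rec.get("siem_matches", []),
        }
        item["alert_type"], item["priority"] = categorize(item)
        out.append(item)
    return out


def unique_iocs(items):
    """Merge indicators across records so overlap between feeds is reported once."""
    merged = {}
    for it in items:
        for kind, vals in it["iocs"].items():
            merged.setdefault(kind, set()).update(vals)
    return {k: sorted(v) for k, v in merged.items()}


SAMPLE_FEED = [  # constructed records; the CVE IDs are placeholders, not real entries
    {"source": "URLhaus",
     "text": "hxxp://malware[.]example[.]net/payload.exe served from 203[.]0[.]113[.]45 "
             "(sha256 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08)"},
    {"source": "NVD", "cve": "CVE-2024-0000", "epss": 0.92, "text": ""},
    {"source": "NVD", "cve": "CVE-2024-0001", "epss": 0.31, "text": ""},
    {"source": "Cisco Talos", "text": "C2 at evil-c2[.]example[.]org", "siem_matches": ["web-01"]},
]

if __name__ == "__main__":
    for item in process(SAMPLE_FEED):
        print(item["source"], item["alert_type"], item["priority"], item["iocs"])
```

The domain pattern is the weak link in any extractor of this kind: it will also match file names like payload.exe that appear outside a URL, so a production normalizer should validate the last label against a public-suffix list before the indicator reaches a blocklist.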

USE CASES


Proactive Zero-Day Detection

When CISA adds a vulnerability to the KEV catalog or NVD publishes a critical CVE with a high EPSS score, TI Hub immediately raises a high-priority NVD Alert and searches your SIEM for related indicators; a match escalates it to a critical Threat Anticipation alert.

Phishing Campaign Response

When new phishing URLs appear in OpenPhish or PhishTank, the system enriches them with VirusTotal, generates Wazuh detection rules for them (which your active-response configuration can turn into blocks), and notifies the team with the complete list of indicators.

Automated Threat Hunting

When Cisco Talos publishes research on a new campaign with IOCs, TI Hub automatically extracts the indicators, correlates them with the last 30 days of Wazuh logs, and generates persistent detection rules.

APT Intelligence

Continuous tracking of threat groups through APTnotes, correlation of TTPs with your environment, and alerts when patterns associated with known actors are detected.


TECHNICAL SPECIFICATIONS


Feature            Detail
Platform           Linux (Ubuntu / CentOS / RHEL)
Database           MySQL / MariaDB
Supported SIEM     Wazuh (Manager API + Indexer)
Notifications      SMTP (HTML + Excel)
APIs               REST API for integrations
Update Frequency   Configurable (hourly / daily)
IOC Storage        135,000+ indicators
Active Sources     13+ intelligence feeds

TESTIMONIAL


“Before TI Hub, our team spent hours manually reviewing multiple feeds. Now we receive contextualized alerts with everything needed to take action. Automatic correlation with Wazuh has allowed us to detect compromises we would have otherwise missed.”
CEO, Manufacturer, Company