Ingesting cyber threat intelligence
The first step in the ingestion process is to convert the cyber threat intelligence (CTI) data from the threat feeds into a format that your threat intelligence platform can ingest. This is called CTI conversion. Threat feed data can come in a range of formats, such as Structured Threat Information Expression (STIX).
For maximum compatibility, we recommend that you convert the data into a JSON format. For example, AWS Step Functions can consume data that is in JSON format, and automation workflows can more easily and consistently consume this format. More information about building automated workflows is provided in the next section, Automating preventative and detective security controls.
To accelerate the ingestion of CTI data, you can automate the data transformations. The data is converted as it is ingested and then passed directly to the threat intelligence platform. You can use an AWS Lambda function to complete the transformation, and you can orchestrate the process through AWS services such as AWS Step Functions or Amazon EventBridge.
When you ingest CTI, you can choose which attributes to extract and retain. The exact amount of detail required can vary depending on your business needs. However, to make updates to firewalls and other security services, we recommend the following minimum attributes:
- IP address and domain
- Threat
- Add or remove from your internal threat lists
Extract the attributes you want to use, and then format them into a structured JSON template.
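The following is an added example of the CTI conversion step described above; it is not code from this guide. It is a Lambda-style handler that takes a STIX 2.1 bundle as its event and emits the minimum attribute set (IP address or domain, threat, and an add/remove action). Assumptions: indicator patterns are single `ipv4-addr`, `ipv6-addr` or `domain-name` comparisons, a revoked or expired indicator maps to `remove`, and the sample bundle is constructed with documentation-range values rather than real feed data.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample STIX 2.1 bundle standing in for a threat feed (not real indicators).
SAMPLE_STIX_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-0000-0000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--1", "name": "C2 beacon host",
         "pattern": "[ipv4-addr:value = '198.51.100.7']", "pattern_type": "stix",
         "valid_from": "2024-01-01T00:00:00Z", "labels": ["malicious-activity"]},
        {"type": "indicator", "id": "indicator--2", "name": "Phishing landing page",
         "pattern": "[domain-name:value = 'login.example.test']", "pattern_type": "stix",
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--3", "name": "Retired scanner",
         "pattern": "[ipv4-addr:value = '203.0.113.9']", "pattern_type": "stix",
         "valid_from": "2023-01-01T00:00:00Z", "valid_until": "2023-06-01T00:00:00Z"},
        {"type": "malware", "id": "malware--1", "name": "not an indicator"},
    ],
}

# Only the simple single-comparison STIX patterns this example supports (assumption).
_PATTERN_RE = re.compile(r"^\[(ipv4-addr|ipv6-addr|domain-name):value\s*=\s*'([^']+)'\]$")

def convert_indicator(obj, now):
    """Map one STIX indicator to the minimum attribute set: indicator, type, threat, action."""
    m = _PATTERN_RE.match(obj.get("pattern", ""))
    if obj.get("type") != "indicator" or not m:
        return None  # skip non-indicators and patterns outside the supported subset
    stix_type, value = m.groups()
    valid_until = obj.get("valid_until")
    expired = valid_until is not None and \
        datetime.fromisoformat(valid_until.replace("Z", "+00:00")) <= now
    return {
        "indicator": value,
        "type": "domain" if stix_type == "domain-name" else "ip",
        "threat": obj.get("name") or ",".join(obj.get("labels", [])) or "unknown",
        # Revoked or expired indicators are removed from internal lists; all others are added.
        "action": "remove" if (obj.get("revoked") or expired) else "add",
        "source_id": obj["id"],
    }

def convert_bundle(bundle, now=None):
    """Convert every supported indicator in a STIX bundle into the structured JSON template."""
    now = now or datetime.now(timezone.utc)
    records = [convert_indicator(o, now) for o in bundle.get("objects", [])]
    return [r for r in records if r is not None]

def lambda_handler(event, context=None):
    """Lambda entry point: the event is the STIX bundle; returns the normalized JSON records."""
    return {"statusCode": 200, "body": json.dumps(convert_bundle(event))}
```

A Step Functions state or EventBridge rule can invoke `lambda_handler` with the fetched bundle and pass its `body` on to the threat intelligence platform.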