
Athena CTI (Cyber Threat Intelligence)

Real Time, Inline for every IP address & DNS hostname

IP: 172.217.25.14; Passive DNS: www.youtube.com; Geo: US; Whois: Google LLC; ...; Whitelist: Top 100K; ...
IP: 138.68.52.xx; Geo: US; Whois: DigitalOcean, LLC; Blacklist: Malicious site - shell bot; ...

A Working CTI Plugin & Subscription for Your Existing ELK Stack

What is CTI - CTI gathers raw information about new and existing threat actors from many different sources. When threat hunters analyse compromised systems, they find recurring suspicious connections or IP addresses that were able to bypass the existing security controls. The presence of such artefacts on a compromised system is what we call an indicator of compromise (IOC).

Immediate threat-based detections help your organisation stay ahead of external attacks, threats and malware. They support continuous monitoring of threat activity and security events, speed up the incident response process, and improve your ability to investigate and respond to known, unknown and advanced threats.

Why is Cyber Threat Intelligence Important?

The fundamental purpose of CTI (Cyber Threat Intelligence) is to keep companies informed about the advanced threats, exploits and zero-day threats they are most vulnerable to, and about how to take action against them. Why does CTI matter?
  • Maximising staffing - a threat intelligence system improves the efficiency of an organisation's security team by correlating threat intelligence with the anomalies flagged by tools on the network.
  • Automated alert prioritisation - a much better informed decision for every alarm.
  • Lower security response time - a threat intelligence team can integrate threat intelligence into an organisation's foundation to lower security response time, which allows the company's staff to focus on other essential tasks.

Athena CTI - Real Time, Inline & On the Fly

Athena CTI is a plugin for Elasticsearch. It maps and tags every IP address and DNS hostname within the Packetbeat or Logstash pipeline, before the data is saved to Elasticsearch.

Aggregated & Validated - Athena CTI data is aggregated from our proprietary research and from open sources. It is updated periodically, normalised to one format and applied to each IP address and DNS hostname on the fly.

Passive DNS - Resolved DNS hostname(s) from your network
IP Enrichment - IP Whois Organisation, IP Scope & Geo Location
Reputation - Known Good & Known Bad

Passive DNS

  • Tags historical DNS resolution(s) for every IP address on the fly.
  • Shows exactly where a certain domain led in the past within your network.
  • Without Passive DNS - it's very difficult to know which DNS hostname(s) pointed to an IP address, especially at the time of the infection.
  • With Passive DNS - it's easy to spot network traffic that has no associated DNS hostname (e.g. HTTP browsing by IP address).
  • Fully automatic - no more manual reverse lookup of IP addresses, one by one.

IP Enrichment

  • IP scope - Private IP addresses, Broadcast addresses & Link-local Addresses are pre-defined.
  • IP geo location - Resolved for every Internet IP address on the fly, if applicable.
  • IP whois organisation - Resolved for every Internet IP address on the fly, if applicable.
  • Fully automatic - no more manual lookup for each IP address, one by one.


Reputation - IP & DNS hostnames

  • Tags Known Good and/or Known Bad for each IP address and DNS hostname on the fly.
  • Known Good - you may stop investigating if an IP address or DNS hostname is known good.
  • Known Bad - much faster identification of an incident.

A working CTI

  • (Example - Known Good) IP Address: 172.217.25.14

    • IP Geo Location: US
    • IP Whois Organisation: Google LLC
    • DNS Hostname: www.youtube.com., android.l.google.com., ...
    • Reputation Whitelist (Known Good): "key": "www.youtube.com.", "date": "2018-09-13", "score": 75, "desc": "Top 100K"
    • Reputation Blacklist (Known Bad): Nil
  • (Example - Known Bad) IP Address: 138.68.52.xx

    • IP Geo Location: US
    • IP Whois Organisation: DigitalOcean, LLC
    • DNS Hostname: Nil
    • Reputation Whitelist (Known Good): Nil
    • Reputation Blacklist (Known Bad): "key": "138.68.52.xx", "date": "2019-07-22", "score": -100, "desc": "malicious site - shell bot"
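To make the three enrichment steps above concrete (IP scope classification from the IP Enrichment section, passive DNS tagging, and Known Good / Known Bad reputation tagging), here is an added Python example of an inline enrichment function in the style the page describes. It is not Athena CTI's code and not its feed format: the lookup tables, the `cti.*` field names, the `dest_ip` event key and the second address `203.0.113.7` (a TEST-NET-3 documentation address standing in for the redacted `138.68.52.xx`) are all constructed for this example; the whitelist and blacklist records copy the values shown in the two examples above.

```python
import ipaddress

# Constructed lookup tables standing in for the CTI feed (assumption: not Athena's real data).
PASSIVE_DNS = {
    "172.217.25.14": ["www.youtube.com.", "android.l.google.com."],
}
GEO = {"172.217.25.14": "US", "203.0.113.7": "US"}
WHOIS = {"172.217.25.14": "Google LLC", "203.0.113.7": "Example Hosting Ltd (constructed)"}
WHITELIST = {  # keyed by IP or hostname, records as shown on the page
    "www.youtube.com.": {"key": "www.youtube.com.", "date": "2018-09-13",
                         "score": 75, "desc": "Top 100K"},
}
BLACKLIST = {  # 203.0.113.7 is a constructed stand-in for the redacted 138.68.52.xx
    "203.0.113.7": {"key": "203.0.113.7", "date": "2019-07-22",
                    "score": -100, "desc": "malicious site - shell bot"},
}

# Pre-defined scopes, matching the page's "Private, Broadcast & Link-local" list.
# Explicit ranges are used instead of ipaddress.is_private because that property
# also covers reserved/documentation ranges, which we want to treat as "internet" here.
PREDEFINED_SCOPES = [
    ("private", [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]),
    ("link-local", [ipaddress.ip_network("169.254.0.0/16")]),
    ("broadcast", [ipaddress.ip_network("255.255.255.255/32")]),
    ("loopback", [ipaddress.ip_network("127.0.0.0/8")]),
]


def ip_scope(ip_text):
    """Classify an IPv4 address into one of the pre-defined scopes or 'internet'."""
    ip = ipaddress.ip_address(ip_text)
    for name, networks in PREDEFINED_SCOPES:
        if any(ip in net for net in networks):
            return name
    return "internet"


def enrich(event):
    """Return a copy of a Packetbeat/Logstash-style event dict with CTI fields added.

    Geo and whois are only looked up for Internet-scoped addresses, as the page says
    ("if applicable"). Reputation keys are the IP itself plus every passive-DNS
    hostname seen for it, so a hostname on the whitelist tags the IP as well.
    """
    ip = event["dest_ip"]
    out = dict(event)
    scope = ip_scope(ip)
    out["cti.ip_scope"] = scope
    if scope == "internet":
        out["cti.geo"] = GEO.get(ip)
        out["cti.whois_org"] = WHOIS.get(ip)

    hostnames = PASSIVE_DNS.get(ip, [])
    out["cti.passive_dns"] = hostnames

    keys = [ip] + hostnames
    out["cti.whitelist"] = [WHITELIST[k] for k in keys if k in WHITELIST]
    out["cti.blacklist"] = [BLACKLIST[k] for k in keys if k in BLACKLIST]

    # Design choice (assumption): a blacklist hit wins over a whitelist hit, so a
    # known-bad indicator is never hidden behind a popularity-based whitelist entry.
    if out["cti.blacklist"]:
        out["cti.reputation"] = "known_bad"
    elif out["cti.whitelist"]:
        out["cti.reputation"] = "known_good"
    else:
        out["cti.reputation"] = "unknown"
    return out


if __name__ == "__main__":
    for dest in ("172.217.25.14", "203.0.113.7", "192.168.1.5"):
        print(enrich({"dest_ip": dest}))
```

In a real pipeline `enrich` would run once per event before indexing, with the tables replaced by the subscription feed; the scope check is what keeps geo and whois lookups from being attempted on private or link-local traffic, and the reputation precedence rule is the place to tune if your analysts prefer "known good" to win.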