Cyber threat detection based on threat context, threat changes and/or impact status
Assignee
Centripetal Networks, LLC
Inventors
David K. Ahn, Jess P. Parnell, Tyler J. Wendell, Hansaka A. Kodituwakku, Jared Holmberg, Daniel Rogers, Cody Michael Baker, Pierre Mallett, III
Abstract
Aspects described herein may relate to cyber threat detection based on threat context and/or threat changes. Cyber threat intelligence (CTI) data may be received from a CTI provider. Endpoint data that indicates evidence that endpoints are cyber threats may be determined based on the CTI data. The endpoint data may be analyzed and/or compared to stored data associated with the endpoint. The analysis and/or comparison may be performed to determine whether evidence that the endpoint is a cyber threat has changed. Based on any changes, dispositions for the endpoint may be determined and sent. The dispositions may change how devices filter network traffic associated with the endpoint. Alternatives to default dispositions may be determined based on an impact of blocking potentially legitimate network traffic to and/or from the endpoints. Machine-learning models may assist in processing and analyzing CTI data, performing threat monitoring, and/or determining feeds that include the dispositions.
CPC Classifications
Filing Date
2024-06-12
Application No.
18741624
Claims
27