Cybersecurity · Complex
Cyber Threat Intelligence
Authored kill-chain edges with provenance and temporal validity
Vector Search · Typed Kill-Chain Edges · Temporal and Quality-Aware Traversal · Hybrid Reconstruction Query
6 IOC Categories · 90 Indicators · Per-Edge Link Provenance · All Tests Passed
The Scenario
Threat indicators (IPs, domains, file hashes, behavioral patterns) are embedded as vectors, and the attack-chain links are typed edges authored by an analyst or a feed, each carrying provenance (source feed, case id) and the time window during which it was valid. When a new IOC is detected, a hybrid query seeds by similarity, traverses the typed kill-chain edges, and ranks the surviving frontier, reconstructing the chain from a single indicator. Because edges carry temporal validity, the traversal can exclude a rotated C2 link that is stale today; hops can also be weighted by edge confidence. Both behaviours are opt-in and off by default.
Key Results
- Attack-chain reconstruction over typed edges, with provenance on every link
- Temporal validity on edges excludes stale C2 links (opt-in)
- Quality-aware traversal weights hops by edge confidence (opt-in)
- Curation with verify / reject / audit history for a defensible record
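The hybrid query described in the scenario and the key results above, as an added example that is not part of the page or the product's own code: an in-memory graph of embedded indicators and typed kill-chain edges, each edge carrying provenance, a validity window and a confidence score, with seed-by-similarity, a one-hop traversal and frontier ranking. It goes slightly beyond the text by also honouring a curation status (a rejected edge never traverses) and by supporting an as-of date in the past as well as today. All node ids, embeddings, the feed name and the case id are constructed sample data, and the temporal filter and confidence weighting are opt-in and off by default, as on the page.

```python
"""Hybrid attack-chain reconstruction over typed kill-chain edges.

Added example (not the product's own code): seed by vector similarity,
take one hop over typed edges that carry provenance, temporal validity and
confidence, then rank the surviving frontier against the detected IOC.
All ids, embeddings, feeds and case ids are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from math import sqrt
from typing import Optional


@dataclass
class Node:
    node_id: str
    category: str            # IOC category, e.g. "domain", "ip", "hash"
    embedding: list[float]


@dataclass
class Edge:
    source: str
    target: str
    edge_type: str           # typed kill-chain relation, e.g. "BEACONS_TO"
    provenance: dict         # who asserted the link: source feed, case id
    confidence: float = 1.0  # feed/analyst confidence in [0, 1]
    valid_from: Optional[date] = None
    valid_to: Optional[date] = None   # None = not (yet) rotated out
    status: str = "unverified"        # curation state; "rejected" never traverses

    def is_valid_on(self, day: date) -> bool:
        started = self.valid_from is None or self.valid_from <= day
        not_ended = self.valid_to is None or day <= self.valid_to
        return started and not_ended


def cosine(a: list[float], b: list[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = sqrt(sum(x * x for x in a)), sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


class ThreatGraph:
    def __init__(self, nodes: list[Node]) -> None:
        self.nodes = {n.node_id: n for n in nodes}
        self.edges: list[Edge] = []

    def put_edge(self, edge: Edge) -> None:
        self.edges.append(edge)

    def vector_similar(self, query: list[float], k: int) -> set[str]:
        """Seed step: ids of the k indicators closest to the detected IOC."""
        ranked = sorted(self.nodes.values(),
                        key=lambda n: cosine(query, n.embedding), reverse=True)
        return {n.node_id for n in ranked[:k]}

    def traverse(self, seeds: set[str], edge_type: str, *,
                 as_of: Optional[date] = None,
                 weight_by_confidence: bool = False) -> dict[str, float]:
        """One outgoing hop over edge_type; returns target id -> hop weight.
        as_of=None turns the temporal filter off; weight_by_confidence=False
        gives every surviving hop weight 1.0 (both opt-in, as in the text)."""
        frontier: dict[str, float] = {}
        for e in self.edges:
            if e.source not in seeds or e.edge_type != edge_type or e.status == "rejected":
                continue                      # wrong type, or a curated-out link
            if as_of is not None and not e.is_valid_on(as_of):
                continue                      # stale link, e.g. a rotated C2
            w = e.confidence if weight_by_confidence else 1.0
            frontier[e.target] = max(frontier.get(e.target, 0.0), w)
        return frontier

    def vector_rank(self, frontier: dict[str, float],
                    query: list[float], k: int) -> list[str]:
        """Rank the surviving frontier by similarity, scaled by hop weight."""
        score = lambda kv: cosine(query, self.nodes[kv[0]].embedding) * kv[1]
        return [n for n, _ in sorted(frontier.items(), key=score, reverse=True)[:k]]


def reconstruct_chain(graph: ThreatGraph, ioc: list[float], edge_type: str, *,
                      k_seed: int = 3, k_rank: int = 10, as_of: Optional[date] = None,
                      weight_by_confidence: bool = False) -> list[str]:
    """Seed -> traverse -> rank, mirroring the hybrid query on the page."""
    seeds = graph.vector_similar(ioc, k_seed)
    frontier = graph.traverse(seeds, edge_type, as_of=as_of,
                              weight_by_confidence=weight_by_confidence)
    return graph.vector_rank(frontier, ioc, k_rank)


def build_sample_graph() -> ThreatGraph:
    """Constructed sample: one domain that beaconed to three C2 hosts over time."""
    g = ThreatGraph([Node("dom-1", "domain", [1.0, 0.0, 0.0]),
                     Node("c2-old", "ip", [0.9, 0.1, 0.0]),
                     Node("c2-new", "ip", [0.8, 0.2, 0.0]),
                     Node("c2-weak", "ip", [0.7, 0.3, 0.0])])
    prov = {"feed": "feed-A", "case": "CASE-0001"}   # constructed provenance
    g.put_edge(Edge("dom-1", "c2-old", "BEACONS_TO", prov, confidence=0.9,
                    valid_from=date(2024, 1, 1), valid_to=date(2024, 3, 31)))
    g.put_edge(Edge("dom-1", "c2-new", "BEACONS_TO", prov, confidence=0.95,
                    valid_from=date(2024, 4, 1)))
    g.put_edge(Edge("dom-1", "c2-weak", "BEACONS_TO", prov, confidence=0.3,
                    valid_from=date(2024, 4, 1)))
    return g


if __name__ == "__main__":
    g, q = build_sample_graph(), [1.0, 0.0, 0.0]     # q: the detected IOC's embedding
    print(reconstruct_chain(g, q, "BEACONS_TO"))                          # all three C2s
    print(reconstruct_chain(g, q, "BEACONS_TO", as_of=date(2024, 6, 1)))  # stale C2 dropped
    print(reconstruct_chain(g, q, "BEACONS_TO", weight_by_confidence=True))
```

With the defaults the rotated C2 still ranks first because it is the closest vector; passing `as_of` drops it, and `weight_by_confidence` demotes the low-confidence link without removing it, which is the distinction between the two opt-in controls the page describes.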
The Code
Everything above, in a few lines of Python.
```python
# Author kill-chain edges from investigations / feeds, with provenance.
# `client`, `domain_id`, `payload_id` and `detected_ioc_embedding` are assumed
# to exist already (an initialised client plus ids and an embedding from the
# collection); the page does not show that setup.
client.graph.put_edge("threat_intel", source=domain_id, target=payload_id,
                      edge_type="DELIVERED",
                      provenance={"feed": "misp", "case": "INC-204"})

# Reconstruct the chain: seed by similarity, traverse typed edges, rank.
chain = (
    client.graph.query("threat_intel")
    .vector_similar(detected_ioc_embedding, k=20)   # seed: nearest indicators
    .traverse("BEACONS_TO", direction="outgoing")   # one hop over a typed edge
    .vector_rank(detected_ioc_embedding, k=100)     # rank the surviving frontier
    .return_nodes()
)
```