Deliverables
- Normalization pipeline for feeds, detections, and investigation artifacts.
- Correlation graph and confidence scoring for related entities and behaviors.
- Analyst-facing dashboard focused on pivots rather than passive reporting.
Problem
Threat data becomes hard to act on when indicators, infrastructure, campaign context, and observed behaviors live in disconnected systems.
Approach
- Build a normalization pipeline that connects threat feeds, internal detections, and investigation artifacts into a single correlation graph.
- Highlight relationships between infrastructure, malware families, and repeated behavior patterns.
- Present the output through a dashboard focused on analyst pivoting rather than passive reporting.
Architecture / Workflow
- Collectors ingest external and internal intelligence sources into a normalized model.
- Correlation engine scores links and maps entities into graph relationships.
- Dashboard surfaces pivots, confidence, and key context needed for investigations.
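A minimal sketch of the collector, correlation and pivot stages above, added here as an illustration rather than the project's own code: three constructed record shapes (a feed entry, a SIEM detection, a case artifact) are normalized into one edge map, each link is scored with a noisy-OR over assumed per-source weights, and the score is returned with a rationale string so an analyst can see which sources produced it.

```python
from collections import defaultdict

# Constructed sample records; the domain, host and family values are placeholders, not real indicators.
FEED_RECORDS = [{"source": "osint-feed", "domain": "Example-C2.test ", "family": "demo-loader"}]
DETECTIONS = [{"source": "siem", "dest_domain": "example-c2.test", "host": "wks-17", "rule": "dns-beacon"}]
CASE_ARTIFACTS = [{"source": "case-42", "iocs": ["EXAMPLE-C2.TEST"], "family": "demo-loader"}]

# Assumed per-source reliability weights (hypothetical tuning values).
SOURCE_WEIGHT = {"osint-feed": 0.4, "siem": 0.5, "case-42": 0.7}


def canon(kind, value):
    """Normalize an entity to a canonical (kind, value) key so sources can be joined on it."""
    return (kind, value.strip().lower())


def normalize(feed, detections, artifacts):
    """Map heterogeneous records to edges: {frozenset({entity_a, entity_b}): {supporting sources}}."""
    edges = defaultdict(set)
    for r in feed:
        edges[frozenset({canon("domain", r["domain"]), canon("family", r["family"])})].add(r["source"])
    for r in detections:
        edges[frozenset({canon("domain", r["dest_domain"]), canon("host", r["host"])})].add(r["source"])
    for r in artifacts:
        for ioc in r["iocs"]:
            edges[frozenset({canon("domain", ioc), canon("family", r["family"])})].add(r["source"])
    return edges


def score_edge(sources):
    """Noisy-OR of the supporting sources' weights; returns (score, human-readable rationale)."""
    miss = 1.0
    for s in sorted(sources):
        miss *= 1.0 - SOURCE_WEIGHT[s]
    rationale = " + ".join(f"{s}({SOURCE_WEIGHT[s]})" for s in sorted(sources))
    return round(1.0 - miss, 3), rationale


def pivots(edges, start):
    """Neighbours of one entity with their scored, explained links: the dashboard's pivot list."""
    out = []
    for key, sources in edges.items():
        if start in key:
            (other,) = key - {start}
            out.append((other, *score_edge(sources)))
    return sorted(out, key=lambda t: -t[1])


if __name__ == "__main__":
    for other, score, why in pivots(normalize(FEED_RECORDS, DETECTIONS, CASE_ARTIFACTS), ("domain", "example-c2.test")):
        print(other, score, why)
```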
Tools and Technologies Used
Python, FastAPI, Neo4j, Splunk, Docker
Results / Impact
- Improved analyst ability to move from an isolated alert to a broader threat picture.
- Supported faster enrichment during investigations and threat-hunting exercises.
- Created a more structured workflow for validating intelligence relationships.
Key Technical Takeaways
- Correlation quality depends on disciplined normalization.
- Analyst workflows should drive dashboard design.
- Confidence scoring needs transparency to remain trustworthy.