US 12,413,555 B2
Cyber threat detection based on threat context, threat changes, and/or impact status
David K. Ahn, Winston-Salem, NC (US); Jess P. Parnell, Grayson, GA (US); Tyler J. Wendell, Holly Springs, NC (US); Hansaka A. Kodituwakku, Falls Church, VA (US); Jared Holmberg, Lake Dallas, TX (US); Daniel Rogers, Ashburn, VA (US); Cody Michael Baker, Round Hill, VA (US); and Pierre Mallett, III, Herndon, VA (US)
Assigned to Centripetal Networks, LLC, Portsmouth, NH (US)
Filed by Centripetal Networks, LLC, Portsmouth, NH (US)
Filed on Oct. 31, 2024, as Appl. No. 18/932,967.
Application 18/932,967 is a continuation of application No. 18/741,624, filed on Jun. 12, 2024.
Claims priority of provisional application 63/472,519, filed on Jun. 12, 2023.
Prior Publication US 2025/0063021 A1, Feb. 20, 2025
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/0263 (2013.01) [H04L 63/1416 (2013.01); H04L 63/1425 (2013.01)] 23 Claims
OG exemplary drawing
 
1. A method comprising:
receiving, from a provider of a plurality of providers and for a computer network configured to protect against cyber threats, cyber threat intelligence (CTI) data that includes a first indication of compromise (IOC) that indicates an endpoint external to the computer network is a potential cyber threat;
determining, based on the CTI data, first endpoint data that indicates the first IOC for the endpoint;
based on an analysis of the first endpoint data and stored event data associated with the endpoint, determining that a threat status for the endpoint has changed, between receipt of the CTI data and receipt of the stored event data, from a prior threat status for the endpoint, wherein the stored event data indicates the endpoint is a potential cyber threat and indicates one or more second IOCs, received from the plurality of providers, used to determine the prior threat status for the endpoint;
based on determining that the threat status for the endpoint has changed from the prior threat status, determining threat differential data for the endpoint that indicates the threat status for the endpoint has changed and that indicates one or more attributes that changed for the endpoint between the stored event data and the first endpoint data;
determining, based on the threat differential data, a disposition for the endpoint; and
sending, by a first computing device and to a second computing device, the disposition to cause the second computing device to filter network traffic for the computer network based on the disposition.
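The claimed flow (compare fresh CTI-derived endpoint data against stored event data, derive a threat differential, pick a disposition, hand it to the filtering device) illustrated with added example code that is not part of the patent or of Centripetal's product; the status vocabulary, severity ordering, disposition policy and sample data are all assumptions:

```python
# Illustration of the claimed threat-differential flow; constructed data, not Centripetal's code.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class EndpointEvent:
    """Endpoint data for one external endpoint (assumed schema)."""
    endpoint: str
    status: str                                 # assumed vocabulary: benign / suspicious / malicious
    iocs: set = field(default_factory=set)      # (provider, ioc_type) pairs that informed the status
    attrs: dict = field(default_factory=dict)   # e.g. confidence, category

SEVERITY = {"benign": 0, "suspicious": 1, "malicious": 2}   # assumed ordering

def threat_differential(stored: EndpointEvent, new: EndpointEvent) -> Optional[dict]:
    """Step 3/4 of the claim: detect a status change between stored event data and
    the new endpoint data; return None when unchanged, else the differential that
    records the prior and new status, newly reported IOCs and changed attributes."""
    if stored.status == new.status:
        return None
    changed = {k: (stored.attrs.get(k), v) for k, v in new.attrs.items()
               if stored.attrs.get(k) != v}
    return {"endpoint": new.endpoint, "prior_status": stored.status,
            "status": new.status, "new_iocs": new.iocs - stored.iocs,
            "changed_attrs": changed}

def disposition_for(diff: Optional[dict]) -> str:
    """Step 5: map the differential to a disposition (assumed policy)."""
    if diff is None:
        return "keep"       # no change, existing filtering rules stand
    if SEVERITY[diff["status"]] > SEVERITY[diff["prior_status"]]:
        return "block"      # escalated: filtering device should drop traffic to/from endpoint
    return "monitor"        # de-escalated: stop blocking, keep logging

def filter_message(diff: Optional[dict]) -> dict:
    """Step 6: the message the first device sends to the packet-filtering device."""
    return {"endpoint": diff["endpoint"] if diff else None,
            "action": disposition_for(diff)}

# Constructed sample: stored event built from two providers, then fresh CTI from a third
# that raises the endpoint's status and changes two attributes.
STORED = EndpointEvent("203.0.113.7", "suspicious",
                       {("provA", "ip"), ("provB", "domain")},
                       {"confidence": 40, "category": "scanner"})
FRESH = EndpointEvent("203.0.113.7", "malicious", {("provC", "ip")},
                      {"confidence": 90, "category": "c2"})

if __name__ == "__main__":
    print(filter_message(threat_differential(STORED, FRESH)))
```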