From 4ec0dd75c85b84855b401fe4d78d1273beabc930 Mon Sep 17 00:00:00 2001 From: anti Date: Sun, 26 Apr 2026 05:18:05 -0400 Subject: [PATCH] docs(roadmap): mark threat-intel enrichment shipped MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Out-of-band 'decnet enrich' worker landed across commits feat(intel): attacker_intel table → factory → providers → worker → CLI → API. v1 ships GreyNoise Community + AbuseIPDB + abuse.ch (Feodo Tracker bulk feed and ThreatFox per-IP). Shodan / Censys / OTX remain in the DEVELOPMENT_V2 backlog. --- development/DEVELOPMENT.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/development/DEVELOPMENT.md b/development/DEVELOPMENT.md index 270f2e3e..6bd4f022 100644 --- a/development/DEVELOPMENT.md +++ b/development/DEVELOPMENT.md @@ -56,7 +56,7 @@ ## Detection & Intelligence - [x] **Real-time alerting via webhooks** — Admin-configurable outbound webhooks (SIEM/SOAR integration: Wazuh/Shuffle/TheHive/n8n) with HMAC-SHA256 signing, topic-pattern filtering, and bounded retry. Slack/Telegram-specific senders remain as per-destination work (they accept generic webhook payloads already). -- [ ] **Threat intel enrichment** — Auto-lookup IPs against AbuseIPDB, Shodan, and GreyNoise. +- [x] **Threat intel enrichment** — Auto-lookup IPs against AbuseIPDB, Shodan, and GreyNoise. -> Out-of-band `decnet enrich` worker, woken on `attacker.scored`/`attacker.observed`. v1 ships GreyNoise Community + AbuseIPDB + abuse.ch (Feodo Tracker bulk feed and ThreatFox per-IP). Shodan / Censys / OTX backlogged in DEVELOPMENT_V2.md. - [ ] **Attack campaign clustering** — Group sessions by signatures and timing patterns. - [x] **GeoIP mapping** — Visualize attacker origin and ASN data on a map. - [ ] **TTPs tagging** — Map observed behaviors to MITRE ATT&CK techniques.
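Review bot: the ticked item still reads "Auto-lookup IPs against AbuseIPDB, Shodan, and GreyNoise." while the appended sentence says Shodan is backlogged, so the line as written claims a shipped Shodan lookup that the same line then retracts. Reword the description to match what v1 actually delivers and keep the backlog note separate, for example "**Threat intel enrichment** — Auto-lookup IPs against AbuseIPDB, GreyNoise Community, and abuse.ch (Feodo Tracker, ThreatFox). Shodan / Censys / OTX backlogged in DEVELOPMENT_V2.md." Two smaller points on the same hunk: the "->" separator breaks the " — " convention used by the neighbouring checklist entries, and the DEVELOPMENT_V2.md mention would be more useful as a relative markdown link so readers can reach the backlog from the rendered roadmap.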