Replacement of $Intel and $IntelRef from V8

Hi Team,

In earlier versions of DNIF, in order to fetch malicious IPs, the query used to contain “$Intel=True” and “$IntelRef”. What is the equivalent of the same in V9?

A popular question from DNIF veterans!


In DNIF v9, one can create an Enrichment bucket for all available third-party threat intel integration sources. The Enrichment bucket can be found by hovering over the System icon on the left navigation bar of the Home screen. Then select Enrichment, and it opens into a YAML file.

While configuring the enrichment bucket we can specify $Intel=True in the annotate section and $IntelRefernce in the translate section of the Enrichment Bucket yml file.

Please refer to the below link in order to create an Enrichment bucket for threat intel integration.

To check prebuilt third-party threat intel integration sources, please check the below link.

Once there are matches, the raw log will be enriched with ‘$Intel’ and ‘$IntelRef’ fields, and your earlier V8 query can be used just as it is.

Sherin Salam
