Coralogix is excited to announce a major enhancement to our Unified Threat Intelligence (UTI) capabilities – now with expanded IOC matching beyond IPs. While our earlier focus was primarily on detecting malicious IP addresses, threats have evolved. Attackers now hide behind encrypted traffic, disposable domains, and polymorphic files.
To stay ahead, we’ve normalized new critical fields – JA3, JA4, domain, URL, and file hash – and integrated them into our UTI engine. These are now fully supported in the Snowbit Utilities Extension, bringing faster detection, richer context, and broader coverage.
What’s New?
Until now, our IOC enrichment focused on:
- Malicious IP Address Detection
We’ve now added IOC enrichment support for:
- JA3 Fingerprint
- JA4 Fingerprint
- Malicious Domain
- Malicious URL
- Malicious File Hash
This extended support means more comprehensive detection, enabling threat hunters and analysts to surface stealthier adversarial activity across multiple attack surfaces.
Available Alerts
These enrichments power new dedicated alerts – now live via the Snowbit Utilities Extension:
- Unified Threat Intel – Malicious URL Detected
- Unified Threat Intel – Malicious JA4 Fingerprint Detected
- Unified Threat Intel – Malicious JA3 Fingerprint Detected
- Unified Threat Intel – Malicious Domain Detected
- Unified Threat Intel – Malicious Hash Detected
These alerts work alongside the existing IP-based detection to give you full-spectrum IOC monitoring.
Sample Log – Matched IOC (Domain)
Here’s how a matched malicious domain appears in logs under the cx_security namespace:
Each match is enriched with contextual intel such as feed source, confidence level, threat notes, and malware tags – enabling rapid triage and response.
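As an added illustration (not Coralogix or Snowbit code, and not the actual cx_security log format), here is a minimal matcher that normalizes the five new indicator types from log records and enriches each hit with the fields the post lists; the feed entries, log field names and sample records are all constructed.

```python
from urllib.parse import urlsplit

# Constructed threat feed keyed by (indicator type, normalized value); the
# enrichment fields mirror those the post lists: source, confidence, notes, tags.
FEED = {
    ("domain", "bad-updates.example"): {"source": "feed-a", "confidence": 90,
                                        "notes": "C2 domain", "tags": ["venomrat"]},
    ("ja3", "deadbeefdeadbeefdeadbeefdeadbeef"): {"source": "feed-b", "confidence": 75,
                                                  "notes": "beaconing client", "tags": ["cobaltstrike"]},
    ("sha256", "a" * 64): {"source": "feed-c", "confidence": 95,
                           "notes": "dropper", "tags": ["loader"]},
}
# Hypothetical log field names; real names depend on the log source.
FIELDS = (("ja3", "tls.ja3"), ("ja4", "tls.ja4"), ("domain", "dns.query"),
          ("url", "http.url"), ("sha256", "file.sha256"))

def _split(url):
    return urlsplit(url if "://" in url else "http://" + url)

def normalize(kind, value):
    """Canonicalize an indicator so feed and log values compare equal."""
    value = value.strip()
    if kind == "domain":
        return value.lower().rstrip(".")              # case and trailing dot
    if kind == "url":                                 # keep scheme+host+path only
        p = _split(value)
        return f"{p.scheme.lower()}://{(p.hostname or '').rstrip('.')}{p.path or '/'}"
    return value.lower()                              # JA3/JA4/hash: case-insensitive

def extract(record):
    """Yield (kind, normalized value) pairs present in one log record."""
    for kind, field in FIELDS:
        if field in record:
            yield kind, normalize(kind, record[field])
    if "http.url" in record:                          # a URL also implies its host
        host = _split(record["http.url"]).hostname
        if host:
            yield "domain", normalize("domain", host)

def match(record, feed=FEED):
    """Return enriched matches for one log record (empty list if none)."""
    return [{"ioc_type": k, "ioc_value": v, **feed[(k, v)]}
            for k, v in extract(record) if (k, v) in feed]

SAMPLE = [  # constructed records, not real traffic
    {"dns.query": "Bad-Updates.Example.", "src": "10.0.0.5"},
    {"tls.ja3": "DEADBEEFDEADBEEFDEADBEEFDEADBEEF", "dst": "203.0.113.7"},
    {"http.url": "https://bad-updates.example/dl/x.bin?id=1", "file.sha256": "A" * 64},
    {"dns.query": "www.example.org"},
]
```

Normalization is what makes the match robust: the mixed-case domain with a trailing dot, the upper-case JA3 and hash, and the host inside a URL all still hit the feed, while a benign query returns nothing.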
Delivered Through Snowbit Utilities Extension
These detections and enrichments are available immediately for customers using the Snowbit Utilities Extension, offering:
- Plug-and-play integration
- Prebuilt alert rules
- Seamless enrichment at ingest
- Unified logging under cx_security
Whether you’re handling proxy logs, NetFlow, DNS queries, or file activity – these new IOCs are automatically correlated with threat feeds and surfaced in real time.
Why This Matters
Modern attacks rarely rely on static IPs alone. Adversaries:
- Use encrypted channels that evade DPI
- Register throwaway domains and malicious URLs
- Deploy hashed payloads and beaconing clients
With JA3/JA4 fingerprinting, file hash correlation, and domain/URL intelligence, you’re equipped to catch:
- TLS-based malware (e.g., Cobalt Strike, VenomRAT)
- Phishing infrastructure
- Malicious file downloads and lateral movement