18.2 Understanding How Sentinel Processes Data

Sentinel downloads the data from the data sources to a map file, <sentinel_data_directory>/data/map_data/Threat_Intelligence.csv. Each data source is identified by a unique ID. When the SourceIP or TargetIP of an incoming event matches any of the IP addresses in the map file, Sentinel enriches the event with threat information by adding the corresponding source or target event fields:

  • SourceHostThreatSource (shts)

  • TargetHostThreatSource (thts)

  • SourceHostThreatType (rv198)

  • TargetHostThreatType (rv199)

  • SourceHostReputationScore (rv158)

  • TargetHostReputationScore (rv159)

If an IP address is listed in more than one data source, Sentinel takes the values for the above event fields from the data source that has the higher priority.
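As an added illustration (not Sentinel's own code), the following Python sketch models the lookup and enrichment described above against a constructed map file. The CSV column layout, the per-source numeric priority, and the rule that a larger priority value wins are assumptions, since this page documents neither the file format nor how priority is expressed.

```python
import csv
import io
import ipaddress

# Constructed sample standing in for Threat_Intelligence.csv. The real
# column layout is not documented here; these columns are assumptions.
SAMPLE_MAP_CSV = """ip,source_id,source_name,threat_type,reputation_score,priority
198.51.100.7,1,feed-a,botnet,90,2
198.51.100.7,2,feed-b,scanner,60,1
203.0.113.42,2,feed-b,malware,85,1
"""

# Event fields added for a matching SourceIP / TargetIP (names from the page).
FIELDS = {
    "SourceIP": ("shts", "rv198", "rv158"),   # SourceHostThreatSource/Type/ReputationScore
    "TargetIP": ("thts", "rv199", "rv159"),   # TargetHostThreatSource/Type/ReputationScore
}


def load_map(text):
    """Parse the map into {normalised_ip: [one row per data source, ...]}."""
    by_ip = {}
    for row in csv.DictReader(io.StringIO(text)):
        ip = str(ipaddress.ip_address(row["ip"].strip()))  # reject malformed IPs early
        row["priority"] = int(row["priority"])
        row["reputation_score"] = int(row["reputation_score"])
        by_ip.setdefault(ip, []).append(row)
    return by_ip


def best_entry(entries):
    """Resolve an IP listed by several data sources: higher priority wins (assumed: larger number)."""
    return max(entries, key=lambda e: e["priority"])


def enrich(event, ti_map):
    """Return a copy of the event with threat fields added for each matching IP role."""
    enriched = dict(event)
    for ip_field, (src_f, type_f, score_f) in FIELDS.items():
        entries = ti_map.get(event.get(ip_field, ""))
        if not entries:
            continue  # IP not in the map: leave the event untouched for that role
        hit = best_entry(entries)
        enriched[src_f] = hit["source_name"]
        enriched[type_f] = hit["threat_type"]
        enriched[score_f] = hit["reputation_score"]
    return enriched
```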

Sentinel provides the Threat Intelligence Solution Pack out-of-the-box, which includes correlation rules that detect communications to or from these IP addresses in your network. In upgrade installations, you must manually upgrade the Threat Intelligence Solution Pack in Solution Manager to get these latest correlation rules.

You can also create your own correlation rules as necessary. For more information, see Correlating Event Data in the NetIQ Sentinel User Guide.