Connect your own threat intelligence

How Client TIS (cTIS) lets you connect your own threat intelligence subscriptions to Radiant alongside Radiant's built-in feeds.

How cTIS works

When you connect a cTIS provider, Radiant queries that feed during Enrichment for every applicable artifact, in parallel with rTIS. There is no per-alert-type configuration, and prior triages do not need to be re-run.

cTIS results surface as cards in the Reputation and threat intel section of the artifact panel. A cTIS card shows your tenant name on the sub-label line, which distinguishes it from rTIS cards (sub-label: Radiant Security). See Built-in threat intelligence feeds for the full card-reading guide.

Supported providers

Radiant currently supports cTIS for the following provider. See the connector guide for step-by-step setup instructions.

Provider

VirusTotal

What it covers

File, URL, domain, and IP reputation across 70+ antivirus engines.

Connector guide

VirusTotal

Verify threat intel is active

After connecting a provider, the feed is queried on the next triage that contains an applicable artifact.

To confirm cTIS is contributing to enrichment:

Open any alert triaged after you saved the credential.
Select an applicable artifact (e.g., an IP address for AbuseIPDB or a file hash for VirusTotal).
In the artifact panel, scroll to the Reputation and threat intel section.

PreviousBuilt-in threat intelligence feeds NextVirusTotal

Last updated 23 days ago

Was this helpful?