Sight

Threat intelligence with dark-web, brand, and sandbox coverage.

What is Sight?

Sight is a threat intelligence platform that aggregates, normalises, and operationalises indicators of compromise (IoCs), STIX threat objects, dark-web monitoring signals, brand monitoring data, and sandbox detonation reports. It is designed for threat intelligence analysts and SOC teams that need a single enrichment surface and a mechanism to automatically distribute fresh IoCs to detection tools without manual export/import cycles.

  • All intelligence is stored in STIX 2.1 format natively — relationships between threats, actors, campaigns, and techniques are preserved.
  • IoCs are automatically pushed to Sandworm SIEM and Sandworm EDR for detection without manual export.
  • Dark-web monitoring runs continuous crawls and surfaces credential leaks and organisation mentions within hours.

Configure your intelligence sources

Sight aggregates threat intelligence from multiple sources. Built-in sources require no setup; external feeds can be added in Settings → Intelligence Sources.

  • STIX/TAXII: connect any TAXII 2.x server — provide the collection URL and credentials.
  • MISP: enter your MISP instance URL and API key to sync events and attributes.
  • Brand monitoring: provide your organisation name and domain list — Sight monitors for mentions and credential leaks.
  • Sandbox: submit files and URLs for dynamic analysis via the built-in sandbox or configure an external sandbox integration.

Sight's intelligence-source integrations never write to the systems they read from; each uses the minimum read-only permissions the source requires. Indicators flow outward only to the Sandworm detection tools listed under Integrations.

Key concepts

Sight provides threat intelligence capabilities: indicator management, dark-web monitoring, brand protection, and file/URL sandboxing.

  • Indicators of Compromise (IoCs): IPs, domains, hashes, JA3 fingerprints, and YARA rules ingested, deduped, and distributed to detection tools.
  • STIX objects: Sight stores intelligence natively in STIX 2.1 format — relationships between threats, actors, campaigns, and techniques are preserved.
  • Dark-web monitoring: continuous crawl of dark-web forums and marketplaces for mentions of your organisation, credentials, and data.
  • Brand monitoring: newly-registered domains and social-media impersonation attempts targeting your brand.
  • Sandbox: dynamic analysis of suspicious files and URLs — detonation reports with network IOCs, dropped files, and behaviour timelines.

Your first indicator search

Navigate to Sight → Search and paste an IP address, domain, hash, or URL. Sight queries all connected sources and returns enriched results with context, related threats, and historical observations.

  • Pivot from any indicator to related indicators, threat actors, or campaigns using the relationship graph.
  • Subscribe to a threat actor or campaign to receive alerts when new IoCs are published.
  • IoCs are automatically pushed to Sandworm SIEM and Sandworm EDR for detection — no manual export needed.

  1. Connect an intelligence feed.

     Navigate to Settings → Intelligence Sources and add a TAXII 2.x collection or MISP instance. Sight syncs the feed immediately on save.

  2. Search for an indicator.

     Go to Sight → Search and paste an IP, domain, file hash, or URL. Sight returns enriched results from all connected sources with related threats and historical context.

  3. Verify IoC distribution.

     Check Sandworm SIEM → Threat Intel to confirm that Sight IoCs are flowing to detection rules automatically.
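What the feed sync, IoC deduplication and relationship-graph pivot look like at the data level, as an added Python example (standard library only; this is not Sight's own code and does not call its API): it parses a TAXII 2.1 envelope of STIX 2.1 objects, pulls IoC values out of STIX patterns, merges the same value seen from two feeds into one entry, and walks relationship objects from an indicator to the actor and campaign it is linked to. The envelope, object IDs, names and indicator values are constructed sample data.

```python
"""Added example (standard library only, not Sight's code): parse a TAXII 2.1 envelope
of STIX 2.1 objects, dedupe IoC values and pivot over relationship objects."""
import json
import re
from collections import deque

# Constructed sample ids (STIX ids are type--UUID); nothing here is real threat data.
IND_A = "indicator--0f0a2a3e-1c1e-4b0e-9a2b-000000000001"
IND_B = "indicator--0f0a2a3e-1c1e-4b0e-9a2b-000000000002"  # repeats IND_A's IP
IND_C = "indicator--0f0a2a3e-1c1e-4b0e-9a2b-000000000003"
ACTOR = "threat-actor--0f0a2a3e-1c1e-4b0e-9a2b-0000000000a1"
CAMPAIGN = "campaign--0f0a2a3e-1c1e-4b0e-9a2b-0000000000c1"
REL = "relationship--0f0a2a3e-1c1e-4b0e-9a2b-0000000000e"


def stix(type_, id_, **props):
    """Minimal STIX 2.1 object; created/modified timestamps are left out of the sample."""
    return {"type": type_, "spec_version": "2.1", "id": id_, **props}


# Shape of a GET <collection>/objects/ response from a TAXII 2.1 server (an envelope).
SAMPLE_ENVELOPE = json.dumps({"objects": [
    stix("indicator", IND_A, name="C2 address", pattern_type="stix",
         pattern="[ipv4-addr:value = '198.51.100.1']"),
    stix("indicator", IND_B, name="C2 address (second feed)", pattern_type="stix",
         pattern="[ipv4-addr:value = '198.51.100.1']"),
    stix("indicator", IND_C, name="Phishing kit", pattern_type="stix",
         pattern="[domain-name:value = 'login-example.invalid'] OR "
                 "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"),
    stix("threat-actor", ACTOR, name="Sample Actor"),
    stix("campaign", CAMPAIGN, name="Sample Campaign"),
    stix("relationship", REL + "1", relationship_type="indicates",
         source_ref=IND_A, target_ref=ACTOR),
    stix("relationship", REL + "2", relationship_type="attributed-to",
         source_ref=CAMPAIGN, target_ref=ACTOR),
    stix("relationship", REL + "3", relationship_type="indicates",
         source_ref=IND_C, target_ref=CAMPAIGN),
]})

# One comparison term of a STIX pattern: <object-path> = '<value>'.
PATTERN_TERM = re.compile(r"([\w-]+:[\w.-]+(?:'[^']+')?)\s*=\s*'([^']*)'")
IOC_TYPES = {"ipv4-addr:value": "ipv4", "ipv6-addr:value": "ipv6",
             "domain-name:value": "domain", "url:value": "url",
             "file:hashes.'SHA-256'": "sha256", "file:hashes.'MD5'": "md5"}


def load_envelope(text):
    """Index the envelope's STIX objects by id."""
    return {obj["id"]: obj for obj in json.loads(text)["objects"]}


def extract_iocs(indicator):
    """(ioc_type, value) pairs from a STIX-language pattern; other paths are skipped."""
    if indicator.get("pattern_type", "stix") != "stix":  # e.g. yara/snort patterns
        return []
    found = []
    for path, value in PATTERN_TERM.findall(indicator["pattern"]):
        ioc_type = IOC_TYPES.get(path)
        if ioc_type:  # normalise: domains and hashes are case-insensitive, URLs are not
            found.append((ioc_type, value if ioc_type == "url" else value.lower()))
    return found


def dedupe_iocs(objects):
    """Map each normalised (type, value) to the indicator ids asserting it, so a value
    seen from two feeds is pushed to detection tools once but keeps both sources."""
    index = {}
    for obj in objects.values():
        if obj["type"] == "indicator":
            for key in extract_iocs(obj):
                index.setdefault(key, set()).add(obj["id"])
    return index


def build_graph(objects):
    """Undirected adjacency over relationship SROs, so a pivot from an indicator that
    'indicates' an actor also reaches a campaign 'attributed-to' that actor."""
    adj = {}
    for obj in objects.values():
        if obj["type"] == "relationship":
            adj.setdefault(obj["source_ref"], set()).add(obj["target_ref"])
            adj.setdefault(obj["target_ref"], set()).add(obj["source_ref"])
    return adj


def pivot(objects, start_id, max_depth=2):
    """Breadth-first pivot: ids reachable from start_id within max_depth hops."""
    adj, seen, queue = build_graph(objects), {start_id}, deque([(start_id, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth == max_depth:
            continue
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    seen.discard(start_id)
    return seen


def related_for_value(objects, value, max_depth=2):
    """Enrichment for a raw IoC: names of actors, campaigns and other indicators linked
    to any indicator asserting this value, grouped by STIX type."""
    value = value.lower()
    starts = {i for (_, v), ids in dedupe_iocs(objects).items() if v == value for i in ids}
    related = {}
    for start in starts:
        for oid in pivot(objects, start, max_depth) - starts:
            obj = objects[oid]
            related.setdefault(obj["type"], set()).add(obj.get("name", oid))
    return {k: sorted(v) for k, v in related.items()}


if __name__ == "__main__":
    objs = load_envelope(SAMPLE_ENVELOPE)
    print("deduplicated IoCs:", sorted(dedupe_iocs(objs)))
    print("related to 198.51.100.1:", related_for_value(objs, "198.51.100.1"))
```

Two design points worth carrying into real ingestion: the graph is walked in both directions on purpose, because the STIX edge `campaign attributed-to actor` points away from the actor and a directed walk from an indicator would never reach the campaign; and `max_depth` must stay bounded, since on a large feed an unbounded walk from a popular actor returns most of the collection.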

Integrations

Sight connects to external intelligence feeds and distributes enriched indicators to detection and response tools within the Sandworm platform.

  • Intelligence feeds: TAXII 2.x servers, MISP instances, commercial threat-intel subscriptions (via STIX/TAXII adapter).
  • Domain intelligence: certificate transparency logs and WHOIS for lookalike-domain monitoring; feeds data to Truthsayer.
  • Sandworm SIEM: IoC feeds are pushed automatically for correlation rule enrichment and detection.
  • Sandworm EDR: YARA rules and IP/domain blocklists from Sight are distributed to endpoint agents.
  • Stillsuit (NGFW/IPS): IP and domain IoCs are pushed to Stillsuit for real-time network blocking.
  • Sandbox: dynamic analysis of suspicious files and URLs; external integration with commercial sandboxes is configurable.
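Lookalike-domain detection of the kind the certificate transparency integration above feeds into Truthsayer, as an added Python example (standard library only; this is not Sight's or Truthsayer's code): given a brand label and the registrable domains you own, it classifies subject-alternative names as they come out of CT log entries as homoglyphs, typosquats, brand-on-another-TLD or embedded-brand registrations, and handles punycode IDN homographs. The brand `example`, the owned domains and the CT entries are constructed sample data, and the two-label registrable-domain rule is a stand-in for the Public Suffix List.

```python
"""Added example (standard library only, not Sight's or Truthsayer's code): classify
CT-log SAN names as lookalikes of a brand label."""
import unicodedata

BRAND = "example"                                # brand label to protect (assumed)
LEGIT_DOMAINS = {"example.com", "example.net"}   # registrable domains you own (assumed)

# Constructed sample of SAN names as they would be pulled from CT log entries.
CT_SAMPLE = [
    "login.example.com",                            # your own subdomain: never flagged
    "examp1e.com",                                  # digit 1 for letter l
    "exarnple.com",                                 # "rn" reads as "m"
    "examlpe.com",                                  # transposed letters
    "example-secure-login.net",                     # brand embedded in a new label
    "example.co",                                   # brand on a TLD you do not own
    "exämple.com".encode("idna").decode("ascii"),   # IDN homograph, as it appears in CT
    "sample.com",                                   # two edits away: not flagged
    "unrelated.org",
]

MULTI_GLYPHS = {"rn": "m", "vv": "w"}                 # multi-character confusables
SINGLE_GLYPHS = str.maketrans("01357", "olest")       # digit-for-letter confusables


def normalise_label(label):
    """Fold a label to the ASCII letters an eye would read. Accented Latin letters lose
    their marks via NFKD; non-Latin confusables (Cyrillic a) are dropped instead, which
    still lands them within one edit of the brand."""
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    for seq, rep in MULTI_GLYPHS.items():
        folded = folded.replace(seq, rep)
    return folded.translate(SINGLE_GLYPHS)


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent transposition,
    so 'examlpe' is one edit from 'example' rather than two."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def to_unicode(fqdn):
    """Decode punycode labels (xn--...) so homographs are compared as the user sees them."""
    try:
        return fqdn.encode("ascii").decode("idna")
    except UnicodeError:
        return fqdn


def registrable(fqdn):
    """Simplified eTLD+1 (last two labels); real code should consult the Public Suffix List."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def classify(fqdn):
    """Return a reason if fqdn looks like a lookalike of BRAND, else None."""
    reg = registrable(to_unicode(fqdn))
    if reg in LEGIT_DOMAINS:
        return None
    label = reg.split(".")[0]
    if label == BRAND:
        return "brand label on a TLD you do not own"
    folded = normalise_label(label)
    if folded == BRAND:
        return "homoglyph of brand label"
    if osa_distance(folded, BRAND) <= 1:
        return "typosquat (one edit from brand label)"
    if BRAND in folded:
        return "brand name embedded in label"
    return None


def scan(entries):
    """(domain, reason) for every CT entry that classify() flags."""
    flagged = []
    for name in entries:
        reason = classify(name)
        if reason:
            flagged.append((name, reason))
    return flagged


if __name__ == "__main__":
    for name, reason in scan(CT_SAMPLE):
        print(f"{name:40} {reason}")
```

The edit-distance threshold is deliberately one: at two edits `sample.com` would be flagged against `example`, and on a real CT stream that class of false positive drowns the analyst. Longer brand labels can afford a threshold of two; short ones cannot.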

API and CLI

Query indicators, submit files to the sandbox, and manage feeds via the sandworm CLI or REST API.

  • `sandworm sight search --ioc <value>` — enrich an indicator.
  • `sandworm sight sandbox submit --file <path>` — submit a file for sandboxing.
  • `sandworm sight iocs list --type domain` — list active domain IoCs.
  • REST API: see the OpenAPI spec at /api/sight/openapi.json on your deployment.

```bash
sandworm sight search --ioc 198.51.100.1
```

Sandworm Security — One security platform, AI in every tool