Threat Events.
An Event is every single thing that happens in the threat landscape: an open-source news report, a vulnerability disclosure, a tweet, a vendor report, or a dark web post. As soon as an Event reaches the platform, Liberty91 enriches it, extracts the threats and indicators inside it, and checks it against everything it knows about you, so the right Events surface and the right follow-up actions fire automatically.
What happens when an Event arrives
On arrival, Liberty91 enriches each Event before you ever look at it. The platform extracts Indicators of Compromise, identifies MITRE ATT&CK techniques, and pulls out any Threat Entities mentioned. It then matches the Event against your Alerts, sectors, Assets, regions, Suppliers, and Intelligence Requirements. When something matches, the platform takes the appropriate follow-up action, such as sending an alert or adding the Event to an Intelligence Requirement's knowledge base.
Events are how the platform stays current. Each one informs what Liberty91 knows about a topic, whether that is a Threat Entity, one of your Suppliers, an Asset, or an Intelligence Requirement. When an Event is relevant to a topic like infostealers, the platform judges the reliability of the source and the credibility of the data using the Admiralty scale, then updates its own knowledge. Grounding every Intelligence Package in this corpus is how Liberty91 keeps reporting current and reduces hallucination.
The Event page
Each Event opens on its own page. The header carries the Event title, the product (for example, news), the source, and the creation date.
Header actions
Under the title you have a set of actions:
- Delete the Event.
- Visit the original source.
- Share the Event with others.
- Generate a report. See Create a report from an Event.
- Download the STIX bundle for the Event.
If you have Modules turned on, you see more actions here. With MISP active you get Send to MISP, and with a webhook configured you get an action like Send to SOAR, depending on how that webhook is set up.
Summary & Analysis
On the right you find Summary & Analysis. Click Analyse now to generate a summary of the Event together with an assessment of how relevant it is to each of your Organizations.
Threat Library links and Suggestions
Below the summary you see the links between this Event and entities in your Threat Library. Liberty91 links matching entities automatically, and you can add or remove links by hand.
When the Event mentions Threat Entities that are not yet in your Threat Library, they appear under Suggestions. Click a suggestion to create a new Threat Card for that entity. The platform then finds all other relevant reporting on it and generates an up-to-date description.
Enrichment Opportunities
Under the Threat Library menu you find Enrichment Opportunities. These come from the enrichments run on the IOCs in the Event. For example, with the free OTX Module turned on, if an IP address in the Event is linked to VenomRAT by OTX, then VenomRAT shows up as an Enrichment Opportunity, and you can create a new Threat Card for that malware the same way you would from a suggestion. See IOC enrichment and decay scoring for how this works.
MITRE ATT&CK techniques
Below the Enrichment Opportunities you see the MITRE ATT&CK techniques identified in the Event. These cover every technique described in the report, not only those named outright, each with a short note on how the technique was used in the campaign.
Indicators of Compromise
At the bottom of the page you find the Indicators of Compromise from the Event, if any. Liberty91 gives each one a score and a confidence rating, and you can enable a range of integrations to enrich these IOCs and add more context.
Frequently asked questions
What counts as an Event in Liberty91?
Any single thing that happens: an open-source news report, a vulnerability disclosure, a tweet, a vendor report, or a dark web post. Each one becomes an Event.
What happens to an Event when it arrives?
Liberty91 extracts IOCs, MITRE ATT&CK techniques, and Threat Entities, then matches the Event against your alert rules, sectors, assets, regions, suppliers, and Intelligence Requirements, and takes any follow-up action such as sending an alert.