# Topic 12: Threat Intelligence Architecture

**Audit Date**: 2026-02-01
**Auditor**: Agent Antigravity
**Scope**: Campaign Tracking & Pattern Recognition

---

## 1. The Core Engine (`threat_engine.py`)

The system implements a **SOC-grade** intelligence engine that goes beyond simple message logging: it builds "campaigns" out of scattered data points (phone numbers, UPI handles, domains) seen across many messages.

### **A. Campaign Clustering Algorithm**

* **Logic**: `generate_campaign_id()`
* **Method**: Deterministic hashing. The same indicator set always yields the same campaign ID, so clustering needs no state and survives restarts.
* **Formula**: `MD5(Sorted(Phone + UPI + Domain))`
* **Effect**:
  * Scammer A uses Phone X.
  * Scammer B uses Phone X.
  * **Result**: both are automatically grouped under the **same Campaign ID**.
* **Caveat**: because the hash covers the whole sorted indicator set, two messages collide into one campaign only when their phone, UPI and domain sets are identical. A message that shares Phone X but adds a new UPI handle hashes to a different ID; pivoting on a single shared indicator is a separate query, not something the hash gives for free. MD5 is used here purely as a bucketing key, not as an integrity check, so its cryptographic weakness is not a concern for this use.
* **Audit**: confirmed in `threat_engine.py`.

---

## 2. Threat Classification Standards

The system maps all detected activity to global cybersecurity standards.

### **A. MITRE ATT&CK Mapping**

Confirmed TTP codes in `_get_ttps()` (scam category in parentheses):

* **T1566** Phishing (Lottery/Job).
* **T1059** Command and Scripting Interpreter (Crypto).
* **T1598** Phishing for Information (Banking).
* **T1204** User Execution.

### **B. Fraud Vector Analysis**

Deterministic mapping of *how* the money is stolen:

* **`upi_social_engineering`**: "Send money to receive money".
* **`credential_phishing`**: "Log in to this fake bank site".
* **`remote_access_takeover`**: "Install this screen-share/RAT app".

---

## 3. Threat Severity Scoring

* **Critical (score ≥ 70)**: Banking, Government impersonation.
* **High (score ≥ 50)**: Lottery, Crypto, Investment.
* **Boosters** (added to the category base score):
  * +15 if a UPI ID is found.
  * +15 if a bank account number is found.
  * +30 for a high-confidence detection.

---

## 4. IOC Management

* **Indicators of Compromise (IOCs)** are standardized before storage:
  * `phone_numbers`: validated, normalized to the +91 format.
  * `upi_handles`: validated VPA format (`name@psp`).
  * `urls`: extracted domains, lower-cased.
  * `rat_apps`: detected APKs / remote-access tools.
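The following Python module is an added illustration of the four mechanisms this audit describes (IOC normalization, the `MD5(Sorted(Phone + UPI + Domain))` campaign key, the ATT&CK and fraud-vector mappings, and the threshold-plus-booster severity score). It is example code, not the project's `threat_engine.py`; the regexes, the category base scores, the keyword rules for fraud vectors, the `0.9` confidence cut-off and the `|` join separator are all assumptions made here. The sample messages are constructed. The last three asserts in `__main__`-style usage are replaced by the demonstration below: two messages with the same indicator set collide into one campaign, while a third that shares the phone number but uses a different UPI handle does not.

```python
"""Illustration of the threat_engine.py behaviour described in this audit:
IOC normalisation (section 4), campaign clustering (1A), ATT&CK / fraud-vector
mapping (2A, 2B) and severity scoring (3).  Added example code, not the
project's own module; every regex, base score and keyword rule is an assumption."""
from __future__ import annotations

import hashlib
import re

# Assumed validators; the audit only says "+91 format" and "VPA format".
PHONE_RE = re.compile(r"^\+91[6-9]\d{9}$")                     # Indian mobile, E.164
VPA_RE = re.compile(r"^[a-z0-9._-]{3,}@[a-z]{3,}$")             # e.g. name@okaxis
RAW_PHONE_RE = re.compile(r"\+?\d[\d\s-]{8,}\d")                # loose match in free text
RAW_VPA_RE = re.compile(r"\b([\w.-]+@[a-zA-Z]{3,})(?![\w.])")   # skips e-mail-like x@y.com
URL_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)
RAT_APPS = ("anydesk", "teamviewer", "quicksupport")

# Section 2A: scam category -> ATT&CK technique IDs listed in the audit.
TTP_MAP = {
    "lottery": ["T1566", "T1204"], "job": ["T1566", "T1204"],
    "crypto": ["T1059", "T1204"],
    "banking": ["T1598", "T1204"], "government": ["T1598", "T1204"],
}
# Section 2B: first matching keyword rule wins (keywords are assumed).
FRAUD_VECTOR_RULES = [
    ("remote_access_takeover", RAT_APPS + ("screen share",)),
    ("credential_phishing", ("login", "verify your account", "update kyc")),
    ("upi_social_engineering", ("processing fee", "send money", "pay ")),
]
# Section 3: base scores chosen so the stated thresholds hold (assumed values).
BASE_SCORE = {"banking": 70, "government": 70, "lottery": 50, "crypto": 50, "investment": 50}
HIGH_CONFIDENCE = 0.9  # assumed cut-off for the +30 booster


def normalise_phone(raw: str) -> str | None:
    """Canonicalise '+91 98765 43210', '09876543210' or '9876543210' to +91XXXXXXXXXX."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 12 and digits.startswith("91"):
        digits = digits[2:]
    elif len(digits) == 11 and digits.startswith("0"):
        digits = digits[1:]
    candidate = "+91" + digits
    return candidate if PHONE_RE.match(candidate) else None


def extract_iocs(text: str) -> dict[str, list[str]]:
    """Section 4: the four standardised IOC lists, de-duplicated and sorted."""
    phones = {p for p in map(normalise_phone, RAW_PHONE_RE.findall(text)) if p}
    upis = {v.lower() for v in RAW_VPA_RE.findall(text) if VPA_RE.match(v.lower())}
    domains = {d.lower() for d in URL_RE.findall(text)}
    low = text.lower()
    rats = {app for app in RAT_APPS if app in low}
    return {"phone_numbers": sorted(phones), "upi_handles": sorted(upis),
            "urls": sorted(domains), "rat_apps": sorted(rats)}


def generate_campaign_id(iocs: dict[str, list[str]]) -> str:
    """Section 1A: MD5 over the sorted phone + UPI + domain set.  Two messages share
    an ID only when this whole set is identical; MD5 is a bucketing key, not integrity."""
    indicators = sorted(iocs["phone_numbers"] + iocs["upi_handles"] + iocs["urls"])
    return hashlib.md5("|".join(indicators).encode()).hexdigest()  # '|' separator assumed


def fraud_vector(text: str) -> str:
    """Section 2B: deterministic keyword rules, most specific (remote access) first."""
    low = text.lower()
    for name, keywords in FRAUD_VECTOR_RULES:
        if any(k in low for k in keywords):
            return name
    return "unknown"


def score_severity(category: str, iocs: dict[str, list[str]], confidence: float,
                   bank_account_found: bool = False) -> tuple[int, str]:
    """Section 3: category base score plus the three boosters, capped at 100."""
    score = BASE_SCORE.get(category, 30)  # 30 for unlisted categories is an assumption
    if iocs["upi_handles"]:
        score += 15
    if bank_account_found:
        score += 15
    if confidence >= HIGH_CONFIDENCE:
        score += 30
    score = min(score, 100)
    level = "critical" if score >= 70 else "high" if score >= 50 else "medium"
    return score, level


def build_record(text: str, category: str, confidence: float,
                 bank_account_found: bool = False) -> dict:
    """One enriched threat record per message, as a SOC pipeline would store it."""
    iocs = extract_iocs(text)
    score, level = score_severity(category, iocs, confidence, bank_account_found)
    return {"campaign_id": generate_campaign_id(iocs), "iocs": iocs,
            "ttps": TTP_MAP.get(category, []), "fraud_vector": fraud_vector(text),
            "severity": score, "level": level}


# Constructed sample messages (not real data).  A and B carry the same indicator set
# in different forms; C shares the phone number but uses a different UPI handle.
MSG_A = ("Congratulations! You won Rs 25,00,000 in the KBC lottery. Pay the processing fee "
         "to kbcwinner@okaxis or call +91 98765 43210. Claim at http://kbc-prize-claim.example/win")
MSG_B = "Call 09876543210 now, pay kbcwinner@okaxis, visit HTTP://KBC-PRIZE-CLAIM.EXAMPLE/claim"
MSG_C = ("Call 9876543210, pay the processing fee to scamdesk@ybl, "
         "claim at http://kbc-prize-claim.example/")

if __name__ == "__main__":
    for msg in (MSG_A, MSG_B, MSG_C):
        print(build_record(msg, "lottery", 0.95))
```

Running the module prints three records: the first two carry the same `campaign_id` because normalization folds `+91 98765 43210`, `09876543210`, and the mixed-case URL into one indicator set, while the third gets a different ID despite the shared phone number. That second outcome is the point to keep in mind when reading the clustering claim in section 1A: the hash groups identical indicator sets, and a pivot on any single shared indicator has to be done as a lookup over stored IOCs.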