Security system
US-2024414178-A1 · Dec 12, 2024 · US
US12580893B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12580893-B2 |
| Application number | US-202418741624-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 12, 2024 |
| Priority date | Jun 12, 2023 |
| Publication date | Mar 17, 2026 |
| Grant date | Mar 17, 2026 |
Official abstract text for this publication.
Aspects described herein may relate to cyber threat detection based on threat context and/or threat changes. Cyber threat intelligence (CTI) data may be received from a CTI provider. Endpoint data that indicates evidence that endpoints are cyber threats may be determined based on the CTI data. The endpoint data may be analyzed and/or compared to stored data associated with the endpoint. The analysis and/or comparison may be performed to determine whether evidence that the endpoint is a cyber threat has changed. Based on any changes, dispositions for the endpoint may be determined and sent. The dispositions may change how devices filter network traffic associated with the endpoint. Alternatives to default dispositions may be determined based on an impact of blocking potentially legitimate network traffic to and/or from the endpoints. Machine-learning models may assist in processing and analyzing CTI data, performing threat monitoring, and/or determining feeds that include the dispositions.
Opening claim text (preview).
What is claimed is:
1. A method comprising: training one or more machine-learning models on historical network traffic data; receiving cyber threat intelligence (CTI) data for an endpoint, wherein the CTI data comprises one or more indications of compromise (IOCs) associated with the endpoint; determining that the endpoint is not included in a list of known malicious endpoints and that the endpoint is not included in a list of known non-malicious endpoints; determining a threat status for the endpoint based on the one or more IOCs indicated by the CTI data, wherein a default disposition would apply to network traffic associated with the endpoint based on the threat status; determining, for an entity, an impact status based on an impact of blocking potentially legitimate network traffic between the endpoint and a network of the entity, wherein determining the impact status comprises: providing, as input to the one or more trained machine-learning models, network traffic data associated with network traffic at the network of the entity; and receiving, as output from the one or more trained machine learning models, the impact status; determining an alternative disposition for the endpoint that is different from the default disposition based on the threat status and the impact status; and configuring a computing device to filter network traffic between the network and the endpoint based on the alternative disposition.
2. The method of claim 1, wherein the configuring the computing device to filter network traffic between the network and the endpoint based on the alternative disposition comprises sending the alternative disposition to the computing device via a feed.
3. The method of claim 1, further comprising adjusting a CTI confidence threshold based on the impact status, wherein the determining the alternative disposition for the endpoint based on the CTI data comprises comparing a confidence of CTI data associated with the endpoint to the adjusted CTI confidence threshold.
4. The method of claim 1, wherein: the default disposition is a default allow disposition; the determining the impact status comprises determining that the potential impact of blocking network traffic between the endpoint and the network of the entity is a low potential impact that does not satisfy a high impact threshold; and determining the alternative disposition for the endpoint comprises determining that the alternative disposition is a block disposition based on the potential impact being a low potential impact.
5. The method of claim 1, wherein: the default disposition is a default block disposition; the determining the impact status comprises determining that the potential impact of blocking network traffic between the endpoint and the network of the entity is a high potential impact that does not satisfy a low impact threshold; and the determining the alternative disposition for the endpoint comprises determining that the alternative disposition is an allow disposition based on the potential impact being a high potential impact.
6. The method of claim 1, wherein the determining the impact status based on the potential impact of blocking legitimate network traffic between the endpoint and the network comprises one or more of: comparing an historic volume of traffic between the endpoint and the network to a traffic volume threshold; comparing an historic frequency of traffic between the endpoint and the network to a traffic frequency threshold; or comparing a quantity of resources associated with network traffic between the endpoint and the network to a resource threshold.
7. The method of claim 1, wherein the determining the impact status based on the potential impact of blocking legitimate network traffic between the endpoint and the network comprises one or more of: determining a type of user associated with network traffic between the endpoint and the network and determining the impact status based on the determined type of user; determining a type of computing resource associated with network traffic between the endpoint and the network and determining the impact status based on the determined type of computing resource; or determining a time of day associated with sending network traffic to the endpoint or receiving network traffic from the endpoint.
8. The method of claim 1, wherein the historical network traffic data comprises: first historical network traffic data associated with network traffic at the network of the entity; and second historical network traffic data associated with network traffic at a different network of a different entity.
9. The method of claim 1, further comprising combining a value of the impact status and a value of the threat status to obtain a composite shieldability status, wherein the determining the alternative disposition based on the threat status and the impact status comprises determining the alternative disposition based on the composite shieldability status.
10. One or more computing devices comprising: one or more processors; and memory storing computer-executable instructions that, when executed by the one or more processors, cause the one or more computing devices to: train one or more machine-learning models on historical network traffic data; receive cyber threat intelligence (CTI) data for an endpoint, wherein the CTI data comprises one or more indications of compromise (IOCs) associated with the endpoint; determine that the endpoint is not included in a list of known malicious endpoints and that the endpoint is not included in a list of known non-malicious endpoints; determine a threat status for the endpoint based on the one or more IOCs indicated by the CTI data, wherein a default disposition would apply to network traffic associated with the endpoint based on the threat status; determine, for an entity, an impact status based on an impact of blocking potentially legitimate network traffic between the endpoint and a network of the entity, wherein determination of the impact status comprises: providing, as input to the one or more trained machine-learning models, network traffic data associated with network traffic at the network of the entity; and receiving, as output from the one or more trained machine learning models, the impact status; determine an alternative disposition for the endpoint that is different from the default disposition based on the threat status and the impact status; and configure a computing device to filter network traffic between the network and the endpoint based on the alternative disposition.
11. The one or more computing devices of claim 10, wherein the instructions, when executed by the one or more processors, cause the one or more computing devices to configure the computing device to filter network traffic between the network and the endpoint based on the alternative disposition comprises sending the alternative disposition to the computing device via a feed.
12. The one or more computing devices of claim 10, wherein the instructions, when executed by the one or more processors, further cause the one or more computing devices to adjust a CTI confidence threshold based on the impact status, wherein the determining the alternative disposition for the endpoint based on the CTI data comprises comparing a confidence of CTI data associated with the endpoint to the adjusted CTI confidence threshold.
13. The one or more computing devices of claim 10, wherein: the default disposition is a default allow disposition; and the instructions, when executed by the one or more processors, cause the one or more computi
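The decision flow of claims 1 through 6 and 9 (known-list check, threat status from IOC confidence, impact status from historic traffic, then an alternative disposition that can override the default in either direction) is easier to follow as code. The block below is an added illustration written for this page, not the patent's implementation and not code from its assignee. It substitutes the volume and frequency threshold checks of claim 6 for the trained impact model of claim 1, and every threshold value, weighting, endpoint, IOC and traffic record is an assumption or constructed sample data (addresses are from the RFC 5737 documentation ranges).

```python
"""Disposition logic sketched from claims 1-6 and 9 (added illustration, not the
patent's implementation). The trained impact model is replaced by the claim 6
threshold checks; all data and thresholds below are constructed/assumed."""
from dataclasses import dataclass

# Constructed known-endpoint lists; claim 1 checks both before scoring an endpoint.
KNOWN_MALICIOUS = {"203.0.113.7"}
KNOWN_NON_MALICIOUS = {"198.51.100.10"}

# Assumed thresholds: the claims name these but give no values.
CTI_CONFIDENCE_THRESHOLD = 0.6   # threat at or above this -> default block
VOLUME_THRESHOLD = 50_000_000    # bytes exchanged with the endpoint over the window
FREQUENCY_THRESHOLD = 200        # sessions with the endpoint over the window
IMPACT_ADJUSTMENT = {"low": 0.2, "high": -0.3}  # assumed weighting for the claim 9 composite

@dataclass
class CTIRecord:
    endpoint: str
    iocs: list            # (ioc_name, provider_confidence 0..1) pairs

@dataclass
class TrafficHistory:
    endpoint: str
    bytes_window: int     # historic volume between the entity network and the endpoint
    sessions_window: int  # historic frequency over the same window

@dataclass
class Decision:
    endpoint: str
    threat: float
    impact: str
    default: str
    final: str
    reason: str

def threat_status(rec):
    """Threat status from the IOCs: the highest provider confidence seen (0 if none)."""
    return max((conf for _, conf in rec.iocs), default=0.0)

def impact_status(hist):
    """Claim 6 style check: 'high' when blocking would cut a high-volume or high-frequency relationship."""
    if hist.bytes_window >= VOLUME_THRESHOLD or hist.sessions_window >= FREQUENCY_THRESHOLD:
        return "high"
    return "low"

def composite_shieldability(threat, impact):
    """Claim 9 composite: threat value plus an impact value. Comparing it to the fixed
    CTI threshold is the same arithmetic as the adjusted threshold of claim 3."""
    return round(threat + IMPACT_ADJUSTMENT[impact], 3)

def decide(rec, hist):
    """Return the default and final dispositions for one endpoint with the reason."""
    if rec.endpoint in KNOWN_MALICIOUS:
        return Decision(rec.endpoint, 1.0, "n/a", "block", "block", "listed as known malicious")
    if rec.endpoint in KNOWN_NON_MALICIOUS:
        return Decision(rec.endpoint, 0.0, "n/a", "allow", "allow", "listed as known non-malicious")
    threat = threat_status(rec)
    impact = impact_status(hist)
    default = "block" if threat >= CTI_CONFIDENCE_THRESHOLD else "allow"
    final = "block" if composite_shieldability(threat, impact) >= CTI_CONFIDENCE_THRESHOLD else "allow"
    if final == default:
        reason = "default disposition kept"
    elif final == "block":
        reason = "claim 4 path: default allow, low impact -> block"
    else:
        reason = "claim 5 path: default block, high impact -> allow"
    return Decision(rec.endpoint, threat, impact, default, final, reason)

def build_feed(records, histories):
    """Claim 2: dispositions are delivered to the filtering device as a feed."""
    by_endpoint = {h.endpoint: h for h in histories}
    feed = []
    for rec in records:
        hist = by_endpoint.get(rec.endpoint, TrafficHistory(rec.endpoint, 0, 0))
        d = decide(rec, hist)
        feed.append({"endpoint": d.endpoint, "disposition": d.final, "reason": d.reason})
    return feed

# Constructed sample CTI and traffic history (not real intelligence).
SAMPLE_CTI = [
    CTIRecord("203.0.113.7", [("c2-beacon", 0.9)]),        # on the known-malicious list
    CTIRecord("198.51.100.10", [("scanner", 0.8)]),        # on the known-non-malicious list
    CTIRecord("192.0.2.5", [("suspicious-dns", 0.5)]),     # weak IOC, little traffic -> claim 4
    CTIRecord("192.0.2.9", [("c2-beacon", 0.7)]),          # solid IOC, heavy traffic -> claim 5
    CTIRecord("192.0.2.20", [("c2-beacon", 0.95)]),        # very confident IOC outweighs impact
]
SAMPLE_HISTORY = [
    TrafficHistory("192.0.2.5", 1_000_000, 12),
    TrafficHistory("192.0.2.9", 80_000_000, 40),
    TrafficHistory("192.0.2.20", 80_000_000, 40),
]

if __name__ == "__main__":
    for entry in build_feed(SAMPLE_CTI, SAMPLE_HISTORY):
        print(entry)
```

The point a defender should take from the example is that the override is symmetric: a weakly-indicated endpoint nobody talks to gets blocked (claim 4), a moderately-indicated endpoint the business depends on is left open pending better evidence (claim 5), and a high-confidence indicator still wins over impact. Whichever model replaces the threshold heuristic, keeping the reason string in the feed is what makes the resulting firewall change auditable.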
Traffic logging, e.g. anomaly detection · CPC title
Event detection, e.g. attack signature detection · CPC title
Machine learning · CPC title
Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) · CPC title
Rule management · CPC title