Introduction Monitoring Network Traffic for malicious activities is one of the priorities for an network IDS, what if the network IDS can take in threat intelligence data to look out for malicious domains, Ip addresses, emails,file-hashes and so on, sagan has one such feature called Bro intelligence framework this write up will give you an insight on how to install configure and use bro intel framework in sagan. I have been working with sagan for few months now, it has been really hard to put all the pieces together and you don't really find any perfect documentation or tutorials regarding sagan and its features at one place. Sagan is an open source real time log analysis and correlation engine that runs on Unix Operating Systems, sagan's rules are quite similar to SNORT. Sagan can record events to the snort unified 2 output format which allows it to be compatible with user interfaces such as Squil,Snorby,Graylog. Sagan has lot more capabilities than being a Log Anal