Broadly, threat intelligence (sometimes shortened to “threat intel”) is any information related to cyberthreats. In the context of SOAR, threat intelligence often comes in the form of a feed or database that receives regular updates. These sources provide a variety of useful data, such as:
- Known malicious domains
- IP addresses associated with botnets
- Checksums of files associated with malware
- SSL certificates used for malicious purposes
Threat intelligence is available from a variety of entities. Among the best-known providers are familiar names like Kaspersky and VirusTotal. Many feeds are even offered for free, so getting started with threat intelligence doesn’t have to be expensive. Additionally, security orchestration platforms make it easy to surface relevant threat intelligence to analysts as they work, including during investigations, so they can make better-informed decisions faster.
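As an added example (not code from the original article or any SOAR vendor), here is a small Python enrichment step of the kind a SOAR playbook runs when it matches an alert's observables against a threat intelligence feed covering the four indicator types listed above. It handles CIDR ranges for botnet addresses and case or trailing-dot differences in domains, hashes and certificate fingerprints; all feed rows and alert observables are constructed samples, not real indicators.

```python
import ipaddress

# Constructed sample feed rows (not real indicators), in the shape a SOAR
# platform might ingest from a regularly updated threat intelligence feed:
# (indicator_type, value, source, description).
SAMPLE_FEED = [
    ("domain", "Bad-Example.test", "feed-a", "known malicious domain"),
    ("ip", "198.51.100.0/24", "feed-a", "botnet C2 range"),
    ("ip", "203.0.113.7", "feed-b", "botnet node"),
    ("sha256", "A" * 64, "feed-b", "malware sample checksum"),
    ("cert_sha1", "ab" * 20, "feed-c", "TLS certificate used by malware"),
]

# Constructed observables extracted from one alert: (indicator_type, value).
SAMPLE_ALERT = [
    ("domain", "bad-example.test."),
    ("ip", "198.51.100.42"),
    ("ip", "192.0.2.10"),
    ("sha256", "a" * 64),
    ("cert_sha1", "CD" * 20),
]

def normalize(kind, value):
    # Feeds and log sources disagree on case and trailing dots; normalize
    # both sides so "Bad-Example.test" and "bad-example.test." compare equal.
    value = value.strip()
    if kind == "domain":
        return value.lower().rstrip(".")
    if kind in ("sha256", "cert_sha1"):
        return value.lower()
    return value

def load_feed(rows):
    """Index feed rows by type; IP entries may be single hosts or CIDR ranges."""
    store = {"domain": {}, "sha256": {}, "cert_sha1": {}, "ip": []}
    for kind, value, source, desc in rows:
        entry = {"source": source, "description": desc}
        if kind == "ip":
            store["ip"].append((ipaddress.ip_network(value, strict=False), entry))
        else:
            store[kind][normalize(kind, value)] = entry
    return store

def enrich(store, observables):
    """Return one hit per observable that matches a feed entry, with its source."""
    hits = []
    for kind, value in observables:
        if kind == "ip":
            addr = ipaddress.ip_address(value)
            hits += [{"kind": kind, "value": value, **e} for net, e in store["ip"] if addr in net]
        elif kind in store and (entry := store[kind].get(normalize(kind, value))):
            hits.append({"kind": kind, "value": value, **entry})
    return hits

if __name__ == "__main__":
    for hit in enrich(load_feed(SAMPLE_FEED), SAMPLE_ALERT):
        print(hit)
```

The unmatched observables (the address outside both feed ranges and the unknown certificate fingerprint) produce no hit, which is what lets a playbook decide whether to escalate or close the alert.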