Of the 4 levels of threat intelligence (strategic, operational, tactical, and technical), technical TI is at the bottom of the pyramid \u2014 but it’s no less important than the rest. \u00a0<\/p>\n\n\n\n
That’s because it helps SOC teams configure the security systems that are the first line of defense against known and emerging threats. <\/p>\n\n\n\n
Technical Threat Intelligence focuses on indicators of immediate compromise like bad IP addresses or domains. <\/p>\n\n\n\n
This data is typically machine-readable. Systems like TIP, SIEM, IDS\/IPS and EDR can ingest and operationalize it, and SOC teams can then create new security rules or enrich existing ones. <\/p>\n\n\n\n
All popular security solutions can read technical TI data because they use a common format for sharing threat information \u2014 STIX.<\/p>\n\n\n\n
Here is an example of a technical threat intelligence data object from ANY.RUN\u2019s TI feeds:<\/p>\n\n\n\n
{ \n\n \"type\": \"ipv4-addr\", \n\n \"id\": \"ipv4-addr--8c851c0c-ee42-5e7e-af06-f849efc0ffb4\", \n\n \"value\": \"194.104.136.5\", \n\n \"created\": \"2022-04-20T15:05:54.181Z\", \n\n \"modified\": \"2024-02-19T11:21:47.728Z\", \n\n \"external_references\": [ \n\n { \n\n \"source_name\": \"ANY.RUN task c761d29c-a02a-4666-bc34-b89c4aab5cd1\", \n\n \"url\": \"https:\/\/app.any.run\/tasks\/c761d29c-a02a-4666-bc34-b89c4aab5cd1\" \n\n } \n\n ], \n\n \"labels\": [ \n\n \"RedLine\" \n\n ] \n\n} <\/code><\/pre>\n\n\n\nSTIX is essentially JSON that’s been modified to better build connections between data elements likened indicators, tactics, techniques, and threat actors.\u00a0<\/p>\n\n\n\n\n