AI SOC Applications
Threat Intelligence (TI)
Threat Intelligence holds enrichment results for observables.

1) Open Threat Intelligence
   Navigate to Application Records > Threat Intelligence. Search by observable value (IP, domain, URL, hash).

2) Core fields
   Observable: Observable, Observable Type, Observable File
   Enrichment: Enrichments, Merged Risk Scores, Turbine Risk Score
   Verdict: Threat Intelligence Verdict
   Timing: First Created, Last Seen, Last Updated, TI Last Updated

   2a) Observable panel
       Review Observable and Observable Type. Use Observable File to attach or review file samples when available.

   2b) Metrics panel
       Review First Created, Last Updated, Last Seen, and TI Last Updated to understand how recent the enrichment is.

   2c) Risk and enrichment panels
       The Risk Score widget summarizes the Turbine Risk Score and related risk elements. The Turbine Risk Score panel shows the current verdict and the Merged Risk Scores. Raw Enrichments lists each provider's response for troubleshooting and verification. Use Enrich Observable to re-run enrichment on demand.

3) Validation

   3a) Validation steps
       Confirm the Observable Type matches the value (IP, domain, URL, hash). Compare the results of multiple providers in Enrichments. Use the Turbine Risk Score to prioritize.

   3b) Provider outcomes
       A provider's result can be Pending, Complete, or Error. Error indicates missing credentials or an unavailable provider. An Unknown verdict can still appear when providers return no definitive data; it means the providers had nothing conclusive, not that the observable is benign. TI enrichment checks run on a short interval and retry a few times (about once per minute, up to five checks) before a result is finalized; if providers do not respond within those checks, the status can end as Error.

Analyst tips
   - Verify provider coverage in Enrichments.
   - Use Merged Risk Scores to compare provider signals.

Commonly used fields
   - Observable and Observable Type, to confirm the target
   - Threat Intelligence Verdict and Turbine Risk Score, to prioritize
   - Enrichments and Merged Risk Scores, to compare providers
   - First Created, Last Seen, and TI Last Updated, for recency

Detailed workflow
   1. Open the observable from the Threat Intelligence panel on a signal.
   2. Verify the Observable Type and confirm that enrichment providers returned results.
   3. Review Enrichments for provider-specific verdicts and evidence.
   4. Use the Turbine Risk Score and Threat Intelligence Verdict to decide next steps.
   5. If results are missing, check for Error status and validate the provider assets.
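The validation steps and provider outcomes above, as an added worked example. This is illustrative code written for this page, not the product's own implementation: it classifies an observable value as IP, domain, URL or hash so the declared Observable Type can be checked against it, simulates the poll-and-retry finalization (up to five checks, falling to Error when no provider answers), and merges per-provider results into a single verdict and score. The merge rule (highest provider score wins, worst verdict wins) and the enrichment record layout are assumptions for illustration; the page does not define how Merged Risk Scores or the Turbine Risk Score are computed.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Hex digest lengths treated as hashes (MD5, SHA-1, SHA-256).
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

DOMAIN_RE = re.compile(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}")


def classify_observable(value):
    """Return 'ip', 'domain', 'url' or 'hash' for a value, or None if it fits none."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)          # IPv4 or IPv6 literal
        return "ip"
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in HASH_LENGTHS:
        return "hash"
    parsed = urlparse(v)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "url"
    if DOMAIN_RE.fullmatch(v.lower()):
        return "domain"
    return None


def type_matches(value, declared_type):
    """Validation step 3a: does the stored Observable Type agree with the value?"""
    return classify_observable(value) == declared_type


def finalize_enrichment(poll_results, max_checks=5):
    """Simulate one provider's enrichment status across the retry window.

    poll_results is the status observed at each check, in order (constructed input).
    A terminal status (complete/error) ends the loop; if none arrives within
    max_checks, the result is finalized as 'error', matching the documented
    behaviour when providers do not respond. Returns (status, checks_used).
    """
    checks = poll_results[:max_checks]
    for i, status in enumerate(checks, start=1):
        if status in ("complete", "error"):
            return status, i
    return "error", len(checks)


# Verdict ordering used by the assumed worst-verdict-wins merge rule.
VERDICT_RANK = {"malicious": 3, "suspicious": 2, "unknown": 1, "benign": 0}


def merge_risk_scores(enrichments):
    """Merge per-provider enrichment records into one summary (assumed rule).

    Each record: {"provider", "status", "verdict", "score"}. Only 'complete'
    records with a verdict take part; errors and pending records are counted
    so the analyst can see coverage, as the page recommends.
    """
    counts = {"complete": 0, "error": 0, "pending": 0}
    usable = []
    for e in enrichments:
        counts[e["status"]] = counts.get(e["status"], 0) + 1
        if e["status"] == "complete" and e.get("verdict"):
            usable.append(e)
    if not usable:
        return {"verdict": "unknown", "merged_score": None, **counts}
    verdict = max((e["verdict"] for e in usable), key=lambda v: VERDICT_RANK.get(v, 1))
    scores = [e["score"] for e in usable if e.get("score") is not None]
    return {"verdict": verdict, "merged_score": max(scores) if scores else None, **counts}


# Constructed sample: three hypothetical providers for one observable.
SAMPLE_ENRICHMENTS = [
    {"provider": "provider_a", "status": "complete", "verdict": "malicious", "score": 85},
    {"provider": "provider_b", "status": "complete", "verdict": "unknown", "score": None},
    {"provider": "provider_c", "status": "error", "verdict": None, "score": None},
]

if __name__ == "__main__":
    for value, declared in [("198.51.100.7", "ip"), ("example.com", "ip")]:
        print(value, declared, "matches" if type_matches(value, declared) else "MISMATCH")
    print(finalize_enrichment(["pending"] * 5))
    print(merge_risk_scores(SAMPLE_ENRICHMENTS))
```

Running the block shows the two validation outcomes a reviewer cares about: a type mismatch (a domain stored as an IP) is flagged before any score is trusted, and a provider that never returns within the five checks is reported as Error rather than left Pending, with the error counted separately so missing coverage is visible in the merged result.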