Threat intelligence is information about an adversary, including their tactics and motives. In the context of information security, threat intelligence commonly refers to indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs). In this framework, an IOC is typically forensic evidence that can be observed in telemetry, such as outbound traffic to a suspicious domain, the presence of malware on a host, or unusual activity in an administrative account. TTPs describe how an actor operates, for example brute force, supply chain compromise, or Secure Shell (SSH) hijacking.
MITRE ATT&CK is a common framework for understanding TTPs. Read more about MITRE ATT&CK.
Threat intelligence data generally refers to static, machine-readable indicators that automated systems can consume for detection and prevention use cases: for example, IP addresses and domains associated with malicious network traffic, logins from suspicious geographic locations, and the presence of known malicious code.
There are many different sources of threat intelligence data, including open source feeds, vendor data, government-published threat intelligence, and private sector information sharing organizations such as IT-ISAC.
Oracle Threat Intelligence Service provides access to threat intelligence including, but not limited to, indicators of compromise, threat reputation data, geolocation data, known bad actors, and confidence levels. Sources include first-party Oracle-sourced data, third-party data from our partners, open source threat feeds, and Oracle security research insights. The data evolves as new threats arise and is updated daily. Threat Intelligence Service is intended to support security incident investigation and provide contextual detail about identified threats.
The service supports out-of-the-box integrations with Oracle Cloud Guard and Oracle Cloud Guard Threat Detector and provides access to Threat Intelligence Service's searchable database of indicators of compromise.
Once you enable Oracle Cloud Guard and Oracle Cloud Guard Threat Detector in your tenancy, Threat Intelligence Service works for you automatically: both services are fully integrated with it on the back end. Cloud Guard monitors your Audit telemetry and generates a Problem when an API invocation originates from an IP address that Threat Intelligence Service reports as suspicious with high confidence.
Cloud Guard Threat Detector uses threat intelligence data in its machine learning and event correlation models to identify suspicious activity and adjust confidence scoring, providing more-reliable security alerts.
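The following is an added example, not Oracle's code, showing in outline the kind of check the Cloud Guard integration performs: API-invocation events from the Audit service are matched against IP indicators from a threat intelligence feed, and only matches at or above a confidence threshold become Problems, while lower-confidence matches are kept as context for an investigator. The feed records and audit events are constructed for the example; the JSON layout of the feed (`type`, `value`, `confidence`, `threat_types`) is an assumption, and the audit events use a simplified subset of the OCI Audit event fields (`eventType`, `data.identity.ipAddress`, `data.identity.principalName`).

```python
"""Match constructed OCI Audit events against a constructed IP indicator feed.

Added example (not Oracle's code). Feed field names are assumptions; audit
events are a simplified subset of the OCI Audit event schema.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed threat-intelligence feed. Layout is an assumption for the example.
TI_FEED = [
    {"type": "IP_ADDRESS", "value": "203.0.113.7", "confidence": 95,
     "threat_types": ["scanning", "brute_force"]},
    {"type": "IP_ADDRESS", "value": "198.51.100.23", "confidence": 40,
     "threat_types": ["anonymizing_proxy"]},
    {"type": "IP_ADDRESS", "value": "not-an-ip", "confidence": 99,
     "threat_types": ["malformed_entry"]},          # malformed, must be skipped
    {"type": "DOMAIN_NAME", "value": "bad.example", "confidence": 90,
     "threat_types": ["c2"]},                       # not an IP, not indexed here
]

# Constructed Audit events, reduced to the fields the check needs.
AUDIT_EVENTS = [
    {"eventType": "com.oraclecloud.identitycontrolplane.createuser",
     "eventTime": "2024-05-01T10:00:00Z",
     "data": {"identity": {"principalName": "ops-admin", "ipAddress": "203.0.113.7"},
              "request": {"action": "POST", "path": "/20160918/users/"}}},
    {"eventType": "com.oraclecloud.computeapi.launchinstance",
     "eventTime": "2024-05-01T10:05:00Z",
     "data": {"identity": {"principalName": "ci-runner", "ipAddress": "198.51.100.23"},
              "request": {"action": "POST", "path": "/20160918/instances/"}}},
    {"eventType": "com.oraclecloud.objectstorage.getobject",
     "eventTime": "2024-05-01T10:06:00Z",
     "data": {"identity": {"principalName": "backup-svc", "ipAddress": "192.0.2.10"},
              "request": {"action": "GET", "path": "/n/tenant/b/bucket/o/file"}}},
    {"eventType": "com.oraclecloud.computeapi.terminateinstance",
     "eventTime": "2024-05-01T10:07:00Z",
     "data": {"identity": {"principalName": "internal-job"},   # no source IP recorded
              "request": {"action": "DELETE", "path": "/20160918/instances/x"}}},
]


def normalize_ip(value: Optional[str]) -> Optional[str]:
    """Return a canonical textual IP address, or None if the value is not one."""
    if not value:
        return None
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def load_ip_indicators(feed: List[dict]) -> Dict[str, dict]:
    """Index IP_ADDRESS indicators by canonical address.

    Non-IP indicator types and malformed addresses are skipped. If the feed
    repeats an address, the record with the highest confidence wins.
    """
    indexed: Dict[str, dict] = {}
    for rec in feed:
        if rec.get("type") != "IP_ADDRESS":
            continue
        ip = normalize_ip(rec.get("value"))
        if ip is None:
            continue
        if ip not in indexed or rec["confidence"] > indexed[ip]["confidence"]:
            indexed[ip] = rec
    return indexed


def match_audit_events(events: List[dict], indicators: Dict[str, dict],
                       min_confidence: int = 80) -> Tuple[List[dict], List[dict]]:
    """Split matching events into Problems (>= min_confidence) and lower-confidence context."""
    problems: List[dict] = []
    context: List[dict] = []
    for ev in events:
        identity = ev.get("data", {}).get("identity", {})
        ip = normalize_ip(identity.get("ipAddress"))
        if ip is None or ip not in indicators:
            continue
        rec = indicators[ip]
        hit = {
            "eventType": ev.get("eventType"),
            "eventTime": ev.get("eventTime"),
            "principal": identity.get("principalName"),
            "ipAddress": ip,
            "confidence": rec["confidence"],
            "threatTypes": list(rec["threat_types"]),
        }
        (problems if rec["confidence"] >= min_confidence else context).append(hit)
    return problems, context


if __name__ == "__main__":
    found, ctx = match_audit_events(AUDIT_EVENTS, load_ip_indicators(TI_FEED))
    for p in found:
        print("PROBLEM", p)
    for c in ctx:
        print("context", c)
```

The threshold is the important knob: a low-confidence indicator such as a shared anonymizing proxy is useful context during an investigation but would produce noisy Problems if it were treated the same as a high-confidence scanner address.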
Threat Intelligence Service is a free service in OCI. It is not available for Free Tier customers. Services that are integrated with Threat Intelligence Service may come at an additional cost.
Cloud Guard and Cloud Guard Threat Detector are the first services integrated with Oracle Threat Intelligence Service.
Direct search queries via the Console and API to the Threat Intelligence Service database are subject to rate limiting to protect performance and prevent abuse.
Threat Intelligence Service aggregates threat intelligence data from common open source feeds, technology partners such as CrowdStrike, and our own internal security expertise and observations.