IncMan SOAR’s Use of Threat Intelligence and the Value of Correlation

Back to all articles

Before we begin to delve into how IncMan SOAR utilizes open source intelligence for correlation capabilities and enrichment validation through its bidirectional integrations, it is essential to have a basic understanding of what threat intelligence is. We will briefly touch upon the main tenants of threat intelligence and then illustrate how IncMan leverages the best amount of information provided by these sources.

Threat intelligence will fall under three classifications which are tactical, strategic, and operational. The operational element of threat intelligence doesn't apply to this specific use case so we will not address this aforementioned field. Additionally, for threat intelligence to be effective it has to meet 3 tenants which are actionable, timely and confirmed. The acronym that we like to use is ‘ACT’:

A - Actionable

C - Confirmed

T - Timely

Threat Intelligence Categories

Tactical Intelligence

Tactical intelligence is often short-lived and usually provides the least amount of value compared to the other threat intelligence elements. The list provided below composes what tactical intelligence entails, and these particular elements often support the beneficial information necessary for effective threat hunting.

  • IP Reputation
  • Malware Analysis
  • Signatures
  • Domain/URL Context

The primary reason behind this is because the attributes have a shelf life of minutes or even seconds. It is incredibly easy to modify Domain names, IPs and hash values which makes their value of little importance, and that's the reason as to why it sits at the bottom of the ‘Pyramid Pain’.

Strategic Intelligence

Strategic intelligence supplies information that is used for long-term use. This type of information is a lot more difficult to acquire and a significant amount of research and investigative work is required to assimilate intelligence of this nature. This type of intel sits at the top of the pyramid and includes data such as:

  • Techniques Tactics and Procedures (TTPs)
  • Geographic Locations
  • Specific Exploit Tools
  • Nation-State Sponsors
  • Specific Malware Families

Now that we have a basic understanding of what threat intelligence is, we will now move on to list a few of the intelligence integrations and open source feeds that IncMan SOAR uses for its security purposes.

IncMan SOAR's Threat Intelligence Integrations

Here is a small list of a few of the threat intelligence integrations IncMan uses for correlation and threat intelligence services. This by no means is an exhaustive list but just a sample of the many sources that are used for our security orchestration in correlation capabilities. We will briefly list the abilities of the threat intelligence integration along with how IncMan utilizes certain services provided by these bidirectional integrations.


MaxMind specializes in fraud prevention and geolocation of potentially malicious Domains and IP addresses. During the enrichment phase of an incident, IncMan will use MaxMind to verify the location of destination IPs.


AlienVault provides a host of solutions associated with threat intelligence. IncMan is able to capitalize on its threat intelligence for the purpose of URL, IP, and Domain Reputation. Additionally, hash values can be cross-referenced and verified via File Reputation validation and also Geolocation of a particular domain is also achieved via AlienVault.


ThreatConnect is another leader in threat intelligence services. It remains to be one of the more popular sources for analysts and researchers in the field. It receives over 100 different intel feeds daily and it also has a very strong community portal following for those that are affiliated with this specific area of cybersecurity. IncMan relies on its information to validate potentially malicious tactical intelligence.

Recorded Future

Recorded Future has become a household name when it comes to threat intelligence and cybersecurity-related information. In just a few years they have been able to make a name for themselves and have become very well respected within the threat intelligence community. Additionally, Recorded Future takes great pride in educating the public through there multiple podcasts and daily email updates on relevant information. IncMan utilizes its many services to validate and very reputational data that could be correlated with any type of tactical or strategic threat intelligence.


Structured Threat Information Expression (STIX) is not a tool or application but rather a standardized language that is used and shared among those within the threat intelligence community. STIX provides information and services to IncMan to include threat intelligence data associated with observables, strategic incident intel, and multiple forms of indicators of compromise pertaining to tactical data.


Trusted Automated Exchange of Indicator Information (TAXII) is very similar to STIX. Like STIX, TAXII is not a dedicated threat intelligence sharing platform. Seemingly, it is more focused on defining the standards needed to communicate cyber threat intelligence amongst those in the alliance. Additionally, aside from TAXII’s focus on upholding language standards, IncMan draws upon its threat intelligence information sharing hubs. Intel can be obtained through several sources such as peer-to-peer and being able to query repositories that have been created and maintained by organizations and individuals for the sole purpose of sharing threat intelligence data.

IncMan SOAR’s Correlation Engine

All incidents created within the IncMan SOAR platform will contain observables and artifacts that are stored for numerous purposes. Observables and artifacts will include elements such as IPs, Domains, URLs, geo-locations, and hash values just to name a few. IncMan’s correlation engine permits its users to perform correlation capabilities via manually or by generating a visual graph to help speed up the process correlation necessities.

Below you will find a correlation graph that was generated for the purpose of this use case. Each node represents an incident which will have at least one line, or edge, that will be connected to another node, to indicate some type of correlation among the connected nodes. Additionally, depending on the color of the line or edge, dictates the number of correlations that exist between that node and its connecting nodes.

For example, green is an indicator that there is only one association between those two nodes. However, the red lines indicate that there is a minimum of three correlations that exist between the connecting nodes of that red edge.

IncMan SOAR’s correlation engine is a great function for those who wish to maximize their time and resources when it comes to deciphering the many artifacts and indicators of compromise affiliated with each node. Once you are within the correlation engine GUI, the user is authorized to perform correlation requirements in two ways. For those who are visual learners the ability to generate custom correlation graphs are not only visually appealing but also very efficient and fun to manipulate and query for information and data. The customers are also able to manually click through the various incidents without the graph for incident research necessities.

In Summary

Threat intelligence has now become the epicenter to the cybersecurity industry. With the ability to piece together all of the moving elements of a malicious nation-state or threat actor we can now transition into offense mode. A few of the main takeaways to remain cognizant of are that there are several forms of threat intelligence and not all serve an equal value. This is why IncMan relies on multiple streams of threat intelligence to guarantee that our flagship product specializing in security orchestration and automation is continuously up-to-date with the latest and greatest when it comes to defending against those that wish to bring harm to our organization, family and friends.

Download our eBook "The Most Comprehensive eBook on SOAR Use Cases", and learn how to automate your security operations workflow, accelerate the efficiency of your SecOps team, and combat cyber threats with the power of SOAR technology.

Get Started with a One-to-One Personalized Demo

Dramatically reduce the mean time to detection, response and remediation of all potential security incidents, ensuring no alert goes untouched.

See IncMan SOAR in Action.

Request a demo