* [Blog](https://www.paloaltonetworks.com/blog)
* [Security Operations](https://www.paloaltonetworks.com/blog/security-operations/)
* [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/)
* Top 4 Use Cases for a Thr...

# Top 4 Use Cases for a Threat Intelligence Platform

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Ftop-use-cases-for-a-threat-intelligence-platform-2%2F)  
[](https://twitter.com/share?text=Top+4+Use+Cases+for+a+Threat+Intelligence+Platform&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Ftop-use-cases-for-a-threat-intelligence-platform-2%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Ftop-use-cases-for-a-threat-intelligence-platform-2%2F&title=Top+4+Use+Cases+for+a+Threat+Intelligence+Platform&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www.paloaltonetworks.com/blog/security-operations/top-use-cases-for-a-threat-intelligence-platform-2/&ts=markdown)  
\[\](mailto:?subject=Top 4 Use Cases for a Threat Intelligence Platform)  
Link copied  
By [Shravanthi Reddy](https://www.paloaltonetworks.com/blog/author/shravanthi-reddy/?ts=markdown "Posts by Shravanthi Reddy")  
Nov 17, 2021  
5 minutes  
[Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown)  
[Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown)  
[Use-Cases](https://www.paloaltonetworks.com/blog/security-operations/category/use-cases/?ts=markdown)  
[Incident enrichment](https://www.paloaltonetworks.com/blog/tag/incident-enrichment/?ts=markdown)  
[playbook-driven automation](https://www.paloaltonetworks.com/blog/tag/playbook-driven-automation/?ts=markdown)  
[proactive threat monitoring](https://www.paloaltonetworks.com/blog/tag/proactive-threat-monitoring/?ts=markdown)  
[threat intel data](https://www.paloaltonetworks.com/blog/tag/threat-intel-data/?ts=markdown)  
[threat landscape modeling](https://www.paloaltonetworks.com/blog/tag/threat-landscape-modeling/?ts=markdown)

Threat Intelligence (TI) can come from different sources---local or external feeds and includes attack signatures, registry data, IP addresses, domain names, and a host of other pieces of information often referred to as "artifacts" or "Indicators of Compromise." TI also adds information about how adversaries operate and behave during an attack, often called Tactics, Techniques and Procedures (TTPs). It is not just daunting but also an expensive endeavor to hire enough analysts to manually combine the threat feeds together for analysis, make the intel relevant, and then push the insights to all other tools.

Threat Intelligence Platform or TIP offers the solution for this problem. A [Threat Intelligence Platform](https://www.paloaltonetworks.com/cyberpedia/what-is-a-threat-intelligence-platform?ts=markdown) aggregates hundreds of intel sources into a single repository for analysts to easily and effectively identify threats and build awareness and create context around the threats.

Let's explore the top four use cases for a Threat Intelligence Platform and how each use case helps security teams to fight cyber crime with confidence.

### **1. Incident Enrichment Using Threat Intel Data**

**Problem**: Most tools that Security Operations Centers and Incident Response (IR) teams use to respond to alerts are very generic. There is not much of a correlation of network data and understanding of threats and attacker movements. Many times there is a dump of information including bad IP addresses or domains and someone has to be assigned to manually resolve to figure out false positives. There is also a lack of understanding of malicious families, hacking tools and their patterns of attacks. The process is cumbersome, takes up a lot of time, and is impractical. It's especially so in the present security scenario where hundreds if not thousands of indicators are collected on a daily basis.

**Solution**: Accelerating incident response with Threat Intelligence Platform and alert enrichment using Threat Intelligence (TI) data.

Incident enrichment workflow in Cortex XSOAR Threat Intelligence Management leverages TI from our very own high-fidelity centralized threat intelligence library [Unit42](https://www.paloaltonetworks.com/unit42?ts=markdown) to look up:

* Research data from Unit42 to learn about known malware campaigns or families
* IPs and domains with WHOIS data
* Passive DNS data
* Web categorization data

Our next release of TIM 3.0 coming up in December has enhancements and capabilities mentioned above to help respond to incidents with confidence. [Here](https://bcove.video/3osxGYr) is a glimpse of this new capability.

### **2. Proactive Blocking of Threats**

**Problem**: The security team needs to leverage threat intelligence to block or alert on known bad domains, IPs, hashes, etc.. The indicators are being collected from many different sources which need to be normalized, scored, and analyzed before the customer can push to security devices such as SIEM and firewall for alerting. Detection tools can only handle limited amounts of threat intelligence data and need to constantly re-prioritize indicators.

**Solution**: Proactive threat monitoring with playbook driven automation.

With indicator prioritization, you can ingest alerts from email inboxes through integrations. Once an alert is ingested, a playbook is triggered and can have any combination of automated or manual actions that users desire. The playbooks can have filters and conditions that execute different branches depending on certain values.

Here is a[demo](https://bcove.video/3kulRzS) of how TIM works with pro-active blocking of threats.

### **3. Intelligence Reporting and Distribution**

**Problem**: Threat Intelligence programs have a growing set of responsibilities. One of the key responsibilities is production and dissemination of threat intelligence reports which keep employees up to date on the latest threats targeting their industry. Most intelligence is still shared via unstructured formats such as email, blogs, etc. Sharing information about indicators of compromise is not enough. Additional context is required for the shared intelligence to have value. Analysts go through hours of manual work aggregating and digging for known malware families, curated news and threats related to the company, or the vertical for an industry and why the story is relevant to the company. They need to send this report out to a large audience for security awareness and alert to other stakeholders so they can facilitate better in the future.

**Solution**: Workflows and central repository for intelligence analysts to create, collaborate and share finished intelligence products with stakeholders via PDF reports. Intel analysts will be able to understand trends within threat intelligence using their local/curated intel + Unit42 threat intelligence. Consume RSS feeds to collect all the news sources.

Here is a [demo](https://bcove.video/30fNLIs) of how TIM helps you with intelligence reporting and distribution..

### **4. External Threat Landscape Modeling**

**Problem**: Threat Intelligence teams need to understand details of attacks and how their organization may be vulnerable. The foundational element of understanding risk/impact to an organization begins when threat analysts begin profiling the attacks.

**Solution**: Threat modeling to prevent or mitigate the effects of threats to the system.

Intel team builds profiles of threat actors, identifies if there are related attacks, identifies which techniques and tools the threat actor used. This information is shared to stakeholders including security operations and leadership.

See this [demo](https://bcove.video/3wUuRmV) to see how external threat landscaping is done in a real scenario.

### **Conclusion**

While threat intelligence is data and information about threats, a [threat intelligence platform](https://www.paloaltonetworks.com/cyberpedia/what-is-threat-intelligence-management?ts=markdown) is the collection, normalization, enrichment and actioning of data about potential attackers and their intentions, motivations and capabilities. This information can help organizations make faster, more informed security decisions, and thus be better prepared for cyberthreats.

The best [threat intelligence solution](https://www.paloaltonetworks.com/cortex/threat-intel-management?ts=markdown) for your organization will vary depending on your needs and we recommend a "use-case-centric" view when looking for the best solution for your organization.

Join us for an upcoming webinar to learn more about these use cases and how TIM's next release helps you put threat intelligence to action. Register [here](https://register.paloaltonetworks.com/cortexxsoartopusecaseswebinar--december162021?utm_source=timblog).

*** ** * ** ***

## Related Blogs

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown), [Use-Cases](https://www.paloaltonetworks.com/blog/security-operations/category/use-cases/?ts=markdown)

[#### SCCM: Enterprise Backbone or Attack Vector? Part 2](https://www.paloaltonetworks.com/blog/security-operations/sccm-enterprise-backbone-or-attack-vector-part-2/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown), [Use-Cases](https://www.paloaltonetworks.com/blog/security-operations/category/use-cases/?ts=markdown)

[#### SCCM: Enterprise Backbone or Attack Vector?](https://www.paloaltonetworks.com/blog/security-operations/sccm-enterprise-backbone-or-attack-vector/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown), [Use-Cases](https://www.paloaltonetworks.com/blog/security-operations/category/use-cases/?ts=markdown)

[#### Disrupting Legacy Vulnerability Management](https://www.paloaltonetworks.com/blog/security-operations/disrupting-legacy-vulnerability-management/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown), [Use-Cases](https://www.paloaltonetworks.com/blog/security-operations/category/use-cases/?ts=markdown)

[#### Cortex Advanced Email Security -- Built for Today's AI Threats](https://www.paloaltonetworks.com/blog/security-operations/cortex-advanced-email-security-built-for-todays-ai-threats/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown), [Use-Cases](https://www.paloaltonetworks.com/blog/security-operations/category/use-cases/?ts=markdown)

[#### Hunt and Investigate Removable Drive Threats with Cortex XDR](https://www.paloaltonetworks.com/blog/security-operations/hunt-and-investigate-removable-drive-threats-with-cortex-xdr/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [News and Events](https://www.paloaltonetworks.com/blog/security-operations/category/news-and-events/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown), [Use-Cases](https://www.paloaltonetworks.com/blog/security-operations/category/use-cases/?ts=markdown)

[#### You Need an Enabler](https://www.paloaltonetworks.com/blog/security-operations/you-need-an-enabler/)

### Subscribe to Security Operations Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language