After this lesson, you will be able to: Distinguish IOCs from IOAs, name the major ISACs and threat-intel platforms, and ingest a free feed into a SIEM or detection workflow.
Knowing about a threat is half the job. Operationalising the knowledge, getting IoCs into your detection tools automatically, is the other half. This lesson covers what an ISAC is, how to consume threat feeds, and the distinction between indicators and behaviours.
Indicator of Compromise (IoC), an artefact that suggests an intrusion happened. A hash, an IP, a domain, a file path, a registry key. Indicator of Attack (IoA), a behaviour that suggests an intrusion is happening. PowerShell with -enc, scheduled tasks calling .ps1 from %TEMP%, suspicious child processes from Word. IoCs decay fast (attackers rotate infrastructure); IoAs are more durable because they encode tradecraft. Mature CTI programs prioritise IoAs over IoCs and treat IoCs as a complement, not the deliverable.
An ISAC (Information Sharing and Analysis Center) is an industry-specific group that pools threat intelligence among members. Financial Services ISAC (FS-ISAC), Healthcare ISAC (H-ISAC), Energy ISAC (E-ISAC), Multi-State ISAC (MS-ISAC, free for state/local government), Aviation ISAC, IT-ISAC. Membership is usually paid or eligibility-restricted. Most ISACs share IoCs, sector advisories, and run regular calls. If you work in a regulated industry, ISAC membership is often the most actionable feed you can get.
CISA's Automated Indicator Sharing (AIS), free, STIX/TAXII format. AlienVault Open Threat Exchange (OTX), free, community-contributed pulses. Pivot from one indicator into related actor/campaign. Abuse.ch (URLhaus, Feodo Tracker, ThreatFox), feeds for hostile URLs, banking trojan C2s, and IoCs. VirusTotal Intelligence (paid) or LiveHunt (paid feature on commercial accounts), advanced retro-hunt capability. MISP (open-source), platform you run yourself for ingesting + redistributing feeds.
Pick one feed, wire it into your Splunk Free instance.
Sign up for AlienVault OTX (free account); generate an API key
In Splunk, install the OTX add-on from Splunkbase (free)
Configure the add-on with your API key; select 2-3 pulses to start (don't ingest the firehose)
Wait for the index to populate; query: index=otx | stats count by indicator_type
Write a correlation: 'index=mylogs sourcetype=stream:dns [search index=otx indicator_type=domain | fields domain]' to alert when a logged DNS query matches an OTX domain
Document the workflow as a runbook so an analyst can act when the alert fires
Subscribing to too many feeds. Two well-tuned feeds beats ten noisy ones. Treating feed entries as actionable without context. An IP in a feed might be Cloudflare's shared infrastructure; act on that and you'll block a benign service. Always verify with the four-tool OSINT workflow before blocking. Skipping feed expiry. IoCs decay; an IP that was C2 last year may be a legitimate VPS today. Age out indicators automatically. Forgetting attribution. A feed entry without 'why this is malicious' is unusable. Track every IoC with its source rationale.
Pick the one that survives the actor's infrastructure rotation.
Sign in and purchase access to unlock this lesson.