Video: Operationalize Threat Intelligence: 3 Essential Integration Workflows | Duration: 3384s | Summary: Operationalize Threat Intelligence: 3 Essential Integration Workflows | Chapters: Welcome and Introduction (6.08s), Maturity Assessment Framework (114.035s), Security Maturity Framework (281.315s), Cyber Operations Overview (399.91s), Security Workflows Overview (615.115s), Indicator Enrichment (811.29s), Vulnerability Prioritization Workflow (1290.485s), Autonomous Threat Operations (1836.015s), Autonomous Integration Strategy (2403.55s), Q&A and Closing (2870.35s)
Transcript for "Operationalize Threat Intelligence: 3 Essential Integration Workflows": Okay. Welcome, everyone. Thank you so much for joining us today. I'm Maddie Malitz, product marketing manager here at Recorded Future, and I am joined by my colleague, Kyle Koehler. Kyle, would you like to give a quick little intro? Yeah. My name is Kyle Koehler. I am a product manager overseeing our integration strategy here at Recorded Future. Awesome. We are really glad that you carved out the time to join us for this webinar. We have three essential integration workflows to walk through today, plus one bonus workflow at the end, so definitely stick around for that. Before we dive in, just a couple of quick housekeeping notes. We'll be running a live Q&A at the end, so please drop your questions into the chat as we go, and we'll make sure we get to as many as we can. And, also, this is a live webinar, so the recording will be sent as a follow-up. That way, you can easily revisit any of the content that we cover. Now today's session is going to be a little bit different than a typical product webinar. We're not here to introduce something that's entirely new, but we're really here to help you get the most value out of what you already have. Or for those of you that are maybe just exploring Recorded Future, to show you what's possible when you connect it to the tools already in your stack. So let's cover a little bit of how we'll spend our time today. We'll start by helping you find your starting point. We'll do a quick self-assessment so you can understand where your organization sits on the threat intelligence maturity journey right now. From there, we'll map that to one of four maturity stages so you know which integrations will actually move the needle for your team. And then Kyle is going to walk through three specific workflows. Each one matches the tools you very likely already have in your tech stack.
And then we'll close with clear next steps that you can take today. Yeah, Maddie. And I wanna interrupt too. I think when we think about maturity stages, and I hope the audience can take it this way as well, it's not just like a criticism of, like, your overall program. Right? And it's difficult to say, like, our overall program is grade A or grade B or is in grade 12 or is a PhD student. I think it's more like even within a specific mission of your cyber defense strategy, you could be potentially more reactive. And maybe within, like, alert management, you could be more autonomous. So really think about it from, like, a specific use case, a specific kind of mission of a team, vulnerability management, incident response, and think about kind of how that might live on this scale, not just the whole program as a whole. Yeah. I think that's a great call out. And the reason we really built this maturity scale and journey in general is to help it kind of map to what your goals are. So if there's a desired state that you're hoping to get to, there might be some steps to take to reach that, and it's just a way to kind of place yourself so you can figure out what's the best place to start and what next steps you should take. So, just to kinda get a little bit of a sense of the room, I wanted to ask just three questions that we have listed here. And you can really either keep these answers just in your head or drop them in the chat if you would like, just so we can have some more interaction that way. But you'll understand a little bit more why we're asking this when we get to the next slide and all of the workflows as well. But first, getting into the questions, what does your current alert workflow look like? So are analysts still manually enriching indicators across multiple tools? Do you have alerts sitting in a queue until someone gets to them? Are there automated playbooks? What does that look like for you?
Second, we are asking, what's your most time consuming process right now? Is it the alert triage, incident investigation, vulnerability prioritization, or threat hunting? And then third, what's your top priority for the next twelve months? Are you wanting to reduce detection and response time, increase SOC efficiency, improve vulnerability prioritization, or scale threat hunting? Your answers are going to help you determine which workflow to prioritize first as we work through them today. And then, again, if you'd like a more structured way to think through this, we do have a maturity assessment that you can take and kinda see where you fall within this scale. I think that we will drop that in the chat too in just a second. I know I've worked at organizations where the alert workflow was wait until somebody else tells me that something's broken. And even that might not even be reactive. That's like before reactive. It's like I didn't even know and somebody had to tell me, not even the means. So, you know, it's like an account that's locked out and the password's been rotated from underneath them because they got infected by an infostealer malware, but the IT team didn't even know until the user reached out via cell phone that they were locked out of their account and somebody changed their password underneath them, versus other reactives, which is, you know, hey. You got alerted to a leaked credential. And so there's all sorts of color and spectrums within each of these as well. Oh, yeah. For sure. So here's that framework that I was really talking about too. The four stages, Kyle kind of alluded to this a little bit, but reactive, proactive, predictive, and autonomous. So understanding really where you sit right now, you can determine what integrations, as we walk through the workflows, will really help you reach your either desired state or address the state that you're in currently.
At the reactive stage, the focus is responding to incidents as they happen. Proactive, the goal shifts to really hunting for these threats before they become incidents and keeping detections aligned with the changing landscape. And then predictive is really about extending the intelligence beyond the SOC to every stakeholder across your organization. And autonomous is where your security infrastructure is identifying and responding to threats at machine speed. And wherever you are on this journey, and like Kyle said, this is just the journey we created. Obviously, there's a lot of different ways people can interpret maturity and will place themselves. But this is how we're aligning the workflows today and why we ask those three questions, to kinda give you a little bit of an idea of where you might wanna fall within this chart. Okay. Getting into the workflows that we'll cover today, there's three workflows that all fall within our cyber operations solution. I wanted to give you just a quick glimpse into our overarching solution areas before Kyle gets into the workflows in more detail, but the first is cyber operations. You'll hear a lot more about this throughout the webinar, but this is where most of you will probably wanna start. And if you're dealing with alert fatigue, slow response times, difficulty prioritizing what matters, this is really where you would start. And then while we're not sharing any workflow specific to the next two solution areas, I wanted to just make sure you knew what was possible within them. So for digital risk protection, the solution is really relevant if you're seeing account takeovers or brand impersonation or phishing campaigns targeting your customers.
And then for third party risk, if vendors are becoming an attack vector for your organization or you're struggling to assess third party risk beyond questionnaires, or even if supply chain compliance is a priority for you, this is a solution that would address that gap for you. Again, these are all solution areas that we support. Along with the fourth one, there is payment fraud intelligence as well that's worth mentioning. But just for the purpose of this webinar, we are diving into three cyber operations specific workflows. Before I hand it over to Kyle, I just wanna emphasize that the key to effective threat intelligence is not always adding more tools. It's really making the ones that you already have work together, and this happens in two directions. For us at Recorded Future, you can share detection data with us, sending telemetry through Collective Insights, watch list connectors, so that way the platform can surface these patterns and relevance from across the community, giving you really a centralized view across all of your security tools. And then you can also enrich your operations from Recorded Future. So integrating intelligence directly into your other tools through automated API connections that deliver dynamic risk lists right where your analysts are already working and spending the majority of their time. This diagram shows the full picture of how data flows. This is our security architecture, and I apologize about the spacing on the slide. But there's actually a click-through available in the documents tab too of what our security architecture looks like. But this shows how the data flows. On the left, tools sending data in to Recorded Future. On the right, tools receiving enriched intelligence back. What I kind of wanted you to take from this slide, this is a super comprehensive view, but it shows you the breadth of what's possible to be connected.
All of the tools, SIEMs, SOARs, TIPs, vulnerability management tools, GRC platforms, these integrations all exist within Recorded Future, and they're available to you in the integration center as well, just waiting to be turned on at this point. So, Kyle, I'll pass it over to you so you can talk through the simple steps and the workflows that everyone can take to just start taking advantage of all of these tools and what's available. Cool. Thanks, Maddie. So, really, the workflows that we're gonna go over today are truly about, I think, delivering outcomes within your security program. And many of these things might be things you're already doing today or it might be things that you've, like, heard could be really useful to your program. So we'll go over IOC enrichment, which is, hey. I have some sort of alert, and it's got these various indicators of compromise in it. Can you tell me more information about why this alert fired or why this thing was risky? So think about your EDR solution firing an alert and saying that some hash was quarantined. You'd really like some more context on what kind of malware family that was. What does that malware family actually affect? Does it leverage any vulnerabilities? So there's lots of different kind of spiders of connections that you can follow that help you determine, is this threat a real risk to my business? Similarly, in, like, a SIEM solution, you might have massive amounts of indicators of compromise flowing through, and maybe the alerts are not super tuned to look at absolutely everything that's risky out there in the world. So you've got this kind of correlation workflow as well. But with vulnerability prioritization, most organizations here, you know, are really relying on, like, a CVSS score for severity or some sort of other vendor specific risk score that might come specifically from your vuln scanner of choice. There's a lot more to be done there.
What about additional contextual threat intelligence connected to this case, to say, is this vulnerability attached to a specific campaign or a threat actor or a malware? And then what are the impacts of that malware, that campaign, or that threat actor? So you can really start to see how potentially risky a specific vulnerability might be. But also what about kind of the threat landscape information about has this vulnerability been seen a lot within my kind of industry, or potentially is this, like, something that's always being used or most commonly being used to target my industry, which really gives you kind of a threat landscape prioritization that that's one of the vulnerabilities you should prioritize patching because it's actively being used to target companies like yours, not just you. Then finally, we'll get into autonomous threat operations, which is an add-on license within our product. And this is really where we have kind of this native workflow for Recorded Future to take action in your downstream tools. So more than just prioritizing who your riskiest threats are and building kind of a profile of what you would wanna block or detect or hunt for, you can actually have Recorded Future's workflows doing that for you. So our machines reaching out into the tools that you've configured to do a retroactive threat hunt as a new threat emerges and changes in the information that's underneath it, or you could really have kind of a riskiest indicators list that you've specifically tuned always being set to active detection or active blocking within some of your tools like an EDR, etcetera. So, we'll get into each of these, but just as a high level, those are the three workflows, and then there's a short bonus workflow at the end as well. So indicator enrichment, at this point, really starts with some sort of detection, and we'll get into in the third workflow whether or not that detection is powered by threat intelligence.
But if you're just relying on the native engine of your solution, so you've got an EDR tool like CrowdStrike or Microsoft Defender XDR, SentinelOne, Trend Vision One, ESET, like, really whatever you've got deployed on an endpoint, could be workstation or a server, it's gonna detect some sort of suspicious activity. Maybe it's using its own threat intelligence to say that, like, it knows a specific IOC is risky and potentially a machine navigated to, like, some command and control infrastructure, or maybe it's behavioral. Maybe it's powerful enough to say, well, some action just occurred on the endpoint that deleted a bunch of shadow copies, and that's kind of the initial stage of ransomware sitting in wait before it does any sort of encryption. Always, these tools are gonna send out some sort of alert. So these are going to fire an alert or many within your EDR tool. And for many organizations, it just lives there. So, you know, if you're just kinda living and triaging alerts within your endpoint detection platform, that's just, you know, what we would call the reactive stage of your maturity journey. And it's not, like, a negative connotation to be there. Like, just even acting on them alone is more effort than many, even some organizations can take. Some organizations really do suffer from alert fatigue and are so burdened by alerts generated into their platform that they're not able to get to all the alerts that are generated in a day within a day. So many organizations then leverage something maybe like a SOAR platform. They're sending these alerts to some sort of orchestration platform that can help take action on their behalf. So that's the second stage here, an alert to send, then the lookup call. A SOAR might use some other information, usually threat intelligence, to look at if that indicator or any of the underlying metadata of the alert has some sort of risk connotation with it.
So in this case, you would send your alerts into a SOAR platform. The SOAR platform would reach out to Recorded Future and say, hey. Is this hash risky? Is this network telemetry risky? Did we reach out to a potentially risky indicator? And maybe it generates a new correlation alert because it's able to look at something you didn't know, or it's enriching something you did know and finding out so much more information about how you should take action. So if it reaches out into the threat intelligence and says, well, your native EDR solution said that this IP address was risky because it was attached to malicious infrastructure. But then you use a real time threat intelligence solution like Recorded Future, and that shows that that specific indicator was risky, but it was risky last week. And, actually, through our continuous detection, we could verify that we reduced the risk score because at the time that you detected it, it wasn't hosting malicious infrastructure anymore, because adversaries are using automation to move their infrastructure. They're using this to hide from detection tools. And so a more kind of stale threat intelligence feed might say, yeah. That was risky. We saw it last month. A more real time threat intelligence solution says it was risky last month. It was risky last week, but actually at the time that you detected it, it was not. And the SOAR can take action. It can log that the alert is informational. It can write that context. It will have the Recorded Future contextual threat intelligence added into the alert and determine if something does move on to some sort of remediation phase, some sort of incident response phase, or whether you can just triage that as informational and move on and close the incident. So those are kind of the steps from a detection to enriching the information to actually taking action, so you can enable that faster response.
Having this enrichment allows you to use the information of real time threat intelligence to make a better decision. And not only make a better decision, but make a faster decision. So you go from, I have a 100 alerts to triage today, 20 of them fired while I was sleeping, to, actually, I have a 100 alerts to triage today, but I'm really just validating what the machine did. The machine took the 20 that fired while I was sleeping, and 19 of them were low level informational based on stale threat intelligence. One of them seems like I should dig into it a bit more and forward it to the right team. And of the other 80, actually, 60 of those also were logged as informational because of threat intelligence, and I've only got 21 alerts to work on now. So that workflow is so much more manageable for an analyst, and you have such a much stronger story to tell security leadership about how you're using threat intelligence to accelerate the mission of your team. You're able to share how you're using technology to augment the capabilities of the humans on your team and say that now we are kind of standing on the shoulders of this data and using the data to really inform our program. You've got faster time to response, faster time to detect, and you're doing a whole lot less manual work. So that's really how you can move along this maturity scale, and you're truly going from that reactive to proactive and maybe even into this predictive type of the maturity scale where you can start using threat intelligence to inform the unknown detection capabilities of those platforms. So IOC enrichment is kind of one of those, like, low hanging fruits. I call it, like, table stakes. Like, it's really one of those things that you should be doing within your program. If you have a SOAR platform, 100%, you need to be leveraging Recorded Future's APIs.
We have many pre-built integrations for these solutions if you go into our integration center and see which of them support SOAR platforms. And if not, we have really unrestricted public APIs where you can build your own kind of SOAR playbooks as well. And now even with large language models, so many of them are able to iterate and build scripts all with our APIs. So many of them can even build, like, native SOAR playbooks. I recently had an LLM build me an XSOAR playbook that did a very specific type of enrichment related to certificates, and it was incredible. Like, I just loaded it right into that platform, and it loaded like a native package. It was really kind of an accelerator. So definitely, IOC enrichment, table stakes, something you should 100% be doing. There's no reason that you should be going along with one opinion on your alerts and the threats and the risks related to that alert. You should always be using your threat intelligence to get a second opinion. This is one of those XSOAR examples. So you've got at the top kind of, hey. Some playbook trigger that maybe brought in an alert. Is there some sort of metadata in here that could be enriched? Let's enrich it with Recorded Future. Let's get that IP address intelligence, and let's bring that IP address intelligence back into the alert. So by the time somebody does review this alert body, it has all of that contextual information right inside of it. And I think this is a really good point too to make that you're not hitting a button to go ask Recorded Future for more information. This is an automated process that's running in the background that's adding our contextually related threat intelligence to whatever it is you're working on before you even start working on it. So, really, that's kind of a true automated playbook that you're gonna want to run with. Splunk SOAR is no different. You've got reputation lookups. So has this indicator been seen before?
Is it truly risky? And I'll kind of double click on something I said before, which is it's not just about telling you how risky something is in the malicious way. It's also being used to deprioritize certain efforts. So if, again, maybe some sort of native detection engine of your tool says that something was high risk, you really should get a second opinion to make sure you're not spinning your wheels on a specific task or a specific threat use case that potentially, you know, is just not there. Alright. Second workflow. So our second workflow is vulnerability prioritization and automated response. So this, like others, starts with an alert. Either Recorded Future detects a threat. You know, we've got our vulnerability intelligence alerts that can tell you that something changed in risk score. Maybe it went from just informational, never been used before, to being exploited in the wild, or potentially there's a vulnerability identified within your vulnerability watch list as having brand new kind of risk associated to it. So all these are about a risk state change. It could also be about your internal vulnerability scanner finding new vulnerabilities. And, again, through their native technologies, also saying, hey. This CVE is, like, a CVSS nine. Right? And, therefore, this vulnerability is highly actionable and should absolutely be patched. If you are doing vulnerability management or you're managing the vulnerability management program, you have an inordinate amount of work. You know, I think that, I was just at RSA and still almost every booth is talking about alert fatigue and how many alerts there are. And mostly that's in, like, the context of the SOC. You know, it's like, oh, the EDR is firing an alert or the SIEM is firing so many alerts. If you're doing vulnerability management, I know firsthand you have the most alerts out of anybody in the security team. Vulnerabilities are insanely everywhere.
You know, I really think that these are truly product defects. It's not just like, oh, somebody figured out how to break something. It's that something was kind of built in a weird, shoddy way. And if you've been following the news, you know, there are various kind of frontier models that are out there building cybersecurity programs that are gonna try to help really big infrastructure platforms patch and build better software, but I don't think we're ever gonna get away from vulnerability management. So you've got thousands, tens of thousands, hundreds of thousands of vulnerabilities within your organization, and prioritization is the only thing you can do to make sense of what to patch next. So like I mentioned, a lot of organizations use some sort of existing scoring methodology. CVSS is one of those, you know, zero to, or 1.1 to 9.9, you know, all of these different scoring systems. Recorded Future's got one to 99, and, really, we're giving you the why something is risky. So if something's exploited in the wild, that's where you might actually wanna take action. If it's exploited in the wild and targeting organizations in your industry, that's something that's specifically in your neighborhood and a risk to you. So you wanna take action and you wanna take some of that alerting and ingest it somewhere and do something with it. So you're bringing that into a SOAR platform where you've got some sort of existing vulnerability prioritization playbook, and that's gonna cross reference the scan results in your SIEM to see, you know, where that might have triggered. You've got CVEs triggering on different assets. You're able to verify, is this on a risky asset? Also, this is that same second opinion workflow. You've got a CVSS nine that somebody is telling you you need to go patch, but through threat intelligence, you're able to share, well, actually, this has never been exploited before. It's never been used before. Nobody's seen it in the wild.
So whereas it may be highly critical because it could take down a system, it's actually never been operationalized before, and we have other vulnerabilities in our program that we haven't patched yet that are being exploited in the wild. So it's one of those things where you should really be defending against the threats that are actively pointed against you, not just the threats that some analyst says are potentially quite damaging. So this workflow to prioritize your vulnerabilities is you've got some sort of alert. You're bringing this into some sort of enrichment platform to trigger a playbook. It's checking against various sources just to classify that risk to see if it's truly a threat to the organization. You're assigning results based upon that validation. Should this turn into a patch cycle, you know, or some sort of emergency patch management ticket that happens out of cycle, or can this happen within the existing patching cycles that we already have? And now you have a much more data driven response as to why you're telling a business unit manager why you're gonna take down their mission critical business software, because it could be taken down. Threat actors are actively targeting it. You've got threat intelligence that kind of echoes this concern. It's not just a theoretical problem. Or you're telling a business unit manager that, actually, you know, we do need to patch the 10 or 20 vulnerabilities that were discovered through the last cycle, but, you know, we don't need to take down your systems, and that's gonna happen through the regular patch management cycle. So you're gaining trust through the context of threat intelligence. You're sharing why you need to take action now, or you're sharing that you are taking a data driven response as to deprioritizing things that might take down a system for patching and allowing business continuity, allowing business operations to flow.
So, really, that's kind of one of those workflows where you have, again, a prioritization or deprioritization, but it's still about the context of threat intelligence, and that's really what's helping you run some of those workflows. So take threat intelligence as, again, a way to have more information, to make a better decision, and to make a faster decision. There's no reason that also you couldn't use the SOAR platform to rearchitect where your vulnerability prioritization and patch management schedule is. If you have kind of a system of record or source of truth for what needs to get patched and when, you should absolutely be leveraging much more than CVSS to kind of put things in the right order and to deprioritize and reprioritize. There was a question about vulnerability prioritization. Did we have a tool from each of those categories? And, within the Recorded Future integration center, you can find that there's actually various tools that may support, kind of separately, a vulnerability management platform. So we have SOAR integrations, we have SIEM integrations. A lot of them are preconfigured to bring in vulnerability intelligence data, or you may find a native vulnerability intelligence type integration like a ServiceNow vulnerability management module kind of workflow and integration, or you might find a Tenable integration that brings your vulnerability data into Recorded Future, which is a hint on one of these bonus workflows I'll get to later. So Splunk SOAR, very similar to the other SOAR workflows. You're finding something that you already know, and you're querying those results to see if there's any additional context that might prioritize or deprioritize some specific effort. So Splunk SOAR is one of those where it's not directly a vulnerability management type solution, but it can be used to support that program and mission. So lots of different ways to return the data and to take action with the data.
And I think that's what's also very helpful about leveraging a SOAR tool is that you can meet your program where it's at. It's not just like, hey. Here's a drop-in playbook, and you have to follow this playbook. You have various business processes that you have to support. You know? You know that maybe it can't take action, or you know that maybe certain actions need to go through some sort of change management or approval processes. And so having a SOAR playbook that's extensible and changeable and you can make your own allows you to integrate how this workflow might work within your specific organization. So the third and final workflow is our multi-source intelligence and autonomous threat operations. This is really, specifically, a new add-on from Recorded Future called autonomous threat operations, which allows you to bring in a lot of external threat intelligence. So some teams already have feeds beyond the Recorded Future platform that they wanna bring into the Recorded Future platform. There might be regulatory requirements within your industry to leverage a specific information sharing group like an ISAC or an ISAO. Sometimes you'll get feeds from those organizations and those groups and those communities. So if you are already doing some of this, like, layering of intelligence and maybe you're already bringing it into a TIP or maybe you're bringing it into a Slack channel or some sort of spreadsheet, I've seen it all, this is something where Recorded Future is now natively allowing you to bring in multiple sources of intelligence. And it's not just kind of structured threat intelligence. You can bring your own intelligence. Sometimes it's like a SOAR workflow that, after an incident, the metadata of things that were found on a specific endpoint forensically get written back into Recorded Future into your private instance so that you can run threat hunts on those actions and that intelligence from that incident.
So autonomous threat operations is most easily broken down into a few capabilities. We have that intelligence source capability, which we have just talked about, bringing in external threat intelligence sources. You've got a threat hunting capability that's based upon all the threat intelligence that I'm being provided, either external, generated by Recorded Future, or otherwise. Can I go look inside of a tool to see if I've seen this thing before? So you're kind of looking for unknown unknowns, things that you didn't know you had in your environment because an alert never fired. Or you can even look through alerts that were previously triaged as informational. Maybe you weren't using threat intelligence to look at your alerts and triage them, and somebody thought something was informational based upon native threat intelligence, but actually, with Recorded Future's real time threat intelligence, it turns out there was a pretty big risk there. So you're reopening old things to make sure that they're being properly classified and properly triaged. You've got threat detection workflows. So you wanna take threat intelligence and push it to your tools to make them better than they are on their own. That's using the real time context of Recorded Future to say, hey, EDR tool. Like, you should be looking for these threats specifically because they're of high value to our organization. Then finally, you've got a threat prevention workflow. As you start to trust the data and the data starts to work for you, you can even take a subset of these indicators that are super high risk. Think about actively communicating command and control servers. So these are like the botnet servers of the world. You wanna make sure that your organization is pretty much prevented from ever touching that infrastructure. You maybe have some sort of prevention that would never allow you to be infected. You still don't wanna telegraph that you exist.
You still don't wanna be made kind of available from a scanning attack that's looking and doing reconnaissance for potential victims. So being able to prevent yourself from being contacted by, or from you accidentally, you know, a user clicking on some sort of malicious payload that calls out to a command and control server, you can prevent that action by blocking that infrastructure. So that's autonomous threat operations. It is an add on to the threat intelligence modules within Recorded Future. This is a pretty big cyber operations workflow. This is really you taking the platform and making it do work for you. So you can kinda take a lot of that, like, enrichment, SOAR workflow stuff that we've been talking about, but just leverage Recorded Future to do a lot of those actions. You're not building a playbook that has to be maintained by an individual to connect to your EDR tool. You aren't even editing that playbook when new threat intelligence becomes related to that specific threat profile. You are just saying, hey. These are the things that I wanna look for. These are the things I wanna detect. These are the things that I wanna prevent. And as the threat intelligence changes, even while you're sleeping, the actions are changing and the intelligence is changing underneath that profile to make sure that you're actively protected. So diving into this specific workflow, you can take your multi source intelligence. So you've got a STIX feed, an ISAC feed, something. You're bringing that into Recorded Future. It's being normalized and deduplicated and enriched by Recorded Future to come up with really one set of intelligence that comes from everywhere that you care about. An analyst or somebody connects all the dots to potentially even create some sort of profiling, and you're using that intelligence to say, okay. Well, source A has a little bit more information than source B. You've got this full picture.
Now from all of the sources, you have a really comprehensive set of indicators and TTPs, behavioral rules, things of that nature that are relevant to your environment. So, you know, you can ditch the TTPs that are about Linux specific exploits because you don't have any Linux endpoints in your environment, or you can, you know, ditch the TTPs that are related to, like, ICS and SCADA services because you don't have any operational technology in your environment. And now you're distributing a very specifically tailored payload to your existing tools. You are sending things to your SIEM that are relevant to you. It's computationally efficient to only be looking for, you know, this kind of pared down set of indicators that you have curated, and you are even sending these things to your EDR to do some active blocking, or to prevent, you know, that prevention workflow, or aiding in its detection capabilities. I've heard from some customers like, well, you know, isn't that what a SIEM is supposed to do? Like, you know, our SIEM has all the information. Like, why would we send things to our EDR? And sometimes I just have to ask the simple questions. Are you, even today, bringing EDR logs into your SIEM? And it kinda jogs the memory of some people and they recognize, wait. Actually, we're not bringing in our EDR logs because we tried to do that, and it was too expensive. So there's always a case for why you need to send intelligence to multiple sources. Don't just rely on maybe one place that you're aggregating. That's why you can't really rely on one specific TIP to take action on everything. You can't rely on one specific SOAR to only take action in one area. You really have to meet these tools directly where they're at in order to provide the value. So finally, you're deploying detection rules, you're updating your security policies, and you're blocking known infrastructure. So you've enabled an autonomous platform.
You've really moved along that maturity scale to go from reactive, where you were just triaging alerts, trying to get some more information and enriching those alerts. You've moved along to predictive, where you're maybe using threat intelligence to aid in your detection capabilities, and now you've moved into a fully autonomous method where you're not pushing a button to send in the information. You're not always crafting that information in a way that needs to take action in the platform. You're not, like, shaving off indicators each day and, oh, this new story came out and here's some new indicators that came from a specific threat research group, so I better update my playbook. All of this is happening in the background. All of this is constantly being updated, making new detections, making new logical changes to its workflows. And all you're doing is, at the beginning, building a profile of the threats or the risks that you care about. So that's an autonomous program. That's where really the market is moving to. I mentioned before, you know, we've got large frontier models in the news who are sharing their new special models with companies like Apple and AWS to help patch kinda infrastructure vulnerabilities before they get deployed to the user base. And all of this is trickle down technology. We should be running autonomous operations within our organizations to ensure that we can patch things before they become exploited in the wild, to make sure that we can take actions on threats that we didn't know were there because now we're using threat intelligence, and finally, to truly prevent even the attacks or the exploits or the incidents from occurring because we've used dynamic threat intelligence to take preventive or defensive actions before the threats have even been levied against us. So the big call to action is to try out autonomous threat operations. If you're a Recorded Future customer, you can reach out for a trial.
You can reach out for a proof of value with your account team to see if this is something that will work for you. You can get a demo. I mean, honestly, autonomous threat operations is about not coming in to work on a Monday with 20 to 100 things to do, but instead looking at the one or two or three things that are actionable only by you. So allow the autonomous threat operations to be kind of this accelerator to your program. The final bonus is our watch list automation. So Recorded Future has a bunch of native capabilities for alerts and, you know, it's an intelligence platform. And if you've used the platform at all, you know that we have watch lists. These are the things that belong to your organization that you wanna watch out for. So in a vulnerability intelligence type workflow, it's here's my tech stack. Here are my vulnerabilities, and I would love to know when any of these vulnerabilities change in risk. I wanna know when something goes from, you know, recently disclosed, low information to exploited in the wild, high actionability. The only way that you can really keep this in sync with your attack surface footprint, whether that's your domains, your third parties, your tech stack, your vulnerabilities, is that you really need to keep it in sync with the solutions and the systems of record that have that source of truth. So if you've got a vulnerability scanner like Tenable or Qualys or Wiz or, you know, Rapid7, any of these, it's already looking for tens of thousands of vulnerabilities and identifying them. Now you can connect through a watch list automation connector directly into the Recorded Future watch list. So you're not manually maintaining a list of here are the things I care about, here are the top 100 vulnerabilities, top 1,000 vulnerabilities that I want more information on.
You're saying always be in sync with my true attack surface and now provide me contextually related information and intelligence related to my actual threat footprint of what I have in my real environment. So that's another autonomous workflow. You are not maintaining a list manually. You are allowing the systems to talk to each other so that Recorded Future is always in sync with your footprint. These are incredibly simple to set up. You can go into the Recorded Future integration center and look for various technologies that you have and see if there's a watch list connector. You know, I mentioned a few there, Tenable, Wiz, Qualys. These are ones where, if you have the technology, there's some documentation on how to generate a token. You punch that token into Recorded Future. You set maybe a threshold of the types of vulnerabilities. Like, maybe you only wanna bring in criticals. Maybe you wanna bring in your whole catalog of vulnerabilities. Whatever it might be, you're bringing that data into Recorded Future to have Recorded Future always in sync with what's going on in your environment. So you can move from that reactive state into a more predictive state. And with this specific connector, you can now also say that your vulnerability prioritization has become autonomous. So, really, I hope that through this webinar, you've been able to see that it's not very difficult for you to move along the scale. And as we move into the middle of the year, I'm sure there's a lot of, like, midyear reviews that you're having with your management or a lot of, like, midyear reports that security teams need to send up to security leadership or business leadership, and you can start to say, hey. Like, we improved the maturity of our vulnerability management program because we started adopting an autonomous vulnerability prioritization method. You can say, hey.
I'd love to really leverage this autonomous threat operations capability from Recorded Future, but I'm gonna need a little more funding in order to make that a reality. But look at all the benefits it can provide us. It can look for threats, detect threats, and even prevent threats while everybody is sleeping. These are the ways to move along. Recorded Future's really adopted a mission about securing the world with intelligence, but we have taken very specific efforts on making it easier to adopt. So we want you to take the intelligence, but just turn the intelligence into action. And we're not just asking you to do that on your own. We've provided the plumbing. We've provided the steps and the workflows. You just need to follow along connecting your solutions. You just need to follow along some of these walkthroughs and documentation articles on our support site and get these tools connected. So really go into your integration center. That's on the Recorded Future portal on the left hand side. In the navigation sidebar, you'll see integration center. And just start, like, looking up the tools that you have. Like, oh, I've got Splunk. Oh, I've got Microsoft Sentinel. I've got Palo Alto XR. Whatever it is, see if we have an integration. If we do, go look at the setup documentation. You'll see that on the right side once you click on a tile, and you can see how simple some of these actually are to set up. We just need a token. Just need a token. You flip a few switches, and now you've moved your program along from reactive to predictive or from proactive to autonomous with really just a few simple clicks. Awesome. On that point, Kyle, too, there was a question about Tanium that was listed on one of them, and what if systems I use are not in your integration center? Yeah. Yeah. Go ahead. Great question. So we do have a Tanium integration, and some integrations are actually built by the partner.
So Recorded Future builds a lot of native integrations, but some integrations, I'm thinking of tools like Axonius, Tanium, they've actually built the solution, and you're taking a Recorded Future token and putting it into that solution. So, if you don't find one within our integration center, sometimes it's available natively from your tools, so you can reach out to them to see if they have an integration with us. And, even if there is no integration at all, you're like, I'm using this brand new start up. You know, we're open to building new things, and we're extremely open to helping these partners build it for us and for you. So, really, if there is a gap in an integration that you really would like, talk to your Recorded Future account team, talk to your technical account manager, and they can log an issue with me. I'm a product manager for our integration strategy, and I define kind of what are all the latest integrations that we're gonna build this year and next year and what's a high priority. And I also work directly with those partners on, like, hey. Here's exactly how you can go build that, and let's make sure it gets built for the customer. So, if it's not specifically in the list, it can very easily be added to the list. And it's just about kind of gathering the information on if it's viable, how it would work, who's gonna build it, and all that stuff is stuff that Recorded Future handles for you. Now if you've got, like, a super custom workflow that probably only applies to you, that really couldn't get added into the marketplace, like, maybe you've got some home built vulnerability management solution that has, like, a really interesting set of private APIs. The answer is still not no. It's just that maybe our professional services department is the best solution for you. They can assist you or build for you custom solutions that would work only for you.
So multiple pathways here on trying to get you connected. And, really, the kind of overarching goal of my team is to get connected to as many places as possible so that Recorded Future can deliver its intelligence to take action in your entire technology control surface, in your entire security programs, security tooling surface. If we can get all the technologies talking together, they're all leveraging threat intelligence. Now you've got an autonomous program that can really keep you protected from all angles. So it's certainly a goal. Awesome. And I've been keeping an eye on the chat. Kyle, great job walking through all those workflows. But there's a couple of interesting questions that came through, specifically this one when you were showing the vulnerability prioritization workflow. This one asks, what do you suggest as an effective way to build a pragmatic and relevant vulnerability watch list, especially with the evolution of AI or possibilities of increased likelihood of exploiting zero days? Great. So, in the vulnerability program within Recorded Future's SecOps pillar, you have both the vulnerability watch list and the tech stack watch list. So the vulnerability watch list is an easy one to be like, I know I have these vulnerabilities. Let's keep them in sync. And there's some strategy on, like, do I only look at criticals for high level prioritization, or do I also add some of those more informational ones because they might turn into criticals. But around, like, maybe zero days and new threats, you could leverage your tech stack watch list. So this is the technology that I'm using within my organization. Like, I know we use Windows Server. I know we use Windows Desktop. I know we're using, you know, Notepad++ or, like, I know this software is deployed in a lot of places, or even, like, down to we're using this specific software library on our website that's hosted in our own infrastructure.
That's where you're putting, like, a product into the tech stack watch list so that if a new vulnerability is spun up and discovered, but it relates to one of your products, you can be alerted to it. And in many cases, you can be alerted to the fact that this vulnerability exists before your vuln scanner runs, scans, and says that it found it on a specific asset. So, it's really about leveraging both the vulnerability intelligence, the vulnerability watch list for known CVEs, but it's also about leveraging that tech stack watch list for products and infrastructure pieces you know you have in your technology stack that you'd wanna be alerted about net new threats on. Great. Another question goes back to our IOC enrichment workflow. This one says Recorded Future can enrich and help prioritize alerts once they are created, but the core dependency is still on that EDR trigger and SIEM detection rules applied. What's your proposition to solve this scenario? Yeah. So, really, this is, like, 100% me agreeing with you. Like, in order to generate an alert, you're kinda relying on the native detection engine of that technology. Many of these, kind of, frontier type technologies, so your kinda largest market leaders in an endpoint protection platform, I'm thinking like CrowdStrike, SentinelOne, Trend Micro, Defender for Endpoint, if you have that Defender for Endpoint Plan 2 or like a Microsoft E5 license. These do have the ability to ingest external threat intelligence. And the purpose of that is to hypercharge the detection capabilities of those detection engines. So it's moving beyond just like, well, this is what my technology knows is risky, so it's only firing those alerts, to I'm adding Recorded Future threat intelligence to the solution so that if it then also sees those custom indicators or those custom behavioral rules, it's able to take action. And that's one of those functions of our autonomous threat operations add on.
That's one of those functions where you can say, I wanna curate a custom list of indicators to send to those solutions, or I just want to say these are the threat actors that I care about or these are the malware variants that I care about, these are the TTPs, these are the risk profile threats that I care about, and then as the indicators underneath that profile might change over time, new information comes out, some information ages out, then that custom list of indicators is kept in sync with the real and active threat landscape. So, yeah, definitely leveraging custom threat intelligence within those solutions is how you can build upon its native capabilities and do more than what it's able to do alone. Now it's generating new alerts based upon that custom threat intelligence. Awesome. And then one last question. I know we're getting to the top of the hour, but I thought this was a good one. Just to answer, can you show how attackers chain vulnerabilities, credentials, and misconfigurations? Totally. So I don't have a screen share on this webinar, but within the Recorded Future platform, we have our research center. So from the far left, you go to research, and that's where our Insikt Group, which is Recorded Future's in house threat research team, that's where they're posting a lot of their flash reports, their finished intelligence, their technical analysis. You can look up any specific threat actor or even a vulnerability and get reporting on it, and often that reporting will include some of this kill chain information. So if you're maybe a more advanced threat intelligence user, if you click on the advanced query builder, you can build a query that looks for a source profile or a threat profile, which is a type of note from the Insikt Group. If you're not, go to the research center. There's some filters looking for profiles.
But within the profile, you'll find, like, the kill chain for a threat actor, and it will show you how you string along some of those events and how those events don't just happen in isolation. Sometimes there's like a reconnaissance activity that happens before kind of an exploit activity. And the ability for you to actually put that together, you could even build, like, a simulation, a breach and attack simulation campaign. You could build some sort of adversary exposure validation campaign to see, like, hey. Are we actually susceptible to the tactics and techniques of this specific threat actor, not down to the, like, o one TCP, but, actually, based upon this, the way that they launch their attacks, we are also susceptible to that same string of attacks. So we do have kill chain information. We've got diamond models, and it's just about you kind of unpacking some of the more technical information under some of that research. Awesome. And then, excuse me, one final comment is a positive comment just saying they wanna share with the group that we are using a generated vulnerability watch list from multiple sources, and it is a game changer. And we hear that across the board. So if we did not get to your questions in the chat, we'll follow up, or please reach out to your account team, and they will most likely have the answers for you as well. But that covers it for us on our essential integration workflows webinar. Thank you so much for spending the time with us today. Kyle, thank you so much for walking through all of the workflows. Are there any closing notes that you'd like to add? Yeah. My closing note is, if there's anything you take away, any action that you're gonna do, it's go into our integration center and see what you have today that you could leverage and come up with a plan. Like, some of it really is as simple as just generating a token. Some of the documentation shows you exactly where to go in that solution to do that.
But then if you have the technology, but we don't have the connector for it, please reach out to your account team. Please reach out and say, hey. I just joined the integrations webinar. You know, I've got these three integrations, and these are the ones, you know, we wanna work together on connecting. But, actually, there's these, like, four others that I would be interested in. That really helps me gather more information about what we're gonna build next. So the more of you who reach out and say that you want platform X and the more of you who reach out and say that you want platform Z, the higher the likelihood is that you will see platform X and Z show up in that integration center in the coming months. Awesome. Alright. Well, that covers it on our side. Again, the recording will be shared with you within twenty four hours, so keep an eye out for that. If there's any workflow that really resonated with you and you'd like to revisit, that will be available to you whenever you need to reference it. So, again, thank you so much for joining us, and we hope you have a great rest of your day. Bye, everyone. Thanks, everybody. Bye.