Take a tour of Intelligence in the Sekoia AI SOC platform
With AI-assisted insights, guided investigations, and seamless collaboration, Sekoia helps teams cut through complexity and stay ahead of fast-moving threats.
Sekoia Intelligence provides threat intelligence to help organizations stay ahead of cyberthreats. The platform contains strategic, tactical, and technical intelligence modeled in STIX 2.1 format. It includes proprietary intelligence reports (FLINTs) used by European public and private organizations. The platform covers malware with contextualized information including associated indicators of compromise (IoCs) and threat actors. It contains thousands of attack campaigns with associated context such as threat actors and IoCs. All CTI objects in Sekoia Intelligence are fully contextualized and linked to associated objects. The platform uses STIX 2.1 patterning to standardize relationships between different objects. For malware analysis, the platform provides a telemetry engine that shows if malware and associated IoCs have been detected in user security logs or logs of Sekoia.io customers, indicating threat seasonality. Malware pages include sources used for qualification, intelligence reports mentioning the malware, Kill Chain and MITRE contextualization, and descriptions. The threat context section displays all intelligence objects associated with malware including threat actors, campaigns, IoCs, and TTPs. For indicators of compromise, the platform provides validity dates with default expiration periods (1 month for IP addresses, 25 years for file hashes) to ensure ready-to-detect IoCs. Each IoC is linked to its associated threat to facilitate detection understanding and hunting activities. For intrusion sets, the platform uses agnostic attribution and displays all aliases from other CTI teams. It includes sources used for qualification, latest reports mentioning the intrusion set, full contextualization and description, and complete STIX 2.1 modelization. Users can visualize intrusion set attributions, malwares, CVEs, TTPs, known victimology, and associated IoCs with export capabilities for threat hunting. The intelligence database is searchable and filterable for specific threat objects including IoCs, malwares, campaigns, and threat actors. Objects include intelligence directly related to cyber threats. Observables correspond to technical artifacts observed during investigations, such as lists of public DNS known to analysts. Sekoia Intelligence uses proprietary intelligence sources and integrates intelligence from over 450 external sources, each qualified with a trustworthiness level. The IoC Collections feature consolidates IoCs into one centralized location, supporting use cases like inter-CERT sharing or access to IoCs from other intelligence providers. Users can import IoCs using CSV/XLS files or text fields. Context can be added to custom IoCs including related threats and expiration dates, and collections can be exported. Graph Exploration allows users to create graphical representations for threat investigations, including malware investigations to visualize context and relationships with other objects like campaigns and TTPs. The platform supports operationalization through multiple dissemination options to third-party security systems. Intelligence can be integrated into SIEMs for detection and hunting, SOARs for enrichment and incident response, Threat Intelligence Platforms to add intelligence sources, and security devices like EDRs and firewalls for additional indicators. Integrations use Sekoia.io applications on vendor marketplaces, TAXII connectors for STIX transportation, MISP connectors, or API access. The Feed feature allows users to filter intelligence to select specific perimeters for consumption, such as selecting only IPv4 and IPv6 for firewalls, file hashes for EDRs, or intelligence from specific sources.
