Ember ThreatInt
Real-time threat intelligence from 20+ open-source feeds integrated into every shift.
Ember ThreatInt is the built-in threat intelligence window in the SOC Workstation. It aggregates data from over 20 open-source threat intelligence feeds, providing real IOC lookups during your shift. No synthetic data. Real threats. Real feeds.
How It Works
During a shift, any IOC you encounter in SIEM, XDR, or Firewall alerts can be looked up in Ember ThreatInt. The window queries aggregated threat feeds and returns known intelligence about the indicator, including associated malware families, threat actors, confidence scores, and first/last seen timestamps.
IOCs from active threat feeds are also woven into the shift's alert generation. When you see a suspicious IP address in a SIEM alert, there is a real possibility that the same IP appears in a recent abuse.ch or blocklist feed -- because it was sourced from one.
Feed Sources
Ember ThreatInt pulls from the following open-source threat intelligence providers:
| Category | Sources |
|---|---|
| Malware & Botnets | abuse.ch URLhaus, abuse.ch MalwareBazaar, abuse.ch ThreatFox, abuse.ch Feodo Tracker |
| IP Reputation | Blocklist.de, CINS Army, Emerging Threats, DShield |
| Domain Intelligence | PhishTank, OpenPhish, DNS-BH Malware Domain List, CyberCrime Tracker |
| Hash Intelligence | MalwareBazaar, VirusTotal (external link), Malware Hash Registry |
| Threat Actor Tracking | MISP default feeds, AlienVault OTX pulse data |
| Community Feeds | GitHub-hosted IOC repositories, OSINT community blocklists |
Feeds are refreshed regularly to reflect current threat landscape data.
IOC Lookup Workflow
To look up an indicator in Ember ThreatInt:
- Right-click any IOC in a SIEM, XDR, or Firewall alert and select Open in Ember ThreatInt.
- Alternatively, switch to the Ember ThreatInt window and paste or type the indicator into the search bar.
- Results display as a summary card showing:
  - Feed matches -- Which feeds flagged this indicator and when
  - Threat classification -- Malware family, campaign name, or threat actor if known
  - Confidence score -- Aggregated confidence across all matching feeds
  - First seen / Last seen -- Temporal context for the indicator
  - Related IOCs -- Other indicators associated with the same campaign
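As an added illustration, not code from Ember ThreatInt or the SOC Workstation, here is a Python sketch of how a lookup could fold per-feed hits into the summary card fields listed above. The FeedMatch record shape, the indicator classifier, the confidence formula (mean of per-feed scores plus a corroboration bonus) and the sample hits are all assumptions; the product's real aggregation logic is not documented on this page.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# One hit for an indicator from a single feed (constructed record shape).
@dataclass
class FeedMatch:
    feed: str
    classification: Optional[str]   # malware family, campaign or actor, if known
    confidence: int                 # 0-100 as reported by that feed
    first_seen: datetime
    last_seen: datetime
    related: List[str] = field(default_factory=list)

def ioc_type(ioc: str) -> str:
    """Classify the pasted indicator so only the relevant feed families are queried."""
    s = ioc.strip().lower()
    if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", s) and all(int(o) <= 255 for o in s.split(".")):
        return "ip"
    if re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", s):
        return "hash"          # MD5 / SHA-1 / SHA-256
    if re.fullmatch(r"([a-z0-9-]+\.)+[a-z]{2,}", s):
        return "domain"
    return "unknown"

def summary_card(ioc: str, matches: List[FeedMatch]) -> Dict:
    """Fold per-feed hits into the five fields the summary card shows."""
    card: Dict = {"ioc": ioc, "type": ioc_type(ioc), "feed_matches": [], "confidence": 0,
                  "classification": None, "first_seen": None, "last_seen": None, "related": []}
    if not matches:
        return card            # no feed knows this indicator: nothing to aggregate
    card["feed_matches"] = [(m.feed, m.last_seen.date().isoformat()) for m in matches]
    # Assumption: confidence = mean of per-feed scores + corroboration bonus, capped at 100.
    mean = sum(m.confidence for m in matches) / len(matches)
    card["confidence"] = min(100, round(mean + min(10 * (len(matches) - 1), 20)))
    labels = Counter(m.classification for m in matches if m.classification)
    card["classification"] = labels.most_common(1)[0][0] if labels else None
    card["first_seen"] = min(m.first_seen for m in matches)
    card["last_seen"] = max(m.last_seen for m in matches)
    card["related"] = sorted({r for m in matches for r in m.related if r != ioc})
    return card

# Constructed sample hits (RFC 5737 documentation addresses, placeholder family name).
SAMPLE = [
    FeedMatch("abuse.ch Feodo Tracker", "ExampleLoader", 90, datetime(2024, 3, 1), datetime(2024, 3, 10), ["198.51.100.7"]),
    FeedMatch("Blocklist.de", None, 60, datetime(2024, 2, 20), datetime(2024, 3, 12)),
    FeedMatch("CINS Army", "ExampleLoader", 75, datetime(2024, 3, 5), datetime(2024, 3, 8), ["example-c2.invalid"]),
]
```

Call `summary_card("203.0.113.45", SAMPLE)` to see the aggregated card for the constructed hits.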
VirusTotal Integration
For hash and domain lookups, Ember ThreatInt provides a direct Open in VirusTotal link. This opens the VirusTotal report in a new tab for additional analysis, including vendor detection ratios, behavioral analysis, and community comments.
VirusTotal links open externally and do not require a VirusTotal account for basic lookups. For detailed behavioral reports, a free VirusTotal account is recommended.
IOCs in Shift Alerts
The alerts generated during your shift incorporate real IOCs from these feeds. This means:
- IP addresses in attack scenarios may appear in current blocklists
- Domains used in phishing alerts may match active PhishTank entries
- File hashes in malware alerts may have MalwareBazaar entries
This integration ensures that the threat intelligence skills you develop in training directly transfer to production SOC work, where checking indicators against threat feeds is a fundamental part of the triage workflow.