Overview of Threat Intelligence
Oracle Cloud Infrastructure Threat Intelligence aggregates threat intelligence data across many different sources and manages this data to provide actionable guidance for threat detection and prevention in Oracle Cloud Guard and other Oracle Cloud Infrastructure services. This service provides insights from Oracle security researchers, our own unique telemetry, open source feeds such as abuse.ch and Tor exit relays, and third-party partners.
Malicious actors often use known techniques to attack target environments. Contextual information about the threats found in an environment, such as associated threat types, threat actors, and geolocations, can help you detect malicious activities, prioritize alerts, and assess the environment's security posture.
To learn more about the threat indicators provided by Threat Intelligence, see the database.
To monitor for threat indicators, you must enable Cloud Guard in the tenancy. Cloud Guard provides threat detections using Threat Intelligence data.
Integration with Cloud Guard
You can use Threat Intelligence and Cloud Guard together to detect and respond to potential threats.
- Cloud Guard compares data from Threat Intelligence to the Audit logs and telemetry to detect and report suspicious activity. To learn more, see Monitoring Threats.
  To enable Cloud Guard in the tenancy, see Getting Started with Cloud Guard.
- Threat Intelligence provides detailed information about the detected threat's indicators, including the indicator type, threat type, confidence score, and geolocation.
To add a Threat Detector Recipe to an existing Cloud Guard target, see Modifying Recipes Added to a Target.
For a complete list of problems reported by the Cloud Guard threat detector recipe, and the types of sightings, see Detector Recipe Reference.
Responding to Detected Threat Indicators
After using Cloud Guard or another tool to identify a security threat indicator in Threat Intelligence, confirm and remediate the potential threat.
- Use Threat Intelligence to get more information about the detected threat indicator, including the description, threat type, confidence score, and geolocation. See Searching for Threat Indicators.
- If the threat was detected in Cloud Guard, use Cloud Guard to help resolve the threat and run a responder, if applicable. See Processing Reported Problems.
- Use Oracle Cloud Infrastructure Vulnerability Scanning Service to check that compute instances and container images have the latest security updates. See Scanning Overview.
- Review the concepts and best practices in the Oracle Cloud Infrastructure Security Guide. See Securing Your Tenancy.
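The triage described above, from matching an indicator sighting to deciding what to act on first, can be scripted against the indicator fields the page names (indicator type, threat type, confidence score, geolocation). The following is an added example, not Oracle code and not the Threat Intelligence API or Cloud Guard schema: the indicator records and the audit-style log lines are constructed, the record layout and field names are assumptions, and the threat-type weights and the alert threshold are illustrative policy choices, not Oracle defaults. It looks up each log line's source address against the indicator set, records a sighting with the indicator's context, and ranks sightings by confidence weighted by threat type so that a high-confidence command-and-control indicator outranks a low-confidence scanner.

```python
"""Rank indicator sightings from audit-style log lines by confidence and threat type.

Added example, not Oracle code. Indicator records and log lines below are
constructed; their shape is an assumption, not the Threat Intelligence schema.
"""
import json
from dataclasses import dataclass

# Constructed indicator records (documentation-range addresses only).
INDICATORS = [
    {"type": "IP", "value": "203.0.113.5", "threat_types": ["scanner"],
     "confidence": 40, "geo": "ZZ"},
    {"type": "IP", "value": "198.51.100.77", "threat_types": ["c2", "malware"],
     "confidence": 95, "geo": "ZZ"},
    {"type": "DOMAIN", "value": "bad.example", "threat_types": ["phishing"],
     "confidence": 80, "geo": "ZZ"},
]

# Constructed audit-style log lines; the last one is deliberately malformed.
LOG_LINES = [
    '{"eventTime":"2024-05-01T10:00:00Z","sourceAddress":"192.0.2.10","principal":"alice","eventName":"ListBuckets"}',
    '{"eventTime":"2024-05-01T10:01:00Z","sourceAddress":"198.51.100.77","principal":"svc-backup","eventName":"GetObject"}',
    '{"eventTime":"2024-05-01T10:02:00Z","sourceAddress":"203.0.113.5","principal":"bob","eventName":"ListInstances"}',
    'not json at all',
]

# Illustrative policy (assumption): weight by threat type, alert above a confidence floor.
THREAT_WEIGHT = {"c2": 3, "malware": 3, "phishing": 2, "scanner": 1}
MIN_CONFIDENCE = 50


@dataclass
class Sighting:
    value: str
    principal: str
    event: str
    confidence: int
    threat_types: tuple
    geo: str
    priority: int
    alert: bool


def index_indicators(indicators):
    """Map indicator value to record for direct lookup; only IP indicators match source addresses."""
    return {i["value"]: i for i in indicators if i["type"] == "IP"}


def parse_line(line):
    """Return the parsed record, or None for malformed lines or lines without a source address."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or "sourceAddress" not in rec:
        return None
    return rec


def score(indicator):
    """Confidence scaled by the heaviest threat type attached to the indicator."""
    weight = max((THREAT_WEIGHT.get(t, 1) for t in indicator["threat_types"]), default=1)
    return indicator["confidence"] * weight


def triage(log_lines, indicators, min_confidence=MIN_CONFIDENCE):
    """Match log source addresses against indicators; return sightings, highest priority first."""
    idx = index_indicators(indicators)
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ind = idx.get(rec["sourceAddress"])
        if ind is None:
            continue
        hits.append(Sighting(
            value=ind["value"],
            principal=rec.get("principal", "?"),
            event=rec.get("eventName", "?"),
            confidence=ind["confidence"],
            threat_types=tuple(ind["threat_types"]),
            geo=ind["geo"],
            priority=score(ind),
            alert=ind["confidence"] >= min_confidence,
        ))
    hits.sort(key=lambda s: s.priority, reverse=True)
    return hits


if __name__ == "__main__":
    for sighting in triage(LOG_LINES, INDICATORS):
        print(sighting)
```

Low-confidence matches are still returned as sightings with `alert=False`, so they can be kept for context without paging anyone; the confidence floor and the threat-type weights are the knobs to tune to your environment.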
Resource Identifiers
Threat Intelligence resources, like most types of resources in Oracle Cloud Infrastructure, have a unique, Oracle-assigned identifier called an Oracle Cloud ID (OCID).
For information about the OCID format and other ways to identify your resources, see Resource Identifiers.
Ways to Access
You can access Threat Intelligence using the Console (a browser-based interface), the command line interface (CLI), or the REST API. Instructions for the Console, CLI, and API are included in topics throughout this guide.
To access the Console, you must use a supported browser. To go to the Console sign-in page, open the navigation menu at the top of this page and click Infrastructure Console. You are prompted to enter your cloud tenancy, your user name, and your password.
For a list of available SDKs, see SDKs and the CLI. For general information about using the APIs, see REST API.
Authentication and Authorization
Each service in Oracle Cloud Infrastructure integrates with IAM for authentication and authorization, for all interfaces (the Console, SDK or CLI, and REST API).
An administrator in your organization needs to set up groups, compartments, and policies that control which users can access which services, which resources, and the type of access. For example, policies control who can create users, create and manage a VCN (virtual cloud network), launch instances, and create buckets.
- If you're a new administrator, see Getting Started with Policies.
- For specific details about writing policies for this service, see Threat Intelligence IAM Policies.
- For specific details about writing policies for other services like Cloud Guard, see Policy Reference.
Limits
Oracle Cloud Infrastructure limits the number of searches you can perform on the database.
See Threat Intelligence Limits.
To request a service limit increase, see Service Limits.