# The Art of Automation: Creating Threat Intelligence Bots in the Cloud

By [Ronald Eddings](https://www.paloaltonetworks.com/blog/author/ronald-eddings/?ts=markdown "Posts by Ronald Eddings"), Mar 13, 2020, 6 minutes

Categories: [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown), [Secure the Future](https://www.paloaltonetworks.com/blog/category/secure-the-future/?ts=markdown). Tags: [30 Days of Cloud](https://www.paloaltonetworks.com/blog/tag/30-days-of-cloud/?ts=markdown), [Automation](https://www.paloaltonetworks.com/blog/tag/automation/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/tag/cloud-security/?ts=markdown), [Cortex XSOAR](https://www.paloaltonetworks.com/blog/tag/cortex-xsoar/?ts=markdown), [threat intelligence](https://www.paloaltonetworks.com/blog/tag/threat-intelligence/?ts=markdown)

Scaling assets and applications in the cloud creates a degree of complexity that often leads to misconfigurations and vulnerabilities. With this increased complexity, other process issues begin to surface, such as the need for a collaborative space to share threat intelligence and lessons learned, or for an audit trail of the actions taken during an investigation. Both team members and product vendors build automations to alleviate some of these issues.

I've worked with exceptional analysts and engineers whose processes and techniques are powered by custom-built scripts and applications that make their lives easier. For instance, a security analyst may write Python scripts to format and transform raw data into more easily comprehensible information. However, custom tools are often difficult to leverage at scale because of limited compute or the inability to access and launch cloud functions, and they often lack a friendly user interface. Combining these automations with modern chat interfaces and existing tools addresses both problems. For example, a Slack bot can invite users to a collaborative space and share relevant information about an alert or incident.

In this post, I'll explore how to scale automation efforts with a focus on threat intelligence, leveraging [Cortex™ XSOAR](https://www.paloaltonetworks.com/blog/2020/02/cortex-xsoar/) to ingest alerts from security controls and to automate reports for analysts. I'll also show how Slack can be used as a collaborative space that automatically invites team members and provides alert context.

![This graphic compares legacy infrastructure and modern cloud infrastructure. The lefthand side of the graphic covers the evolution of security architecture, and the righthand side covers ChatOps.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/03/legacy1.png)

Fig 1: Comparison of legacy infrastructure and modern cloud infrastructure.
## **Automated Bots**

The image below describes common goals and use cases where an automated bot can assist. Each use case requires different contextual information to respond to its event type. For phishing, for example, the email headers, subject and body are the artifacts that reveal the threat, and analysts then turn to threat intelligence sources to determine whether the same threat has been seen before.

![Case Study: Threat Intelligence. This graphic illustrates goals and use cases where a cloud threat intelligence bot can assist. Goals: Keep pace with rapidly scaling cloud environment, automate everything that humans don't need to do, provide value to other technology departments. Use cases: EC2 and account compromise, phishing enrichment and response, cryptocurrency mining](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/03/image5.png)

Fig 2: Use cases where a Cloud Threat Intel Bot can assist

Threat intelligence data is contextual information that may provide details about the **who, what, when and where** of an attack. Using this data helps analysts make informed decisions when answering security questions and responding to events. Threat intelligence doesn't guarantee success when responding to these events, but it can serve as a great data source for analysts and engineers. There are also information sharing groups called Information Sharing and Analysis Centers (ISACs) that your organization may be eligible to join. These groups are a great source of context about an attack or event already seen by companies in the same industry.

Today, coupling threat intelligence with alert data comes with challenges. More specifically, few case-management platforms can store both the data gathered from alerts and the threat intelligence gathered about them. This makes it hard to pivot from one data point to the next and to tie intelligence back to the alerts from our own data sources.
By documenting analyst tradecraft, playbooks can be created that deliver threat intelligence to analysts. Delivering this information in a common workspace such as Slack lets organizations enrich data on demand while keeping a log of analyst actions and chats.

## **Creating a Threat Intelligence Bot**

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/03/image4.png)

Fig 3: How a Cortex XSOAR playbook powers bot logic

For the following examples, Cortex XSOAR ingests alerts from cloud applications and threat intelligence sources and orchestrates the bot logic via a playbook. As alerts are generated and threat context is attached, opportunities for rapid response and remediation emerge. The playbook delivers alert data and threat intelligence context to a collaborative workspace, or war room, such as Slack. An organization could also use other chat services such as Microsoft Teams or Discord.

As an example, phishing campaigns send mass emails to as many users as possible, so the same threat may be reported by several users or applications. As Cortex XSOAR sees duplicate or related events, the threat intelligence bot can post the correlated event information along with the option to block the malicious indicators on demand.

For more sensitive events, such as a malware outbreak, analysts may want to enrich threat data only from selected threat intelligence sources (internal or closed-community feeds rather than public lookups), because querying public services with the attacker's indicators or samples can tip the attacker that an investigation is ongoing. The playbook therefore controls the bot logic and enriches threat data selectively, based on the analyst's response.

Another common threat to cloud applications is cryptocurrency mining. When this threat emerges, response strategies need to be implemented immediately. This often includes blocking malicious IP addresses and reprovisioning the affected cloud applications.
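To make the bot logic described above concrete, here is an added example in plain Python. It is not Cortex XSOAR code, not Slack's SDK, and not from the original post; it walks a batch of alerts through the steps the section describes: extract indicators from email headers, subject and body, enrich them against a threat intelligence table, correlate duplicate phishing reports into one case, propose a firewall block that an analyst must approve, and build the Slack war-room payloads, making the channel private and restricted when the case is sensitive. The alerts, intel records, on-call roster, user IDs and the `passive` source flag are all constructed for the example; the only real names are the Slack Web API methods (`conversations.create`, `conversations.invite`, `chat.postMessage`) whose request bodies are built here, with nothing actually sent.

```python
"""Threat-intel bot logic in plain Python: ingest alerts, extract and enrich
indicators, correlate duplicates, propose actions, build Slack payloads.
Added example, not Cortex XSOAR or Slack SDK code. Alerts, intel records,
roster and user IDs are constructed. The three Slack Web API method names are
real; only their request bodies are built here, nothing is sent."""
import json
import re
from collections import defaultdict

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

# Constructed alerts, shaped like what a playbook receives after ingestion. A1/A2 are
# the same phishing wave reported by two users; A3 is a sensitive cryptomining detection.
ALERTS = [
    {"id": "A1", "type": "phishing", "reporter": "U_alice", "sensitive": False,
     "subject": "Invoice overdue", "headers": {"From": "billing@pay-portal.example"},
     "body": "Pay now at http://pay-portal.example/login or call 10.0.0.5"},
    {"id": "A2", "type": "phishing", "reporter": "U_bob", "sensitive": False,
     "subject": "Invoice overdue", "headers": {"From": "billing@pay-portal.example"},
     "body": "Pay now at http://pay-portal.example/login"},
    {"id": "A3", "type": "cryptomining", "reporter": "cloud-ids", "sensitive": True,
     "body": "EC2 i-0abc outbound to 198.51.100.77 port 3333 (stratum)"},
]

# Constructed intel table standing in for feeds/reputation commands. passive=True marks
# internal feeds or ISAC shares that can be queried quietly; passive=False marks live
# third-party lookups that could reveal the investigation to the adversary.
INTEL = {
    "pay-portal.example": {"verdict": "malicious", "source": "isac-feed", "passive": True},
    "198.51.100.77": {"verdict": "malicious", "source": "public-sandbox", "passive": False},
    "10.0.0.5": {"verdict": "benign", "source": "internal-assets", "passive": True},
}
ONCALL = {"phishing": ["U_soc1"], "cryptomining": ["U_soc1", "U_cloudeng"]}  # constructed


def extract_indicators(alert):
    """Pull IPs and domains out of subject, body and header values."""
    text = " ".join([alert.get("subject", ""), alert.get("body", ""),
                     *alert.get("headers", {}).values()])
    ips = {("ip", m) for m in IPV4.findall(text)}
    domains = {("domain", m.lower()) for m in DOMAIN.findall(text)}
    return ips | domains


def enrich(indicators, sensitive, allow_active=False):
    """Look up each indicator; on sensitive cases defer active third-party sources
    until an analyst explicitly allows them in the channel."""
    out = {}
    for kind, value in sorted(indicators):
        rec = INTEL.get(value)
        if rec is None:
            out[value] = {"type": kind, "verdict": "unknown", "source": None}
        elif sensitive and not rec["passive"] and not allow_active:
            out[value] = {"type": kind, "verdict": "deferred", "source": rec["source"]}
        else:
            out[value] = {"type": kind, "verdict": rec["verdict"], "source": rec["source"]}
    return out


def correlate(alerts):
    """Indicator -> alert IDs sharing it, so a mass phishing wave becomes one case."""
    seen = defaultdict(set)
    for a in alerts:
        for _, value in extract_indicators(a):
            seen[value].add(a["id"])
    return {k: sorted(v) for k, v in seen.items()}


def propose_actions(enriched):
    """Only confirmed-malicious IPs reach the optional firewall-block path, and the
    bot proposes rather than executes: an analyst approves in the channel."""
    return [{"action": "block_ip", "indicator": v, "requires_approval": True}
            for v, rec in enriched.items()
            if rec["type"] == "ip" and rec["verdict"] == "malicious"]


def slack_payloads(alert, enriched, related, actions):
    """Request bodies for a per-incident war room: private and on-call only when
    sensitive, otherwise the human reporter is invited as well."""
    channel = f"inc-{alert['id'].lower()}"  # invite/post would use the ID returned by create
    members = set(ONCALL[alert["type"]])
    if not alert["sensitive"] and alert["reporter"].startswith("U_"):
        members.add(alert["reporter"])
    lines = [f"*{alert['type']}* alert {alert['id']}; related: {', '.join(related) or 'none'}"]
    lines += [f"- `{v}`: {r['verdict']} ({r['source'] or 'no source'})" for v, r in enriched.items()]
    lines += [f"Proposed: block {a['indicator']} at the firewall, reply `approve {a['indicator']}`"
              for a in actions]
    return {"conversations.create": {"name": channel, "is_private": alert["sensitive"]},
            "conversations.invite": {"channel": channel, "users": ",".join(sorted(members))},
            "chat.postMessage": {"channel": channel, "text": "\n".join(lines)}}


def run(alerts=ALERTS):
    corr = correlate(alerts)
    results = {}
    for a in alerts:
        enriched = enrich(extract_indicators(a), a["sensitive"])
        related = sorted({aid for v in enriched for aid in corr[v]} - {a["id"]})
        actions = propose_actions(enriched)
        results[a["id"]] = {"enriched": enriched, "related": related, "actions": actions,
                            "slack": slack_payloads(a, enriched, related, actions)}
    return results


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

Running it shows the two phishing reports correlated to each other with the shared sender domain marked malicious from the ISAC feed, and the cryptomining case opened as a private channel with its external IP left `deferred`, because the only source that knows it is an active public lookup; once the analyst allows active enrichment the same IP becomes a proposed block that still waits for approval. In a real playbook the `INTEL` table is replaced by the platform's reputation commands and the payloads are posted with a bot token whose scopes are limited to channel creation, invites and posting.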
To avoid analyst burnout and error, simple tasks can be handed to the threat intelligence bot. For example, the playbook in figure 3 contains an optional path for blocking IP addresses at the firewall.

![This screenshot shows examples of how a threat intelligence bot would appear when providing threat intelligence.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/03/ThreatIntel1.png)

Fig 4: Threat intel provided by a bot

Depending on the context of the alert and the threat intelligence supplied, specific analysts and engineers are needed to respond to an event collaboratively. As mentioned, automation often assists with this investigation phase. Additional logic can be added to the playbook to invite users on demand and to restrict access to the Slack channel when an investigation contains sensitive information.

## **When to Use a Threat Intelligence Bot**

In summary, as organizations migrate and onboard services and applications to the cloud, managing and responding to alerts becomes increasingly difficult. Automation can assist with responding to and mitigating security events generated by applications and users. Chat services such as Slack provide an interface for automation tools that were previously difficult to interact with, while preserving an audit trail of the events that transpire during an investigation. Pairing automation with Cortex XSOAR lets organizations create an interactive war room that assists analysts during each phase of their investigation.

To go more in-depth on threat intelligence bots, check out [Ron's on-demand session, "Creating Threat Intel Bots in the Cloud,"](https://wcc.on24.com/webcast/previewlobby?e=2182571&k=60B4FD1E638B386D2A85CE1914AACCAF) from our recent Cloud Native Security Summit.