Port Six

Threat Intelligence Use Cases

Overview

Port Six threat intelligence integrates seamlessly into your security operations workflow. Whether you're building automated defenses, investigating incidents, or conducting threat hunts, our platform provides the context you need to make faster, more informed decisions.

1. SIEM Integration & Automated Enrichment

Problem

Your SIEM generates thousands of alerts daily from firewall logs, IDS/IPS, EDR, and other security tools. Analysts spend hours manually pivoting to threat intelligence platforms to check if observed IPs and domains are malicious.

Solution

Automatically enrich every external IP and domain in your logs with real-time threat intelligence. Convert raw logs into actionable alerts by correlating against our comprehensive threat intelligence.

Implementation

# Splunk SPL - Enrich firewall logs
| search dest_ip!=10.0.0.0/8 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16
| dedup dest_ip
| map maxsearches=1000 search="| rest /services/search/external/lookup     url=https://api.portsix.io/api/v1/ip/$dest_ip$ auth=YOUR_KEY | eval enriched_ip=dest_ip"
| where risk_score > 60
| stats count by dest_ip, risk_score, threat_intel.tags

Benefits

  • Reduce alert fatigue: Only surface high-risk connections
  • Faster response: Know immediately if a connection is C2, phishing, malware distribution
  • Automated blocking: Push malicious IPs to firewall blocklists
  • Risk-based prioritization: Focus on critical severity threats first

Real-World Example

A financial services SOC processes 50,000 firewall events per hour. By enriching external connections with Port Six, they reduced manual investigation time from 4 hours/day to 30 minutes/day while catching 3x more true threats.

2. Threat Hunting

Problem

Threat hunting requires pivoting across multiple tools and data sources. Hunters need to quickly determine if infrastructure is malicious, identify related infrastructure, and understand threat actor campaigns.

Solution

Use Port Six to rapidly pivot from a single indicator to a complete threat actor infrastructure map. Our relationship API enables hunters to discover connected domains, IPs, and malware samples.

Hunting Workflow

# 1. Suspicious domain observed in DNS logs
curl -H "X-API-Key: $API_KEY" \
  "https://api.portsix.io/api/v1/domain/suspicious-domain.com"
# Returns: risk_score=85, threat_intel.tags=["behavior:c2", "malware:cobalt-strike"]

# 2. Get C2 infrastructure feed for preemptive blocking
curl -H "X-API-Key: $API_KEY" \
  "https://api.portsix.io/api/v1/feeds/behavior/c2?limit=1000"
# Returns: Active C2 servers with risk scores

# 3. Search for related indicators using the malware family tag
curl -H "X-API-Key: $API_KEY" \
  "https://api.portsix.io/api/v1/observables/search?query=cobalt-strike&limit=100"
# Returns: All indicators tagged with Cobalt Strike

# 4. Check network logs for any historical connections
grep -E "(185.220.101.45|104.21.34.12)" /var/log/firewall.log

Benefits

  • Rapid pivoting: Go from single indicator to full campaign infrastructure in seconds
  • Preemptive defense: Block entire C2 networks before they're used against you
  • Historical correlation: Search logs for any past connections to threat infrastructure
  • Attribution: Understand which threat actors are targeting your organization

Real-World Example

A threat hunter discovers a suspicious domain in DNS logs. Using Port Six, they identify it as Cobalt Strike C2, pull the C2 feed to get all known Cobalt Strike infrastructure, block it preemptively, and discover 2 other compromised workstations that had previously connected to the infrastructure.

3. Incident Response

Problem

During incident response, every minute counts. Responders need instant answers about indicators to determine scope, containment strategy, and root cause.

Solution

Enrich every indicator in your incident timeline with threat intelligence in real-time. Understand malware families, threat actor TTPs, and MITRE ATT&CK techniques immediately.

IR Workflow

# Scenario: EDR alerts on suspicious process execution

# 1. Hash of dropped executable - check threat intel
curl -H "X-API-Key: $API_KEY" \
  "https://api.portsix.io/api/v1/hash/44d88612fea8a8f36de82e1278abb02f"
# Returns: risk_score=85, threat_intel.tags=["malware:emotet", "behavior:trojan"]

# 2. C2 IP observed in network connections
curl -H "X-API-Key: $API_KEY" \
  "https://api.portsix.io/api/v1/ip/185.220.101.45"
# Returns: risk_score=78, threat_intel with tags, first_seen, last_seen

# 3. Get full C2 feed to block all known infrastructure
curl -H "X-API-Key: $API_KEY" \
  "https://api.portsix.io/api/v1/feeds/behavior/c2?limit=10000"
# Returns: All active C2 servers for preemptive blocking

# 4. Search for other Emotet indicators
curl -H "X-API-Key: $API_KEY" \
  "https://api.portsix.io/api/v1/observables/search?query=emotet&limit=100"
# Returns: All indicators associated with Emotet malware

Benefits

  • Instant context: Know what you're dealing with in seconds, not hours
  • Scope determination: Identify all related infrastructure to find other victims
  • Containment guidance: Block all C2 infrastructure, not just initial indicator
  • Root cause analysis: Understand delivery mechanism and initial access vector

Real-World Example

A healthcare organization detects ransomware encryption activity. Using Port Six, IR team immediately identifies the malware family (REvil), finds 3 C2 servers to block, discovers the initial access was via phishing domain (also in Port Six), and contains the incident to 1 workstation instead of network-wide encryption.

4. Perimeter Defense & Automated Blocking

Problem

Firewalls and web proxies can only block threats they know about. Traditional blocklists are reactive and outdated by the time they're published.

Solution

Continuously sync malicious infrastructure to your perimeter defenses. Block C2 servers, phishing domains, and malware distribution sites before they're used in attacks against you.

Implementation

#!/bin/bash
# Automated blocklist sync for Palo Alto firewall

# 1. Fetch C2 infrastructure from feeds
curl -H "X-API-Key: $API_KEY" \
  "https://api.portsix.io/api/v1/feeds/behavior/c2?limit=10000" \
  -o /tmp/c2_ips.json

# 2. Extract IPs with high risk scores
jq -r '.indicators[] | select(.risk_score > 70) | .value' /tmp/c2_ips.json > /tmp/blocklist.txt

# 3. Upload to Palo Alto External Dynamic List
scp /tmp/blocklist.txt firewall:/var/log/pan/edl/portsix_c2_blocklist.txt

# 4. Force policy update
ssh firewall "request system external-list refresh name portsix_c2_blocklist"

# 5. Run daily via cron
# 0 */6 * * * /usr/local/bin/sync_portsix_blocklist.sh

Benefits

  • Proactive defense: Block threats before they reach your network
  • Always up-to-date: New threats added in real-time
  • Reduced attack surface: Prevent phishing, malware downloads, C2 communications
  • Multi-layered: Deploy to firewalls, proxies, DNS, EDR

Real-World Example

A manufacturing company syncs Port Six C2 infrastructure to their firewall every 6 hours. Over 3 months, they blocked 847 C2 connection attempts from workstations compromised by supply chain software containing malware.

5. SOC Dashboard & Metrics

Problem

Security leadership needs visibility into threat landscape: What threats are targeting us? How effective is our defense? What's our mean time to detect/respond?

Solution

Build executive dashboards showing real-time threat metrics enriched with Port Six intelligence. Demonstrate security value with quantified threat prevention.

Sample Metrics

  • Threats blocked: Count of malicious connections prevented
  • Threat breakdown: Malware families, C2 infrastructure, phishing attempts
  • Attack timeline: When threats were first observed globally vs. when they appeared in your logs
  • Geographic threat distribution: Countries originating malicious traffic
  • MITRE ATT&CK coverage: Which techniques were observed and blocked

Dashboard Query Examples

# Get current C2 threat landscape
curl -H "X-API-Key: $API_KEY" \
  "https://api.portsix.io/api/v1/feeds/behavior/c2?limit=100"

# Get phishing threats
curl -H "X-API-Key: $API_KEY" \
  "https://api.portsix.io/api/v1/feeds/behavior/phishing?limit=100"

# Cross-reference with firewall logs (SQL example)
SELECT fl.dest_ip, p6.risk_score, COUNT(*) as connections
FROM firewall_logs fl
JOIN portsix_threat_data p6 ON fl.dest_ip = p6.value
WHERE fl.timestamp > NOW() - INTERVAL '30 days'
GROUP BY fl.dest_ip, p6.risk_score
ORDER BY p6.risk_score DESC, connections DESC
LIMIT 10

Real-World Example

A retail CISO presents quarterly metrics showing Port Six integration prevented 12,000 malicious connections, blocked 47 phishing campaigns before any employees clicked, and reduced incident response time by 73%. This justifies security budget increase.

6. Compliance & Reporting

Problem

Compliance frameworks (PCI-DSS, HIPAA, SOC 2, ISO 27001) require demonstrable threat intelligence integration and proactive threat management.

Solution

Use Port Six audit logs and metrics to demonstrate:

  • Integration of threat intelligence feeds (PCI-DSS Requirement 5.4)
  • Automated malicious traffic blocking (HIPAA Security Rule 164.312)
  • Incident detection and response procedures (SOC 2 CC7.3)
  • Regular security monitoring and log review (ISO 27001 A.12.4.1)

Compliance Artifacts

Use the dashboard to export usage data for compliance documentation:

  • API Usage Logs - Total queries, endpoints accessed, timestamps
  • Threat Data Retrieved - IPs, domains, hashes looked up
  • Response Headers - Each API response includes X-Credits-Used for audit trails
  • Feed Sync Logs - Document automated blocklist updates
# Example: Log API responses for audit trail
curl -i -H "X-API-Key: $API_KEY" \
  "https://api.portsix.io/api/v1/feeds/behavior/c2?limit=100" \
  >> /var/log/portsix_audit.log

# Response headers provide audit data:
# X-Credits-Used: 10
# X-Request-ID: abc-123
# Date: Mon, 30 Jan 2026 12:00:00 GMT

Real-World Example

A SaaS company passes SOC 2 Type II audit by demonstrating Port Six integration in SIEM, showing monthly threat intelligence reports, and providing audit logs of all threat detections and blocking actions over the audit period.

7. Email Security & Phishing Defense

Problem

Email gateways see thousands of URLs and domains daily. Determining which are phishing or malware distribution requires real-time threat intelligence.

Solution

Enrich every URL and domain in emails with Port Six before delivery. Block phishing campaigns and malware distribution in real-time.

Implementation

# Email gateway integration
# Extract all URLs from email
urls=$(extract_urls_from_email "$email_body")

# Enrich each domain
for domain in $urls; do
  threat_data=$(curl -s -H "X-API-Key: $API_KEY" \
    "https://api.portsix.io/api/v1/domain/$domain")

  risk_score=$(echo "$threat_data" | jq -r '.risk_score // 0')

  if [ "$risk_score" -gt 60 ]; then
    tags=$(echo "$threat_data" | jq -r '.threat_intel.tags // []')

    # Quarantine email
    quarantine_email "$email_id" "High-risk domain detected: $domain (score: $risk_score)"

    # Alert security team
    send_alert "Phishing attempt blocked: $domain - tags: $tags"
  fi
done

Benefits

  • Zero-hour phishing protection: Detect brand new phishing domains
  • Malware prevention: Block emails with malware distribution links
  • Reduced user exposure: Catch threats before they reach inboxes
  • Campaign visibility: Identify coordinated phishing campaigns

Real-World Example

A legal firm integrates Port Six with Microsoft 365 email filtering. Over 6 months, they block 234 phishing emails that Microsoft's default filtering missed, preventing 3 credential theft attempts and 1 ransomware delivery.

8. Vulnerability Management Integration

Problem

Vulnerability scanners identify thousands of CVEs, but not all are exploited in the wild. Security teams need to prioritize remediation based on active exploitation.

Solution

Cross-reference your CVEs with Port Six to identify which vulnerabilities have active exploits, associated malware, or are being targeted by threat actors.

Prioritization Workflow

Use Port Six threat feeds to identify which external IPs connecting to your network are associated with known exploitation activity:

# Get C2 infrastructure that may indicate active compromise
curl -H "X-API-Key: $API_KEY" \
  "https://api.portsix.io/api/v1/feeds/behavior/c2?limit=1000"

# Cross-reference with your vulnerability scanner results
# Priority scoring approach:
# - Critical: Asset has high-CVSS vuln AND is connecting to known C2
# - High: Asset is connecting to any threat infrastructure
# - Medium: Asset has exploitable vuln but no suspicious connections

Note: CVE and MITRE ATT&CK enrichment endpoints are coming soon.

Benefits

  • Risk-based patching: Fix actively exploited vulnerabilities first
  • Threat context: Understand which threat actors exploit each CVE
  • Detection guidance: MITRE ATT&CK mappings for detection rules
  • Reduced remediation backlog: Focus on real threats, not theoretical risk

Real-World Example

An enterprise has 2,400 high/critical CVEs from vulnerability scans. Using Port Six CVE intelligence, they identify 43 with active exploitation and 12 targeted by APT groups relevant to their industry. They patch these 55 first, reducing real-world risk by 80% in 2 weeks instead of 6 months.