# Threat Intelligence Operations and TIP Usage

One-sentence definition: Curate, score, and operationalize intel (IOCs/TTPs) via a Threat Intelligence Platform.

## Key Facts

- Sources: commercial, ISACs, open, internal incidents; de-duplicate and score.
- Map intel to ATT&CK; create detections; expire stale indicators.
- Feedback loop: what intel produced detections/blocks; ROI.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Choose curated, scored intel over raw feed dumping.

**Mnemonic:** “**Collect**, **correlate**, **convert**.”

## Mini Scenario

Q: IOC feed floods SIEM—what improve?

A: TIP scoring/expire; selective deployment; TTP-based rules.

## Revision Checklist

- Two intel sources.
- Scoring purpose.
- Lifecycle step.

## Related

[[Use Case and Detection Engineering Lifecycle]] · [[MITRE ATT&CK Mapping for Testing]] · [[Security Operations Center (SOC) Fundamentals]] · [[Breach and Attack Simulation (BAS) Use Cases]] · [[Domain 7 - Index]]