DOING THREAT INTEL THE HARD WAY - PART 5: ANALYZE THREAT INTELLIGENCE

in #tech, 8 years ago

The analyst workflow must provide a repeatable process for analyzing the output of the integrations you created in the previous steps.

For example, if the SIEM determines that a server is communicating with a known botnet command and control domain, your analyst must be notified in some fashion (on-screen prompt, email, SMS, IM, etc.).

The analyst must then evaluate the collected information and take appropriate action based on the accuracy of that information.

If the analyst determines that the notification is not valid, they should document their findings for future reference and move on to the next analysis. If the analyst verifies that the notification is correct, they should begin a formal set of incident response steps. (source)
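The triage step described above, written out as a small repeatable process. This is an added example, not code from the original post: the feed entries, allowlist, hostnames and confidence threshold are constructed placeholders, and it assumes the SIEM hands over one notification per outbound connection that matched a feed indicator.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample intel feed: domain -> (confidence 0-100, valid-until).
# In practice this is the output of the feed integration built earlier.
FEED = {
    "c2.example-bad.test": (90, datetime(2030, 1, 1)),
    "old-c2.example-bad.test": (95, datetime(2015, 6, 1)),
    "cdn.example-vendor.test": (40, datetime(2030, 1, 1)),
}
ALLOWLIST = {"cdn.example-vendor.test"}  # hypothetical known-good destinations
MIN_CONFIDENCE = 50                      # assumed threshold for escalation

@dataclass
class Alert:
    host: str         # internal server the SIEM saw talking outbound
    destination: str  # domain it contacted
    observed: datetime

def triage(alert, feed=FEED, allowlist=ALLOWLIST, now=None):
    """Evaluate one SIEM notification and return (decision, reasons).

    decision is "escalate" (begin incident response) or "dismiss"
    (document the finding and move on). reasons is the written record
    the analyst keeps either way, so a dismissal is never silent.
    """
    now = now or datetime.now()
    if alert.destination in allowlist:
        return "dismiss", ["destination is on the internal allowlist"]
    hit = feed.get(alert.destination)
    if hit is None:
        return "dismiss", ["destination is not in the current intel feed"]
    confidence, valid_until = hit
    if now > valid_until:
        return "dismiss", [f"indicator expired on {valid_until:%Y-%m-%d}"]
    if confidence < MIN_CONFIDENCE:
        return "dismiss", [f"feed confidence {confidence} below {MIN_CONFIDENCE}"]
    return "escalate", [f"active indicator, confidence {confidence}"]

def process_alerts(alerts, now=None):
    """Run every notification through triage and return the findings log."""
    log = []
    for alert in alerts:
        decision, reasons = triage(alert, now=now)
        log.append({"host": alert.host, "destination": alert.destination,
                    "observed": alert.observed.isoformat(),
                    "decision": decision, "reasons": reasons})
    return log
```

Every branch returns a reason string, which is the "document their findings" step; only the escalate branch should feed the incident response procedure.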
