Use Cases

Before understanding use cases, it's useful to know what Envoy is. This page lists some concrete use cases for Envoy, but the possible use cases are much broader than what we cover.

Targeted threat intelligence queries

At a bare minimum, Envoy can be used to make specific queries about IPs, hosts, and MD5 hashes, and to check whether they are known to the threat intelligence platform.
This can be part of an ongoing investigation into a specific threat, or of threat hunting and checking for suspicious activity.
The queries can be run from the web profile, or by accessing the API with various tools. The only requirement for API calls is to include the API key with the query; the key is visible in the Envoy web profile.

Enrich SIEM with threat information

Envoy can be made part of the SIEM infrastructure by providing the threat context for a specific IP, hostname, or hash.
The supported SIEM platforms are: HP ArcSight, Splunk, Elasticsearch, IBM QRadar, and McAfee Enterprise Security Manager.
Because it runs on high-performance infrastructure, Envoy can be queried directly for threat information and made part of the investigation process already built into a SIEM.
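The targeted query and the SIEM enrichment use cases above share the same building blocks: recognise which kind of indicator you hold (IP, hostname or MD5), attach the API key to the lookup, and fold the answer back into the event being investigated. The script below is an added example written for this page, not Envoy's own client or API; the endpoint path /api/v1/lookup, the query parameter names and the X-API-Key header are assumptions, since the page only states that the key must accompany each query. The lookup function is an offline stub over constructed sample data, and internal (RFC 1918, loopback, link-local) addresses are deliberately kept out of queries so that internal addressing is not sent to an external service.

```python
"""Added example (not Envoy's own client or API): classify an indicator,
build an authenticated lookup request, and enrich a log line with the result.

Hypothetical, not taken from the page: the endpoint path /api/v1/lookup,
the query parameter names, and the X-API-Key header. The page only says the
API key must accompany each query and is found in the web profile."""
import ipaddress
import os
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlencode

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
HOST_RE = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$")
# Address ranges that should never be sent to an external intelligence service.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def classify(indicator: str) -> Optional[str]:
    """Return 'ip', 'md5' or 'host', or None if the token is not an indicator."""
    try:
        ipaddress.ip_address(indicator)
        return "ip"
    except ValueError:
        pass
    if MD5_RE.match(indicator):
        return "md5"
    if HOST_RE.match(indicator):
        return "host"
    return None


def is_internal(ip_str: str) -> bool:
    """True for RFC 1918, loopback and link-local addresses (kept out of queries)."""
    ip = ipaddress.ip_address(ip_str)
    return ip.is_loopback or ip.is_link_local or any(ip in net for net in INTERNAL_NETS)


def build_request(indicator: str, api_key: str,
                  base_url: str = "https://envoy.example.invalid") -> Tuple[str, Dict[str, str]]:
    """Build (url, headers) for one lookup. The key travels in a header, not in
    the URL, so it does not end up in proxy or web-server access logs."""
    kind = classify(indicator)
    if kind is None:
        raise ValueError(f"unsupported indicator: {indicator!r}")
    if not api_key:
        raise ValueError("API key missing; set ENVOY_API_KEY from your Envoy web profile")
    url = f"{base_url}/api/v1/lookup?{urlencode({'type': kind, 'value': indicator})}"
    return url, {"X-API-Key": api_key, "Accept": "application/json"}


def extract_indicators(line: str) -> List[Tuple[str, str]]:
    """Pull (indicator, type) pairs out of a log line, skipping internal IPs."""
    found: List[Tuple[str, str]] = []
    for token in re.split(r"[\s=,;\"'()\[\]]+", line):
        kind = classify(token)
        if kind is None or (kind == "ip" and is_internal(token)):
            continue
        if (token, kind) not in found:
            found.append((token, kind))
    return found


# Constructed sample data standing in for the platform's answers (offline stub).
SAMPLE_FEED = {
    ("ip", "203.0.113.7"): {"malicious": True, "tags": ["c2"]},
    ("md5", "d41d8cd98f00b204e9800998ecf8427e"): {"malicious": False, "tags": []},
}


def offline_lookup(kind: str, value: str) -> Dict:
    """Stub lookup; a real deployment would issue the request from build_request."""
    return SAMPLE_FEED.get((kind, value), {"malicious": None, "tags": []})


def enrich(line: str, lookup: Callable[[str, str], Dict] = offline_lookup) -> Dict:
    """Attach threat context to every external indicator found in a log line,
    which is the shape of the SIEM enrichment step described above."""
    context = {}
    for value, kind in extract_indicators(line):
        context[value] = {"type": kind, **lookup(kind, value)}
    hits = [v for v, c in context.items() if c["malicious"]]
    return {"line": line, "indicators": context, "hits": hits}


if __name__ == "__main__":
    # Constructed firewall-style log line, not captured from a real system.
    sample = "SRC=203.0.113.7 DST=10.0.0.5 host=mail.example.com md5=d41d8cd98f00b204e9800998ecf8427e"
    print(enrich(sample))
    key = os.environ.get("ENVOY_API_KEY", "")
    if key:
        print(build_request("203.0.113.7", key))
```

Two choices worth keeping when adapting this to the real API: read the key from the environment or a secrets store rather than hard-coding it, and send it in a header rather than as a URL parameter so that it never appears in access logs along the path. The internal-address filter is the other check a SIEM integration needs, since an enrichment rule will otherwise query the platform about every private address in every event.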

Integration with internal applications and mobile devices

The API allows threat information to be integrated into internal applications already built within your company. Because the API is vendor-independent, it can be integrated easily to provide threat information to these applications.
Similarly, mobile applications can include threat data to expand their reach and provide additional features to their users.