With the cloud technologies, i think one can slowly come to the conclusion that IOCs should not be relied only !
Bad actors can move of source IP so easily and the fact that all Threat Intelligence do their own lists, there is a great discrepancy in the lists.
I’ll show you an example.
Here are the logs of my home Firewall. You can see some many IP addresses trying to scan my SSLVPN.
Now let’s look up of few of those IP addresses. One can easily see that most each list has different IPs and known bad scanners and only one IP was 13 list but the rest is much lower !