Threat Feeds

Threat feeds are continuous, automated streams of threat intelligence containing indicators such as malicious IPs, domains, URLs, file hashes, malware signatures, and behavioral patterns.
They supply the SOC with real-time, external visibility into known threats so analysts can detect attacks early, enrich alerts instantly, and block malicious infrastructure before it reaches internal systems.

This chapter covers threat feeds from a SOC perspective, including feed types, ingestion methods, validation techniques, enrichment workflows, and real-world examples.


What Threat Feeds Provide

Threat feeds deliver the following indicator types:

  • Malicious IP addresses

  • Malicious domains

  • Malicious URLs

  • File hashes (MD5/SHA256)

  • SSL certificate fingerprints

  • Malware family signatures

  • C2 servers

  • Phishing infrastructure

  • DGA domains

  • Tor exit nodes

  • Botnet networks

  • Threat actor indicators

Feeds transform threat intelligence into machine-readable data the SOC can use immediately.


Why Threat Feeds Matter for SOC

Threat feeds allow the SOC to:

  • Detect known threats in SIEM and EDR

  • Enrich alerts with severity and context

  • Block malicious endpoints automatically

  • Prioritize high-risk alerts

  • Track active campaigns

  • Correlate incidents with threat actor activity

  • Identify attack patterns in early stages

Threat feeds multiply SOC visibility beyond internal logs.


Types of Threat Feeds

Threat feeds are divided into categories based on source, structure, and purpose.


1. Open-Source Threat Feeds (OSINT Feeds)

Free, community-driven, constantly updated.

Examples:

  • AlienVault OTX

  • Abuse.ch (URLHaus, Feodo Tracker, MalwareBazaar)

  • PhishTank

  • Spamhaus

  • CIRCL.lu

  • Emerging Threats (ET Open)

  • OpenPhish

Use cases:

  • IOC enrichment

  • SIEM correlation

  • Identifying malware domains

  • Tracking botnets


2. Commercial Threat Feeds (Paid Feeds)

Premium, highly curated, enterprise-grade intelligence.

Examples:

  • CrowdStrike

  • Recorded Future

  • Palo Alto Unit42

  • FireEye/Mandiant

  • Anomali

  • Cisco Talos

  • Check Point ThreatCloud

Use cases:

  • High accuracy threat intel

  • Attribution to threat groups

  • Detailed TTP-level intelligence

  • Automated blocking

  • SOC-level enrichment

These feeds reduce false positives dramatically.


3. Government & CERT Threat Feeds

Provided by government security agencies.

Examples:

  • US-CERT

  • CERT-In (India)

  • Europol EC3

  • NCSC (UK)

  • JPCERT

Use cases:

  • Critical infrastructure alerts

  • Sector-specific threats

  • Rapid geopolitical threat context

Government feeds often alert about nation-state activity.


4. Industry-Specific Feeds (ISAC Feeds)

Sector-specific intelligence sharing communities.

Examples:

  • FS-ISAC (Financial)

  • H-ISAC (Healthcare)

  • MS-ISAC (State/Local Gov)

  • Oil & Gas ISAC

Use cases:

  • Targeted industry campaigns

  • Sector-specific threats

  • Vertical domain intelligence

These are crucial for high-risk industries.


5. Internal Threat Feeds (Enterprise-Specific)

Created from internal SOC data.

Examples:

  • Malware hashes from internal incidents

  • Blocked IPs from firewall logs

  • DNS queries linked to internal compromises

  • Indicators pulled from forensic analysis

Use cases:

  • Improving SIEM detection

  • Building local threat models

  • Correlating repeating internal patterns

Internal feeds strengthen defenses against repeated attacks.


Threat Feed Formats

Threat feeds come in structured formats for automation:

  • STIX

  • TAXII

  • JSON

  • CSV

  • OpenIOC

  • MISP format

These formats integrate directly into SIEM, EDR, and SOAR.


How Threat Feeds Are Integrated into SOC Tools

1. SIEM Integration

SIEM automatically ingests threat feeds and matches logs against indicators.

Example match conditions (pseudocode):

domain IN threat_intel.domains
dest_ip IN threat_intel.c2_ips
hash IN threat_intel.malware_hashes

If a match occurs → high-severity alert.
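As an added example (not part of this page), a minimal version of that matching step in Python: it loads a constructed CSV feed, normalises indicators so that defanged, differently-cased or trailing-dot values still compare equal, skips malformed log values instead of crashing, and raises a high-severity alert when an event's destination IP, domain or hash appears in the feed. The feed rows, log events and SIEM field names are constructed assumptions.

```python
import csv
import io
import ipaddress
# Constructed sample feed (CSV); the indicators are not real IOCs.
FEED_CSV = """type,value,label
ip,203.0.113.45,C2 (constructed sample)
domain,Update-Check[.]example,phishing (constructed sample)
md5,0123456789ABCDEF0123456789ABCDEF,loader (constructed sample)"""
# Log field -> indicator type (assumed SIEM field names).
FIELD_TO_TYPE = {"dest_ip": "ip", "domain": "domain", "hash": "md5"}

def normalize(ioc_type, value):  # canonicalise: refang, case, trailing dot
    v = value.strip().replace("[.]", ".")
    if ioc_type == "domain":
        return v.lower().rstrip(".")
    if ioc_type == "ip":
        return str(ipaddress.ip_address(v))  # ValueError if malformed
    return v.lower()  # hashes

def load_feed(text):  # build {type: {indicator: label}} lookup tables
    index = {}
    for row in csv.DictReader(io.StringIO(text)):
        t = row["type"].lower()
        index.setdefault(t, {})[normalize(t, row["value"])] = row["label"]
    return index

def match_event(index, event):  # (field, indicator, label) hits; [] if clean
    hits = []
    for field, raw in event.items():
        t = FIELD_TO_TYPE.get(field)
        if not (t and raw):
            continue  # field is not indicator-bearing, or empty
        try:
            key = normalize(t, raw)
        except ValueError:
            continue  # malformed log value can never equal a valid indicator
        label = index.get(t, {}).get(key)
        if label:
            hits.append((field, key, label))
    return hits

def alert(index, event):  # SIEM rule outcome: any match -> high-severity alert
    hits = match_event(index, event)
    return {"severity": "high" if hits else "none", "hits": hits}

EVENTS = [  # constructed log events: C2 IP, trailing-dot domain, malformed IP
    {"src": "10.0.0.7", "dest_ip": "203.0.113.45"},
    {"src": "10.0.0.8", "dest_ip": "198.51.100.2", "domain": "update-check.example."},
    {"src": "10.0.0.9", "dest_ip": "bad", "hash": "0123456789abcdef0123456789abcdef"},
]
```

Running `alert(load_feed(FEED_CSV), e)` over `EVENTS` yields one hit per event; the second matches on the domain despite its trailing dot, the third on the hash despite the unparseable IP.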


2. EDR / XDR Integration

EDR uses feeds to block:

  • Known malware

  • Known bad domains

  • Suspicious PowerShell command patterns

Example:

Block hash=F71AC3... (Emotet Loader)


3. Firewall Integration

Firewalls use threat feeds to:

  • Block C2 IPs

  • Block malicious TLDs

  • Block newly registered domains

  • Block TOR nodes


4. DNS & Proxy Integration

DNS filtering uses threat feeds to:

  • Sinkhole malware domains

  • Prevent phishing access

  • Block DGA-based domains

Proxy uses feeds to:

  • Block malware downloads

  • Block malicious file types


Validating Threat Feeds (SOC Requirement)

Not all feeds are equal. Analysts must validate:

  • Accuracy

  • Freshness

  • Noise level

  • Overlap with known campaigns

  • Threat actor attribution

  • Behavior patterns

Too many unfiltered feeds → high false positive rate.


Using Threat Feeds for Investigation

Below are practical SOC techniques.


1. IOC Enrichment

Alert:

Outbound to 91.22.113.10

Threat feed says:

  • Cobalt Strike C2

  • Active in APT29 campaigns

  • Associated with ransomware

Result:

  • Immediate escalation

  • Host isolation


2. Correlation Across Multiple Feeds

Domain:

sync-update-login.net

Check:

  • OpenPhish → phishing domain

  • OTX → part of AsyncRAT campaign

  • Spamhaus → malicious

  • VirusTotal → seen in 10 malware samples

Conclusion:

  • Highly malicious

  • Start IR
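As an added example (not from this page), one way to turn the validation criteria listed earlier (freshness, per-feed reliability, overlap across feeds) into a repeatable verdict for a multi-feed check like the one just described. Feed names, reliability weights, thresholds and dates are constructed assumptions, not vendor ratings.

```python
from datetime import date

# Analyst-assigned reliability per feed (constructed weights, not vendor ratings).
# 1.0 = curated commercial source, 0.4 = noisy community list; tune per SOC.
FEED_RELIABILITY = {"commercial_a": 1.0, "otx": 0.7, "openphish": 0.8, "community_list": 0.4}
DEFAULT_RELIABILITY = 0.2  # unknown feed: counted, but barely
MAX_AGE_DAYS = 30          # indicator unseen this long contributes nothing
TODAY = date(2024, 6, 1)   # fixed "now" so the example is reproducible

def freshness_factor(last_seen, today=TODAY):
    """Linear decay from 1.0 (seen today) to 0.0 (unseen for MAX_AGE_DAYS)."""
    age = max(0, (today - last_seen).days)
    return max(0.0, 1.0 - age / MAX_AGE_DAYS)

def score_indicator(hits, today=TODAY):
    """hits: [(feed_name, last_seen_date)]. Returns (score, feeds that counted)."""
    score, used = 0.0, []
    for feed, last_seen in hits:
        w = FEED_RELIABILITY.get(feed, DEFAULT_RELIABILITY) * freshness_factor(last_seen, today)
        if w > 0:
            score += w
            used.append(feed)
    if len(used) >= 2:  # independent feeds agreeing is stronger evidence than one
        score *= 1.25
    return score, used

def verdict(score, n_feeds):
    """Map score to the action an analyst would take; thresholds are assumptions."""
    if score >= 1.5 and n_feeds >= 2:
        return "block and escalate"
    if score >= 0.7:
        return "investigate"
    return "monitor"

def assess(indicator, hits, today=TODAY):
    score, used = score_indicator(hits, today)
    return {"indicator": indicator, "score": round(score, 2), "feeds": used,
            "verdict": verdict(score, len(used))}

# Constructed lookups for the multi-feed check described above.
CORROBORATED = [("otx", date(2024, 5, 27)), ("openphish", date(2024, 5, 31)),
                ("community_list", date(2024, 5, 30))]
STALE = [("community_list", date(2024, 4, 1))]          # 61 days old: decays to 0
SINGLE_STRONG = [("commercial_a", date(2024, 6, 1))]    # one curated feed, today
```

`assess("sync-update-login.net", CORROBORATED)` comes out as "block and escalate", while a single stale community hit decays to "monitor" and a lone fresh curated hit lands on "investigate", which is the noise reduction the validation section asks for.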


3. Campaign Identification

Threat feed reveals:

LockBit using new C2 domains since last week.

SOC checks internal logs for those domains.


4. Automatic Blocking Decisions

If feed shows:

IP used for ransomware distribution

SOC blocks it across:

  • Firewall

  • EDR

  • Proxy

  • DNS


5. Threat Hunting

Threat feed lists:

Fresh IOCs for QakBot.

Hunting query:

process_name:powershell AND domain IN qakbot_feed


Threat Feed Problems & Analyst Responsibilities

Threat feeds are powerful but imperfect.

Common Challenges:

  • High false positives

  • Outdated indicators

  • No context or behavior

  • Overlapping feeds

  • Too many low-quality sources

Analysts must:

  • Validate feeds

  • Reduce noise

  • Mark feed reliability

  • Tune SIEM rules

Blind trust in threat feeds is dangerous.


Real SOC Case Study

Scenario: Firewall Alert for Outbound Connection

DST=45.155.204.57

Threat feed results:

  • OTX → part of APT41 infrastructure

  • VirusTotal → 20 detections

  • URLHaus → distributing .NET dropper

  • GreyNoise → NOT noise

Outcome:

  • Host isolated

  • Lateral movement checks begin

  • MITRE mapping created

Threat feed → instant escalation path.


Intel Dump

  • Threat feeds are continuous streams of IOCs such as IPs, domains, hashes, and URLs.

  • Feeds come from OSINT, commercial vendors, CERTs, ISACs, and internal investigations.

  • They integrate with SIEM, EDR, firewalls, DNS filters, and proxy systems.

  • Analysts use feeds for enrichment, detection, threat hunting, and automated blocking.

  • Feeds must be validated for accuracy and context to prevent false positives.

  • High-quality threat feeds boost SOC detection, speed analysis, and improve incident response.
