What is Threat Intelligence?

Threat Intelligence (TI) is the collection, analysis, and application of information about threats, adversaries, malicious infrastructure, and attacker behavior.
It provides SOC teams with actionable knowledge that helps them detect attacks earlier, respond faster, and prevent future compromises.

TI is not just raw data.
It becomes useful only when enriched, analyzed, validated, and applied to SOC workflows such as detection engineering, threat hunting, alert triage, and incident response.

This chapter explains threat intelligence at the depth a SOC needs, including its types, sources, practical use, and real examples of how TI changes investigations.


Purpose of Threat Intelligence

Threat Intelligence enables SOC teams to:

  • Identify known malicious IPs, domains, hashes, URLs

  • Recognize attacker tools, malware families, and TTPs

  • Map attacker behavior to MITRE ATT&CK

  • Prioritize alerts using intelligence context

  • Detect new or emerging campaigns

  • Understand motivations and targets of threat groups

  • Enhance detection rules based on observed adversary techniques

  • Anticipate how attackers may evolve their methods

Threat Intelligence turns scattered threat data into actionable security knowledge.


Threat Intelligence Types

TI is divided into four major types that SOC analysts use daily.


1. Strategic Threat Intelligence

Strategic TI provides big-picture insights for leadership and long-term security planning.

Covers:

  • Global threat trends

  • APT activity

  • High-level risks

  • Geopolitical motivations

  • Industry-specific targets

Audience:

  • CISOs

  • Executives

  • Risk management teams

Example:

Healthcare sector facing increased ransomware targeting during Q2.

2. Tactical Threat Intelligence

Tactical TI focuses on attacker behaviors, specifically TTPs (Tactics, Techniques, Procedures).

It answers:

  • How attackers operate

  • What techniques they use

  • What tools they rely on

  • How attacks progress

Mapped using MITRE ATT&CK.

Example:

APT29 using T1059.001 (PowerShell) for execution and T1071 (Web C2) for command-and-control.

SOC analysts use tactical TI to build effective detection rules.


3. Operational Threat Intelligence

Operational TI gives information about ongoing campaigns, including:

  • Current attack methods

  • Active malware families

  • New attack infrastructure

  • Unfolding phishing campaigns

  • Threat actor targeting patterns

Example:

New campaign using RoyalRAT targeting finance companies in Asia.
Domains: secure-login-check[.]com, session-update[.]net

This helps SOC teams prepare for incoming threats.


4. Technical Threat Intelligence

Technical TI contains immediate, actionable indicators:

  • Malicious IPs

  • Malicious domains

  • File hashes

  • URLs

  • Malware signatures

Examples:

91.22.113.10 → Cobalt Strike C2
SHA256 → F33AC90D91… → LockBit dropper hash
download.php?id=421 → malware URL

These indicators integrate directly into SIEM, EDR, and firewall rules.


Threat Intelligence Sources

SOC teams gather TI from multiple places.

Internal Sources

  • SIEM alerts

  • EDR telemetry

  • Malware sandbox results

  • Incident investigation artifacts

External Sources

  • Threat feeds (open-source or paid)

  • ISAC/ISAO communities

  • Government CERT advisories

  • Vendor reports (Palo Alto, Mandiant, CrowdStrike)

  • GitHub IOCs from researchers

  • VirusTotal

  • Hybrid-Analysis

  • Malware sandboxes

  • Passive DNS databases

Human Intelligence

  • Community analysts

  • IR teams

  • Reverse engineers

Good TI combines technical indicators with behavioral insights.


How Threat Intelligence is Consumed in SOC

Threat Intelligence is not useful until it is applied.

Below is exactly how SOC analysts use it.


1. SIEM Correlation With Threat Feeds

Threat feeds load malicious IPs, domains, and hashes into the SIEM as lookup lists that correlation rules reference.

Example conditions:

dest_ip IN threat_intel.feed
domain IN threat_intel.malicious_domains
hash IN threat_intel.hash_list

When logs match TI indicators, alerts fire immediately.


2. Alert Triage Enhancement

TI adds context to alerts.

Example:

Alert: Outbound connection to 91.22.113.10
TI: Known Cobalt Strike C2 active in Europe
Outcome: Escalate immediately

Without TI, this alert might look insignificant.
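The following Python script is an added example (not code from this chapter) covering both the SIEM correlation and the alert triage passages above: it extracts IPs, domains and SHA256 hashes from constructed DNS, firewall and Sysmon log lines, looks them up in a small feed built from this chapter's own sample indicators, and attaches the TI context and a triage action. The feed entries, the severity-to-action mapping and the placeholder hash are assumptions.

```python
import hashlib
import re

# Constructed feed keyed by indicator type: IP and domain reuse this chapter's examples;
# the SHA256 is generated here as a placeholder, not a real sample hash.
PLACEHOLDER_HASH = hashlib.sha256(b"constructed placeholder sample").hexdigest()
THREAT_INTEL = {
    "ip": {"91.22.113.10": ("Cobalt Strike C2", "active in Europe", "critical")},
    "domain": {"checkin-control-sync.net": ("PlugX", "targeted attacks last week", "critical")},
    "hash": {PLACEHOLDER_HASH: ("LockBit loader", "ransomware precursor", "critical")},
}
# Indicator extractors. Over-matching ("update.exe" looks like a domain) is harmless: only feed hits alert.
PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "hash": re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}
# Assumed triage policy: the feed's severity decides the analyst action.
SEVERITY_ACTION = {"critical": "escalate immediately", "high": "investigate", "medium": "monitor"}

def extract_indicators(log_line):
    """Return (type, value) pairs found in one log line, lower-cased for lookup."""
    return [(kind, v.lower()) for kind, rx in PATTERNS.items() for v in rx.findall(log_line)]

def correlate(log_lines, feed=THREAT_INTEL):
    """Match extracted indicators against the feed and attach TI context plus a triage action."""
    alerts = []
    for line in log_lines:
        for kind, value in extract_indicators(line):
            hit = feed.get(kind, {}).get(value)
            if hit is None:
                continue  # indicator not in the feed: nothing fires
            name, note, severity = hit
            alerts.append({"indicator": value, "type": kind, "threat": name, "context": note,
                           "severity": severity, "action": SEVERITY_ACTION[severity], "log": line})
    return alerts

# Constructed sample logs: a DNS query, a firewall event, a Sysmon Event ID 1, and a benign query.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z dns query=checkin-control-sync.net src=10.0.0.5",
    "2024-05-01T10:00:02Z fw SRC=10.0.0.5 DST=91.22.113.10 DPT=443 action=allow",
    f"2024-05-01T10:00:03Z sysmon EventID=1 Image=C:\\Temp\\update.exe Hashes=SHA256={PLACEHOLDER_HASH}",
    "2024-05-01T10:00:04Z dns query=www.example.com src=10.0.0.7",
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        print(f"{a['severity'].upper()}: {a['type']} {a['indicator']} -> {a['threat']} ({a['context']}); {a['action']}")
```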


3. Threat Hunting

TI guides hunting hypotheses.

Example:

Hunt for T1059.001 (PowerShell) scripts used by APT41.

Hunters analyze:

  • PowerShell logs

  • Sysmon EventID 1

  • Encoded command patterns


4. Incident Response

TI helps IR teams:

  • Identify malware family

  • Understand attacker motives

  • Predict next steps

  • Prepare containment strategies

Example:

Malware hash matches QakBot sample.
IR knows QakBot later deploys ransomware.
Containment becomes urgent.

5. Blocking Decisions

TI directly influences:

  • Firewall block lists

  • DNS sinkholes

  • Proxy filters

  • EDR block rules

Example:

All outbound traffic to newly registered domains < 7 days old is blocked.

Threat Intelligence Lifecycle (How TI is Created)

TI follows a structured lifecycle:

  1. Collection
    Gather logs, IOCs, malware samples, threat feeds.

  2. Processing
    Normalize, deduplicate, categorize, enrich.

  3. Analysis
    Determine meaning, relevance, severity.

  4. Dissemination
    Deliver intelligence to SOC tools/audiences.

  5. Feedback
    Improve TI accuracy based on SOC feedback.

This lifecycle ensures TI is reliable, current, and actionable.
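The Processing step (normalize, deduplicate, categorize) is the one most often done by hand, so here is an added Python example of it (not code from this chapter): it refangs defanged indicators, lowercases them, classifies each as IP, hash, URL or domain, drops anything a SIEM lookup could not use, and deduplicates. The raw feed reuses this chapter's sample indicators; the defanging table, classifiers and the truncated hash "deadbeef00" are constructed assumptions.

```python
import re

# Constructed raw feed as a SOC receives it: defanged, mixed case, duplicated, plus junk.
# Values reuse this chapter's sample indicators; "deadbeef00" is a constructed truncated hash.
RAW_FEED = [
    "secure-login-check[.]com",
    "Session-Update[.]NET",
    "hxxp://session-update[.]net/download.php?id=421",
    "91.22.113[.]10",
    "91.22.113.10",
    "deadbeef00",
    "supportoffice-login[.]net",
    "secure-login-check.com",
]
# Assumed defanging conventions, undone in this order.
DEFANG = [("[.]", "."), ("(.)", "."), ("{.}", "."), ("[:]", ":"), ("[://]", "://"), ("hxxp", "http")]
CLASSIFIERS = [
    ("ip", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")),
    ("hash", re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")),  # MD5 / SHA1 / SHA256
    ("url", re.compile(r"^https?://\S+$")),
    ("domain", re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")),
]

def refang(value):
    """Undo defanging and normalize case so the value compares equal to live telemetry."""
    value = value.strip().lower()
    for old, new in DEFANG:
        value = value.replace(old, new)
    return value

def classify(value):
    """Return the indicator type, or None for values no SIEM lookup could use."""
    for kind, rx in CLASSIFIERS:
        if rx.match(value):
            if kind == "ip" and any(int(octet) > 255 for octet in value.split(".")):
                return None  # looks like an IP but has an impossible octet
            return kind
    return None

def process(raw_items):
    """Processing step: normalize, classify, deduplicate; unusable values land in 'dropped'."""
    buckets = {"ip": set(), "hash": set(), "url": set(), "domain": set(), "dropped": set()}
    for item in raw_items:
        value = refang(item)
        buckets[classify(value) or "dropped"].add(value)
    return {kind: sorted(values) for kind, values in buckets.items()}

if __name__ == "__main__":
    for kind, values in process(RAW_FEED).items():
        print(f"{kind}: {values}")
```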


Real Examples of Threat Intelligence in Action

Example 1 — Malicious Domain Lookup in DNS Logs

DNS log:

query: checkin-control-sync.net

TI says:

  • Domain belongs to malware family: PlugX

  • Active in targeted attacks last week

  • Requires immediate escalation

SOC can respond instantly.


Example 2 — Outbound to Suspicious IP

Firewall log:

DST=185.22.44.11

TI identifies:

  • C2 of a banking trojan

  • Seen in current phishing wave

Analyst escalates → host isolated.


Example 3 — File Hash Match

Sysmon:

Hash=FF39A...2C → matches LockBit ransomware loader

This immediately classifies the incident as high-severity.


Example 4 — Email Phishing Attempt

Email log:

From: security-microsoft@supportoffice-login[.]net

TI identifies the domain as part of an active global phishing campaign.


Analyst Workflow Using Threat Intelligence

  1. Receive alert

  2. Check IP/domain/hash reputation

  3. Enrich with threat feed context

  4. Correlate with logs

  5. Identify malware family or threat actor

  6. Determine severity

  7. Decide escalation path

  8. Apply detection/hunting queries

  9. Update rules with new IOCs

  10. Document intelligence impact

TI accelerates and strengthens every investigation.


Intel Dump

  • Threat Intelligence provides actionable data about attackers, infrastructure, malware, and campaigns.

  • TI comes in four types: strategic, tactical, operational, and technical.

  • SOC uses TI for SIEM correlation, alert triage, threat hunting, and incident response.

  • TI sources include logs, threat feeds, sandbox results, intel platforms, and vendor research.

  • Effective TI must be enriched, analyzed, and applied—raw data alone is not intelligence.

  • TI enables faster detection, deeper investigations, and better defense against evolving threats.
