Day 19 – Threat Intelligence (TI) Basics + IOC Feeds + TI Platforms

Today your students learn how SOC analysts use Threat Intelligence to detect and block threats faster.
This is a core SOC skill and very important for interviews.


🧠 1. What Is Threat Intelligence?

Threat Intelligence = Information about bad IPs, domains, malware, and attacker behavior.

TI tells SOC analysts:

  • Which IPs are malicious
  • Which domains are used in attacks
  • Which malware is trending
  • What to block immediately
  • How to investigate alerts faster

🔥 2. Types of Threat Intelligence

1️⃣ Tactical TI

Practical IOCs used daily:

  • IPs
  • Domains
  • URLs
  • File Hashes
  • Malware names
  • C2 servers

Used by: L1 SOC Analysts


2️⃣ Operational TI

Details about:

  • Attack campaigns
  • Malware families
  • TTPs (attack techniques)

Used by: L2/L3 SOC, IR team


3️⃣ Strategic TI

High-level insights for management:

  • Trends
  • Targeted industries
  • Risk forecasts

Used by: CISOs, leadership


📁 3. What Are IOCs (Indicators of Compromise)?

IOC Type            Example
Malicious IP        185.220.101.1
Malicious Domain    secure-login-office365.com
File Hash           md5: 44d88612fea8…
URL                 hxxp://badsite[.]com
User Agent          python-requests/2.25

SOC analysts search the SIEM for these values to find hosts or users that touched them. Feeds often deliver indicators defanged (hxxp, [.]) so they cannot be clicked by accident; they must be refanged before matching and defanged again when written into a ticket.
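The following is an added example (not from the lesson) of a small IOC feed parser: it refangs each line, classifies it by type, and defangs values again for display. The feed lines are constructed for the example; the hash value is made up and the IPs/domains are the lesson's sample values.

```python
import re

# Constructed raw feed lines (not a real feed). Feeds typically mix plain and
# defanged indicators, sometimes with a hash-type label in front.
RAW_FEED = """\
185.220.101.1
secure-login-office365[.]com
md5: 0123456789abcdef0123456789abcdef
hxxp://badsite[.]com/login
hxxps://evil(.)example(.)net
python-requests/2.25
"""

IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
HEX = re.compile(r"^[0-9a-fA-F]+$")
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
URL = re.compile(r"^https?://", re.IGNORECASE)
DOMAIN = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$",
    re.IGNORECASE,
)


def refang(value):
    """Turn a defanged indicator back into its matchable form."""
    v = value.strip()
    v = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", v)          # [.] (.) {.} -> .
    v = re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)  # hxxp(s):// -> http(s)://
    v = re.sub(r"^(sha256|sha1|md5)\s*:\s*", "", v, flags=re.IGNORECASE)
    return v


def defang(value):
    """Inverse of refang, for safe display in tickets and reports."""
    return re.sub(r"^http", "hxxp", value.replace(".", "[.]"), flags=re.IGNORECASE)


def classify(value):
    """Return the IOC type of a refanged value; 'unknown' if no rule matches."""
    m = IPV4.match(value)
    if m and all(0 <= int(octet) <= 255 for octet in m.groups()):
        return "ip"
    if HEX.match(value) and len(value) in HASH_LENGTHS:
        return HASH_LENGTHS[len(value)]
    if URL.match(value):
        return "url"
    if DOMAIN.match(value):
        return "domain"
    return "unknown"


def parse_feed(text):
    """Return (ioc_type, value) per non-empty, non-comment line.

    Hashes and domains are lowercased so they match case-insensitively in a SIEM;
    URLs keep their case because paths can be case-sensitive.
    """
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        value = refang(line)
        ioc_type = classify(value)
        if ioc_type in ("md5", "sha1", "sha256", "domain"):
            value = value.lower()
        out.append((ioc_type, value))
    return out


if __name__ == "__main__":
    for ioc_type, value in parse_feed(RAW_FEED):
        print(f"{ioc_type:8} {value:45} display: {defang(value)}")
```

The user-agent line falls through to "unknown": not every feed line is a value you can search for directly, and those lines need an analyst's eye rather than an automatic block.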


🌐 4. Top Threat Intelligence Platforms

✔ VirusTotal

  • Check file hashes
  • Check IP/domain reputation
  • Sandbox results

✔ AbuseIPDB

  • IP reputation database

✔ AlienVault OTX

  • Free threat feeds

✔ IBM X-Force

  • Malware + IP intelligence

✔ Cisco Talos

  • Threat insights

✔ MISP

  • Open-source threat sharing platform

✔ Microsoft Defender TI

  • Enterprise-grade threat intel

🔍 5. IOC Search in Splunk (Very Easy)

Search IP:

index=* 185.220.101.1

Search Domain:

index=* "secure-login-office365.com"

Search Hash (Splunk matches whole terms, so a partial hash needs a trailing wildcard):

index=* "44d88612fea*"

Search URL:

index=* "/login"

index=* is fine for a lab; in production, scope the search to the relevant index and time range so it returns quickly and does not hit every data source.


🔄 6. Threat Intelligence + MITRE

TI can identify:

  • Phishing domains → T1566
  • Brute force IPs → T1110
  • Malware hashes → T1059
  • C2 servers → T1071

🛠 7. Day 19 Hands-On Lab

Task 1 – IP Reputation Lookup

Students pick one IP and check:

  • VirusTotal
  • AbuseIPDB
  • OTX

Task 2 – IOC Search in Splunk

Search for:

  • Malicious IP
  • Bad domain
  • File hash

Task 3 – Create an IOC Enrichment Query

Example (the lookup's ip column must be matched against the event field IpAddress, hence the AS clause):

index=* IpAddress=*
| lookup threat_feed ip AS IpAddress OUTPUT reputation
| table IpAddress reputation _time


Task 4 – Build a TI Dashboard Panel

Example query:

index=* threat=high
| stats count by IpAddress
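As an added example (not part of the lesson or of Splunk), this Python script does offline what Task 3, Task 4 and the TI + MITRE section describe: it enriches log events with reputation and MITRE technique from a threat feed, counts high-reputation hits per IP, and renders the feed as the CSV a Splunk lookup would load. The feed contents and log events are constructed; the technique mapping is the lesson's own.

```python
import csv
import io
from collections import Counter

# Category -> technique mapping from the lesson's TI + MITRE section.
CATEGORY_TO_TECHNIQUE = {
    "phishing": "T1566",
    "brute_force": "T1110",
    "malware": "T1059",
    "c2": "T1071",
}

# Constructed threat feed (hypothetical reputations, not a real feed).
THREAT_FEED = {
    "185.220.101.1": {"reputation": "high", "category": "brute_force"},
    "203.0.113.45": {"reputation": "high", "category": "c2"},
    "198.51.100.7": {"reputation": "medium", "category": "phishing"},
}

# Constructed log events, shaped like the IpAddress/_time fields the lab queries use.
EVENTS = [
    {"_time": "2024-01-10T08:00:01Z", "IpAddress": "185.220.101.1", "action": "login_failed"},
    {"_time": "2024-01-10T08:00:02Z", "IpAddress": "185.220.101.1", "action": "login_failed"},
    {"_time": "2024-01-10T08:05:00Z", "IpAddress": "10.0.0.5", "action": "login_ok"},
    {"_time": "2024-01-10T08:07:30Z", "IpAddress": "203.0.113.45", "action": "outbound_connect"},
    {"_time": "2024-01-10T08:09:00Z", "IpAddress": "198.51.100.7", "action": "mail_click"},
]


def enrich(events, feed):
    """Local equivalent of `| lookup threat_feed ip AS IpAddress OUTPUT reputation`.

    Each event gets reputation, category and MITRE technique; IPs not in the feed
    are marked 'unknown' rather than dropped, so the analyst still sees them.
    """
    out = []
    for ev in events:
        hit = feed.get(ev["IpAddress"])
        row = dict(ev)
        row["reputation"] = hit["reputation"] if hit else "unknown"
        row["category"] = hit["category"] if hit else None
        row["technique"] = CATEGORY_TO_TECHNIQUE.get(hit["category"]) if hit else None
        out.append(row)
    return out


def count_by_ip(enriched, reputation="high"):
    """Local equivalent of `threat=high | stats count by IpAddress` (the dashboard panel)."""
    return dict(Counter(e["IpAddress"] for e in enriched if e["reputation"] == reputation))


def lookup_csv(feed):
    """Render the feed as the CSV a Splunk lookup definition would load (columns ip, reputation, category)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["ip", "reputation", "category"])
    for ip, info in sorted(feed.items()):
        writer.writerow([ip, info["reputation"], info["category"]])
    return buf.getvalue()


if __name__ == "__main__":
    enriched = enrich(EVENTS, THREAT_FEED)
    for row in enriched:
        print(row["_time"], row["IpAddress"], row["reputation"], row["technique"])
    print("high-reputation hits by IP:", count_by_ip(enriched))
    print(lookup_csv(THREAT_FEED))
```

Keeping unknown IPs in the output matters: a lookup that silently discards non-matching events hides the baseline traffic the analyst compares the hits against.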


🎤 Trainer Script

Say this:

“Threat Intelligence makes SOC faster.
Instead of investigating blindly, we use IOCs to instantly know if an IP or domain is malicious.”


📝 Homework (Day 19)

Students submit:

  1. One IP + reputation
  2. One domain + reputation
  3. One IOC search in Splunk
  4. MITRE mapping
