Enhancing Cyber Defence with Threat Intelligence in CSOC
Preamble
In the fast-paced world of cybersecurity, SOC (Security Operations Centre) analysts are on the frontlines, working tirelessly to protect organisations from an ever-growing list of digital threats.
Cyber Threat Intelligence (CTI) is an essential part of this defence, providing analysts with the insights they need to detect and respond to attacks efficiently and facilitating ongoing learning from cyberattacks to transition from a reactive to a proactive approach.
For L1 and L2 analysts, the Cyber Threat Intelligence Feed-XLM is integrated directly into their daily operations, helping them stay ahead of cyber adversaries. Here’s how we integrate threat intelligence into our workflow and why it’s so crucial.
Introduction
At its core, threat intelligence involves the collection, analysis, and use of information related to potential or ongoing cyber threats. In an SOC environment, this means ingesting Indicators of Compromise (IoCs) into CTI systems to enrich detection capabilities, while Indicators of Attack (IoAs) are used to develop detection use cases and identify suspicious behaviours through detection and analysis tools, often with automated workflows to streamline response.
▪️ Indicators of Compromise (IoCs): These are artefacts or evidence suggesting a system has been compromised, such as IP addresses, domains, URLs and hashes. For example, a suspicious IP address involved in exfiltrating data or a domain associated with a botnet’s C2 server.
▪️ Indicators of Attack (IoAs): These are behaviours or patterns indicating a potential or ongoing attack, such as unusual login attempts, abnormal network traffic spikes, or suspicious file modifications.
Additionally, we work with Tactics, Techniques, and Procedures (TTPs), which describe the methods attackers use, as outlined in frameworks like MITRE ATT&CK. The link between CTI and TTPs is crucial for understanding attacker behaviours and building effective defences.
Cyber Threat Intelligence Feed-XLM: The Daily Update
Threat intelligence is constantly evolving. Each day, we receive updated feeds with new IoCs from a variety of sources, including forensic analysis data from our customers, security vendor reports, various CSIRT teams, and community platforms such as MISP (Malware Information Sharing Platform) and phishing-sharing platforms, along with hundreds of other external resources.
Cyber Threat Intelligence Feed-XLM is integrated into our SIEM (Security Information and Event Management) systems, enabling us to detect potential attacks in real time.
One key benefit of this process is the ability to use IoCs from one client (sharing) to help protect others. When one client is targeted, we leverage the threat intelligence gained from that incident to safeguard another. It’s like learning from someone else’s misfortune; what harms one can prevent an attack on another.
Eyeguard-Lens, Part of the Cyber Threat Intelligence Feed-XLM Offering: An All-in-One Threat Intelligence Tool
Why search across multiple platforms when Eyeguard-Lens consolidates everything into one user-friendly interface? By integrating external sources like VirusTotal, URLAbuse, AbuseIPDB, and WHOIS with internal CTI, Eyeguard-Lens offers a comprehensive threat intelligence overview on a single page. This aggregation streamlines the process, making it quicker and more efficient for SOC teams to access critical data. It also includes the DNS/Passive DNS feature, covered in the next section.
In the Thales SOC, Eyeguard-Lens is essential for evaluating the reputation of URLs and IPs and identifying potentially malicious activity. Its ability to visualise relationships between IPs and connected domains enhances incident analysis and response. By providing detailed analysis of Indicators of Compromise (IoCs), including malicious IPs and domains linked to cyber threats, Eyeguard-Lens improves decision-making and boosts SOC efficiency.
DNS & Passive DNS: Tracking Historical Data
Another critical component of threat intelligence is DNS and Passive DNS data. Passive DNS essentially serves as a historical record of how domain names have resolved to specific IPs over time. This allows us to track when a domain was first and last seen, as well as the IP addresses it is associated with.
By integrating this data with tools like TCS-CERT passive DNS, we can improve our ability to monitor domain activity and detect suspicious behaviour. The TCS-CERT passive DNS tool not only stores DNS data from customers but also incorporates OSINT to assist in retro hunting Indicators of Compromise (IoCs), phishing detection, and alert triage.
For example, when a user accesses a domain, TCS-CERT passive DNS retrieves information about the destination IP from various sources, such as proxy or DNS logs. This gives us a clearer picture of the domains being accessed across different networks, helping us identify potentially malicious connections and other security threats.
The Customer Hits card provides valuable insights by tracking the number of hits made by SOC customers based on Passive DNS (PDNS) data. This feature is crucial for identifying emerging threats and understanding the attack patterns that might affect different clients.
Threat Hunting: Because hunting for threats is more thrilling than a treasure hunt!
Threat hunting is the proactive process of searching through logs to identify suspicious or malicious activity that has bypassed automated detection rules or use cases.
The goal is to spot patterns, unusual behaviours, or hidden threats that traditional alerts may have missed, especially advanced or stealthy attacks. Threat hunters analyse logs from sources like network traffic, endpoint events, and authentication logs, looking for anomalies or indicators of compromise (IoCs) that could reveal an undetected attack.
Retro Hunting: The Threat Hunting package's blast from the past - catching the threats that thought they could escape
Not all threats are detected in real time. Sometimes, it’s necessary to look back at historical data to uncover previously missed threats, a process known as retro hunting. Our internal tool is designed specifically for this purpose. When a new IoC is identified, we scan past activity to check for any prior hits on customer networks. If a match is found, it triggers an alert, allowing us to address the threat retroactively.
Retro hunting is particularly useful because IoCs are often received after an incident has occurred. By reviewing telemetry data without adding extra load to our SIEM systems, we can catch threats that might have slipped through the cracks.
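As an added illustration (not Thales tooling and not code from this article), the following Python sketch builds a passive-DNS index with first/last seen, resolved IPs and per-customer hit counts from constructed telemetry, then retro hunts newly received IoCs against it; it also pivots IP IoCs through the domain/IP relationships, going slightly beyond the text. All domains, IPs, customer names and record layout are placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed historical DNS/proxy telemetry (placeholders, not real indicators).
# Fields: timestamp, customer, source host, queried domain, resolved IP.
TELEMETRY = [
    ("2024-06-03T09:14:00", "cust-a", "ws-101", "tickets-2024-example.test", "203.0.113.10"),
    ("2024-06-05T11:02:00", "cust-a", "ws-117", "tickets-2024-example.test", "203.0.113.10"),
    ("2024-06-20T16:45:00", "cust-b", "ws-220", "tickets-2024-example.test", "203.0.113.22"),
    ("2024-06-21T08:00:00", "cust-b", "ws-221", "intranet.example.test", "10.0.0.5"),
    ("2024-07-02T13:30:00", "cust-c", "ws-330", "cdn.example.test", "198.51.100.7"),
]

@dataclass
class PdnsRecord:
    """One passive-DNS entry: resolution history plus per-customer hit counts."""
    first_seen: datetime
    last_seen: datetime
    ips: set = field(default_factory=set)
    hits_by_customer: dict = field(default_factory=lambda: defaultdict(int))

def build_pdns(records):
    """Aggregate raw telemetry into a passive-DNS index keyed by domain."""
    index = {}
    for ts, customer, _host, domain, ip in records:
        when = datetime.fromisoformat(ts)
        rec = index.setdefault(domain, PdnsRecord(when, when))
        rec.first_seen, rec.last_seen = min(rec.first_seen, when), max(rec.last_seen, when)
        rec.ips.add(ip)
        rec.hits_by_customer[customer] += 1
    return index

def retro_hunt(new_iocs, pdns):
    """Match newly received IoCs ({'domain': set, 'ip': set}) against the index.
    An IP IoC is pivoted through PDNS: every domain that resolved to it is flagged,
    and 'matched_on' tells the analyst which indicator hit. One alert per affected
    (customer, domain) pair, oldest first."""
    alerts = []
    for domain, rec in pdns.items():
        matched = {domain} if domain in new_iocs.get("domain", set()) else set()
        matched |= rec.ips & new_iocs.get("ip", set())
        if not matched:
            continue
        for customer, hits in rec.hits_by_customer.items():
            alerts.append({"customer": customer, "domain": domain, "hits": hits,
                           "matched_on": sorted(matched),
                           "first_seen": rec.first_seen.isoformat(),
                           "last_seen": rec.last_seen.isoformat()})
    return sorted(alerts, key=lambda a: (a["first_seen"], a["customer"]))
```

Because the index is built once from stored telemetry, each new IoC batch is checked without re-querying the SIEM, which is the load-saving property the section describes.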
Last summer, through proactive retro hunting, we identified a user attempting to purchase tickets for the 2024 Olympics on a phishing page. We promptly reached out to the client, verified if any transaction had been completed, and ensured no personal information was compromised.
Conclusion
Threat intelligence is a vital part of daily operations for L1 and L2 SOC analysts. It allows us to detect, investigate, and respond to cyber threats more effectively by leveraging real-time data and retroactive analysis to stay one step ahead of attackers. Tools like Eyeguard-Lens, TCS-CERT passive DNS and Threat Hunting provide crucial insights into the nature of these threats, from identifying malicious IPs and domains to analysing TTPs. By integrating Cyber Threat Intelligence (CTI) into our SIEM systems and constantly updating our feeds, we ensure that no threat goes unnoticed and no client is left unprotected.
In this ever-changing battlefield, information truly is the best defence.