
Security operations centers (SOCs) are inundated with thousands of alerts every day. Sorting through this noise to identify real threats quickly and accurately is one of the most critical — and challenging — tasks for security analysts. This process, known as alert triage, is the first line of defense in protecting an organization from cyberattacks.
But how can SOC teams make faster, better-informed decisions during triage? The answer lies in adding context, and that’s where Threat Intelligence Lookup comes into play.
Why Alert Triage Matters — and Why It’s Hard
Alert triage is essential to prioritize threats, reduce false positives, and initiate timely incident response. However, SOC analysts often face several key challenges:
- Alert fatigue: High volumes of alerts can overwhelm teams, leading to missed threats or burnout.
- Lack of context: Alerts frequently lack the background needed to understand their relevance or risk.
- Manual effort: Analysts must often pivot between multiple tools and sources to gather context, slowing down decision-making.
These challenges can delay detection and response — or worse, cause real threats to slip through unnoticed.
How Threat Intelligence Adds Context
Threat intelligence provides the background SOC analysts need to make sense of an alert. When a suspicious IP, domain, hash, or URL appears in an alert, intelligence helps answer key questions:
- Has this indicator been seen in past attacks?
- Is it associated with known malware or threat actors?
- What tactics, techniques, and procedures (TTPs) are typically linked to it?
This additional layer of insight transforms a generic alert into a more actionable item. Analysts can assess the true severity of an alert and respond accordingly, without wasting time on benign noise.
Practical Example with Threat Intelligence Lookup
ANY.RUN’s Threat Intelligence Lookup is a powerful solution designed to quickly provide SOC analysts with real-time and historical context on IOCs. It aggregates data from over 500,000 analysts’ malware analysis sessions, offering a searchable database of threat indicators, including IPs, domains, file hashes, and more. It provides immediate IOC lookups, detailed information on malware families, campaigns, and threat actors, and direct access to related samples and behavioral analysis from ANY.RUN’s Interactive Sandbox.
3 Steps from IOC to Informed Decision
1. Alert Investigation for Immediate Reaction
A SOC receives an alert about a suspicious domain gapi-node[.]io, flagged by a monitoring system. Analysts use ANY.RUN’s Threat Intelligence Lookup to query the domain.
Domain name search results with a Malicious verdict
This lets us see that the domain has been flagged as malicious and linked to recent campaigns of Lumma stealer, so it should be blocked from the network.
2. Threat Research for Full Picture
The search also returns contextual data, including:
- Related IOCs, such as IP addresses and URLs used in the attack; mutexes found in the malware.
- Malicious processes and TTPs involving the domain.
Lumma’s processes found via TI Lookup
In our case, it is contacting a server suspected of hosting a CnC:
One of the malicious processes in detail
- Links to sandbox sessions showing the anatomy and behavior of the malware the domain is related to.
Lumma samples containing the initial domain
Now, besides the domain, analysts have a number of other IOCs that help detect Lumma, can be used to tune firewalls and EDR systems, and serve as starting points for further research.
3. Behavioral Analysis for Targeted Response
To understand the threat comprehensively, analysts access ANY.RUN’s Interactive Sandbox via the Threat Intelligence Lookup results.
A sandbox analysis session: view connections, files, requests, processes, IOCs, and more
Analyzing the Lumma malware sample reveals:
- The full attack chain, including C2 communications, file downloads, and data theft attempts, observed in real-time.
- Additional IOCs, such as malicious IPs or domains, which are extracted automatically.
- Behavioral insights like registry changes and network activity, aiding in response and mitigation strategies.
This detailed view enables SOC teams to develop countermeasures, such as isolating affected systems, updating detection rules, and notifying users to reset compromised credentials.
This unified workflow — from domain to malware to attack chain — highlights the value of ANY.RUN’s Threat Intelligence Lookup. It turns a vague alert into a complete threat profile in minutes, giving SOC teams the insight they need to act fast and with confidence.
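The three-step workflow above, from a defanged alert indicator to a lookup verdict to a block list expanded with related IOCs, as an added example that is not ANY.RUN's code. The TI_CACHE table is a constructed stand-in for Threat Intelligence Lookup results (the verdict/family/related fields are assumptions, not the product's data format), and an indicator with no context is kept open for investigation rather than auto-closed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed stand-in for TI Lookup results (assumption: not ANY.RUN's API or schema).
# Keys are refanged indicators; values carry verdict, malware family and related IOCs.
TI_CACHE = {
    "gapi-node.io": {"verdict": "malicious", "family": "Lumma",
                     "related": ["203.0.113.10", "hxxp://gapi-node[.]io/api"]},
    "203.0.113.10": {"verdict": "malicious", "family": "Lumma", "related": []},
    "example.com": {"verdict": "benign", "family": None, "related": []},
}

DEFANG = [("[.]", "."), ("(.)", "."), ("hxxp", "http"), ("[:]", ":")]

def refang(ioc: str) -> str:
    """Turn a defanged indicator such as gapi-node[.]io back into its searchable form."""
    for bad, good in DEFANG:
        ioc = ioc.replace(bad, good)
    return ioc.strip().lower()  # case-normalised so cache keys match

def ioc_type(ioc: str) -> str:
    """Classify an indicator so the result can be routed to the right control (firewall, EDR, proxy)."""
    if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", ioc):
        return "ip"
    if re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", ioc):
        return "hash"
    if "://" in ioc or "/" in ioc:
        return "url"
    return "domain"

@dataclass
class TriageResult:
    indicator: str
    kind: str
    verdict: str            # malicious / benign / unknown
    family: Optional[str]
    priority: str           # block / investigate / close
    block_list: List[str] = field(default_factory=list)

def triage(raw_alert_ioc: str, lookup=TI_CACHE) -> TriageResult:
    ioc = refang(raw_alert_ioc)
    hit = lookup.get(ioc)
    if hit is None:
        # No intelligence is not proof of benignity: keep the alert open, do not auto-close.
        return TriageResult(ioc, ioc_type(ioc), "unknown", None, "investigate")
    if hit["verdict"] == "benign":
        return TriageResult(ioc, ioc_type(ioc), "benign", None, "close")
    # Malicious: pull related IOCs (one pivot deep) so the block list covers the campaign, not one domain.
    related = {refang(r) for r in hit["related"]}
    for r in list(related):
        sub = lookup.get(r)
        if sub:
            related.update(refang(x) for x in sub["related"])
    return TriageResult(ioc, ioc_type(ioc), "malicious", hit["family"], "block", sorted(related | {ioc}))
```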
Conclusion
Alert triage doesn’t have to be a guessing game. By integrating Threat Intelligence Lookup into their workflow, SOC teams can enrich alerts with actionable context in seconds. ANY.RUN makes it easy to go from an isolated indicator to a full picture of the threat — accelerating investigation, improving decision-making, and ultimately reducing risk.