Concepts

Threat intelligence, demystified.

Threat intelligence is knowledge about attackers — who they are, what they target, and how they operate — turned into something a SOC can act on. Done well, it sharpens detections and speeds up decisions. Done badly, it is a feed of stale indicators nobody reads. This guide explains the difference.

Levels

Strategic, operational, tactical

Strategic

  • The big picture for leaders.
  • Which threats matter to your industry and region.
  • Informs budget and priorities, not daily alerts.

Operational

  • Insight into specific campaigns and actor methods.
  • Helps a SOC anticipate how an attack may unfold.
  • Bridges strategy and the technical detail.

Tactical

  • The concrete artefacts: addresses, hashes, domains.
  • Feeds directly into detections and blocklists.
  • Most perishable — goes stale quickly.

Why levels matter

  • Each audience needs a different altitude.
  • Giving a CISO raw hashes, or giving an analyst only strategy, fails either way.
  • Match the intelligence to the decision it supports.

A key distinction

Indicators versus behaviour

Indicators of compromise — a malicious IP, a file hash, a bad domain — are easy to match but easy for attackers to change. Block one address and they use another by lunchtime. Behavioural intelligence describes how an attacker works: the techniques they reuse even when the specifics change. Behaviour is harder to detect but far more durable.

Mature SOCs use both. Indicators give quick wins; behaviour-based detection, often mapped to a framework like MITRE ATT&CK, catches the attacks that swap out their indicators. When you build detections, ask which kind you are writing and how long it will stay useful.

The lifecycle

How intelligence is produced

1. Direction: decide what questions matter to your organisation.
2. Collection: gather data from feeds, reports, and your own incidents.
3. Processing: clean and structure it so it is usable.
4. Analysis: turn data into judgements an analyst can act on.
5. Dissemination: deliver it to the right people in the right form.
6. Feedback: learn what helped and refine the next cycle.

In practice

How it plugs into a SIEM

In a platform like Splunk, tactical intelligence is often loaded as lookups or threat feeds. Searches then compare live events against those lists — for example, flagging any connection to a known-bad domain. The danger is volume: an unfiltered feed creates noisy, low-confidence alerts. Good practice is to weight indicators by confidence and recency, and to pair them with behavioural detections so you are not relying on lists alone.
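As an added illustration (not code from the original page, and not Splunk's own lookup mechanism), here is the matching and weighting described above in plain Python: a constructed indicator feed and constructed proxy log lines are compared the way a lookup would compare them, and each hit is scored by its confidence decayed with age, so a fresh high-confidence indicator raises an alert while a stale low-confidence one is matched but suppressed. The key=value log layout, the 30-day half-life and the alert threshold of 30 are assumptions.

```python
from datetime import datetime

# Constructed indicator feed (hypothetical domains, not real IoCs). Each entry
# carries the two fields the weighting needs: confidence (0-100) and last_seen.
FEED = [
    {"domain": "update-check.example", "confidence": 90, "last_seen": "2024-05-01"},
    {"domain": "cdn-mirror.example", "confidence": 40, "last_seen": "2023-11-15"},
    {"domain": "files-share.example", "confidence": 75, "last_seen": "2024-04-20"},
]

# Constructed proxy log lines in a simple key=value layout (assumed format).
LOGS = [
    "ts=2024-05-03T10:01:00 src=10.0.0.5 dest_domain=update-check.example action=allowed",
    "ts=2024-05-03T10:02:00 src=10.0.0.7 dest_domain=cdn-mirror.example action=allowed",
    "ts=2024-05-03T10:03:00 src=10.0.0.9 dest_domain=intranet.corp.example action=allowed",
]

# Fixed "current time" so the recency maths is reproducible.
NOW = datetime(2024, 5, 3)


def parse_kv(line):
    """Split a key=value log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def recency_weight(last_seen, now, half_life_days=30):
    """Exponential decay: an indicator loses half its weight every half_life_days."""
    age_days = (now - datetime.fromisoformat(last_seen)).days
    return 0.5 ** (max(age_days, 0) / half_life_days)


def score(indicator, now):
    """Confidence scaled by recency, rounded to a whole number of points."""
    return round(indicator["confidence"] * recency_weight(indicator["last_seen"], now))


def match_logs(logs, feed, now, threshold=30):
    """Lookup-style match of events against the feed, keeping only scored hits."""
    index = {entry["domain"]: entry for entry in feed}
    alerts = []
    for line in logs:
        event = parse_kv(line)
        hit = index.get(event.get("dest_domain"))
        if hit is None:
            continue  # not on the list at all
        points = score(hit, now)
        if points < threshold:
            continue  # stale or low-confidence: matched, but not worth an alert
        alerts.append({"src": event["src"], "domain": hit["domain"], "score": points})
    return alerts
```

Calling match_logs(LOGS, FEED, NOW) returns a single alert for 10.0.0.5 with a score of 86; the months-old cdn-mirror entry scores 1 and is dropped, which is the noise reduction the paragraph above is asking for.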

Threat intelligence connects naturally to automated response. See the SOAR explained guide for how confirmed indicators can trigger action, and the cyber kill chain guide for a model of how attacks progress.