What’s the recipe for an efficient SOC operation? Security analysts, whose job is to provide unshakeable resolve in the face of advanced cyberthreats? Or the XDR platform they use to make their response impactful?
Whatever it is, without threat intelligence, neither the person nor their tool of choice would be powerful enough to ward off a ransomware attack by a malicious actor. For it is the intelligence itself—the tools, IoCs, TTPs, and more—that enables a direct, immediate, and appropriate response. But what if you keep receiving too much raw data in your feeds? What if your detections are missing key details that would be imperative for an effective response, details that a more curated experience would have provided?
Triage less and act with confidence. The right intelligence delivers strictly pertinent information with your context in mind. Otherwise, it’s a burden that creates too many assumptions and too little action.
Key points of this article:
- Intelligence is a key driver of SOC workflows when defending against advanced attacks.
- The key defining trait of modern threat intelligence is its ability to seamlessly slot into mature SOC operations without disrupting the existing tools in use.
- Good intelligence offers context, i.e., depth and rich metadata, giving background to detections through verified research and guiding informed action.
- This context is what sweeps away the ambiguity inherent in particular detections, such as potentially unwanted apps or crimeware, saving analyst time by directly addressing telemetry patterns.
How integrations define the modern threat intelligence experience
What are today’s mature defenders looking for in a modern cyber threat intelligence (TI) platform?
Mature SOCs probably already have multiple platforms in use. They’ve invested years into turning SIEM pipelines into SOAR playbooks (or they should), have running TIP automations, have various endpoint workflows, and more. Replacing any single one of these is unrealistic as well as imprudent. But they do want more efficiency and resilience to safeguard the certainty of their response.
Perhaps TI can do that—with a caveat. Security analysts want more evidence, more unique telemetry, and broader visibility, but then they also need to integrate it into their existing systems. TI works best when analysts barely notice it’s there because it’s already woven into their workflow: “The best threat intelligence makes good teams stronger, and the strongest teams choose intelligence that integrates where it matters the most. Good integrations aren’t celebrated; they’re relied on,” added Wolf Schumacher, Vice President of Global Partnerships and Alliances at ESET.
Usually, analysts require TI to flow directly into their MISP server, into platforms like ThreatConnect, QRadar, Splunk, Microsoft Sentinel and Cortex XSOAR, and into other custom internal systems. The catch is that for this to happen, intelligence needs to be delivered in standard formats such as STIX, JSON and CSV, or as plain indicators such as URLs and hashes, not in proprietary schemes that hold data hostage.
“In other terms, good intelligence doesn’t ask the SOC to come to it; it goes where the SOC already is,” commented Schumacher. “If you’re an intelligence provider, you shouldn’t compete with what a SIEM, TIP, or SOAR already does. If you already generate valuable intelligence, you should, in fact, be able to integrate with them all instead, which is exactly what ESET does.”
It makes sense. Applying TI needs to be smarter, not harder.
Less triage, more action
If intelligence needs to work for a SOC, why then do many providers collect indicators and just forward them along? Defenders know that raw data isn’t enough to work off of in threat response. An IP or a hash without context is a riddle. But riddles take time to unpack, slowing down analysts—and being slow in cybersecurity is dangerous.
Clarity is, in this case, achieved via depth of detail: knowing why a particular detection matters, how an errant system process behaves, what it relates to, and what it might lead to next.
We asked ESET Director of Threat Research Jean-Ian Boutin for more insight: “This is why behind-the-scenes work matters so much: the heavy lifting of processing, enriching, correlating, clustering, and dissecting the samples that appear in telemetry. When threat intelligence is supported by long-term research and disciplined analysis, indicators stop being dots on a page and start becoming patterns—patterns that help SOC teams make decisions with speed and confidence,” he said.
In essence, for defenders, this depth proves to be a force multiplier, turning an intelligence feed into understanding and, ultimately, action.
Where attacks begin
Ask any analyst about the most frustrating part of threat hunting, and they’ll talk about the gray zone: the space between clearly malicious malware and clearly benign administrative tools. This is where things like potentially unwanted applications (PUAs), vulnerable drivers, and benign remote management tools dwell.
And this is also where many intrusions quietly begin. PUAs, for example, are difficult to categorize, and it’s more about the conditions they create rather than what they can do on their own. PUAs can easily evade detection when bundled with other software, modify system settings, collect user data, and open pathways to more dangerous threats.
For instance, dual‑use applications like various RMM platforms are legitimate administrative tools, but they’re frequently misused by threat actors. Adversaries routinely leverage them for unauthorized remote access, lateral movement, and persistence. This creates significant detection challenges: It is inherently difficult to determine when an RMM tool is being used appropriately by IT staff versus maliciously by an intruder. It’s this zone of ambiguity in which bad actors like to operate.
Incident responders spend a significant portion of their time triaging borderline artifacts. Is this tool safe? Is this utility part of normal IT operations? Has it been abused before? These are just some of the questions they constantly ask themselves, and removing their need to ask these dead-end queries could make a measurable difference.
Unfortunately, security in this area still needs to catch up. Most endpoint security or XDR platforms fail to detect malicious RMM operations due to this ambiguity, and a remarkable number of TI providers barely touch PUAs. They classify them inconsistently or treat them as low‑priority debris.
PUA intelligence with real expertise behind it
Still, there are ways to comb the debris field. There’s a reason some SOC teams rely heavily on ESET’s dedicated PUA intelligence feed: because PUA detection is only possible when you’ve spent decades studying these tools—where they come from, how they evolve, and how they’re abused.
ESET’s long history of tracking PUAs can have an immediate payoff for defenders by offering:
- Better distinction between benign and malicious use: Analysts can save time by avoiding false alarms on tools that pose no real risk.
- Clear signals on utilities tied to intrusion patterns: Instead of noise, teams receive indicators that align with known abuse cases.
- Early detection of pre-ransomware behavior: The first sign of a breach is often a “legitimate” tool in an illegitimate context.
- Support for policy enforcement: Security teams gain visibility into which tools simply should not be there, regardless of whether they’re currently active.
In an environment in which attackers hide behind ambiguity, clarity is power, and it is exactly what the mature ESET TI PUA intelligence feed delivers.
Making PUA intelligence work
Let’s say that a SOC notices a remote admin tool installed on a workstation. No alert fired. Nothing obviously malicious is running. But the tool’s hash appears in a specialized PUA feed that has repeatedly been correlated with affiliate-operated ransomware crews.
That’s all the SOC needs to know.
With that single insight, analysts can escalate the case, investigate lateral movement, and potentially stop a larger intrusion before it begins. Classifying dual‑use tools accurately and consistently narrows the gray zone and frees teams to focus on the events that matter.
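The scenario above (a quiet remote admin tool whose hash turns up in a PUA feed that carries intrusion context) and the earlier point about intelligence arriving in standard formats such as STIX can be shown end to end. The Python below is an added example written for this article; it is not ESET code and does not reflect the format of any ESET feed. It parses a constructed STIX 2.1 bundle (placeholder hashes, indicator names, intrusion-set name and ids), indexes the SHA-256 patterns, follows `indicates` relationships to the linked intrusion set, and turns constructed endpoint hash sightings into triage verdicts, so that the dual-use tool with intrusion linkage is escalated while a nuisance PUA is merely flagged for review.

```python
"""Correlate endpoint hash sightings against a contextual PUA feed (STIX 2.1).
Added example, not ESET code: every hash, id and name below is a constructed placeholder."""
import json
import re

# Constructed STIX 2.1 bundle standing in for a PUA intelligence feed.
FEED_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {   # dual-use remote admin build with intrusion context attached
            "type": "indicator",
            "id": "indicator--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
            "name": "Remote admin tool build (placeholder)",
            "labels": ["pua", "dual-use", "remote-management"],
            "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']",
            "pattern_type": "stix",
            "confidence": 85,
            "description": "Build repeatedly staged by ransomware affiliates ahead of lateral movement (constructed).",
        },
        {   # nuisance PUA with no intrusion linkage
            "type": "indicator",
            "id": "indicator--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb",
            "name": "Browser toolbar bundle (placeholder)",
            "labels": ["pua", "adware"],
            "pattern": "[file:hashes.'SHA-256' = '" + "b" * 64 + "']",
            "pattern_type": "stix",
            "confidence": 60,
            "description": "Bundled adware; no known intrusion linkage (constructed).",
        },
        {
            "type": "intrusion-set",
            "id": "intrusion-set--cccccccc-cccc-4ccc-8ccc-cccccccccccc",
            "name": "Example ransomware affiliate cluster (placeholder)",
        },
        {   # the relationship is the context that turns a hash into a decision
            "type": "relationship",
            "id": "relationship--dddddddd-dddd-4ddd-8ddd-dddddddddddd",
            "relationship_type": "indicates",
            "source_ref": "indicator--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
            "target_ref": "intrusion-set--cccccccc-cccc-4ccc-8ccc-cccccccccccc",
        },
    ],
})

# Constructed endpoint telemetry: file sightings with SHA-256 hashes.
TELEMETRY = [
    {"host": "ws-042", "path": "C:\\Users\\Public\\rmm_agent.exe", "sha256": "a" * 64},
    {"host": "ws-017", "path": "C:\\Program Files\\toolbar\\tb.exe", "sha256": "b" * 64},
    {"host": "ws-099", "path": "C:\\Windows\\System32\\notepad.exe", "sha256": "c" * 64},
]

# Pulls the SHA-256 out of a STIX comparison such as [file:hashes.'SHA-256' = '<hex>']
SHA256_IN_PATTERN = re.compile(r"file:hashes\.'SHA-256'\s*=\s*'([0-9a-fA-F]{64})'")


def load_feed(bundle_json):
    """Index the bundle: sha256 -> indicator, and indicator id -> linked intrusion-set names."""
    bundle = json.loads(bundle_json)
    objects = {obj["id"]: obj for obj in bundle["objects"]}
    by_hash, linked = {}, {}
    for obj in bundle["objects"]:
        if obj["type"] == "indicator" and obj.get("pattern_type") == "stix":
            match = SHA256_IN_PATTERN.search(obj["pattern"])
            if match:
                by_hash[match.group(1).lower()] = obj
        elif obj["type"] == "relationship" and obj.get("relationship_type") == "indicates":
            target = objects.get(obj["target_ref"])
            if target and target["type"] == "intrusion-set":
                linked.setdefault(obj["source_ref"], []).append(target["name"])
    return by_hash, linked


def triage(event, by_hash, linked):
    """Turn a raw hash sighting into a verdict with the feed's context attached."""
    indicator = by_hash.get(event["sha256"].lower())
    if indicator is None:
        return {"host": event["host"], "verdict": "no-match", "context": None}
    labels = set(indicator.get("labels", []))
    crews = linked.get(indicator["id"], [])
    if crews and "dual-use" in labels:
        verdict = "escalate"  # legitimate tool, but tied to intrusion patterns: hunt, don't ignore
    elif "pua" in labels:
        verdict = "review"    # nuisance PUA: a policy question, not an incident
    else:
        verdict = "alert"     # any other matched indicator
    context = {"name": indicator["name"], "labels": sorted(labels),
               "confidence": indicator.get("confidence"),
               "linked_intrusion_sets": crews, "why": indicator.get("description")}
    return {"host": event["host"], "verdict": verdict, "context": context}


def run(telemetry=TELEMETRY, feed_json=FEED_JSON):
    """Triage every sighting; one verdict record per event, in input order."""
    by_hash, linked = load_feed(feed_json)
    return [triage(event, by_hash, linked) for event in telemetry]


if __name__ == "__main__":
    for record in run():
        print(json.dumps(record, indent=2))
```

The point of the design is that the verdict is driven by the feed's relationships and labels rather than by the bare hash: the same `pua` label yields "escalate" when an `indicates` relationship ties the indicator to an intrusion set, and "review" when it does not. In a real deployment the bundle would come from the provider's feed and the `run()` output would be pushed into the SIEM or SOAR as an enriched event, so that the analyst sees the "why" field next to the hit instead of having to look it up.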
eCrime Intelligence: Another brick in the wall
Crimeware is yet another area that needs clarity and quick action. ESET eCrime Reports describe exactly that: sharp, concise intelligence on the criminal crews, tools, and ecosystems driving today’s attacks. They don’t just list groups. They show how affiliates work, how infostealer operations evolve, and how attackers earn their money.
Subscribers also get real examples from the field and specific recommendations they can act on. And because each report includes a fully integrable feed, defenders don’t just learn about threats—they can operationalize the intelligence inside their existing stack from day one.
Intelligent intelligence integrations: The quiet advantage that pays daily
Intelligence on its own presents an advantage, but it wouldn’t be so powerful without integrating smoothly with other platforms and products. When intelligence flows directly into a SIEM, TIP, SOAR, or Open XDR, defenders get:
- Faster detection and incident correlation
- Cleaner playbook execution with fewer manual lookups
- Smoother investigations and resulting prioritization
Good TI shouldn’t be overwhelming to process. It shouldn’t add more dashboards, demand new workflows, or insist on being the center of a security analyst’s universe. For a SOC, time is precious, attention is finite, and every extra click is a tax on performance.