
Introduction:
Security Operations Centers (SOCs) are drowning in alerts, yet starving for context. The gap between detecting an indicator and understanding its full attack chain is where threats slip through—and where analyst burnout takes root. ANY.RUN’s Threat Intelligence Lookup bridges this divide by transforming isolated indicators into actionable threat intelligence, enabling SOC teams to move from reactive triage to proactive, intelligence-led operations.
Learning Objectives:
- Understand how to enrich IOCs with behavioral context using a searchable threat intelligence database
- Master advanced search operators and over 40 query parameters for precise threat hunting
- Learn to integrate TI Lookup with existing SIEM, SOAR, and EDR workflows via API and SDK
- Apply AI-assisted search to accelerate investigations and reduce manual query construction
- Build detection rules and refine security controls based on real-world attack data
1. Threat Intelligence Lookup: The Core Concept
ANY.RUN Threat Intelligence Lookup is a searchable database that aggregates threat data from millions of malware and phishing samples analyzed in ANY.RUN’s Interactive Sandbox. With over 600,000 security analysts and 15,000 organizations contributing to the platform, it provides fresh, actionable intelligence on emerging threats. The service allows analysts to search across more than 40 parameters—including file hashes, domains, IPs, MITRE ATT&CK techniques, Suricata rules, YARA signatures, process fields, and registry logs.
Step-by-Step Guide: Getting Started with TI Lookup
- Access the platform: Navigate to intelligence.any.run and register for a free account. Free plan users receive 20 premium requests in TI Lookup and YARA Search.
- Perform a basic IOC lookup: Enter a suspicious indicator—such as an IP address, domain, or file hash—into the search bar. The system returns matching sandbox sessions with detailed context.
- Review threat context: Each result includes threat names, behavioral logs, network connections, registry modifications, and MITRE ATT&CK mappings.
- Pivot to related artifacts: From a single indicator, explore connected infrastructure, malware families, and TTPs to understand the full attack chain.
- Export and operationalize: Copy IOCs, create detection rules, or share findings with team members for faster incident response.
2. Mastering Search Operators for Precision Threat Hunting
TI Lookup supports logical operators (AND, OR, NOT) and grouping with parentheses, enabling analysts to build complex, precise queries. This transforms threat hunting from manual guesswork into systematic intelligence gathering.
Step-by-Step Guide: Building Advanced Queries
- AND operator: Combine multiple conditions. Example: threatName:"xworm" AND submissionCountry:"us" finds Xworm samples submitted from the United States.
- OR operator: Broaden your search. Example: threatName:"ransomware" OR threatName:"locker" returns results matching either threat type.
- NOT operator: Exclude unwanted results. Example: threatName:"phishing" NOT submissionCountry:"ru" finds phishing samples excluding those submitted from Russia.
- Grouping: Use parentheses whenever you mix operators, so the engine's precedence cannot surprise you. Example: (threatName:"ransomware" OR threatName:"locker") AND submissionCountry:"us".
- Wildcards: Use * for partial matches. Example: domain:"*malware*" finds all domains containing "malware".
- Parameter-specific searches: Target specific fields, such as processName:cmd.exe, registryKey:Run, or suricataSigId:2100498.
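Query strings are easy to get wrong when a playbook assembles them from alert fields (unbalanced quotes, a stray OR that binds differently than intended, a parameter name that does not exist). The helper below is an added example, not ANY.RUN code: it composes terms with the article's AND/OR/NOT/wildcard syntax, parenthesises every nested group so the output never depends on engine precedence, and rejects unknown parameters. KNOWN_PARAMS holds only the names this article uses; the assumption that values sit in double quotes and that * is the wildcard should be checked against the product documentation.

```python
"""Build TI Lookup-style queries with explicit grouping.

Added example, not ANY.RUN code. KNOWN_PARAMS lists only the parameter names
this article uses; the real product exposes 40+. Quoting and wildcard rules
are assumed (double-quoted values, '*' as wildcard) and should be verified.
"""
from __future__ import annotations

KNOWN_PARAMS = {
    "threatName", "submissionCountry", "domain",
    "processName", "registryKey", "suricataSigId",
}


class Query:
    """A boolean expression over lookup terms.

    Compound expressions are parenthesised whenever they are nested, so the
    emitted string never relies on the engine's AND/OR precedence.
    """

    def __init__(self, expr: str, compound: bool = False):
        self.expr = expr
        self.compound = compound

    def _operand(self) -> str:
        return f"({self.expr})" if self.compound else self.expr

    def __and__(self, other: "Query") -> "Query":
        return Query(f"{self._operand()} AND {other._operand()}", compound=True)

    def __or__(self, other: "Query") -> "Query":
        return Query(f"{self._operand()} OR {other._operand()}", compound=True)

    def __sub__(self, other: "Query") -> "Query":
        # Binary NOT as the article writes it: "a NOT b" means a and not b.
        return Query(f"{self._operand()} NOT {other._operand()}", compound=True)

    def __str__(self) -> str:
        return self.expr


def term(param: str, value: str, *, contains: bool = False) -> Query:
    """One field:value term; contains=True wraps the value in wildcards."""
    if param not in KNOWN_PARAMS:
        raise ValueError(f"not a known TI Lookup parameter: {param!r}")
    if '"' in value or "\n" in value:
        raise ValueError("values must not contain double quotes or newlines")
    if contains:
        value = f"*{value}*"
    return Query(f'{param}:"{value}"')


def example_queries() -> dict[str, str]:
    """The article's examples, rebuilt through the helper."""
    ransomware = term("threatName", "ransomware") | term("threatName", "locker")
    return {
        "and": str(term("threatName", "xworm") & term("submissionCountry", "us")),
        "or": str(ransomware),
        "not": str(term("threatName", "phishing") - term("submissionCountry", "ru")),
        "wildcard": str(term("domain", "malware", contains=True)),
        "grouped": str(ransomware & term("submissionCountry", "us")),
    }


if __name__ == "__main__":
    for name, q in example_queries().items():
        print(f"{name:9s} {q}")
```

The "grouped" entry is the one to watch: an OR built from two threat names is wrapped in parentheses before it is ANDed with a country, which is exactly the case where a hand-typed query silently matches far more than intended.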
Linux/Windows Commands for IOC Enrichment:
# Linux: extract file hashes for TI Lookup submission
sha256sum suspicious_file.exe
md5sum suspicious_file.exe
# Windows PowerShell: get file hashes
Get-FileHash -Path C:\suspicious\file.exe -Algorithm SHA256
Get-FileHash -Path C:\suspicious\file.exe -Algorithm MD5
# Linux: extract queried domain names from a pcap for threat hunting
tshark -r capture.pcap -T fields -e dns.qry.name | sort -u
# Windows: query the DNS resolver cache for suspicious lookups (/I makes the match case-insensitive)
ipconfig /displaydns | findstr /I "malicious"
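The commands above produce indicators one at a time; in practice the input is an alert body, a mail header dump, or a vendor report with defanged URLs. The script below is an added example, not ANY.RUN code: it refangs the common conventions (hxxp://, [.] , (.)), classifies hashes by length, drops private, loopback and reserved IP addresses that would only add noise to a lookup, and skips file names that look like domains. The sample alert text is constructed; the hash values are the well-known digests of "test" (SHA-256) and of the empty string (MD5), and the IP is the one from this article.

```python
"""Pull hashes, public IPv4 addresses and domains out of free text so they
can be submitted to TI Lookup.

Added example, not ANY.RUN code. SAMPLE_ALERT is constructed.
"""
from __future__ import annotations

import ipaddress
import re

HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = re.compile(r"\b[0-9a-fA-F]{32,64}\b")
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
# File names look like domains to the regex above; skip common extensions.
_NOT_TLDS = {"exe", "dll", "php", "txt", "log", "pcap", "ps1", "bat", "js",
             "vbs", "doc", "docx", "xls", "xlsx", "pdf", "zip", "rar", "bin"}


def refang(text: str) -> str:
    """Undo common defanging so the regexes see the real indicator."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    text = re.sub(r"hxxp(s?)(\[:\]|:)//", r"http\1://", text, flags=re.IGNORECASE)
    return text


def extract_iocs(text: str) -> dict[str, set[str]]:
    """Return indicators grouped by kind, normalised to lowercase."""
    text = refang(text)
    out: dict[str, set[str]] = {k: set() for k in ("md5", "sha1", "sha256", "ip", "domain")}

    for h in _HEX.findall(text):
        kind = HASH_KINDS.get(len(h))      # hex runs of other lengths are ignored
        if kind:
            out[kind].add(h.lower())

    for ip in _IPV4.findall(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:                 # e.g. an octet above 255
            continue
        if addr.is_global:                 # skips RFC1918, loopback, link-local, TEST-NET
            out["ip"].add(ip)

    for dom in _DOMAIN.findall(text):
        if dom.rsplit(".", 1)[-1].lower() not in _NOT_TLDS:
            out["domain"].add(dom.lower())
    return out


# Constructed sample, not real telemetry.
SAMPLE_ALERT = """Constructed sample, not real telemetry.
Host WS-042 ran C:\\Users\\x\\Downloads\\invoice.exe
sha256 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
md5   D41D8CD98F00B204E9800998ECF8427E
beacon to hxxp://update-cdn[.]top/gate.php via 185.130.5.253:443
internal resolver 10.0.0.53, lab box 192.168.1.20
"""

if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_ALERT).items():
        print(f"{kind:7s} {sorted(values)}")
```

Feeding the private addresses through anyway would burn lookup quota on indicators that can never be attributed; the is_global check is the cheapest filter you can put in front of a paid API.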
3. Integrating TI Lookup with SIEM, SOAR, and EDR
Operationalizing threat intelligence requires seamless integration with existing security infrastructure. ANY.RUN provides API and SDK access, allowing teams to automate submissions, enrich alerts, and feed fresh IOCs directly into SIEM, TIP, and XDR solutions.
Step-by-Step Guide: API Integration
- Obtain API credentials: From your ANY.RUN account dashboard, generate an API key for programmatic access. Treat it like any other credential: keep it in a secrets manager or environment variable rather than in playbook source, and issue it to a dedicated integration account rather than an analyst's personal login.
- Configure integration in your SIEM: For Cortex XSOAR, navigate to Settings > Integrations > Servers & Services, search for ANY.RUN, and click Add instance to create a new integration.
- Automate IOC lookups: Use the API to submit indicators from alerts automatically. Example cURL command (check the endpoint path and authorization header format against the current API documentation before wiring it into a playbook):
curl -X POST "https://api.any.run/v1/ti/lookup" \
  -H "Authorization: Api-Key YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"indicator": "185.130.5.253", "type": "ip"}'
- Ingest TI Feeds: Subscribe to ANY.RUN Threat Intelligence Feeds to receive continuously updated IOCs, which ANY.RUN advertises as having near-zero false positives, directly into your SIEM or TIP.
- Automate sandbox submissions: Use the SDK to automatically submit files and URLs to the Interactive Sandbox for dynamic analysis.
- Create automated playbooks: In SOAR platforms, build workflows that trigger TI Lookup queries on alert generation, enriching tickets with threat context before analyst review.
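A playbook that calls the lookup endpoint once per alert will exhaust a request quota quickly and will fall over the first time the API answers 429. The client below is an added example, not ANY.RUN's SDK: it caches results per (type, indicator), retries transient failures with exponential backoff while refusing to retry 4xx errors that indicate a broken request, and collapses the raw response into the verdict and family labels a SIEM alert field needs. The URL and the "Api-Key" header form are copied from the article's cURL snippet and are not verified here; the response shape that summarize() expects ({"results": [{"threatName": ...}, ...]}) is an assumed placeholder to swap for the real schema. fake_transport() is a constructed offline stand-in, and 203.0.113.7 is a documentation address.

```python
"""Enrich alert IOCs through a TI lookup endpoint with caching and backoff.

Added example for the SOAR/SIEM step; not ANY.RUN's SDK. LOOKUP_URL and the
"Api-Key" header are taken from the article's cURL snippet (unverified); the
response shape used by summarize() is an assumption. fake_transport() is a
constructed stand-in so the client can be exercised without network access.
"""
from __future__ import annotations

import json
import time
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable

LOOKUP_URL = "https://api.any.run/v1/ti/lookup"   # as written in the article; unverified
Transport = Callable[[str, str], dict]


class TransientError(Exception):
    """A 429/5xx-style failure that is worth retrying."""


def http_transport(api_key: str, url: str = LOOKUP_URL) -> Transport:
    """Real HTTP transport; read the key from a secrets store, not playbook source."""
    def call(indicator: str, kind: str) -> dict:
        body = json.dumps({"indicator": indicator, "type": kind}).encode()
        req = urllib.request.Request(
            url, data=body, method="POST",
            headers={"Authorization": f"Api-Key {api_key}",
                     "Content-Type": "application/json"},
        )
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as exc:
            if exc.code == 429 or exc.code >= 500:
                raise TransientError(f"HTTP {exc.code}") from exc
            raise                                  # 400/401/403: fix the request, do not retry
    return call


@dataclass
class Enrichment:
    indicator: str
    kind: str
    sessions: int            # sandbox sessions that matched
    threat_names: list[str]  # family labels seen across those sessions
    verdict: str             # "malicious" | "suspicious" | "unknown"


def summarize(indicator: str, kind: str, raw: dict) -> Enrichment:
    """Collapse a raw lookup response into what a SIEM alert field needs."""
    results = raw.get("results", [])                 # assumed response shape
    names = sorted({r["threatName"] for r in results if r.get("threatName")})
    if names:
        verdict = "malicious"
    elif results:
        verdict = "suspicious"   # seen in sandbox sessions but carries no family label
    else:
        verdict = "unknown"
    return Enrichment(indicator, kind, len(results), names, verdict)


@dataclass
class LookupClient:
    transport: Transport
    cache_ttl: float = 3600.0          # seconds; repeated alerts hit the cache, not the quota
    max_attempts: int = 3
    base_delay: float = 0.5            # exponential backoff: 0.5s, 1s, 2s ...
    sleep: Callable[[float], None] = time.sleep
    clock: Callable[[], float] = time.monotonic
    calls: int = 0                     # transport invocations, for quota accounting
    _cache: dict = field(default_factory=dict)

    def lookup(self, indicator: str, kind: str) -> Enrichment:
        key = (kind, indicator.strip().lower())
        hit = self._cache.get(key)
        if hit and self.clock() - hit[0] < self.cache_ttl:
            return hit[1]
        result = summarize(indicator, kind, self._call_with_retry(indicator, kind))
        self._cache[key] = (self.clock(), result)
        return result

    def _call_with_retry(self, indicator: str, kind: str) -> dict:
        for attempt in range(1, self.max_attempts + 1):
            self.calls += 1
            try:
                return self.transport(indicator, kind)
            except TransientError:
                if attempt == self.max_attempts:
                    raise
                self.sleep(self.base_delay * 2 ** (attempt - 1))
        raise AssertionError("unreachable")


def fake_transport(fail_first: int = 1) -> Transport:
    """Constructed stand-in: fails with 429 `fail_first` times, then answers canned data."""
    state = {"failures": 0}
    canned = {"203.0.113.7": {"results": [{"threatName": "xworm"},
                                          {"threatName": "xworm"},
                                          {"threatName": None}]}}

    def call(indicator: str, kind: str) -> dict:
        if state["failures"] < fail_first:
            state["failures"] += 1
            raise TransientError("HTTP 429")
        return canned.get(indicator, {"results": []})
    return call
```

Wire http_transport(api_key) in for production and fake_transport() in the playbook's unit tests; because the transport is injected, the retry and cache logic is tested without ever touching the vendor API or spending quota.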
4. AI-Assisted Search: Natural Language Threat Intelligence
One of the most significant recent updates to TI Lookup is AI-assisted search, which allows analysts to use natural language queries instead of manually constructing complex search strings.
Step-by-Step Guide: Using AI-Assisted Search
- Describe what you're looking for: In the TI Lookup search bar, type a natural language description. Example: "Show me recent ransomware samples that modify registry run keys"
- Let the system translate: The AI automatically converts your request into a structured query with the correct parameters and wildcards.
- Review and refine: Examine the generated query and its results, then refine your natural language description to narrow or broaden the search.
- Save time on query construction: This removes friction from the workflow, allowing analysts to run more queries in less time and get consistent results.
- Combine with manual parameters: For advanced users, mix AI-assisted search with manual parameter specification for maximum precision.
5. Building Detection Rules from Real Attack Data
TI Lookup doesn’t just help you investigate—it empowers you to build better defenses. By analyzing real malware behavior and TTPs, security teams can create or refine detection rules for SIEM, IDS/IPS, and EDR.
Step-by-Step Guide: Detection Engineering with TI Lookup
- Identify attack patterns: Use TI Lookup to find recent malware samples relevant to your industry or threat landscape.
- Analyze behavioral indicators: Review sandbox session logs to understand process creation, registry modifications, network connections, and file system changes.
- Extract IOCs and IOAs: Document Indicators of Attack (IOAs)—behavioral patterns like specific command-line arguments or registry key modifications.
- Create Suricata/Snort rules: Based on observed network traffic patterns. Example Suricata rule for C2 communication (local rules must use a sid of 1000000 or higher so they cannot collide with the community and vendor rule sets):
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Suspicious User-Agent observed in TI Lookup"; flow:to_server,established; http.user_agent; content:"CustomMalwareClient"; classtype:trojan-activity; sid:1000001; rev:1;)
- Develop YARA rules: From extracted file characteristics:
rule Suspicious_XWorm {
    meta:
        description = "Detects Xworm malware based on TI Lookup findings"
        author = "SOC Team"
    strings:
        $s1 = "XWorm" wide ascii          // family string seen in sandbox sessions
        $s2 = { 6A 00 68 00 30 00 00 }   // short opcode pattern, generic on its own
    condition:
        // Anchor on a PE header and cap the size so the generic $s2 and the
        // plain "XWorm" string do not fire on reports, logs, or large archives.
        uint16(0) == 0x5A4D and filesize < 5MB and ($s1 or $s2)
}
- Update SIEM correlation rules: Use observed TTPs to create correlation rules that link multiple low-severity alerts into a high-confidence incident.
- Test and refine: Validate new rules against historical data and adjust based on false positive rates.
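The correlation step is where the sandbox behaviour pays off: a Run-key write, a process launched from a user-writable path, and a connection to a TI-flagged address are each low severity on their own, but together on one host inside a short window they are an incident. The code below is an added example, not ANY.RUN code and not a Sigma rule, though the same logic ports to any SIEM correlation language. The log records are constructed JSON lines in a generic schema (host, ts, event, and per-event fields), and WATCHLIST_IPS stands in for addresses pulled from a TI lookup (203.0.113.7 is a documentation address).

```python
"""Link low-severity endpoint events into one high-confidence incident.

Added example for the "update SIEM correlation rules" step; not ANY.RUN code.
SAMPLE_LOG is constructed and WATCHLIST_IPS stands in for TI Lookup output.
"""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

WATCHLIST_IPS = {"203.0.113.7"}      # constructed; would be fed from TI Lookup
WINDOW = timedelta(minutes=10)       # all stages must land inside this window per host

# The chain we want on a single host: persistence + execution from a
# user-writable path + outbound connection to known C2. Each alone is low severity.
STAGES = {
    "persistence": lambda e: e["event"] == "registry_set"
                             and "\\currentversion\\run" in e["key"].lower(),
    "execution":   lambda e: e["event"] == "process_start"
                             and e["image"].lower().startswith(("c:\\users\\", "c:\\programdata\\")),
    "c2":          lambda e: e["event"] == "network_connect"
                             and e["dst_ip"] in WATCHLIST_IPS,
}


@dataclass
class Incident:
    host: str
    first_seen: datetime
    last_seen: datetime
    evidence: list[dict]     # the matched events, in stage order


def parse(jsonl: str) -> list[dict]:
    """Parse JSON-lines records and turn ts into datetime."""
    events = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def correlate(events: list[dict]) -> list[Incident]:
    """Sliding window per host: the first window holding every stage raises one incident."""
    by_host: dict[str, list[dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)

    incidents = []
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e["ts"] - start["ts"] <= WINDOW]
            matched = {}
            for stage, pred in STAGES.items():
                hit = next((e for e in window if pred(e)), None)
                if hit is not None:
                    matched[stage] = hit
            if len(matched) == len(STAGES):
                evidence = list(matched.values())
                incidents.append(Incident(host,
                                          min(e["ts"] for e in evidence),
                                          max(e["ts"] for e in evidence),
                                          evidence))
                break            # one incident per host is enough to page on
    return incidents


# Constructed JSON-lines telemetry; raw string so JSON sees the escaped backslashes.
SAMPLE_LOG = r"""
{"host": "WS-042", "ts": "2024-05-01T09:00:10", "event": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "svc"}
{"host": "WS-042", "ts": "2024-05-01T09:01:30", "event": "process_start", "image": "C:\\Users\\x\\AppData\\Local\\Temp\\svc.exe"}
{"host": "WS-042", "ts": "2024-05-01T09:03:00", "event": "network_connect", "dst_ip": "203.0.113.7", "dst_port": 443}
{"host": "WS-077", "ts": "2024-05-01T09:00:00", "event": "process_start", "image": "C:\\Program Files\\Vendor\\agent.exe"}
{"host": "WS-077", "ts": "2024-05-01T09:02:00", "event": "network_connect", "dst_ip": "198.51.100.5", "dst_port": 443}
{"host": "WS-099", "ts": "2024-05-01T08:00:00", "event": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "upd"}
{"host": "WS-099", "ts": "2024-05-01T17:00:00", "event": "process_start", "image": "C:\\Users\\y\\Downloads\\upd.exe"}
{"host": "WS-099", "ts": "2024-05-01T17:00:30", "event": "network_connect", "dst_ip": "203.0.113.7", "dst_port": 443}
"""

if __name__ == "__main__":
    for inc in correlate(parse(SAMPLE_LOG)):
        print(inc.host, inc.first_seen, inc.last_seen, [e["event"] for e in inc.evidence])
```

WS-077 shows the benign case (vendor binary, unlisted destination) and WS-099 shows the tuning trade-off: its Run-key write happened nine hours before the execution and beacon, so the 10-minute window does not join them. Widen WINDOW or keep per-host stage state if you want slow chains too, and measure the false-positive rate on historical data before shipping either choice, as the last step above says.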
6. Threat Hunting: Proactive Search Across 50M+ Threats
Mature SOCs don't wait for alerts—they hunt. TI Lookup enables proactive threat hunting by providing access to a database of over 50 million threats with in-depth insights from sandbox investigations.
Step-by-Step Guide: Effective Threat Hunting
- Formulate a hypothesis: Based on threat intelligence reports or industry trends, develop a hypothesis about potential attacker behavior.
- Search across parameters: Use TI Lookup's 40+ parameters to test your hypothesis. Example: search for threatName:"Remcos" AND submissionCountry:"br" to find Remcos samples submitted from Brazil.
- Analyze TTP implementation examples: Each MITRE ATT&CK entry in TI Lookup contains implementation examples from real-world malware samples.
- Track malware families: Access comprehensive threat profile pages with popularity trends, detailed descriptions, and the latest IOCs for each malware family.
- Discover new attacks: Leverage expert research reports on active threats, complete with search queries, to improve threat monitoring and incident response.
- Document findings: Share hunting results with the team and update detection rules based on discovered patterns.
What Undercode Say:
- Context is the differentiator. IOCs without context are noise. TI Lookup transforms raw indicators into actionable intelligence by linking them to behavior, TTPs, and real attack chains. The ability to pivot from a single IP to full sandbox session logs, network traffic, and MITRE mappings is what separates mature SOCs from reactive ones.
- Operationalized threat intelligence compounds over time. Every investigation strengthens detection, automation, and future response. When TI becomes embedded in daily SOC workflows—not as a separate tool but as an operational layer—the value multiplies with each use.
Analysis:
The shift from standard to mature SOC operations isn’t about buying more tools—it’s about operationalizing intelligence. Threat Intelligence Lookup exemplifies this by providing not just data, but context that analysts can act upon immediately. The free tier offering 20 premium requests lowers the barrier to entry, allowing teams of any size to test the impact of intelligence-led operations. The addition of AI‑assisted search further democratizes access, enabling junior analysts to perform complex queries without deep technical expertise. For security leaders, the key metric isn’t how much threat data you have—it’s how quickly you can turn that data into decisions that stop attacks.
Prediction:
- +1 SOCs that adopt intelligence-led operations with platforms like TI Lookup will reduce Mean Time to Respond (MTTR) by 40–60% within 12 months, as analysts spend less time on manual enrichment and more on active threat mitigation.
- +1 AI-assisted threat intelligence search will become the industry standard by 2028, eliminating the need for specialized query languages and enabling faster, more consistent investigations across all analyst skill levels.
- -1 Organizations that fail to operationalize threat intelligence will continue to experience alert fatigue, analyst burnout, and delayed breach detection—widening the gap between mature and immature SOCs.
- +1 The community-driven model of threat intelligence sharing—with 600,000+ analysts contributing to a unified database—will accelerate collective defense, making it harder for adversaries to reuse TTPs across multiple targets.
- -1 As adversaries increasingly adopt AI-generated malware and zero-day exploits, SOCs without real-time behavioral intelligence will struggle to detect evasive threats that bypass signature-based defenses.
- +1 Integration of TI Lookup with SOAR platforms will enable fully automated incident response playbooks, where alerts are triaged, enriched, and escalated without human intervention—freeing analysts for high-value threat hunting.
- -1 The volume of threats will continue to outpace manual investigation capacity, making automation and intelligence integration not optional but essential for survival in the modern threat landscape.
Reported By: Upgrade Your – Hackers Feeds