How To Make Use of Unstructured Data in SOC Detection Workflows

Security operations teams have become increasingly proficient at using structured threat intelligence to enrich alerts and to accelerate investigation and threat hunting workflows. Threat intelligence platforms have largely automated the collection, extraction and normalization of intel from structured data sources. But a significant amount of the intelligence available today is still shared as prose in blogs, advisories and research articles, and turning that into something a SIEM or SOAR tool can consume (indicators, technique mappings, detection logic) still requires tedious manual work. Researchers and practitioners have been working on the challenges of extracting this unstructured intelligence and making it useful for a variety of use cases. For those who are interested in this topic and looking for a starting point, I have put together a brief list of blogs, projects and presentations covering different approaches and the related NLP methods. This is not meant to be an exhaustive list; it is a starting point that can help you drill down further.

Frameworks like STIX and MITRE ATT&CK offer an intermediate representation between unstructured intelligence and machine-usable intelligence: once indicators and technique references have been pulled out of a report, they can be expressed as STIX objects and ATT&CK technique IDs that tooling already understands. Advances in NLP and deep learning techniques will also spur new ideas and approaches to solving this problem. As new work comes to light I will keep adding to this list, and I am always happy to get recommendations from you!
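To make the intermediate-representation idea concrete, here is an added example (not code from this page or from any of the projects listed below) that takes the simplest possible approach: regular expressions over a constructed, fictional advisory paragraph, reversing common defanging conventions (`hxxp`, `[.]`), dropping RFC 1918 addresses that appear only as context, and emitting STIX 2.1 `indicator` and `attack-pattern` objects with `mitre-attack` external references. The sample text, the short TLD allowlist and the use of the technique ID as the attack-pattern `name` are assumptions made for the example; a real pipeline would resolve names against the ATT&CK STIX dataset and use a proper NER model rather than regexes. Only the standard library is used, so it runs offline.

```python
"""Pull IOCs and ATT&CK technique IDs out of advisory prose and emit STIX 2.1 objects.

Added example; not code from any project this page links to. Regexes and the TLD
allowlist are deliberate simplifications for illustration.
"""
import ipaddress
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample advisory text (fictional; uses example.com and the
# 203.0.113.0/24 documentation range, and the SHA-256 of the empty string).
SAMPLE_ADVISORY = """
The actor delivered a spearphishing attachment (T1566.001) that dropped
loader.exe (SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855).
The loader beaconed to hxxp://update-check[.]example[.]com/api and 203[.]0[.]113[.]45
over TCP/443, then used scheduled tasks (T1053.005) for persistence.
Legitimate traffic to 10.0.0.1 was also observed.
"""

# Defanging conventions commonly seen in public reporting, reversed before matching.
_DEFANG = [("hxxp", "http"), ("[.]", "."), ("(.)", "."), ("{.}", "."),
           ("[:]//", "://"), ("[://]", "://")]


def refang(text):
    """Undo defanging so the IOC regexes see the real values."""
    for bad, good in _DEFANG:
        text = text.replace(bad, good)
    return text


# Assumed simplification: a short TLD allowlist keeps file names like loader.exe
# from being reported as domains.
_PATTERNS = {
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|info)\b", re.I),
    "attack": re.compile(r"\bT\d{4}(?:\.\d{3})?\b"),
}

# Internal ranges that appear in reports as victim context, not as indicators.
# Deliberately narrower than ipaddress.is_private so the documentation range in
# the constructed sample survives; production code would also drop reserved space.
_INTERNAL = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def _dedupe(items):
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def _is_indicator_ip(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # regex matched something like 999.1.1.1
        return False
    return not any(addr in net for net in _INTERNAL)


def extract(text):
    """Return {kind: [values]} for every pattern, deduplicated in document order."""
    text = refang(text)
    found = {kind: _dedupe(pat.findall(text)) for kind, pat in _PATTERNS.items()}
    found["ipv4"] = [ip for ip in found["ipv4"] if _is_indicator_ip(ip)]
    for kind in ("sha256", "md5", "domain"):
        found[kind] = [v.lower() for v in found[kind]]
    return found


def _stamp():
    return datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")


def _indicator(pattern):
    now = _stamp()
    return {"type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
            "created": now, "modified": now, "pattern": pattern,
            "pattern_type": "stix", "valid_from": now}


def to_stix_bundle(found):
    """Translate extracted values into a STIX 2.1 bundle a TIP or SIEM can ingest."""
    objs = [_indicator(f"[ipv4-addr:value = '{ip}']") for ip in found["ipv4"]]
    objs += [_indicator(f"[domain-name:value = '{d}']") for d in found["domain"]]
    objs += [_indicator(f"[file:hashes.'SHA-256' = '{h}']") for h in found["sha256"]]
    objs += [_indicator(f"[file:hashes.MD5 = '{h}']") for h in found["md5"]]
    for tid in found["attack"]:
        now = _stamp()
        objs.append({"type": "attack-pattern", "spec_version": "2.1",
                     "id": f"attack-pattern--{uuid.uuid4()}", "created": now, "modified": now,
                     "name": tid,  # assumption: real name comes from the ATT&CK STIX dataset
                     "external_references": [{"source_name": "mitre-attack", "external_id": tid}]})
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objs}


if __name__ == "__main__":
    print(json.dumps(to_stix_bundle(extract(SAMPLE_ADVISORY)), indent=2))
```

Run as a script it prints the bundle; on the sample it yields three indicators (one IP, one domain, one hash) and two attack-patterns, with the internal 10.0.0.1 dropped. The point of the example is the shape of the output rather than the extraction quality: once report contents are in STIX with ATT&CK references, the same SIEM and SOAR integrations that consume structured feeds can consume them too.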