Create and manage Threat Intelligence Feeds


Customers can create and import threat intelligence feeds from various sources, including STIX TAXII servers, STIX JSON files, other file types (CSV, JSON, TXT, STIX), URLs, or empty feeds for custom repositories. These feeds enable automation, organization, and integration with security tools to provide actionable intelligence and proactive threat management.

Overview of Feed creation options

Creating a feed allows you to organize, analyze, and share threat intelligence data in a standardized format. Each feed creation method serves specific use cases:

  • STIX TAXII Server Feed: Automates and prioritizes threats using a standardized, shareable format for integration with threat intelligence platforms.

  • STIX JSON File Feed: Organizes and connects threat data with other tools, enabling analysis of threat evolution and relationships.

  • File-Based Feed (CSV, JSON, TXT, STIX): Ideal for simple analysis, quick reference, or integration with tools supporting direct file imports. Supports historical analysis, predefined datasets, and offline data use.

  • URL-Based Feed: Provides real-time, dynamic threat intelligence for integration with platforms like SIEM or other security tools.

  • Empty Feed: Acts as a personal live repository for manually adding threat intelligence indicators as needed.

Process for creating a Feed

  1. Navigate to the platform homepage, select Threat Intelligence Management, and then select All Feeds.

  2. From there, choose Create New Feed and select the appropriate feed creation method from the dropdown menu.

Create a Feed linked to a STIX TAXII server

This method automates threat prioritization and provides actionable intelligence in a standardized, shareable format.

  1. Select From TAXII 2.1 from the Create New Feed dropdown.

  2. Complete the Create a TAXII 2.1 Feed form:

    1. Feed Name: Enter a name for your feed.

    2. Feed Type: Select the type of feed from the dropdown.

    3. Vendor: Enter the vendor name.

    4. Description (Optional): Add a description of the feed.

    5. Server URL: Enter the TAXII server URL.

    6. Authorization: Select the authorization type from the dropdown.

    7. API Roots: Select Load API Roots, then choose the TAXII server from the dropdown.

    8. Collection: Select a feed to link to from the dropdown.

  3. Select Create.

Use Case: Ideal for organizations needing automated, standardized threat intelligence to discover patterns and act proactively.

Create a Feed with a STIX JSON file

This method organizes threat data, connects it with other tools, and supports analysis of threat evolution and relationships.

  1. Select From File from the Create New Feed dropdown.

  2. Complete the form:

    1. Feed Name: Enter a name for your feed.

    2. Feed Type: Select the type of feed from the dropdown.

    3. Vendor: Enter the vendor name.

    4. Tag (Optional): Select + Add Tag, enter a tag name, and choose it from the dropdown to identify observables across feeds.

    5. File: Choose Select a File, then choose a STIX JSON file from the file explorer.

  3. Select Create.

Use Case: Ideal for users looking to organize and share structured threat data, as well as analyze threat relationships.

Create a Feed from a file (CSV, JSON, TXT, STIX)

This method is suited for simple analysis, quick reference, or integration with tools supporting direct file imports.

Supported File Types:

  • CSV: For sharing and storing data.

  • JSON: Text-based format for storing and exchanging data.

  • TXT: Plain text for unformatted data.

  • STIX: Structured format for sharing cyber threat intelligence (CTI).

Important: Ensure the file’s columns correspond to the represented data.

Benefits:

  • Historical Analysis: Store historical threat data to investigate trends, attack behaviors, and evolving threats.

  • Predefined Datasets: Use datasets like malware samples or IP address lists for regulatory analysis.

  • Offline Data: Access data in scenarios with limited or no internet connectivity.

  1. Select From File from the Create New Feed dropdown.

  2. Complete the form:

    1. Feed Name: Enter a name for your feed.

    2. Feed Type: Select the type of feed from the dropdown.

    3. Vendor (Optional): Enter the vendor name.

    4. Source Score (0-100) (Optional): Enter a score for the feed’s reliability.

    5. Description (Optional): Add a description of the feed.

    6. Tag (Optional): Select + Add Tag, enter a tag name, and choose it from the dropdown.

    7. File: Choose Select a File, then upload a CSV, JSON, TXT, or STIX file.

  3. Select Create.

Use Case: Useful for users with simple analysis needs, predefined datasets, or offline data requirements.
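
A pre-upload check for the "columns correspond to the represented data" requirement above, as an added example that is not part of the platform or its documentation. The column names `value` and `type`, the three type labels and the sample rows are assumptions constructed for illustration; internal addresses are flagged because a feed that reaches enforcement tools should not carry your own hosts.

```python
import csv
import io
import ipaddress
import re

# Constructed sample file. The "value"/"type" layout is an assumption,
# not the platform's required format.
SAMPLE_CSV = "\n".join([
    "value,type",
    "198.51.100.7,ipv4",
    "10.0.0.5,ipv4",
    "bad.example.com,domain",
    "ab" * 32 + ",sha256",
    "not-a-hash,sha256",
    "example.org,ipv4",
]) + "\n"

INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
DOMAIN_RE = re.compile(
    r"(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", re.I)
SHA256_RE = re.compile(r"[0-9a-f]{64}", re.I)


def check_value(value, kind):
    """Return None if value fits its declared type, else a short reason."""
    if kind == "ipv4":
        try:
            addr = ipaddress.IPv4Address(value)
        except ValueError:
            return "not an IPv4 address"
        return "internal address" if any(addr in n for n in INTERNAL) else None
    if kind == "domain":
        return None if DOMAIN_RE.fullmatch(value) else "not a domain name"
    if kind == "sha256":
        return None if SHA256_RE.fullmatch(value) else "not a SHA-256 hex digest"
    return f"unknown type {kind!r}"


def validate_rows(csv_text):
    """Return [(line_number, value, reason)] for rows to fix before upload."""
    problems = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row in reader:
        value = (row.get("value") or "").strip()
        kind = (row.get("type") or "").strip().lower()
        reason = check_value(value, kind)
        if reason:
            problems.append((reader.line_num, value, reason))
    return problems


if __name__ == "__main__":
    for line_no, value, reason in validate_rows(SAMPLE_CSV):
        print(f"line {line_no}: {value!r}: {reason}")
```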

Create a Feed from a URL

This method provides real-time, dynamic threat intelligence for integration with platforms like SIEM or other security tools.

  1. Select From URL from the Create New Feed dropdown.

  2. Complete the form:

    1. Feed Name: Enter a name for your feed.

    2. Feed Type: Select the type of feed from the dropdown.

    3. Vendor: Enter the vendor name.

    4. Tag (Optional): Select + Add Tag, enter a tag name, and choose it from the dropdown.

    5. URL: Enter the URL for the feed.

    6. Source Format: Select the URL’s format from the dropdown.

    7. Authorization: Select the authorization type from the dropdown and enter credentials.

    8. Select Test Access to verify the URL.

  3. Select Create.

Use Case: Ideal for real-time threat intelligence.

Create an empty Feed

This method creates a personal live repository for manually adding threat intelligence indicators as you discover them.

  1. Select From File from the Create New Feed dropdown.

  2. Complete the form:

    1. Feed Name: Enter a name for your feed.

    2. Feed Type: Select the type of feed from the dropdown.

    3. Vendor (Optional): Enter the vendor name.

    4. Source Score (0-100) (Optional): Enter a score for the feed’s reliability.

    5. Description (Optional): Add a description of the feed.

    6. Tag (Optional): Select + Add Tag, enter a tag name, and choose it from the dropdown.

  3. Select Create without uploading a file.

Use Case: Ideal for users seeking a flexible and customizable repository for threat indicators.

Create a feed from a TAXII 2.1 server

Create a feed from a TAXII 2.1 server if you have complex security needs that require real-time updates, structured data exchange, and automated workflows. TAXII servers handle large data volumes, automate alerts and reports, and ensure data security and compliance.

  1. From the homepage, select Threat Intelligence Management, and then select Feeds.

  2. Select Create New Feed, then choose From TAXII 2.1.

  3. In the Feed name box, enter the name of your feed.

  4. In the Feed type box, select your feed type.

  5. (Optional) In the Vendor box, enter the vendor name.

  6. (Optional) In the Description box, enter a description of the feed.

  7. In the Server URL box, enter the TAXII server URL.

  8. In the Authorization box, select the authorization type and enter credentials.

  9. Select Load API Roots, then in the API Root box, select the API root.

  10. In the Collection box, select the collection to include the feed in, and then select Create.
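
What the Server URL, Load API Roots and Collection fields correspond to in the TAXII 2.1 protocol, for both TAXII procedures on this page, as an added example that is not the platform's own code. The server URL, discovery response and collections response are constructed samples; the script resolves each advertised API root, flags roots that are not HTTPS or sit on a different host than the server URL, and lists the collections the account can read.

```python
import json
from urllib.parse import urljoin, urlparse

# Constructed sample responses (not from a real server).
SERVER_URL = "https://taxii.example.org/taxii2/"
DISCOVERY_JSON = """{
  "title": "Example TAXII Server",
  "default": "https://taxii.example.org/api1/",
  "api_roots": ["https://taxii.example.org/api1/", "/api2/",
                "http://other.example.net/trust/"]
}"""
COLLECTIONS_JSON = """{
  "collections": [
    {"id": "91a7b528-80eb-42ed-a74d-c6fbd5a26116", "title": "High Value Indicators",
     "can_read": true, "can_write": false},
    {"id": "52892447-4d7e-4f70-b94d-d7f22742ff63", "title": "Inbox",
     "can_read": false, "can_write": true}
  ]
}"""


def resolve_api_roots(server_url, discovery_text):
    """Return [(absolute_url, warnings)] for each API root in a discovery response."""
    base_host = urlparse(server_url).hostname
    roots = []
    for root in json.loads(discovery_text).get("api_roots", []):
        url = urljoin(server_url, root)  # API roots may be relative to the server URL
        parsed = urlparse(url)
        warnings = []
        if parsed.scheme != "https":
            warnings.append("not https")
        if parsed.hostname != base_host:
            warnings.append("different host than server URL")
        roots.append((url if url.endswith("/") else url + "/", warnings))
    return roots


def readable_collections(api_root, collections_text):
    """Return [(title, objects_url)] for collections with can_read set."""
    out = []
    for col in json.loads(collections_text).get("collections", []):
        if col.get("can_read"):
            out.append((col["title"], f"{api_root}collections/{col['id']}/objects/"))
    return out


if __name__ == "__main__":
    for url, warnings in resolve_api_roots(SERVER_URL, DISCOVERY_JSON):
        print(url, warnings or "ok")
    print(readable_collections("https://taxii.example.org/api1/", COLLECTIONS_JSON))
```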