Intel Feeds FAQ

Updated 1 week ago by Elvis Hovor

Open Intelligence (OSINT)

These feeds require no licence to use and are feed-based: TruSTAR polls them at regular intervals rather than querying them per indicator. They do not provide summary tables or attribute parsers. The polling rate for each source has been tuned to match that source's own data refresh rate.

| Feed Source | Update Frequency | Indicators Retrieved |
|---|---|---|
| Abuse.ch IP Blacklist | 15 min | IP, URL, MALWARE |
| Abuse.ch Ransomware | 15 min | IP, URL, MALWARE |
| Abuse.ch SSL Blacklist | 15 min | IP, URL, MALWARE |
| AIS - DHS | 15 min | STIX/TAXII - IP, URL, MD5, SHA1, SHA256, CVE, DOMAIN, BITCOIN ADDRESSES, SOFTWARE, EMAIL ADDRESS, CIDR BLOCK, REGISTRY KEY and MALWARE |
| Bambenek | 15 min | IP, MALWARE |
| EU-CERT | 15 min | IP, URL, MD5, SHA1, SHA256, CVE, DOMAIN, BITCOIN ADDRESSES, SOFTWARE, EMAIL ADDRESS, CIDR BLOCK, REGISTRY KEY and MALWARE |
| Hail_a_Taxii | 60 min | IP, URL, MD5, SHA1, SHA256, CVE, DOMAIN, BITCOIN ADDRESSES, SOFTWARE, EMAIL ADDRESS, CIDR BLOCK, REGISTRY KEY and MALWARE |
| Hybrid Analysis_Public Feed | 3 hours | URL, MD5, SHA1, SHA256, MALWARE |

Open Intel Feeds (RSS)

These feeds do not include summary tables or attribute parsers, and they are all feed-based (no queries are required to access the information in their individual enclaves).

| Feed Source | Update Frequency | Indicators Retrieved |
|---|---|---|
| Broad Analysis | 15 min | IP, DOMAIN |
| Infosec Island | 15 min | IP, URL, MD5, SHA1, SHA256, CVE, DOMAIN, BITCOIN ADDRESSES, SOFTWARE, EMAIL ADDRESS, CIDR BLOCK, REGISTRY KEY and MALWARE |
| ISC | 15 min | IP, URL, MD5, SHA1, SHA256, CVE, DOMAIN, BITCOIN ADDRESSES, SOFTWARE, EMAIL ADDRESS, CIDR BLOCK, REGISTRY KEY and MALWARE |
| Malware Bytes | 15 min | SOFTWARE, MALWARE |
| Packetstorm | 15 min | IP, URL, MD5, SHA1, SHA256, CVE, DOMAIN, BITCOIN ADDRESSES, SOFTWARE, EMAIL ADDRESS, CIDR BLOCK, REGISTRY KEY and MALWARE |
| Palo Alto Unit 42 | 15 min | IP, URL, MD5, SHA1, SHA256, CVE, DOMAIN, BITCOIN ADDRESSES, SOFTWARE, EMAIL ADDRESS, CIDR BLOCK, REGISTRY KEY and MALWARE |
| US-CERT | 15 min | IP, URL, MD5, SHA1, SHA256, CVE, DOMAIN, BITCOIN ADDRESSES, SOFTWARE, EMAIL ADDRESS, CIDR BLOCK, REGISTRY KEY and MALWARE |

Premium Intel Sources

Premium feeds require credentials and keys for setup and configuration, which usually means you hold a licence or subscription to the source, such as FS-ISAC or the Recorded Future IP List.

Some closed sources return results only when you submit data into your private enclave; these are marked as query-based in the table below. A query-based source enriches only the IOCs contained in a submission, at the time the submission is made.

| Intel Source | Update Frequency | Query-Based? | Summary Table? | Attributes Parser? | Indicators Retrieved |
|---|---|---|---|---|---|
| A-ISAC | 15 min | No | No | Pending | ALL |
| AlienVault OTX | 15 min | Yes | Yes | Yes | IP, URL, MD5, SHA1, SHA256, CVE |
| AlienVault OTX Pulse | 15 min | No | No | Pending | ALL |
| Cisco AMP ThreatGrid Analysis | 15 min | No | Yes | Yes | IP, URL, DOMAIN (extracted from URL), SHA1, SHA256, MD5, REGISTRY KEY |
| Cisco AMP ThreatGrid Indicator Query | 15 min | Yes | Yes | Yes | IP, URL, DOMAIN (extracted from URL), SHA1, SHA256, MD5, REGISTRY KEY |
| Crowdstrike Falcon Detect | 15 min | No | No | Pending | IP, URL, DOMAIN |
| Crowdstrike Falcon Intelligence | 15 min | Yes | Yes | Yes | ALL |
| Crowdstrike Falcon Reports | 15 min | No | Yes | Yes | ALL |
| Crowdstrike Falcon Stream | 15 min | No | No | Pending | ALL |
| CyberSource | Every 24 hours at 2PM UTC | Yes | No | Pending | IP, URL, DOMAIN, EMAIL ADDRESS (contact TruSTAR support for access) |
| Digital Shadows | 15 min | No | Yes | Yes | IP, URL, MD5, SHA1 |
| F-ISAC | 15 min | No | No | Pending | ALL |
| FS-ISAC | 2 hours | No | No | Pending | IP, URL, MD5, SHA1, SHA256, CVE, DOMAIN, BITCOIN ADDRESSES, SOFTWARE, EMAIL ADDRESS, CIDR BLOCK, REGISTRY KEY and MALWARE |
| Facebook Threat Exchange | 15 min | Yes | Yes | Yes | IP, URL, MD5, SHA1, SHA256, EMAIL ADDRESS |
| Farsight DNSDB | 15 min | Yes | No | Pending | IP, DOMAIN, URL |
| Flashpoint | 15 min | No | No | Pending | ALL |
| HybridAnalysis | 15 min | Yes | Yes | Yes | URL, MD5, SHA1, SHA256, MALWARE |
| IBM X-Force | 15 min | Yes | Yes | Yes | IP, URL, MD5, SHA1, SHA256 |
| IBM X-Force IRIS | | No | Yes | Yes | |
| Intel 471 Adversary Intelligence | 15 min | No | No | Pending | ALL |
| Intel 471 Alerts Watchlist | 15 min | No | No | Pending | ALL |
| Intel 471 Malware Intelligence | 15 min | No | Yes | Yes | ALL |
| iSight Partners | 15 min | No | No | Yes | ALL (if present in reports provided by iSight) |
| Joe Sandbox | 15 min | No | Yes | Yes | ALL |
| MISP | 15 min | No | No | Pending | ALL |
| NCFTA CyFin | 15 min | No | No | Pending | ALL |
| NCFTA TNT | 15 min | No | No | Pending | ALL |
| Recorded Future | 15 min | Yes | Yes | Pending | IP, URL, CVE, MD5, SHA1, SHA256, MALWARE |
| Recorded Future Hash Intelligence | 4 hours | No | Yes | Yes | MD5, SHA1, SHA256 |
| Recorded Future IP Intelligence | 2 hours | No | Yes | Yes | ALL |
| Recorded Future URL Intelligence | Every 24 hours at 2PM UTC | No | Yes | Yes | DOMAIN, URL |
| Recorded Future Vulnerability Intelligence | Every 24 hours at 2PM UTC | No | Yes | Pending | CVE |
| RiskIQ Blacklist | 15 min | Yes | Yes | Yes | IP, DOMAIN, URL |
| RiskIQ PassiveTotal | 15 min | Yes | Yes | Pending | IP, DOMAIN, URL, EMAIL ADDRESS |
| Shape Blackfish | 15 min | Yes | No | Pending | EMAIL ADDRESS |
| Spy Cloud | 15 min | Yes | No | Pending | IP, URL, DOMAIN, EMAIL ADDRESS (contact TruSTAR support for access) |
| VirusTotal | 15 min | Yes | Yes | Yes | IP, URL, MD5, SHA1, SHA256 |

In the Indicators Retrieved column, the value ALL covers these observable types:

  • IPV4
  • IPV6
  • CIDR BLOCK
  • URL (domains are currently categorized as URLs)
  • MD5
  • SHA1
  • SHA256
  • CVE (based on NIST's CVE standard)
  • BITCOIN ADDRESSES
  • SOFTWARE (file names are currently treated as Software)
  • EMAIL ADDRESS
  • REGISTRY KEY
  • MALWARE
  • THREAT ACTOR
  • PHONE NUMBERS

FAQ

Q. What are the limitations of a source that does not have a parser?

A. Observables (see the list above) provided by the source are still extracted and made available to the user in the TruSTAR app and integration(s). Without a parser in place, however, those observables are not mapped to specific fields and carry no risk or confidence scores.
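To make the parser distinction concrete, here is an added example (not TruSTAR's own code or SDK): a regex-plus-validation extractor that pulls the observable types from the ALL list above out of an unstructured feed entry, beside a small parser that maps a structured record onto a typed field and keeps the source's own risk and confidence values. The sample text, the sample record and its field names (indicator, type, confidence, risk) are constructed for this example and are not any vendor's real schema.

```python
"""Added example, not TruSTAR's code: observable extraction for an unparsed source
next to a field-mapped parser. Sample inputs and field names are constructed."""
import ipaddress
import json
import re
from typing import Dict, List, Optional

# Constructed sample of an unstructured feed entry (e.g. the body of an RSS item).
SAMPLE_TEXT = """
Campaign notes: C2 at http://198.51.100.7/gate.php, staging on 203.0.113.0/24.
Dropper sha256 E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
(md5 d41d8cd98f00b204e9800998ecf8427e, sha1 da39a3ee5e6b4b0d3255bfef95601890afd80709).
Phish from ops@mail.example.net exploiting cve-2017-11882; IPv6 beacon 2001:db8::1.
Logged 12:30:00 UTC from 10.0.0.1; a mangled 999.1.1.1 also appeared in the report.
"""

# Constructed record from a hypothetical parser-backed source. The field names are
# an assumption for illustration, not any vendor's actual schema.
SAMPLE_RECORD = '{"indicator": "198.51.100.7", "type": "ip", "confidence": 85, "risk": "high"}'

# Order matters: enclosing or more specific tokens (URL, hashes, CIDR) are matched
# and blanked first, so the IPv4 inside a URL or CIDR block is not reported twice.
PATTERNS = [
    ("URL", re.compile(r"\bhttps?://[^\s'\"<>]+", re.I)),
    ("EMAIL ADDRESS", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("CVE", re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.I)),
    ("SHA256", re.compile(r"\b[0-9a-f]{64}\b", re.I)),
    ("SHA1", re.compile(r"\b[0-9a-f]{40}\b", re.I)),
    ("MD5", re.compile(r"\b[0-9a-f]{32}\b", re.I)),
    ("CIDR BLOCK", re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}\b")),
    # Loose IPv6 shape only; ipaddress does the real validation in _normalize().
    ("IPV6", re.compile(r"(?<![\w:])(?:[0-9a-f]{0,4}:){2,7}[0-9a-f]{0,4}(?![\w:])", re.I)),
    ("IPV4", re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")),
]

_TYPE_MAP = {"md5": "MD5", "sha1": "SHA1", "sha256": "SHA256", "url": "URL",
             "cve": "CVE", "email": "EMAIL ADDRESS", "cidr": "CIDR BLOCK"}


def _normalize(kind: str, value: str) -> Optional[str]:
    """Canonical form of a candidate, or None if it is not a valid observable of that kind."""
    value = value.rstrip(".,;)")  # sentence punctuation glued onto the token
    try:
        if kind == "CIDR BLOCK":
            return str(ipaddress.ip_network(value, strict=False))
        if kind in ("IPV4", "IPV6"):
            ip = ipaddress.ip_address(value)
            # reject the wrong address family and the unspecified address ("0.0.0.0" / "::")
            if ip.version != (4 if kind == "IPV4" else 6) or ip.is_unspecified:
                return None
            return str(ip)
    except ValueError:
        return None
    if kind == "CVE":
        return value.upper()
    return value.lower() if kind in ("MD5", "SHA1", "SHA256", "EMAIL ADDRESS") else value


def extract_observables(text: str) -> Dict[str, List[str]]:
    """What an unparsed source yields: typed observables, but no field mapping
    and no risk or confidence score."""
    buf = text
    found: Dict[str, List[str]] = {}
    for kind, pat in PATTERNS:
        for m in list(pat.finditer(buf)):
            norm = _normalize(kind, m.group(0))
            if norm is not None and norm not in found.setdefault(kind, []):
                found[kind].append(norm)
            # blank the span either way so rejected junk cannot re-match as another type
            buf = buf[: m.start()] + " " * (m.end() - m.start()) + buf[m.end():]
    return {k: v for k, v in found.items() if v}


def parse_structured_record(raw: str) -> Optional[Dict[str, object]]:
    """What a parser adds: the indicator mapped onto a typed field, carrying the
    source's own risk and confidence values instead of dropping them."""
    rec = json.loads(raw)
    value = str(rec.get("indicator", ""))
    type_name = str(rec.get("type", "")).lower()
    if type_name == "ip":  # let ipaddress decide the family
        try:
            kind = "IPV4" if ipaddress.ip_address(value).version == 4 else "IPV6"
        except ValueError:
            return None
    else:
        kind = _TYPE_MAP.get(type_name)
        if kind is None:
            return None
    norm = _normalize(kind, value)
    if norm is None:
        return None
    return {"type": kind, "value": norm,
            "confidence": rec.get("confidence"), "risk": rec.get("risk")}


if __name__ == "__main__":
    print(json.dumps(extract_observables(SAMPLE_TEXT), indent=2))
    print(parse_structured_record(SAMPLE_RECORD))
```

On the sample text the extractor reports nine typed observables and discards the timestamp (an IPv6-shaped false positive) and the malformed 999.1.1.1, because every IP-like candidate is validated with ipaddress rather than trusted from the regex alone. Bare domains are deliberately not extracted here, since the page categorizes domains under URL. The structured parser is the part an unparsed source lacks: its output carries the field mapping and the confidence and risk values, which the text extractor has no way to produce.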

Q. How do I integrate sources that are not available in the TruSTAR Marketplace?

1) Establish a shared understanding of the use case for the source. For example, is this information for the detection mission in the SIEM, for the enrichment mission in triage and incident response, or both?

2) Prioritizing and refining. Many of our customers have a never-ending and ever-evolving list of sources to operationalize; that is the nature of intelligence management. As part of the Customer Success process, we create a shared roadmap of requests with each customer, execute on the implementation together, and report out on it in monthly check-ins and quarterly executive business reviews.

3) Acceleration. How quickly we add net-new data sources to a customer's TruSTAR environment depends on three factors:

  • Existing backlog of sources - we maintain a backlog of integrations ordered by popularity with our sharing communities and customer base. Next up for us in Q1 are integrations with Slack, D3, and an expansion of our RiskIQ integration. These will be available to all TruSTAR customers. We re-prioritize this roadmap every quarter based on requests and share it with our customer base.
  • REST API / Python SDK - Typically there are some unique sources a customer wants to leverage. We work with the customer to identify the most appropriate way to meet those specific needs while balancing speed and cost. Some customers build these integrations themselves; some want TruSTAR to do it for them. If the customer wants TruSTAR to do it, we can pursue one of the following:
    • Enumerate the specific sources/integrations and their prices and delivery deadlines in the contract,
    • Create an integrations line item in the contract; integrations are then scoped and developed via email approval between TruSTAR and the BV POC, and TruSTAR reports on utilization as part of the quarterly business reviews, or
    • Approach each integration ad hoc with a separate statement of work and signature process.
  • Enclave Inbox - If a customer has new data sources but is unable or unwilling to earmark resources for an integration, we typically look to maximize the email-ingest vector. Ingesting and parsing data through email ingest is one of the most popular ways to get data into the platform without expending engineering resources.
