Sources

Selecting the Sources module on the navigation panel in Intelligence Hub will direct you to the Intelligence Hub > Sources module on the Threat Command platform.

From the Sources module, you can view and manage the intelligence feeds that provide IOCs (indicators of compromise).

Source Feeds

  • Rapid7 feeds - Private feeds provided exclusively to Rapid7 customers, free of charge. They include indicators extracted from threat reports generated in the Rapid7 Research module. Because Rapid7 participates in the Cyber Threat Alliance (CTA) and in US-CERT's Automated Indicator Sharing, those IOC feeds are also available here.
  • Private feeds - Feeds provided by security companies and organizations on a subscription basis. Intelligence Hub can pull threat data automatically from feeds you are subscribed to, in addition to the feeds it provides itself. To use a private feed, subscribe directly with the provider and then enter your credentials for that provider in Intelligence Hub.
  • STIX/TAXII feeds - Private or public feeds that Intelligence Hub does not yet support natively and that deliver data over TAXII in STIX 1.x or 2.x format. These feeds are added per user and are available only to that user. To add a STIX/TAXII feed, see here.
  • MISP server feeds - Private feeds from a MISP server. MISP is a community-driven software project for sharing, storing, and correlating IOCs of targeted attacks. To add a MISP feed, see here.
  • Public feeds - Feeds provided by companies and organizations without charge. You can enable or disable each listed feed. Once a feed is enabled, Rapid7 retrieves intelligence from it and its IOCs become available for sharing.
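As an added illustration (not Rapid7 code), the following Python shows what a STIX 2.x indicator feed polled over TAXII actually contains and how the atomic IOCs are pulled out of it before they can be matched against anything or pushed anywhere. The bundle, object IDs and values are constructed for the example (RFC 5737 addresses and .example names), and the mapping of STIX object paths onto IOC types is this example's own, not Intelligence Hub's. STIX 1.x (XML) is not covered.

```python
"""Pull atomic IOCs out of a STIX 2.x bundle, as delivered by a TAXII collection.

Added example, not Rapid7 code. All data below is constructed for the example.
"""
import json
import re
from datetime import datetime, timezone


def _indicator(n, pattern, **extra):
    """Build a minimal STIX 2.1 indicator object (constructed test data)."""
    obj = {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--00000000-0000-4000-8000-00000000000{n}",
        "created": "2024-01-10T12:00:00.000Z", "modified": "2024-01-10T12:00:00.000Z",
        "pattern_type": "stix", "pattern": pattern, "valid_from": "2024-01-10T12:00:00Z",
    }
    obj.update(extra)
    return obj


# One TAXII poll worth of objects. Only the first indicator should yield IOCs.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-0000000000aa",
    "objects": [
        _indicator(1, "[domain-name:value = 'cnc.example'] OR [ipv4-addr:value = '198.51.100.7']"),
        # expired: valid_until is in the past
        _indicator(2, "[url:value = 'http://dropper.example/payload.bin']",
                   valid_until="2023-02-01T00:00:00Z"),
        # revoked by the producer
        _indicator(3, "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']", revoked=True),
        # a Snort rule is a detection signature, not an atomic IOC
        _indicator(4, 'alert tcp any any -> any 443 (msg:"beacon"; sid:1000001;)',
                   pattern_type="snort"),
        # non-indicator objects ride along in the same bundle and are ignored here
        {"type": "malware", "spec_version": "2.1", "name": "Dropper", "is_family": False,
         "id": "malware--00000000-0000-4000-8000-0000000000bb"},
    ],
})

# One STIX equality comparison: <object-path> = '<value>'. The object path may
# contain quoted hash keys (file:hashes.'SHA-256'); the value may contain \' escapes.
_COMPARISON = re.compile(r"(?P<path>[A-Za-z0-9_:.'\-]+)\s*=\s*'(?P<value>(?:[^'\\]|\\.)*)'")

# Object paths that correspond to atomic IOCs (example mapping, not Intelligence Hub's).
_PATH_TO_TYPE = {
    "domain-name:value": "domain", "ipv4-addr:value": "ipv4", "ipv6-addr:value": "ipv6",
    "url:value": "url", "email-addr:value": "email",
    "file:hashes.MD5": "md5", "file:hashes.SHA-1": "sha1", "file:hashes.SHA-256": "sha256",
}


def parse_pattern(pattern):
    """Return [(ioc_type, value)] for each equality comparison on a known object path.

    '!=', 'MATCHES', 'LIKE', range operators and unknown paths yield nothing: they
    describe conditions, not single values you can block or search for.
    """
    out = []
    for m in _COMPARISON.finditer(pattern):
        path = m.group("path").replace("'", "")   # file:hashes.'SHA-256' -> file:hashes.SHA-256
        ioc_type = _PATH_TO_TYPE.get(path)
        if ioc_type:
            out.append((ioc_type, m.group("value").replace("\\'", "'")))
    return out


def _ts(value):
    """Parse a STIX RFC 3339 timestamp ('...Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_iocs(bundle_json, now=None):
    """Return the set of live atomic IOCs in a STIX 2.x bundle.

    Skips revoked indicators, indicators whose valid_until has passed, and
    indicators whose pattern_type is not 'stix'.
    """
    now = now or datetime.now(timezone.utc)
    iocs = set()
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        until = obj.get("valid_until")
        if until and _ts(until) <= now:
            continue
        iocs.update(parse_pattern(obj["pattern"]))
    return iocs


if __name__ == "__main__":
    for ioc_type, value in sorted(extract_iocs(SAMPLE_BUNDLE)):
        print(f"{ioc_type:7} {value}")
```

The point of the filtering is that a TAXII collection is not a flat IOC list: revoked and expired indicators, non-STIX pattern types (Snort, YARA, Sigma) and non-equality comparisons all arrive in the same bundle, and each of them would become a false positive if pushed to a blocking device as if it were an indicator value.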

You can enable or disable any feed that is available in your account.

The following tables describe the intelligence feeds that are available in Sources.

Alternatively, you can see the description by clicking a feed name in Intelligence Hub.

Rapid7 feeds

Confidence | Feed | Description
High | Intelligence Feed | Threat indicators extracted from cyberthreat alerts created in the Threat Command module. For example, each phishing alert adds a new domain indicator to this feed. Users cannot control the number of indicators added to this feed.
High | Lorelei Brute Force | IP addresses suspected of brute-force attacks. Project Lorelei uses global honeypots across many protocols to better understand the tactics, techniques, and procedures used by bots and human attackers.
High | Remediation Blocklist | A subset of the Intelligence Feed: only the indicators that a user explicitly added to the remediation blocklist via the Remediation option of a cyberthreat alert in the Threat Command module.
High | Rapid7 Labs Curated Threat Intelligence | A high-fidelity feed of IOCs validated and enriched by Rapid7's threat research team.
High | US-CERT | The US Computer Emergency Readiness Team provides the Department of Homeland Security's Automated Indicator Sharing (AIS) feed, which exchanges cyber threat indicators between the Federal Government and the private sector at machine speed.
Medium | Cyber Threat Alliance | The Cyber Threat Alliance (CTA) is a group of cybersecurity practitioners from organizations that have chosen to work together in good faith to share threat information, to improve defenses against advanced cyber adversaries across member organizations and their customers.

Private feeds

Confidence | Feed | Description
High | CrowdStrike | CrowdStrike Falcon X combines automated analysis with human intelligence to provide real-time threat alerts. For configuration, see Add the CrowdStrike Feed. File hash IOCs in this feed carry the severity assigned by the feed itself, not by Threat Command enrichment.
High | Mandiant | Mandiant Threat Intelligence gives security practitioners visibility into, and expertise on, the threats that matter to their business right now.
Medium | A-ISAC | The Aviation ISAC feed is a focal point for security information sharing across the aviation sector. It carries timely and actionable information on threats, vulnerabilities, incidents, potential protective measures, and best practices.
Medium | Canadian Center for Cyber Security | The Canadian Centre for Cyber Security (CCCS) feed enriches, analyzes, and shares cyber threat information across business sectors and from Canadian and international cyber threat sharing hubs. CCCS provides actionable cyber threat intelligence with a Canadian focus.
Medium | E-ISAC | The Electricity Information Sharing and Analysis Center feed aggregates cyber and physical threat intelligence for the electricity industry.
Medium | FS-ISAC | The Financial Services Information Sharing and Analysis Center is the global financial industry's resource for cyber and physical threat intelligence analysis and sharing.
Medium | GovCERT.ch | The Computer Emergency Response Team of the Swiss government supports Switzerland's critical IT infrastructure in dealing with cyberthreats, providing technical analyses and information about attacks, in particular targeted attacks, against the national critical IT infrastructure.
Medium | Guardicore | Guardicore provides information on malicious IP addresses and domains, drawn from three main sources: the Guardicore Global Sensors Network (GGSN), Guardicore Reputation Services, and the insights of the Guardicore Labs team.
Medium | H-ISAC | The Health Information Sharing and Analysis Center feed aggregates health care cybersecurity and threat intelligence.
Medium | LS-ISAO | The Legal Services Information Sharing and Analysis Organization feed provides IOC and CVE information based on data exchanged with governments and security vendors, on topics ranging from phishing campaigns and ransomware to BEC attacks and APT activity.
Medium | RH-CISC | The Retail and Hospitality Information Sharing and Analysis Center (ISAC) component of the RH-CISC is a forum for retailers to share threat information and leading practices with each other to enhance the security of the retail industry.
Medium | SWIFT-ISAC | SWIFT ISAC provides malware details such as file hashes, YARA rules, and IOCs that have been shared with the SWIFT community.
Medium | ThreatConnect | This feed distills millions of data points to provide immediate insight into how widespread and relevant a threat is. It also carries IOCs for ONG-ISAC members; ONG-ISAC serves as a central point of coordination and communication for protecting the exploration and production, transportation, refining, and delivery systems of the oil and gas industry through the analysis and sharing of trusted and timely cyber threat information, including vulnerability and threat activity specific to ICS and SCADA systems.

STIX/TAXII feeds

These feeds are added by the user and are available only in that user's environment.

MISP server feeds

These feeds are added by the user and are available only in that user's environment.

Public feeds

Confidence | Feed | Description
High | AlienVault OTX | The AlienVault Open Threat Exchange (OTX) is an open threat information sharing and analysis network. OTX provides access to a global community of threat researchers and security professionals who contribute over 19 million threat indicators daily, and lets anyone in the security community discuss, research, validate, and share the latest threat data, trends, and techniques.
High | Bambenek C&C Tracker | Known, active, non-sinkholed C&C IP addresses, from Bambenek Consulting.
High | Dshield | A community-based collaborative firewall-log correlation system that provides lists of suspicious domains and IP addresses of various severity. Operated by the Internet Storm Center.
High | Pastebin | IP addresses, URLs, and domains hosting Cobalt Strike command and control (C&C) servers.
High | Quake360 | IPv4 and IPv6 addresses hosting Cobalt Strike C&C servers. Through continuous scanning, Quake360 maintains a real-time view of assets across global cyberspace to discover their security risks.
High | RiskIQ | IP addresses hosting Cobalt Strike C&C servers.
High | TOR Project official exit nodes | Exit-node IP addresses published by the Tor Project. Because Tor provides anonymity it is frequently used for malicious online activity, so any connection with these IP addresses is suspicious.
Medium | Abuse CH SSL Blocklist | The SSL Blacklist (SSLBL) feed, a project of abuse.ch, lists IP addresses involved in malicious SSL connections by identifying and blocklisting SSL certificates used by botnet C&C servers. SSLBL also publishes JA3 fingerprints that help detect and block malware botnet C&C communication at the TCP layer.
Medium | Binary Defense Systems Artillery | A list of malicious IP addresses from Artillery, Binary Defense Systems' open-source cyber security framework.
Medium | BotScout | BotScout provides a list of the top 100 bots, tracking the names, IP addresses, and email addresses used by bots and logging them as unique signatures for future reference.
Medium | Cisco Talos IP Blacklist | The IP Blacklist, updated automatically every fifteen minutes, lists known malicious network threats that are flagged across all Cisco Security Products.
Medium | Cyware | Cyware provides threat intelligence feeds from a wide range of open and trusted sources, delivering actionable threat intelligence including IOCs, threat actor information, TTPs, campaigns, incidents, malware intrusions, and vulnerabilities.
Medium | Emerging Threats | A list of malicious and compromised IP addresses. Operated by ET Labs.
Medium | Feodo Tracker | Feodo Tracker offers IP address and domain blocklists of known command and control (C&C) servers associated with the Feodo crimeware.
Medium | GreenSnow Blocklist | IP addresses used in attacks such as port scans and brute forcing of FTP, POP3, mod_security, IMAP, SMTP, SSH, and cPanel. The feed harvests a large number of IP addresses from computers located around the world. GreenSnow is comparable to Spamhaus.org for attacks of any kind except spam.
Medium | Joe Wein | A list of domains focused on spam and online fraud.
Medium | Lehigh Malware Domains | A list of sinkholed domains known to carry malicious infrastructure.
Medium | OpenPhish | Phishing URLs from OpenPhish's real-time observation of live phishing pages.
Medium | Snort IP Blocklist | A list of IP addresses compiled by Snort labs; Snort is an open-source intrusion prevention and detection system (IPS/IDS).
Medium | ThreatFox | A project of abuse.ch providing domains, IP addresses, email addresses, and file hashes associated with malware, botnets, C&C, payloads, or payload delivery.
Medium | URLhaus | URLhaus is an abuse.ch project that shares malicious URLs used for malware distribution.
Medium | VX Vault | A list of URLs. VX Vault downloads malware samples from links found in online sources such as web pages and RSS feeds and attempts to identify them using VirusTotal. Each sample is archived into a password-protected 7-Zip file for sharing and to protect it from anti-virus deletion. The program targets malware researchers, students, and other IT security professionals.
Low | Blocklist.de | Blocklist.de provides two feeds. One lists attacking IP addresses and the services they abuse, based on a honeypot network operated by a "Fraud/Abuse specialist." The other, Blocklist bots, lists suspicious IP addresses used in actual server attacks via SSH, Mail, Login, FTP, Webserver, and other services.
Low | Botvrij.eu | Botvrij.eu provides IOCs (IP addresses, file hashes, domain names, and URLs) gathered from open source blog pages and PDF documents. Older data is removed.
Low | BruteForce Blocker | IP addresses known to launch brute-force attacks against SSH. Operated by Daniel Gerzo, a Slovakian computer expert.
Low | CINS Score | The CINS score represents the quality of IP addresses flagged by the CINS Sentinel network.
Low | Cyber Crime Tracker | Cyber-Crime Tracker monitors malware families, especially Citadel, Zeus, and SpyEye, and provides the IP addresses and URLs they use and the hashes of their different versions.
Low | Dan.me.uk Tor List | A complete list of Tor nodes, maintained by Daniel Austin, a UK-based computer expert.
Low | Infosec | Domains, IP addresses, and URLs derived from analysis of various blocklists.
Low | PhishTank | Phishing URLs suitable for blocking at the firewall. URLs are confirmed by a community-based verification system: users submit suspected phishes and other users vote on whether each one is a phish.
Low | Phishstats | Updated every ninety minutes; provides phishing URLs from the past thirty days.

Enable or disable an alert source feed

You can turn a feed on or off. A feed that is off will not supply new IOCs.

To enable or disable a feed:

  • Select the toggle button to the right of the feed listing.

Using feeds and other IOC sources in other areas of Threat Command

The enabled intelligence feeds, STIX/TAXII feeds, as well as IOCs that you upload can be used in automation policies and IOC groups to pass to integrated devices, as described in Automation.

Allowlisted IOCs

Allowlisted IOCs are not treated as IOCs, that is, they are not sent to integrated devices.

There is a system-defined allowlist that includes, for example, all company assets and popular domains. You can also create a company-specific allowlist, as described in Add (or remove) IOCs to the user allowlist.

Allowlisted and "Do not allowlist" IOCs are displayed in the Allowlist tab.
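To make the allowlist behaviour described above concrete, here is an added Python example (not Rapid7 code) of filtering a batch of IOCs against a system allowlist and a user allowlist before anything is pushed to an integrated device. The page does not describe Intelligence Hub's matching rules or the exact semantics of "Do not allowlist", so the rules below are this example's assumptions: company domains cover their subdomains, company asset ranges are matched as CIDRs, everything else matches exactly, and a "Do not allowlist" entry forces an IOC through even when an allowlist entry would cover it. All lists and IOCs are constructed sample data.

```python
"""Filter IOCs against allowlists before pushing them to integrated devices.

Added example, not Rapid7 code. Matching rules and sample data are assumptions
made for this example; the page does not specify how Intelligence Hub matches.
"""
import ipaddress

# Constructed stand-in for the system-defined allowlist: company assets and popular domains.
SYSTEM_ALLOWLIST = [
    ("domain", "example.com"),     # company domain; assumed to cover its subdomains
    ("domain", "microsoft.com"),   # popular domain
    ("cidr", "203.0.113.0/24"),    # company public range (RFC 5737 documentation space)
]
# Constructed company-specific user allowlist.
USER_ALLOWLIST = [
    ("domain", "partner.example"),
    ("ipv4", "198.51.100.10"),
]
# Assumed semantics of "Do not allowlist": these IOCs are forwarded even if an
# allowlist entry above would otherwise cover them.
DO_NOT_ALLOWLIST = [
    ("domain", "login-reset.example.com"),   # phishing page under the company domain
]


def _norm_domain(value):
    return value.lower().rstrip(".")


def _covers(entry, ioc):
    """True if a single allowlist entry covers a single IOC; both are (type, value)."""
    entry_type, entry_value = entry
    ioc_type, ioc_value = ioc
    if entry_type == "domain" and ioc_type == "domain":
        d, e = _norm_domain(ioc_value), _norm_domain(entry_value)
        return d == e or d.endswith("." + e)
    if ioc_type in ("ipv4", "ipv6"):
        try:
            ip = ipaddress.ip_address(ioc_value)
        except ValueError:
            return False                     # malformed IOC never matches an allowlist entry
        if entry_type == "cidr":
            return ip in ipaddress.ip_network(entry_value, strict=False)
        if entry_type in ("ipv4", "ipv6"):
            return ip == ipaddress.ip_address(entry_value)
        return False
    # URLs, hashes, e-mail addresses: exact match on the same type only
    return entry_type == ioc_type and entry_value == ioc_value


def is_allowlisted(ioc, allowlists=(SYSTEM_ALLOWLIST, USER_ALLOWLIST), exceptions=DO_NOT_ALLOWLIST):
    """Allowlisted IOCs are not treated as IOCs; a do-not-allowlist entry wins over any allowlist."""
    if any(_covers(x, ioc) for x in exceptions):
        return False
    return any(_covers(e, ioc) for lst in allowlists for e in lst)


def partition_for_devices(iocs, **kw):
    """Split a batch into (to_send, suppressed): only to_send reaches integrated devices."""
    to_send, suppressed = [], []
    for ioc in iocs:
        (suppressed if is_allowlisted(ioc, **kw) else to_send).append(ioc)
    return to_send, suppressed


# Constructed batch, e.g. the output of one feed poll.
SAMPLE_IOCS = [
    ("domain", "cdn.example.com"),           # company asset -> suppressed
    ("domain", "login-reset.example.com"),   # do-not-allowlist -> sent despite example.com
    ("domain", "cnc.example"),               # sent
    ("domain", "MICROSOFT.COM."),            # popular domain, odd casing -> suppressed
    ("domain", "example.com.evil.example"),  # resembles a company domain but is not -> sent
    ("ipv4", "203.0.113.42"),                # inside company CIDR -> suppressed
    ("ipv4", "198.51.100.10"),               # user allowlist -> suppressed
    ("ipv4", "198.51.100.7"),                # sent
]

if __name__ == "__main__":
    to_send, suppressed = partition_for_devices(SAMPLE_IOCS)
    print("to devices:", to_send)
    print("suppressed:", suppressed)
```

Two details matter in practice: suffix matching must anchor on the dot boundary (so "example.com.evil.example" is not covered by "example.com"), and a broad allowlist for company or popular domains will also hide phishing pages hosted under them, which is exactly the gap a "Do not allowlist" exception is for.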