TIP Sources

The first step in using the TIP module is to select the intelligence feeds that provide IOCs. There are many intelligence feeds listed on the Sources page.


TIP source feeds

  • Rapid7 feeds - Private feeds provided exclusively to Rapid7 customers, free of charge. Rapid7 feeds include indicators extracted from threat reports generated in the Rapid7 Research module. Because Rapid7 is a member of the Cyber Threat Alliance (CTA) and US-CERT, IOC feeds from those two sources are also available here.
  • Private feeds - Feeds provided by security companies and organizations on a subscription basis. Threat Command can automatically pull threat data from feeds you subscribe to, in addition to the feeds Threat Command itself provides. To use one of these feeds, subscribe directly with the provider and then enter your credentials for that provider into Threat Command.
  • STIX/TAXII feeds - Private or public feeds that Threat Command does not support natively and that deliver data over TAXII in STIX v1.x or v2.x format. These feeds are added per user and are available only to the user who added them. To add a STIX/TAXII feed, see here.
  • MISP server feeds - A private feed from a MISP server. MISP is a community-driven open-source platform for sharing, storing, and correlating IOCs of targeted attacks. To add a MISP feed, see here.
  • Public feeds - Feeds provided by companies and organizations without charge. You can enable or disable each listed intelligence feed. Once a feed is enabled, Rapid7 retrieves intelligence from it and the IOCs become available for sharing.
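Before enabling a STIX/TAXII feed it is useful to see what a collection actually contributes. The following is an added example written for this page, not Rapid7 or Threat Command code: a small parser that pulls atomic IOCs out of a STIX 2.1 bundle, which is the object shape a TAXII 2.x collection returns. It skips revoked indicators, skips non-STIX pattern types (Snort, YARA, Sigma), and turns each comparison in a pattern into a typed IOC together with the indicator it came from and the producer's confidence. The bundle, its identifiers, the addresses and the hashes are constructed; the _PATH_TO_TYPE mapping is an assumption about which STIX object paths are worth treating as blockable IOCs, and STIX 1.x (XML) is not handled.

```python
"""Pull atomic IOCs out of a STIX 2.x bundle (the object shape a TAXII 2.x
collection's objects endpoint returns).

Constructed example for this page; not Rapid7 code. The bundle below is made
up and uses documentation address ranges and well-known example hashes."""
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# One comparison expression inside a STIX pattern:  <object-path> = '<literal>'
#   [ipv4-addr:value = '198.51.100.7']
#   [file:hashes.'SHA-256' = 'e3b0...' OR file:hashes.MD5 = 'd41d...']
_COMPARISON = re.compile(
    r"([a-z0-9_-]+:[A-Za-z0-9_.'\-\[\]*]+)\s*=\s*'((?:[^'\\]|\\.)*)'"
)

# Assumed mapping: STIX object paths that yield a directly blockable indicator,
# labelled with a simple IOC type. Paths not listed (e.g. process:name) are ignored.
_PATH_TO_TYPE = {
    "ipv4-addr:value": "ip",
    "ipv6-addr:value": "ip",
    "domain-name:value": "domain",
    "url:value": "url",
    "email-addr:value": "email",
    "file:hashes.'SHA-256'": "sha256",
    "file:hashes.'SHA-1'": "sha1",
    "file:hashes.MD5": "md5",
}


@dataclass(frozen=True)
class Ioc:
    ioc_type: str
    value: str
    indicator_id: str          # the STIX indicator object this IOC came from
    confidence: Optional[int]  # STIX confidence (0-100) if the producer set one


def _unescape(literal: str) -> str:
    # STIX string literals escape ' and \ with a backslash.
    return literal.replace("\\'", "'").replace("\\\\", "\\")


def extract_iocs(bundle: dict) -> List[Ioc]:
    """Return the IOCs from every live STIX-pattern indicator in the bundle."""
    iocs: List[Ioc] = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue  # malware, relationship, identity, ... carry no pattern
        if obj.get("revoked"):
            continue  # the producer withdrew this indicator
        if obj.get("pattern_type", "stix") != "stix":
            continue  # snort/yara/sigma patterns are rules, not atomic IOCs
        for path, literal in _COMPARISON.findall(obj.get("pattern", "")):
            ioc_type = _PATH_TO_TYPE.get(path)
            if ioc_type is None:
                continue  # e.g. network-traffic:dst_port, not a blockable value
            iocs.append(Ioc(ioc_type, _unescape(literal), obj["id"], obj.get("confidence")))
    return iocs


def extract_iocs_from_json(text: str) -> List[Ioc]:
    """Convenience wrapper for the raw JSON body a TAXII server returns."""
    return extract_iocs(json.loads(text))


# Constructed sample bundle (not real threat data).
_TS = "2024-01-01T00:00:00.000Z"
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000010",
         "created": _TS, "modified": _TS, "valid_from": _TS, "confidence": 85,
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.7']"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000011",
         "created": _TS, "modified": _TS, "valid_from": _TS, "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'"
                    " OR file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000012",
         "created": _TS, "modified": _TS, "valid_from": _TS, "revoked": True,
         "pattern_type": "stix", "pattern": "[url:value = 'http://login.example.net/verify']"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000013",
         "created": _TS, "modified": _TS, "valid_from": _TS, "confidence": 60, "pattern_type": "stix",
         "pattern": "[domain-name:value = 'c2.example.org' AND network-traffic:dst_port = 443]"},
        {"type": "malware", "spec_version": "2.1", "id": "malware--00000000-0000-4000-8000-000000000020",
         "created": _TS, "modified": _TS, "name": "ExampleLoader", "is_family": True},
    ],
}

if __name__ == "__main__":
    for ioc in extract_iocs(SAMPLE_BUNDLE):
        print(f"{ioc.ioc_type:7} {ioc.value}  (from {ioc.indicator_id}, confidence={ioc.confidence})")
```

Running it against the sample prints four IOCs (one IP, two hashes from the OR pattern, one domain) and nothing for the revoked URL or the malware object. A compound pattern with AND (the domain plus a destination port) is deliberately flattened to the blockable part only; if that loses context you care about, keep the whole indicator object alongside the extracted values.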

You can enable or disable any of the feeds available in your account.

The following sections describe the intelligence feeds that are available as TIP sources, grouped by feed type. You can also see a feed's description by clicking its name in Threat Command.

Rapid7 feeds

Feed (confidence) - Description

  • Intelligence Feed (High) - Threat indicators extracted from the cyberthreat alerts created in the Threat Command module. For example, each phishing alert adds a new domain indicator to this feed. Users cannot control the number of indicators added to this feed.
  • Lorelei Brute Force (High) - IP addresses suspected of brute-force attacks. Project Lorelei runs honeypots worldwide, across many protocols, to better understand the tactics, techniques, and procedures used by bots and human attackers.
  • Remediation Blocklist (High) - A subset of the indicators in the Intelligence feed: only those indicators that a user explicitly added to the remediation blocklist via the Remediation option of a cyberthreat alert in the Threat Command module.
  • Threat Library (High) - Indicators extracted from threat reports generated in the Research module.
  • US-CERT (High) - The US Computer Emergency Readiness Team provides the Department of Homeland Security's Automated Indicator Sharing (AIS) feed, which enables the exchange of cyber threat indicators between the Federal Government and the private sector at machine speed.
  • Cyber Threat Alliance (Medium) - The Cyber Threat Alliance (CTA) is a group of cybersecurity practitioners from organizations that have chosen to work together in good faith to share threat information, in order to improve defenses against advanced cyber adversaries across member organizations and their customers.

Private feeds

Feed (confidence) - Description

  • CrowdStrike (High) - CrowdStrike Falcon X combines automated analysis with human intelligence to provide real-time threat alerts. For CrowdStrike configuration, see Add the CrowdStrike Feed. File hash IOCs in this feed are assigned a severity by the feed itself, not by Threat Command enrichment.
  • Mandiant (High) - Mandiant Threat Intelligence gives security practitioners visibility into, and expertise on, the threats that matter to their business right now.
  • A-ISAC (Medium) - The Aviation ISAC feed is a focal point for security information sharing across the aviation sector. It facilitates the sharing of timely and actionable information on threats, vulnerabilities, incidents, potential protective measures, and best practices.
  • Canadian Centre for Cyber Security (Medium) - The Canadian Centre for Cyber Security (CCCS) feed enriches, analyzes, and shares cyber threat information across business sectors and from Canadian and international cyber threat sharing hubs. CCCS provides actionable cyber threat intelligence with a Canadian focus.
  • E-ISAC (Medium) - The Electricity Information Sharing and Analysis Center feed aggregates cyber and physical threat intelligence for the electricity industry.
  • FS-ISAC (Medium) - The Financial Services Information Sharing and Analysis Center is the global financial industry's resource for cyber and physical threat intelligence analysis and sharing.
  • GovCERT.ch (Medium) - The feed of the Computer Emergency Response Team of the Swiss government, which supports the critical IT infrastructure in Switzerland in dealing with cyberthreats by providing services such as technical analyses and information about targeted attacks (but not only those) against national critical IT infrastructure.
  • Guardicore (Medium) - Guardicore provides information on malicious IP addresses and domains drawn from three main sources: the Guardicore Global Sensors Network (GGSN), Guardicore Reputation Services, and the insights of the Guardicore Labs team.
  • H-ISAC (Medium) - The Health Information Sharing and Analysis Center feed aggregates health care cybersecurity and threat intelligence.
  • LS-ISAO (Medium) - The Legal Services Information Sharing and Analysis Organization feed provides IOC and CVE information based on data exchanged with governments and security vendors, on topics ranging from phishing campaigns and ransomware threats to BEC attacks and APT activity.
  • RH-CISC (Medium) - The Retail and Hospitality Information Sharing and Analysis Center (ISAC) component of the RH-CISC is a forum in which retailers share threat information and leading practices with each other to enhance the security of the retail industry.
  • SWIFT-ISAC (Medium) - SWIFT ISAC provides malware details such as file hashes, YARA rules, and IOCs that have been shared with the SWIFT community.
  • ThreatConnect (Medium) - This feed distills millions of data points to provide immediate insight into how widespread and relevant a threat is. The feed also provides IOCs for ONG-ISAC members, serving as a central point of coordination and communication for protecting the exploration and production, transportation, refining, and delivery systems of the oil and gas industry through the analysis and sharing of trusted and timely cyber threat information, including vulnerability and threat activity specific to ICS and SCADA systems.

STIX/TAXII feeds

These feeds are added by the user and are available only in that user's environment.

MISP server feeds

These feeds are added by the user and are available only in that user's environment.

Public feeds

Feed (confidence) - Description

  • AlienVault OTX (High) - The AlienVault Open Threat Exchange (OTX) is the world's most authoritative open threat information sharing and analysis network. OTX provides access to a global community of threat researchers and security professionals who contribute over 19 million threat indicators daily, and lets anyone in the security community discuss, research, validate, and share the latest threat data, trends, and techniques.
  • Bambenek C&C Tracker (High) - A feed of known, active, non-sinkholed C&C IP addresses, from Bambenek Consulting.
  • DShield (High) - A community-based collaborative firewall log correlation system that provides lists of suspicious domains and IP addresses of various severity. The feed is operated by the Internet Storm Center.
  • Pastebin (High) - This feed provides IP addresses, URLs, and domains of Cobalt Strike command & control (C&C) servers.
  • Quake360 (High) - This feed provides IPv4 and IPv6 addresses of Cobalt Strike command & control (C&C) servers. Through continuous scanning, Quake360 maintains a real-time view of assets across global cyberspace in order to discover their security risks.
  • RiskIQ (High) - This feed provides IP addresses of Cobalt Strike command & control (C&C) servers.
  • Tor Project official exit nodes (High) - IP addresses of Tor exit nodes as published by the Tor Project. Because Tor provides anonymity it is frequently used for malicious online activity, so any connection involving these IP addresses is treated as suspicious.
  • Abuse CH SSL Blocklist (Medium) - The SSL Blacklist (SSLBL) feed, a project of abuse.ch, lists IP addresses associated with malicious SSL connections by identifying and blacklisting SSL certificates used by botnet C&C servers. SSLBL also publishes JA3 fingerprints, derived from the TLS handshake, that help detect and block malware botnet C&C communication without decrypting the traffic.
  • Binary Defense Systems Artillery (Medium) - Artillery is an open-source cyber security framework; this feed provides the list of malicious IP addresses it collects.
  • BotScout (Medium) - BotScout provides a list of the top 100 bots, tracking the names, IP addresses, and email addresses that bots use and logging them as unique signatures for future reference.
  • Cisco Talos IP Blacklist (Medium) - The IP Blacklist, updated automatically every fifteen minutes, lists known malicious network threats that are flagged across all Cisco security products.
  • Cyware (Medium) - Cyware provides threat intelligence feeds drawn from a wide range of open and trusted sources, delivering actionable threat intelligence including IOCs, threat actor information, TTPs, campaigns, incidents, malware intrusions, and vulnerabilities.
  • Emerging Threats (Medium) - This feed provides a list of malicious and compromised IP addresses. The feed is operated by ET Labs.
  • Feodo Tracker (Medium) - Feodo Tracker offers IP address and domain blocklists of known command & control (C&C) servers associated with the Feodo crimeware.
  • GreenSnow Blocklist (Medium) - This feed provides a list of IP addresses used in port scans and brute-force attacks against services such as FTP, POP3, IMAP, SMTP, SSH, cPanel, and web servers protected by mod_security. The IP addresses are harvested from many computers located around the world. GreenSnow is comparable to Spamhaus, but for attacks of any kind except spam.
  • Joe Wein (Medium) - This feed provides a list of domains focused on spam and online fraud.
  • Lehigh Malware Domains (Medium) - This feed provides a list of sinkholed domains that are known carriers of malicious infrastructure.
  • OpenPhish (Medium) - OpenPhish provides a list of phishing URLs based on real-time insight into live phishing pages as observed by OpenPhish.
  • Snort IP Blocklist (Medium) - This feed provides a list of IP addresses from Snort Labs, the group behind the open-source Snort intrusion prevention and intrusion detection system (IPS/IDS).
  • ThreatFox (Medium) - This feed, a project of abuse.ch, provides domains, IP addresses, email addresses, and file hashes associated with malware, botnets, C&C servers, payloads, or payload delivery.
  • URLhaus (Medium) - URLhaus is an abuse.ch project that shares malicious URLs being used for malware distribution.
  • VX Vault (Medium) - This feed provides a list of URLs. VX Vault downloads malware samples from links found in online sources such as web pages and RSS feeds and attempts to identify each sample using VirusTotal. Each sample is archived in a password-protected 7-Zip file for sharing and to protect it from anti-virus deletion. The program targets malware researchers, students, and other IT security professionals.
  • Blocklist.de (Low) - Blocklist.de provides two feeds. The first lists attacking IP addresses and the services they abuse, based on a honeypot network operated by a "Fraud/Abuse specialist". The second, Blocklist bots, lists suspicious IP addresses used in actual server attacks via SSH, mail, login, FTP, web server, and other services.
  • Botvrij.eu (Low) - Botvrij.eu provides a list of IOCs containing IP addresses, file hashes, domain names, and URLs. The data is gathered from open-source blog pages and PDF documents, and older data is removed.
  • BruteForce Blocker (Low) - This feed provides a list of IP addresses known to launch brute-force attacks against SSH. The feed is operated by Daniel Gerzo, a Slovakian computer expert.
  • CINS Score (Low) - The CINS score rates the IP addresses flagged by the CINS Sentinel network.
  • Cyber Crime Tracker (Low) - Cyber-Crime Tracker monitors different kinds of malware, especially Citadel, Zeus, and SpyEye. It provides IP addresses and URLs used by the malware, and hashes of different versions of these malware families.
  • Dan.me.uk Tor List (Low) - This feed provides a complete list of Tor nodes. The feed is maintained by Daniel Austin, a UK-based computer expert.
  • Infosec (Low) - This feed provides domains, IP addresses, and URLs derived from analysis of various blocklists.
  • PhishTank (Low) - PhishTank provides URLs of phishing websites to block at the firewall. The URLs come from a community-based verification system in which users submit suspected phishes and other users vote on whether each one is a phish.
  • Phishstats (Low) - This feed, updated every ninety minutes, provides phishing URLs from the past thirty days.

Enable or disable an intelligence feed

You can turn a feed on or off. A feed that is off does not supply new IOCs.

To enable or disable a feed:

  • Select the toggle button to the right of the feed listing.

Using feeds and other IOC sources in other areas of Threat Command

The enabled intelligence feeds, STIX/TAXII feeds, as well as IOCs that you upload can be used in automation policies and IOC groups to pass to integrated devices, as described in Automation.

The following figure demonstrates how uploaded documents and emails are presented when creating an automation policy:
temporary placeholder

The following figure shows how an emailed IOC is shown in the Investigation page as the reporting feed:
temporary placeholder

Whitelisted IOCs

Whitelisted IOCs are not treated as IOCs; that is, they are not sent to integrated devices.

There is a system-defined whitelist that covers, for example, all company assets and popular domains. Users can also create a company-specific whitelist, as described in Add (or remove) IOCs to the user whitelist.
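To make concrete what the whitelist does before IOCs reach an integrated device, here is an added example written for this page, not Threat Command's own logic. It merges sightings from several feeds into one set per IOC, records every reporting feed (the "reporting feed" shown on the Investigation page), takes the best confidence across feeds, drops anything the whitelist covers, and honours "Do not whitelist" entries, which are pushed even when an asset or popular domain would otherwise cover them. A domain entry covers its subdomains and the host part of URLs, and an asset entry can be a CIDR range. The feed names are taken from the tables above; the IOC values, the whitelist contents, the "do not whitelist" entry and the confidence floor are constructed for the example.

```python
"""Apply a whitelist and merge reporting feeds before pushing IOCs to a device.

Added example for this page, not Threat Command's own logic. Feed names come
from the tables above; the IOC values, the whitelist contents and the
"do not whitelist" entry are constructed."""
import ipaddress
from typing import Dict, Iterable, Tuple
from urllib.parse import urlsplit

CONFIDENCE_RANK = {"Low": 1, "Medium": 2, "High": 3}
Key = Tuple[str, str]                    # (ioc_type, normalised value)
Observation = Tuple[str, str, str, str]  # (feed, confidence, ioc_type, value)


class Whitelist:
    """Company assets (networks and domains) plus popular domains.
    A whitelisted domain covers its subdomains; a (type, value) pair listed in
    do_not_whitelist is always treated as an IOC even if the whitelist would cover it."""

    def __init__(self, networks: Iterable[str], domains: Iterable[str],
                 do_not_whitelist: Iterable[Key] = ()):
        self._networks = [ipaddress.ip_network(n, strict=False) for n in networks]
        self._domains = {d.lower().rstrip(".") for d in domains}
        self._do_not_whitelist = set(do_not_whitelist)

    def _domain_covered(self, name: str) -> bool:
        labels = name.lower().rstrip(".").split(".")
        # The name itself, then each parent, but never the bare TLD:
        # mail.corp.example.com -> corp.example.com -> example.com
        return any(".".join(labels[i:]) in self._domains for i in range(len(labels) - 1))

    def _ip_covered(self, value: str) -> bool:
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return False  # not an IP literal (e.g. a hostname)
        return any(addr in net for net in self._networks)

    def covers(self, ioc_type: str, value: str) -> bool:
        if (ioc_type, value) in self._do_not_whitelist:
            return False
        if ioc_type == "ip":
            return self._ip_covered(value)
        if ioc_type == "domain":
            return self._domain_covered(value)
        if ioc_type == "url":
            host = urlsplit(value).hostname or ""
            return self._ip_covered(host) or self._domain_covered(host)
        return False  # hashes and e-mail addresses have no asset/popular-domain notion here


def build_device_set(observations: Iterable[Observation], whitelist: Whitelist,
                     min_confidence: str = "Medium") -> Tuple[Dict[Key, dict], Dict[Key, str]]:
    """Return (kept, dropped). kept maps each IOC to its best confidence and every
    feed that reported it; dropped maps each rejected IOC to the reason."""
    kept: Dict[Key, dict] = {}
    dropped: Dict[Key, str] = {}
    for feed, confidence, ioc_type, value in observations:
        value = value.strip()
        key: Key = (ioc_type, value if ioc_type == "url" else value.lower())
        if whitelist.covers(*key):
            dropped[key] = "whitelisted"
            continue
        entry = kept.setdefault(key, {"confidence": confidence, "reporting_feeds": []})
        entry["reporting_feeds"].append(feed)
        if CONFIDENCE_RANK[confidence] > CONFIDENCE_RANK[entry["confidence"]]:
            entry["confidence"] = confidence
    # Apply the floor only after merging, so a Low-confidence sighting that a
    # High-confidence feed also reports is kept rather than thrown away.
    for key in list(kept):
        if CONFIDENCE_RANK[kept[key]["confidence"]] < CONFIDENCE_RANK[min_confidence]:
            dropped[key] = "below confidence floor"
            del kept[key]
    return kept, dropped


# Constructed whitelist: one asset range, one asset domain, one "popular" domain,
# and one URL the analyst marked "Do not whitelist".
SAMPLE_WHITELIST = Whitelist(
    networks=["10.20.0.0/16"],
    domains=["corp.example.com", "example.net"],
    do_not_whitelist=[("url", "https://docs.example.net/update.bin")],
)

# Constructed sightings: (feed, confidence, ioc_type, value).
SAMPLE_OBSERVATIONS = [
    ("Feodo Tracker", "Medium", "ip", "198.51.100.23"),
    ("Cisco Talos IP Blacklist", "Medium", "ip", "198.51.100.23"),
    ("Lorelei Brute Force", "High", "ip", "203.0.113.9"),
    ("Blocklist.de", "Low", "ip", "203.0.113.9"),
    ("Blocklist.de", "Low", "ip", "192.0.2.77"),
    ("Intelligence Feed", "High", "domain", "mail.corp.example.com"),
    ("Intelligence Feed", "High", "ip", "10.20.30.40"),
    ("OpenPhish", "Medium", "url", "https://storage.example.net/share/invoice.html"),
    ("URLhaus", "Medium", "url", "https://docs.example.net/update.bin"),
]

if __name__ == "__main__":
    kept, dropped = build_device_set(SAMPLE_OBSERVATIONS, SAMPLE_WHITELIST)
    for (ioc_type, value), info in kept.items():
        print(f"PUSH {ioc_type:6} {value:46} {info['confidence']:6} via {', '.join(info['reporting_feeds'])}")
    for (ioc_type, value), reason in dropped.items():
        print(f"SKIP {ioc_type:6} {value:46} {reason}")
```

Three IOCs survive: the IP reported by both Feodo Tracker and Talos, the IP that Lorelei rates High (Blocklist.de's Low sighting is merged in rather than discarded), and the "Do not whitelist" URL. The phishing URL on the popular domain, the internal mail host, the asset-range IP and the lone Low-confidence IP are all skipped with a reason. The URL case is the caveat to keep in mind: a whitelist expressed as popular domains also silences malicious URLs hosted on those domains, which is exactly the situation the "Do not whitelist" list exists for.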

Whitelisted and "Do not whitelist" IOCs are displayed in the Whitelist tab:

temporary placeholder