Threat Intelligence Feeds


Threat Intelligence Fundamentals

Threat intelligence transforms raw data into actionable security insights. Feeds provide indicators of compromise (IOCs), tactics, techniques and procedures (TTPs), and adversary profiles. An IOC is only useful once it is mapped to something you can observe (an address, a domain, a hash), scored for reliability and expired when it goes stale; the rest of this page covers each of those steps.

STIX and TAXII Standards

STIX (Structured Threat Information Expression) and TAXII (Trusted Automated Exchange of Indicator Information) are the OASIS standards for threat intelligence exchange: STIX defines the objects (indicators, malware, relationships and so on) and TAXII defines the HTTPS API for publishing and pulling them from collections.




```python
from stix2 import Bundle, Filter, Indicator, TAXIICollectionSource
from taxii2client.v21 import Collection

# Create a STIX 2.1 indicator. pattern_type and valid_from are required;
# the pattern is a STIX patterning expression, not a bare value.
indicator = Indicator(
    name="Malicious IP",
    indicator_types=["malicious-activity"],
    pattern="[ipv4-addr:value = '203.0.113.5']",
    pattern_type="stix",
    valid_from="2026-01-01T00:00:00Z",
)

# Bundle indicators for exchange
bundle = Bundle(indicator)
print(bundle.serialize(pretty=True))

# Consume from a TAXII 2.1 collection. Most servers require credentials:
# pass user=... and password=... (or auth=...) to Collection.
collection = Collection("https://taxii.example.com/collections/123")
source = TAXIICollectionSource(collection)

# A collection holds more than indicators, so filter on type before reading
# pattern; name is optional on Indicator, hence .get()
for ioc in source.query([Filter("type", "=", "indicator")]):
    print(ioc.get("name"), ioc["pattern"])
```





Feed Integration with SIEM

Ingest feeds into your SIEM for correlation:




```python
from datetime import datetime, timezone

import requests
from elasticsearch import Elasticsearch


class ThreatIntelIngestor:
    def __init__(self, es_host="http://localhost:9200"):
        # elasticsearch-py 8.x needs a full URL including the scheme
        self.es = Elasticsearch([es_host])

    def fetch_and_index(self, feed_url, feed_name):
        resp = requests.get(
            feed_url, headers={"Accept": "application/stix+json"}, timeout=30
        )
        resp.raise_for_status()
        # A STIX bundle carries many object types; only indicators are indexed here
        indicators = [
            obj for obj in resp.json().get("objects", [])
            if obj.get("type") == "indicator"
        ]
        now = datetime.now(timezone.utc).isoformat()

        for ioc in indicators:
            doc = {
                "feed": feed_name,
                "stix_id": ioc["id"],
                "pattern": ioc.get("pattern"),
                "pattern_type": ioc.get("pattern_type"),
                # STIX confidence (0-100) is the producer's belief in the
                # indicator, not a severity; keep the name honest
                "confidence": ioc.get("confidence", 50),
                "valid_from": ioc.get("valid_from"),
                "valid_until": ioc.get("valid_until"),
                "ingested_at": now,
            }
            # Key the document on the STIX id so re-fetching a feed updates
            # existing entries instead of duplicating them
            # (document= is the 8.x client keyword; 7.x used body=)
            self.es.index(index="threat-intel", id=ioc["id"], document=doc)

        print(f"Ingested {len(indicators)} indicators from {feed_name}")
```
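The ingestor stores the raw STIX pattern string, but correlation needs the atomic values inside it, and a pattern can carry several comparisons joined by OR, quoted property names such as hashes.'SHA-256', and escaped literals. The following is an added example, not code from the page or from any vendor, that pulls equality comparisons out of STIX patterns (the format shown in the STIX section above) and checks them against constructed key=value log lines. FIELD_MAP, the log field names, and every sample pattern and log line are assumptions made for the demo. It goes beyond the single-IP pattern in the text by handling OR-joined comparisons, hash properties and escaped quotes, and it deliberately skips LIKE and MATCHES comparisons, which need a real STIX pattern engine rather than an exact-match lookup.

```python
import re
from collections import defaultdict

# One comparison inside a STIX pattern: <object-type>:<property> <op> '<literal>'.
# The property may contain quoted segments, e.g. hashes.'SHA-256'.
_COMPARISON = re.compile(
    r"([a-z0-9-]+):((?:[A-Za-z0-9_.\[\]*]+|'[^']*')+)\s*(=|!=|LIKE|MATCHES)\s*"
    r"'((?:[^'\\]|\\.)*)'"
)

# Which log fields to compare against each observable. Assumption: these are
# the field names of the constructed log format below, not any standard schema.
FIELD_MAP = {
    "ipv4-addr:value": ("src_ip", "dst_ip"),
    "domain-name:value": ("dns_query", "http_host"),
    "url:value": ("url",),
    "file:hashes.SHA-256": ("sha256",),
}


def _normalize(key, value):
    """Case-fold observables whose comparison is case-insensitive."""
    if key == "domain-name:value" or key.startswith("file:hashes."):
        return value.lower()
    return value


def extract_iocs(pattern):
    """Return {observable_key: {values}} for every '=' comparison in a pattern.

    LIKE, MATCHES and != comparisons carry no single value an exact-match
    lookup can use, so they are skipped rather than mis-matched.
    """
    iocs = defaultdict(set)
    for obj_type, prop, op, literal in _COMPARISON.findall(pattern):
        if op != "=":
            continue
        key = obj_type + ":" + prop.replace("'", "")
        value = re.sub(r"\\(.)", r"\1", literal)  # undo STIX string escapes
        iocs[key].add(_normalize(key, value))
    return dict(iocs)


def build_lookup(patterns):
    """Merge the atomic IOCs of many patterns into one lookup table."""
    lookup = defaultdict(set)
    for pattern in patterns:
        for key, values in extract_iocs(pattern).items():
            lookup[key] |= values
    return dict(lookup)


def match_log_line(line, lookup):
    """Return [(observable_key, value)] for every IOC present in a key=value log line."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    hits = []
    for key, log_fields in FIELD_MAP.items():
        known = lookup.get(key)
        if not known:
            continue
        for name in log_fields:
            value = fields.get(name)
            if value is not None and _normalize(key, value) in known:
                hits.append((key, _normalize(key, value)))
    return hits


def scan(log_lines, patterns):
    """Return [(line_number, observable_key, value)] across a batch of log lines."""
    lookup = build_lookup(patterns)
    return [
        (i, key, value)
        for i, line in enumerate(log_lines)
        for key, value in match_log_line(line, lookup)
    ]


# Constructed sample patterns and log lines (not taken from any real feed or host)
SAMPLE_PATTERNS = [
    "[ipv4-addr:value = '203.0.113.5']",
    "[domain-name:value = 'Update-Check.example' OR url:value = 'http://update-check.example/a.php']",
    "[file:hashes.'SHA-256' = 'E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855']",
    "[domain-name:value LIKE '%.cdn.example']",  # wildcard comparison: skipped by design
]
SAMPLE_LOGS = [
    "2026-03-01T10:00:00Z src_ip=10.0.0.5 dst_ip=203.0.113.5 proto=tcp",
    "2026-03-01T10:00:01Z src_ip=10.0.0.7 dns_query=update-check.example",
    "2026-03-01T10:00:02Z src_ip=10.0.0.9 dst_ip=198.51.100.20 sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2026-03-01T10:00:03Z src_ip=10.0.0.11 dst_ip=192.0.2.1 dns_query=good.example",
]

if __name__ == "__main__":
    for line_no, key, value in scan(SAMPLE_LOGS, SAMPLE_PATTERNS):
        print(f"line {line_no}: {key} = {value}")
```

In production the lookup table would be built from the `pattern` field of the `threat-intel` index and the matching pushed into the SIEM's own correlation rules, but the extraction step is the same: a feed that only gives you pattern strings has not given you anything you can match until you take it apart.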





IOC Scoring

Not all indicators are equally reliable. Implement scoring:




```python
from datetime import datetime, timezone


def score_indicator(ioc, context):
    """Score an enriched indicator record from 0 to 100.

    ioc is a dict such as the SIEM document above, with 'sources' and
    'target_industries' added by enrichment; context describes the
    organisation doing the scoring (for example {"industry": "finance"}).
    """
    score = 50  # Base score

    # Age decay: newer indicators are more valuable
    valid_from = ioc["valid_from"]
    if isinstance(valid_from, str):
        valid_from = datetime.fromisoformat(valid_from.replace("Z", "+00:00"))
    if valid_from.tzinfo is None:
        valid_from = valid_from.replace(tzinfo=timezone.utc)
    # clamp so an indicator dated in the future cannot gain points
    age_days = max((datetime.now(timezone.utc) - valid_from).days, 0)
    score -= min(age_days * 2, 30)

    # Corroboration: the same IOC reported by several feeds increases confidence
    feed_count = len(ioc.get("sources", []))
    score += feed_count * 10

    # Context matching increases relevance
    if context.get("industry") in ioc.get("target_industries", []):
        score += 20

    return min(max(score, 0), 100)
```





Feed Quality Metrics

Evaluate feeds on these criteria:

| Metric | Description | Target |
|--------|-------------|--------|
| False positive rate | Share of alerts raised by the feed's indicators that turn out to be benign | < 5% |
| Time to detection | Lag between an indicator being observed in the wild and its publication in the feed | < 1 hour |
| Coverage | Share of the TTPs relevant to your environment that the feed reports on | > 80% |
| Freshness | Update frequency, and whether expired indicators are withdrawn | Continuous |

Measure false positive rate from your own incident outcomes, not from the vendor's claims: tag every alert that originated from a feed indicator with the feed name, and count how many closed as benign.

Automated Blocking

High-confidence indicators can trigger automated blocking. Pair every automatic deny with an allowlist of your own address space and of shared infrastructure (CDN and cloud ranges turn up in feeds regularly), refuse broad prefixes, and expire the rule when the indicator's valid_until passes, otherwise a stale feed entry will eventually block legitimate traffic:




```yaml
# threat-intel-automation.yaml
automation_rules:
  - name: block_malicious_ips
    trigger: new_indicator
    conditions:
      - indicator_type: ipv4-addr
      - score: ">= 80"
    actions:
      - update_firewall:
          action: deny
          source: indicator.value
      - alert:
          severity: high
          channel: security-operations
```
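A rule like the one above is only as safe as the checks that sit between "conditions matched" and "firewall updated". The following is an added example, not code from the page or from any product, that evaluates the same rule (inlined as a dict so it needs no YAML parser) against indicators and plans the actions without executing them. NEVER_BLOCK, MIN_PREFIXLEN, the `indicator.<field>` reference syntax and the sample indicators are assumptions for the demo; the point it shows is that a refused block is reported to the SOC as a skip with a reason rather than silently dropped.

```python
import ipaddress
import operator
import re

# Dict form of the YAML rule above (assumption: a real pipeline would load the
# file with yaml.safe_load; it is inlined here to avoid a PyYAML dependency).
RULE = {
    "name": "block_malicious_ips",
    "trigger": "new_indicator",
    "conditions": [{"indicator_type": "ipv4-addr"}, {"score": ">= 80"}],
    "actions": [
        {"update_firewall": {"action": "deny", "source": "indicator.value"}},
        {"alert": {"severity": "high", "channel": "security-operations"}},
    ],
}

# Ranges automation must never push to a firewall. Assumption: a deployment
# lists its own address space, RFC 1918 space, loopback and any shared
# infrastructure (CDN, cloud egress) that feeds have mis-reported before.
NEVER_BLOCK = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
              "198.51.100.0/24")  # last entry: constructed "partner CDN" range
]
# Refuse to auto-block anything broader than a /24, whatever the score.
MIN_PREFIXLEN = 24

_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt,
        "<": operator.lt, "==": operator.eq, "=": operator.eq}


def score_condition_met(expr, score):
    """Evaluate a condition string such as '>= 80' against a numeric score."""
    m = re.fullmatch(r"\s*(>=|<=|==|=|>|<)\s*(\d+)\s*", expr)
    if not m:
        raise ValueError(f"unsupported score condition: {expr!r}")
    return _OPS[m.group(1)](score, int(m.group(2)))


def conditions_met(rule, indicator):
    """Every condition in the rule must hold for the indicator."""
    for cond in rule["conditions"]:
        if "indicator_type" in cond and indicator.get("type") != cond["indicator_type"]:
            return False
        if "score" in cond and not score_condition_met(cond["score"], indicator.get("score", 0)):
            return False
    return True


def vet_block_target(value):
    """Return (network, None) if value may be auto-blocked, else (None, reason)."""
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None, f"not an IP address or CIDR: {value!r}"
    if net.prefixlen < MIN_PREFIXLEN:
        return None, f"{net} is broader than /{MIN_PREFIXLEN}; needs human review"
    for safe in NEVER_BLOCK:
        if net.overlaps(safe):
            return None, f"{net} overlaps never-block range {safe}"
    return net, None


def _resolve(ref, indicator):
    """Resolve an 'indicator.<field>' reference used in the rule's actions (assumed syntax)."""
    prefix, _, field = ref.partition(".")
    if prefix != "indicator" or not field:
        raise ValueError(f"unsupported reference: {ref!r}")
    return indicator[field]


def plan_actions(rule, indicator):
    """Return the actions the rule would take for one indicator; nothing is executed.

    A refused firewall change becomes a 'skip' action carrying the reason, so the
    alert that follows still reaches the SOC with the context attached.
    """
    if not conditions_met(rule, indicator):
        return []
    planned = []
    for action in rule["actions"]:
        if "update_firewall" in action:
            spec = action["update_firewall"]
            net, reason = vet_block_target(_resolve(spec["source"], indicator))
            if net is None:
                planned.append({"action": "skip", "target": indicator["value"], "reason": reason})
            else:
                planned.append({"action": spec["action"], "target": str(net)})
        elif "alert" in action:
            planned.append({"action": "alert", **action["alert"]})
    return planned


if __name__ == "__main__":
    # Constructed indicators: a clean hit, a low score, an RFC 1918 address, a /22
    for ioc in [
        {"type": "ipv4-addr", "value": "203.0.113.5", "score": 92},
        {"type": "ipv4-addr", "value": "203.0.113.9", "score": 55},
        {"type": "ipv4-addr", "value": "10.20.30.40", "score": 99},
        {"type": "ipv4-addr", "value": "203.0.112.0/22", "score": 99},
    ]:
        print(ioc["value"], "->", plan_actions(RULE, ioc))
```

The executor that consumes the planned actions should also record the indicator's valid_until against each firewall entry it creates, so that expiry can be automated in the same way as creation.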





Conclusion

Threat intelligence feeds provide critical context for security operations. Standardize on STIX/TAXII, integrate with your SIEM, score indicators for relevance, and automate high-confidence blocking. Quality over quantity: five well-curated feeds beat fifty noisy ones.