Feeds

Security analysts often need to create custom threat intelligence to capture their findings about threat investigations. These findings can be recorded as lists of malicious, suspicious, or clean observables (block lists, watch lists, and allowed lists). These lists can then be saved and updated as data feeds.

Security products can be configured to consume these feeds and apply a policy to each type of feed. For example, a firewall could consume a list of known bad IP addresses and block connection attempts to those IPs. Feeds allow analysts to gather, curate, and ultimately publish lists of observables that are interesting or meaningful, and related in some way.

The Cisco XDR Intelligence feature allows you to create these custom feeds for continuous gathering of observables, and to share them with other technologies or users via the feed URL. A feed can be a simple list of observables, one per line, or a list of detailed judgments (including the observable) in JSON format. These feeds are created and managed on the Feeds page.

You access this page by choosing Intelligence > Feeds in the navigation menu.


The Feeds list includes the custom feeds that have been created, including the name, what it contains, the date and time it was created, who created it, and the date and time it expires.
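
A product that consumes the plain-text feed format described above (one observable per line) should validate each entry before turning it into a block rule. The following is an added example, not Cisco code: it assumes a feed of IP observables, and `NEVER_BLOCK`, `MIN_PREFIX`, `parse_ip_feed` and the sample feed body are hypothetical names and constructed data.

```python
import ipaddress

# Assumption: ranges this consumer must never block (internal and loopback space).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "fc00::/7", "::1/128")]
# Assumption: refuse prefixes broader than these, so one bad line cannot block huge ranges.
MIN_PREFIX = {4: 16, 6: 32}

# Constructed sample feed body using documentation address ranges, not real indicators.
SAMPLE_FEED = """\
203.0.113.10
198.51.100.0/24
 203.0.113.10
10.0.0.5
not-an-ip
2001:db8::1

0.0.0.0/0
"""

def parse_ip_feed(text):
    """Return (accepted networks, rejected [(line_no, entry, reason)])."""
    accepted, rejected, seen = [], [], set()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue  # blank lines carry no observable
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((line_no, entry, "not an IP address or CIDR"))
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            rejected.append((line_no, entry, "prefix too broad"))
        elif any(net.version == p.version and net.overlaps(p) for p in NEVER_BLOCK):
            rejected.append((line_no, entry, "overlaps protected range"))
        elif net not in seen:  # duplicates are dropped silently
            seen.add(net)
            accepted.append(net)
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = parse_ip_feed(SAMPLE_FEED)
    print("block:", [str(n) for n in ok])
    for line_no, entry, reason in bad:
        print(f"line {line_no}: rejected {entry!r} ({reason})")
```

Rejected entries are worth logging with the feed URL and retrieval time, since a sudden rise in rejects usually means the feed content changed type or was edited by mistake.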