Security intelligence feeds are structured data streams of threat indicators, adversary profiles, and malicious infrastructure that organizations ingest into their SIEM, SOAR, and threat intelligence platforms. They form the foundational layer of threat detection, converting external threat data into detection and prevention capability. Feeds range from free community resources (SANS ISC DShield Top 20, CINS Army List) to commercial platforms that aggregate hundreds of sources (Anomali ThreatStream, Recorded Future, Mandiant Advantage on Google Cloud). The standards that made feeds practical to operate at scale are STIX and TAXII: Structured Threat Information Expression (STIX) defines the machine-readable format for threat intelligence objects (indicators, campaigns, threat actors, vulnerabilities, and the relationships between them), while Trusted Automated Exchange of Intelligence Information (TAXII) defines the HTTPS API used to publish and consume STIX data. Because both are open OASIS standards, the major SIEM platforms (Microsoft Sentinel, Splunk Enterprise Security, IBM QRadar) support STIX/TAXII natively, and threat intelligence platforms (MISP, Anomali ThreatStream, OpenCTI) use STIX/TAXII for both ingestion and sharing. Microsoft expanded Sentinel’s STIX support in April 2025 with the public preview of two new tables, ThreatIntelIndicators and ThreatIntelObjects, which hold the full STIX indicator and object schemas and supersede the older ThreatIntelligenceIndicator table. The practical challenge for security teams is not finding intelligence feeds but operationalizing them effectively: avoiding duplicate and low-confidence IOC ingestion that inflates alert volume without improving detection quality.
- STIX/TAXII: open standards for machine-readable threat intelligence; all major SIEMs (Sentinel, Splunk, QRadar) support STIX/TAXII natively
- Microsoft Sentinel April 2025: new ThreatIntelIndicators + ThreatIntelObjects tables support full STIX schema
- Commercial TIP leaders: Recorded Future (AI/MITRE mapping), Mandiant/Google Cloud (200K+ incident response hours annually), Anomali ThreatStream (200+ sources), CrowdStrike Falcon Intelligence
- Free feeds: SANS ISC DShield Top 20, CINS Army List, CIS MS-ISAC (US SLTT entities), MISP (open-source TIP with sharing communities)
- Key operational challenge: filtering low-confidence IOCs before ingestion to avoid false positive inflation in SIEM detection pipeline
Security Intelligence Feeds: Free, Commercial, and STIX/TAXII Sources

Free and Open-Source Security Intelligence Feeds
The free security intelligence feed ecosystem provides a baseline layer of threat data that organizations can integrate into SIEM and SOAR platforms at no cost, covering the most widely reported malicious IPs, domains, and other indicators. The SANS Internet Storm Center’s DShield Top 20 is one of the original threat intelligence feeds: it lists the 20 most active attacking /24 subnets observed by the DShield distributed sensor network. The CINS (Collective Intelligence Network Security) Army List has been active for over a decade, processes millions of scans, probes, and exploit attempts monthly, and is published in STIX/TAXII format alongside CSV and IPS rule formats, so SIEM platforms can ingest it without transformation. The Center for Internet Security (CIS) MS-ISAC provides real-time indicator feeds to U.S. State, Local, Tribal, and Territorial (SLTT) entities and election offices in industry-standard formats that integrate with major security platforms. For open-source threat intelligence management, MISP (Malware Information Sharing Platform) is the dominant platform: it aggregates, shares, and distributes threat intelligence within organizations and across ISAC communities, supports bidirectional synchronization with Sentinel and Splunk through dedicated connectors, and maintains active sharing communities across sectors. Integrating these free feeds follows the same pattern in both Splunk Enterprise Security and Microsoft Sentinel: the SIEM pulls TAXII collections of STIX indicators, normalizes them into its own threat intelligence schema, and correlates them against internal log telemetry to flag matches on known malicious indicators. Feeds that are published only as plain text lists need a TIP such as MISP, or a small ingestion script, to convert them into STIX before a TAXII connector can consume them.
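The pull, normalize and correlate pattern above, as an added example in Python (not code from the page, nor from SANS, CINS, MISP, Splunk or Microsoft): it takes a STIX 2.1 bundle of the shape a TAXII objects endpoint returns, flattens the indicator patterns into per-observable lookup tables, and runs them over a few log lines. The bundle, the indicator values, the threat-actor object and the log lines are constructed for the example. It also shows the caveat a flattening step must respect: a compound pattern such as an IP AND a destination port is not an IP indicator, so it is skipped rather than turned into a bare IP match.

```python
"""Added example, not code from the page, SANS, CINS, MISP or any SIEM vendor.
Parses a STIX 2.1 bundle the way a TAXII objects endpoint would return it,
flattens indicator patterns into lookup tables, and correlates them against
log telemetry. Bundle, indicator values and log lines are constructed; only
the equality / OR-of-equalities pattern subset most feed IOCs use is handled."""
import json
import re
from typing import Dict, List, Tuple

# One comparison expression: <object-type>:<object-path> = '<value>'
COMPARISON = re.compile(r"([a-z0-9-]+):([A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'")
# Operators that cannot be flattened into standalone values: splitting
# "[ip AND dst_port = 4444]" into terms would fire on the IP alone.
COMPLEX_OPS = re.compile(
    r"\b(AND|NOT|IN|FOLLOWEDBY|MATCHES|LIKE|ISSUBSET|ISSUPERSET|WITHIN|REPEATS|START)\b|[!<>]")
# (STIX cyber-observable type, object path) -> observable kind used for matching
KINDS = {("ipv4-addr", "value"): "ipv4", ("domain-name", "value"): "domain",
         ("file", "hashes.'SHA-256'"): "sha256"}


def _strip_values(pattern: str) -> str:
    """Blank quoted literals so operator detection cannot trip on a value."""
    return re.sub(r"'[^']*'", "''", pattern)


def extract_iocs(bundle_json: str) -> Tuple[Dict[str, Dict[str, dict]], List[str]]:
    """Return ({kind: {value: indicator object}}, ids of indicators not flattened)."""
    lookups: Dict[str, Dict[str, dict]] = {}
    skipped: List[str] = []
    for obj in json.loads(bundle_json).get("objects", []):
        # Context objects (threat-actor, malware, ...) belong in a TIP, not the
        # matcher; revoked indicators are withdrawn and must not match.
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        pattern = obj.get("pattern", "")
        if obj.get("pattern_type", "stix") != "stix" or COMPLEX_OPS.search(_strip_values(pattern)):
            skipped.append(obj["id"])
            continue
        terms = 0
        for otype, path, value in COMPARISON.findall(pattern):
            kind = KINDS.get((otype, path))
            if kind is None:
                continue  # dropping an OR-disjunct we cannot match is still sound
            lookups.setdefault(kind, {})[value.lower()] = obj
            terms += 1
        if terms == 0:
            skipped.append(obj["id"])
    return lookups, skipped


# Tokenisers for the observable kinds above, applied to raw log lines.
TOKENISERS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}


def match_logs(lookups: Dict[str, Dict[str, dict]], log_lines: List[str]) -> List[dict]:
    """Report every (line, observable) that equals a flattened indicator value."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        for kind, regex in TOKENISERS.items():
            for token in regex.findall(line):
                ind = lookups.get(kind, {}).get(token.lower())
                if ind is not None:
                    hits.append({"line": lineno, "kind": kind, "value": token.lower(),
                                 "indicator": ind["id"], "confidence": ind.get("confidence")})
    return hits


def _indicator(uid: str, pattern: str, confidence: int) -> dict:
    """Minimal valid STIX 2.1 indicator (constructed sample data)."""
    return {"type": "indicator", "spec_version": "2.1", "id": f"indicator--{uid}",
            "created": "2025-04-02T00:00:00.000Z", "modified": "2025-04-02T00:00:00.000Z",
            "pattern_type": "stix", "pattern": pattern,
            "valid_from": "2025-04-02T00:00:00Z", "confidence": confidence}


SHA = "0" * 61 + "abc"  # placeholder hash, not a real sample
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111", "objects": [
    _indicator("aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
               "[ipv4-addr:value = '203.0.113.7' OR ipv4-addr:value = '203.0.113.9']", 80),
    _indicator("bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb", "[domain-name:value = 'updates.example.invalid']", 60),
    _indicator("cccccccc-cccc-4ccc-8ccc-cccccccccccc", f"[file:hashes.'SHA-256' = '{SHA}']", 90),
    # Compound pattern: the IP alone is not the indicator, so it is skipped, not flattened.
    _indicator("eeeeeeee-eeee-4eee-8eee-eeeeeeeeeeee",
               "[ipv4-addr:value = '203.0.113.50' AND network-traffic:dst_port = 4444]", 70),
    {"type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--dddddddd-dddd-4ddd-8ddd-dddddddddddd",
     "created": "2025-04-02T00:00:00.000Z", "modified": "2025-04-02T00:00:00.000Z", "name": "Constructed actor"},
]})

SAMPLE_LOGS = [  # constructed firewall / DNS / EDR lines
    "2025-04-03T10:00:01Z fw01 action=allow src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2025-04-03T10:00:02Z dns01 client=10.0.0.12 query=updates.example.invalid rcode=NOERROR",
    "2025-04-03T10:00:03Z fw01 action=allow src=10.0.0.6 dst=198.51.100.4 dport=80",
    "2025-04-03T10:00:04Z edr01 host=ws-17 event=process_start image=x.exe sha256=" + SHA,
    "2025-04-03T10:00:05Z fw01 action=allow src=10.0.0.7 dst=203.0.113.50 dport=443",
]


def correlate() -> Tuple[List[dict], List[str]]:
    lookups, skipped = extract_iocs(SAMPLE_BUNDLE)
    return match_logs(lookups, SAMPLE_LOGS), skipped


if __name__ == "__main__":
    hits, skipped = correlate()
    for h in hits:
        print(f"line {h['line']}: {h['kind']} {h['value']} matches {h['indicator']} (confidence {h['confidence']})")
    print("skipped (compound patterns need a real pattern evaluator):", skipped)
```

A TIP or SIEM connector performs this flattening when it maps STIX patterns onto its own indicator schema; anything beyond the simple subset (AND, MATCHES, LIKE, temporal qualifiers) needs a real STIX pattern evaluator, and the last log line above shows why a flattener must refuse rather than guess.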
Microsoft Sentinel’s April 2025 expansion to full STIX object schema support (the ThreatIntelIndicators and ThreatIntelObjects tables) means that the richer context beyond raw IOCs (threat actor profiles, campaign data, malware families, kill chain stages) can now be stored and queried natively within Sentinel rather than requiring an external TIP to hold it. Free feeds cover commodity threat data well but lack the adversary-level intelligence (TTP analysis, attribution, strategic reporting) that commercial feeds provide. The operational model that suits most organizations is free feeds for volume indicator coverage and commercial feeds for higher-fidelity threat actor intelligence.
Commercial Threat Intelligence Platforms: Recorded Future, Mandiant, Anomali, and CrowdStrike
The commercial security intelligence feed market is dominated by four major platforms that differentiate on data sources, analytical depth, and integration architecture. Recorded Future excels in real-time AI-driven risk scoring and MITRE ATT&CK mapping, correlating indicators against geopolitical context and dark web monitoring to produce scored threat assessments that reduce analyst triage time. Mandiant Advantage, now fully integrated into Google Cloud after Google’s acquisition of Mandiant, draws on 200,000+ hours of active incident response work annually, so its feeds contain threat actor TTPs and infrastructure data observed in real-world compromise investigations rather than from passive collection alone. Forrester notes that Mandiant is positioned to become a dominant threat intelligence provider given the depth of first-party incident response data underpinning its intelligence products. Anomali ThreatStream markets the world’s largest curated threat intelligence repository, aggregating 200+ intelligence sources through a marketplace model that lets organizations add feeds selectively by industry vertical, threat type, or geography. CrowdStrike Falcon Intelligence combines endpoint telemetry from millions of CrowdStrike sensors worldwide with its adversary intelligence team’s research, delivering automated IOC enrichment, adversary profiles, and malware analysis within the same platform many organizations already use for EDR, which removes the need for a separate TIP deployment in CrowdStrike-centric environments. The platform decision for enterprise security programs usually reduces to ecosystem fit: organizations already on Microsoft security get Sentinel STIX integration plus Microsoft Defender Threat Intelligence; CrowdStrike customers get Falcon Intelligence natively; mixed-vendor environments benefit from platform-agnostic TIPs such as Anomali, Recorded Future, or the open-source OpenCTI.
Operational best practices that apply across all commercial feeds: apply confidence scoring and deduplication before pushing IOCs downstream to the SIEM, never ingest a feed in its entirety without relevance filtering, and correlate external indicators against the organization’s own threat profile (sector, geography, technology stack, and the adversaries known to target them) rather than applying every feed universally. Indicators that point at the organization’s own infrastructure or at widely shared services should be suppressed before ingestion, since matches on them produce noise rather than detections.
Integrating Security Intelligence Feeds into SIEM and SOAR

SIEM Integration: Splunk, Sentinel, and the STIX/TAXII Pipeline
The SIEM integration layer for security intelligence feeds operates through two primary mechanisms: STIX/TAXII pull, where the SIEM polls a TAXII server on a schedule and retrieves new STIX indicators, and push-based API ingestion, where a threat intelligence platform writes indicators to the SIEM’s API as new intelligence is produced. Both Splunk Enterprise Security and Microsoft Sentinel have native TAXII client capabilities that handle the standard STIX/TAXII pipeline without custom integration development. The Splunk-MISP integration creates a bidirectional pipeline: MISP events are ingested into Splunk’s threat activity index, normalized to Splunk’s Common Information Model (CIM), and correlated against log data; alerts generated from MISP indicator matches can in turn create new MISP events, closing the intelligence loop within Splunk’s automation workflow. Microsoft Sentinel’s MISP integration uses Logic Apps or Azure Functions to synchronize MISP indicators into Sentinel, writing them to the ThreatIntelligenceIndicator table (pre-April 2025) or the newer ThreatIntelIndicators/ThreatIntelObjects tables. The operational challenge that both platforms address imperfectly is low-confidence IOC management: raw feeds contain indicators at varying confidence levels, and ingesting all of them without scoring creates false positive alerts that consume analyst time. The CISA SIEM implementation guidance’s recommendation to avoid ingesting low-value data applies directly to feed management: high-confidence IOCs (indicators seen in active incidents, with attribution, matching the organization’s threat model) should be treated differently from broad, low-confidence community feeds that may include outdated or false indicators. A practical gate before ingestion drops revoked and expired indicators (STIX carries both a revoked flag and a valid_until timestamp), applies a minimum confidence threshold, and deduplicates the same pattern arriving from several feeds so that one IOC produces one alert rather than several.
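The ingestion gate described above, as an added example in Python (not code from the page, CISA, MISP, Splunk or Microsoft): it applies the listed checks to STIX 2.1 indicator objects before they are pushed to a SIEM, namely the revoked flag, valid_until expiry, a staleness cutoff for indicators that carry no expiry, suppression of the organization’s own address ranges, a minimum confidence threshold, and deduplication of the same pattern arriving from several feeds. It also covers the relevance filtering and deduplication recommended for commercial feeds in the previous section. The indicators, the x_source_feed custom property, the thresholds and the allowlisted range are constructed assumptions for the example.

```python
"""Added example, not the page's or any vendor's code: a pre-ingest gate for
STIX 2.1 indicator objects. Sample objects, the x_source_feed custom property,
the thresholds and the allowlisted range are constructed assumptions."""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Sequence, Tuple

IPV4_TERM = re.compile(r"ipv4-addr:value\s*=\s*'([^']+)'")


def _ts(value: str) -> datetime:
    """STIX timestamps are RFC 3339 UTC with a trailing Z and optional fraction."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _pattern_key(pattern: str) -> str:
    """Dedup key: the same IOC arrives from different feeds with different spacing/case."""
    collapsed = re.sub(r"\s+", " ", pattern.strip())
    return re.sub(r"\s*([=\[\]])\s*", r"\1", collapsed).lower()


def gate_indicators(indicators: Sequence[dict], *, now: datetime, min_confidence: int = 50,
                    max_age_days: int = 90, allowlist: Sequence[str] = (),
                    default_confidence: int = 0) -> Tuple[List[dict], Counter]:
    """Return (indicators to push downstream, Counter of per-object decisions).
    Order: revoked flag, valid_until expiry, staleness when there is no expiry,
    organization-owned ranges, minimum confidence (absent confidence counts as
    default_confidence), then dedup on the normalised pattern with sources merged."""
    nets = [ipaddress.ip_network(cidr) for cidr in allowlist]
    stale_before = now - timedelta(days=max_age_days)

    def reject(ind: dict) -> str:
        if ind.get("type") != "indicator":
            return "not_indicator"
        if ind.get("revoked"):
            return "revoked"
        if "valid_until" in ind:
            if _ts(ind["valid_until"]) <= now:
                return "expired"
        elif _ts(ind.get("modified") or ind["valid_from"]) < stale_before:
            return "stale"
        ips = IPV4_TERM.findall(ind.get("pattern", ""))
        if ips and all(any(ipaddress.ip_address(ip) in net for net in nets) for ip in ips):
            return "allowlisted"  # every IP term points at our own infrastructure
        if ind.get("confidence", default_confidence) < min_confidence:
            return "low_confidence"
        return ""

    kept: Dict[str, dict] = {}
    decisions: Counter = Counter()
    for ind in indicators:
        reason = reject(ind)
        if reason:
            decisions[reason] += 1
            continue
        confidence = ind.get("confidence", default_confidence)
        key = _pattern_key(ind["pattern"])
        source = ind.get("x_source_feed", "unknown")  # custom property assumed for the example
        if key in kept:  # same IOC from another feed: merge provenance, emit once
            kept[key]["sources"].add(source)
            kept[key]["confidence"] = max(kept[key]["confidence"], confidence)
            decisions["duplicate"] += 1
            continue
        kept[key] = {"id": ind["id"], "pattern": ind["pattern"], "confidence": confidence,
                     "sources": {source}, "valid_from": ind["valid_from"]}
        decisions["kept"] += 1
    return list(kept.values()), decisions


def _ind(n: int, pattern: str, feed: str, **extra) -> dict:
    """Constructed STIX 2.1 indicator; extra overrides or adds properties."""
    obj = {"type": "indicator", "spec_version": "2.1",
           "id": f"indicator--{n:08d}-0000-4000-8000-000000000000",
           "created": "2025-04-10T00:00:00Z", "modified": "2025-04-10T00:00:00Z",
           "pattern_type": "stix", "pattern": pattern,
           "valid_from": "2025-04-10T00:00:00Z", "x_source_feed": feed}
    obj.update(extra)
    return obj


NOW = datetime(2025, 4, 15, tzinfo=timezone.utc)
ALLOWLIST = ("192.0.2.0/24",)  # assumed organization-owned public range
SAMPLE_FEED = [
    _ind(1, "[ipv4-addr:value = '203.0.113.7']", "feedA", confidence=85),
    _ind(2, "[ipv4-addr:value='203.0.113.7' ]", "feedB", confidence=60),   # same IOC, other feed
    _ind(3, "[domain-name:value = 'low.example.invalid']", "feedB", confidence=30),
    _ind(4, "[ipv4-addr:value = '198.51.100.20']", "feedA", confidence=90,
         valid_until="2025-03-01T00:00:00Z"),                               # publisher expired it
    _ind(5, "[ipv4-addr:value = '192.0.2.15']", "feedA", confidence=95),   # inside ALLOWLIST
    _ind(6, "[domain-name:value = 'noconf.example.invalid']", "feedB"),     # no confidence property
    _ind(7, "[ipv4-addr:value = '203.0.113.99']", "feedA", confidence=80, revoked=True),
    _ind(8, "[ipv4-addr:value = '203.0.113.100']", "feedA", confidence=80,   # no expiry, 15 months old
         created="2024-01-01T00:00:00Z", modified="2024-01-01T00:00:00Z", valid_from="2024-01-01T00:00:00Z"),
]


def run_gate() -> Tuple[List[dict], Counter]:
    return gate_indicators(SAMPLE_FEED, now=NOW, allowlist=ALLOWLIST)


if __name__ == "__main__":
    kept, decisions = run_gate()
    print(dict(decisions))
    for ioc in kept:
        print(ioc["pattern"], ioc["confidence"], sorted(ioc["sources"]))
```

The merged sources set is worth keeping on the emitted indicator: an IOC corroborated by two independent feeds is a stronger signal than either confidence value alone, and it is the kind of context the newer Sentinel tables can hold without an external TIP.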
SOAR integration extends the value: when the SIEM generates an alert on a threat intelligence indicator match, SOAR playbooks can automatically enrich the alert with full threat actor context from the TIP, execute containment actions (IP blocking, domain quarantine), and open a prioritized investigation ticket. This automated response layer is what converts feed integration from passive detection into active response. Automated blocking should be gated on indicator confidence and checked against an allowlist of the organization’s own and business-critical infrastructure, since a false positive in an auto-block playbook is itself an outage. The Microsoft Sentinel STIX documentation at Microsoft Learn covers the TAXII connector configuration in detail. The SANS Internet Storm Center’s threat intelligence feeds provide free IOC data directly ingestible through standard STIX/TAXII integration.
Frequently Asked Questions
What are security intelligence feeds?
Security intelligence feeds are structured data streams containing threat indicators and intelligence (IP addresses, domains, URLs, file hashes, YARA rules, and contextual threat data) that organizations consume into their security platforms (SIEM, SOAR, firewalls, EDR) to detect and block known threats. Feeds range from free community sources (SANS ISC DShield, CINS Army List, MISP sharing communities) to commercial platforms (Recorded Future, Mandiant/Google, Anomali, CrowdStrike Falcon Intelligence). The standard exchange format is STIX (Structured Threat Information Expression) delivered via TAXII (Trusted Automated Exchange of Intelligence Information) APIs, which all major SIEM platforms support natively. The value of a threat intelligence feed is determined by its relevance to the organization’s threat profile, the confidence level of its indicators, and its timeliness, not by raw IOC volume.
What is the difference between STIX and TAXII?
STIX and TAXII are complementary open standards that work together. STIX (Structured Threat Information Expression) is the data format: it defines how threat intelligence objects are structured, including indicators (patterns over IPs, domains, hashes and other observables), threat actors, campaigns, malware, attack patterns, courses of action, and the relationships between them. STIX 2.1 is the current version. TAXII (Trusted Automated Exchange of Intelligence Information) is the transport protocol: an HTTPS API that defines how STIX content is published and retrieved. TAXII servers expose API roots containing collections of STIX objects; TAXII clients (your SIEM or TIP) discover those collections and page through new objects, typically asking only for objects added since their last poll. Both are maintained by the OASIS CTI Technical Committee as open standards. In practice, a commercial TIP like Anomali publishes intelligence as STIX through a TAXII server; your Splunk or Sentinel SIEM connects as a TAXII client, pulls new STIX objects on a schedule, and uses them for detection correlation.
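The client and server exchange described in this answer and in the SIEM integration section, as an added example in Python (not code from the page, OASIS, Splunk or Microsoft). FakeTaxiiServer is a constructed in-memory stand-in for a TAXII 2.1 server, not a real product; TaxiiClient plays the SIEM’s TAXII client role: it reads the discovery document, checks the API root, lists collections, pages through the objects endpoint with limit and next, and records X-TAXII-Date-Added-Last as the checkpoint so later polls ask only for objects added_after it. Collection ids, object contents and dates are constructed, and the next token being a numeric offset is this stand-in’s choice, since the standard leaves the token opaque.

```python
"""Added example, not code from the page, OASIS, Splunk or Microsoft: one
TAXII 2.1 pull cycle with both sides' messages. FakeTaxiiServer is an
in-memory stand-in (constructed, not a real product); collection contents,
ids and dates are constructed sample data."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, quote, urlsplit

TAXII_MEDIA = "application/taxii+json;version=2.1"
PAGE_SIZE = 2  # deliberately tiny so the pagination path is exercised
Response = Tuple[int, Dict[str, str], dict]  # status, headers, JSON body


class FakeTaxiiServer:
    def __init__(self, collections: Dict[str, List[Tuple[str, dict]]]):
        self.collections = collections  # id -> [(date_added, object)], oldest first

    def handle(self, method: str, url: str, headers: Dict[str, str]) -> Response:
        if method != "GET" or headers.get("Accept") != TAXII_MEDIA:  # 2.1 requires this media type
            return 406, {}, {"title": "Not Acceptable"}
        parts = urlsplit(url)
        path, query = parts.path, parse_qs(parts.query)
        if path == "/taxii2/":  # discovery document
            return 200, {}, {"title": "Constructed TAXII server", "api_roots": ["/api1/"]}
        if path == "/api1/":  # API root information
            return 200, {}, {"title": "api1", "versions": [TAXII_MEDIA], "max_content_length": 10_000_000}
        if path == "/api1/collections/":
            cols = [{"id": cid, "title": cid, "can_read": True, "can_write": False} for cid in self.collections]
            return 200, {}, {"collections": cols}
        m = re.fullmatch(r"/api1/collections/([^/]+)/objects/", path)
        if m and m.group(1) in self.collections:
            return self._objects(self.collections[m.group(1)], query)
        return 404, {}, {"title": "Not Found"}

    def _objects(self, items: List[Tuple[str, dict]], query: Dict[str, List[str]]) -> Response:
        added_after = query.get("added_after", [None])[0]
        if added_after:  # same-shape RFC 3339 UTC strings compare correctly as text
            items = [(d, o) for d, o in items if d > added_after]
        start = int(query.get("next", ["0"])[0])  # this server's opaque next token is an offset
        limit = min(int(query.get("limit", [str(PAGE_SIZE)])[0]), PAGE_SIZE)
        page = items[start:start + limit]
        more = start + limit < len(items)
        body = {"more": more, "objects": [o for _, o in page]}  # the TAXII envelope
        if more:
            body["next"] = str(start + limit)
        headers = {"X-TAXII-Date-Added-First": page[0][0], "X-TAXII-Date-Added-Last": page[-1][0]} if page else {}
        return 200, headers, body


class TaxiiClient:
    def __init__(self, server: FakeTaxiiServer):
        self.server = server
        self.trace: List[Tuple[str, int]] = []  # (url, status) for every request sent

    def _get(self, url: str) -> Tuple[Dict[str, str], dict]:
        status, headers, body = self.server.handle("GET", url, {"Accept": TAXII_MEDIA})
        self.trace.append((url, status))
        if status != 200:
            raise RuntimeError(f"{status} for {url}: {body.get('title')}")
        return headers, body

    def discover(self) -> Tuple[str, List[str]]:
        _, disc = self._get("/taxii2/")
        root = disc["api_roots"][0]
        _, info = self._get(root)
        if TAXII_MEDIA not in info["versions"]:
            raise RuntimeError("API root does not speak TAXII 2.1")
        _, cols = self._get(f"{root}collections/")
        return root, [c["id"] for c in cols["collections"] if c["can_read"]]

    def pull(self, root: str, cid: str, added_after: Optional[str] = None) -> Tuple[List[dict], Optional[str]]:
        """Fetch every object added after the checkpoint; return (objects, new checkpoint)."""
        base = f"{root}collections/{cid}/objects/?limit={PAGE_SIZE}"
        if added_after:
            base += "&added_after=" + quote(added_after, safe="")
        url, objects, checkpoint = base, [], added_after
        while True:
            headers, envelope = self._get(url)
            objects.extend(envelope["objects"])
            checkpoint = headers.get("X-TAXII-Date-Added-Last", checkpoint)
            if not envelope.get("more"):
                return objects, checkpoint
            url = f"{base}&next={envelope['next']}"  # repeat the same query with the token


def _stix(n: int) -> dict:
    ts = f"2025-04-{n:02d}T00:00:00.000Z"
    return {"type": "indicator", "spec_version": "2.1", "created": ts, "modified": ts,
            "id": f"indicator--{n:08d}-0000-4000-8000-000000000000", "pattern_type": "stix",
            "pattern": f"[ipv4-addr:value = '203.0.113.{n}']", "valid_from": ts}


def demo() -> dict:
    server = FakeTaxiiServer({"col-1": [(f"2025-04-{n:02d}T00:00:00.000Z", _stix(n)) for n in range(1, 6)]})
    client = TaxiiClient(server)
    root, cols = client.discover()
    first, cp1 = client.pull(root, cols[0])                       # initial backfill, paginated
    pages = sum(1 for url, _ in client.trace if "objects/" in url)
    second, cp2 = client.pull(root, cols[0], added_after=cp1)     # nothing new yet
    server.collections["col-1"].append(("2025-04-06T00:00:00.000Z", _stix(6)))  # publisher adds one
    third, cp3 = client.pull(root, cols[0], added_after=cp2)
    return {"first": len(first), "pages_first": pages, "second": len(second),
            "third": len(third), "checkpoint": cp3, "trace": client.trace}


if __name__ == "__main__":
    for url, status in demo()["trace"]:
        print(status, url)
```

Two details matter in a production puller: added_after filters on the server’s date_added, not on the STIX modified timestamp, so the checkpoint must come from the response header rather than from the objects themselves; and a pull interrupted mid-pagination should restart from the previous checkpoint, since objects on the pages never fetched were never seen.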
What are the best free threat intelligence feeds in 2025?
Best free security intelligence feeds in 2025: SANS ISC DShield Top 20, the top attacking /24 subnets, updated daily, one of the original community threat feeds; CINS Army List, a feed active for over a decade that processes millions of scans, probes, and exploit attempts, available in STIX/TAXII, CSV, and IPS formats; CIS MS-ISAC Indicator Feeds, real-time indicators for US SLTT entities and election infrastructure in industry-standard formats; MISP (open-source TIP), not a feed itself but the platform for joining sharing communities across ISACs and sectors; Abuse.ch feeds (URLhaus, MalwareBazaar, ThreatFox), high-quality malware and phishing infrastructure feeds; AlienVault OTX (Open Threat Exchange), community-sourced indicators from Alien Labs; Spamhaus IP and domain blocklists. The practical limit of free feeds is that they cover commodity IOCs well but lack the finished threat actor intelligence (TTP analysis, attribution, strategic assessments) available from commercial platforms.
How do you integrate threat intelligence feeds into Microsoft Sentinel?
Microsoft Sentinel threat intelligence feed integration in 2025: the STIX/TAXII data connector is a native TAXII client that polls any TAXII 2.0 or 2.1 server for STIX indicators; configure it under Data connectors with the API root URL, collection ID, credentials, and polling interval. The MISP connector is a Logic Apps or Azure Functions integration that synchronizes MISP indicators into Sentinel’s ThreatIntelligenceIndicator table (or the ThreatIntelIndicators/ThreatIntelObjects tables introduced in the April 2025 preview). Microsoft Defender Threat Intelligence is the premium TI feed natively integrated into Sentinel; it is retiring as a standalone product on August 1, 2026 and merging into Defender XDR. After ingestion, threat intelligence is used for matching against firewall, DNS, and email logs; generating TI map alerts when ingested indicators match observed network traffic; and threat hunting by querying the ThreatIntelIndicators table directly in KQL. Best practice: enable indicator confidence filtering, set a minimum confidence threshold (typically 50 to 75 on STIX’s 0 to 100 confidence scale), and configure a staleness cutoff so that aged indicators are removed automatically.