Background
Security teams and analysts constantly encounter security alerts and need immediate context and enrichment to identify “friend or foe”, and to go deeper by classifying addresses and associating them with known threats.
The new Insights Threat Feed from Team Cymru is easily ingested into your SIEM or TIP and provides the enriched intelligence you need to identify and respond to threats faster and more accurately.
What Is It?
A global threat intelligence feed containing daily, in-depth information on over 30 million IP addresses and CIDRs.
This intelligence is observed on the internet and contains indicators that categorize IPs using tags and additional details. It enables analysts to classify and categorize IP addresses and improve their reaction and response capabilities.
Tagging identifies whether an IP or CIDR is affiliated with botnets, scanners, IoT, mobile devices, routers, etc. These tags help you identify, monitor, and block harmful IPs to protect against various threats.
Delivered through an API as a JSON file and in STIX format through the TAXII protocol.
Features
Integrating the Insights Feed using STIX and TAXII offers a powerful way to exchange threat intelligence between organizations and systems in a structured, standardized, and automated manner.
Integrations using TAXII are available for Google SecOps, Microsoft Azure Sentinel and Palo Alto XSOAR.
Integration with Splunk through a dedicated Splunk App.
Automation (SOAR) platforms such as Palo Alto Cortex SOAR and Tines can easily ingest the Insights feed through API.
Tag Family Names
cdn
proxy
cloud
residential
risknet
honeypot
router
ics
satellite
iot
scanner
malware
shared-host
messaging
sinkhole
mobile
tarpit
nas
tor
openresolvers
top-site
ost
vpn
Tag families have sub-tags.
Example: the controller family has 214 controller types.
Use cases
Security alert triage and management
Quickly assess alerts on IPs for the identification and mitigation of threats. Enhance and enrich security incident investigations with actionable insights.
Integration in TIPs, SOARs and SIEMs
Integration into monitoring tools for enrichment, which is then reflected in security logs, dashboards, and reports.
Correlation
Enhance threat detection by correlating events with the nature of IP addresses, improving incident detection accuracy. Enrich threat data, making it easier to identify and respond to threats based on the nature of the IP addresses involved.
Inform Access Control Policies
Configure access control or firewall rules to block traffic from certain IPs based on their tags and insights (e.g. malicious IPs).
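As an added illustration of the correlation and access-control use cases above (example code, not Team Cymru's own; the feed record shape, the tag-to-action policy and the log format are constructed assumptions, only the tag family names come from this page), the following enriches firewall-style log lines against a small tag feed, handling overlapping CIDR records by preferring the most specific prefix and the most severe action:

```python
import ipaddress
import json

# Constructed sample feed (hypothetical record shape, not Team Cymru's actual schema):
# each record carries one IP or CIDR indicator plus tag family names from the page.
SAMPLE_FEED = json.dumps([
    {"indicator": "203.0.113.7", "tags": ["scanner"]},
    {"indicator": "198.51.100.0/24", "tags": ["malware", "risknet"]},
    {"indicator": "192.0.2.50", "tags": ["cdn"]},
    {"indicator": "192.0.2.0/25", "tags": ["tor", "proxy"]},
])

# Constructed firewall-style log lines: "<timestamp> src=<ip> dst=<ip>".
SAMPLE_LOGS = [
    "2024-01-01T00:00:01Z src=203.0.113.7 dst=10.0.0.5",
    "2024-01-01T00:00:02Z src=198.51.100.9 dst=10.0.0.5",
    "2024-01-01T00:00:03Z src=192.0.2.50 dst=10.0.0.5",
    "2024-01-01T00:00:04Z src=10.0.0.9 dst=10.0.0.5",
]

# Tag family -> handling for inbound traffic; an assumed local policy, not feed guidance.
TAG_POLICY = {"malware": "block", "risknet": "block", "scanner": "alert",
              "tor": "alert", "proxy": "alert", "vpn": "review", "cdn": "allow"}
SEVERITY = ["block", "alert", "review", "allow"]  # most to least severe

def load_feed(raw):
    """Parse feed JSON into (network, tags) pairs; a bare IP becomes a /32 or /128."""
    return [(ipaddress.ip_network(r["indicator"], strict=False), r["tags"])
            for r in json.loads(raw)]

def enrich(ip, feed):
    """Tags of every feed entry containing ip, most specific prefix first, deduplicated."""
    addr = ipaddress.ip_address(ip)
    hits = sorted(((net, tags) for net, tags in feed if addr in net),
                  key=lambda hit: hit[0].prefixlen, reverse=True)
    return list(dict.fromkeys(tag for _, tags in hits for tag in tags))

def decide(tags):
    """Most severe action across the tags; tags outside TAG_POLICY default to 'review'."""
    actions = [TAG_POLICY.get(tag, "review") for tag in tags]
    return min(actions, key=SEVERITY.index) if actions else "allow"

def triage(log_lines, feed):
    """Correlate each log line's source IP with the feed and attach a decision."""
    results = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        tags = enrich(fields["src"], feed)
        results.append({"src": fields["src"], "tags": tags, "action": decide(tags)})
    return results
```

Note that 192.0.2.50 is covered by both a /32 (cdn) and a /25 (tor, proxy) record, so the enrichment returns all three tags and the decision is driven by the most severe one.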
Endpoint (EPP/EDR) and MDR Integration: Incident Response
Consolidate tools, reduce alert fatigue, and provide real-time intelligence to enable faster, more accurate threat investigations. Empower SOC and IR teams to make informed decisions and improve defenses. These tools can use IP tags and insights to prevent endpoints from connecting to or receiving traffic from dangerous IPs.
Who Will Benefit?
SOC Analyst
Needs real-time, actionable threat data to filter false positives and focus on critical threats. Sort out alerts.
Incident Responder
Requires enriched data for fast threat correlation and incident management.
Threat Hunter
Seeks comprehensive data to proactively identify hidden threats and emerging vulnerabilities – typically will leverage the feed with other sources.
IT Security Architect
Requires customizable threat data that integrates with existing security infrastructure. Leverage data in the feed to tweak network security policies.
CISOs
Receive strategic insights to assess risk and guide cybersecurity investments. Leverage the feed along with other data and/or through platforms to get executive-level reports.
Managed Security Service Providers (MSSPs)
Leverage the feed to enhance threat detection capabilities and integrate in their own solutions.