Create a feed

A feed generates a filtered, scoped view of threat intelligence based on criteria such as TLP levels, sources, or object types. Follow this procedure to configure and activate a new feed.

Prerequisites

You must have the necessary permissions within your community to manage CTI configurations.

Procedure

Navigate to the Feeds page from the main menu.
At the top right of the page, click + Feed.
In the Define your feed section, select the Object type filters to include specific STIX objects.

Relationship handling

The feed includes only the selected object types. Relationships between objects are excluded. If you leave this field empty, all object types are included.
Select the Intelligence sources to scope the data.
Select the allowed TLP levels: White, Green, Amber, or Red.
Select whether to exclude indicators that are expired or revoked.
Click Next.
In the Configure dissemination settings section, select the sorting order.
- Select Newest to oldest for single-batch retrieval.
- Select Oldest to newest for paginated retrieval.
Select the output Format and configure its specific parameters.
Feed format specifications
- JSON / STIX — Standard for CTI platforms. Maximum 10,000 objects per call.
- Text — One object per line. Ideal for firewall EDLs. Maximum 2,000 objects per call.
- CSV — Customizable spreadsheet format. Maximum 2,000 objects per call.
- Custom — User-defined template using variables such as $tlp, $id, $name, and $observables. Maximum 2,000 objects per call.
Click Save.

The feed is now active and appears in the feed listing, ready for internal use or external dissemination.

Feeds: Understand what feeds are, how they work, available formats, and the default feed.
Manage feeds: Consume, edit, duplicate, or delete an existing feed.
Create a detection rule from a feed: Link a feed to a CTI detection rule to automatically match IOCs against your telemetry. Requires a Defend subscription.

Create a feed

Related articles