Edgewatch CTI — Feeds

Edgewatch Threat Intelligence Feeds are ready-to-use IoC lists curated from our first-hand collections (global honeypots and direct internet telemetry). They’re designed for quick deployment into SIEM/SOAR, firewalls, TIPs, and blocklist consumers—no third-party dependence. Public feeds are linked from the CTI home page under “Download free, ready-to-use threat intelligence feeds.”

Access & authentication

  • Catalog: https://cti.edgewatch.net/feeds (browse, search, and pick a feed). Some feeds are public; others may require a token.
  • API Docs & TAXII: Use the CTI docs for REST usage and the TAXII 2.1 server for STIX pulls.
  • Auth (when required): Authorization: Bearer <YOUR_TOKEN> (same token used for CTI API).

Formats

Each feed page offers one or more export formats. The options follow the delivery patterns common across the industry: simple lists for direct device ingestion and richer JSON/structured formats for TIP/SIEM use:

  • Plain text: one indicator per line (e.g., IPv4/IPv6, domain, URL, hash).
  • CSV: tabular list with indicator + metadata columns (commonly: indicator,type,classification,tags,first_seen,last_seen,source).
  • JSON: per-indicator objects with context (classification/tags, sightings, first/last seen, source).
  • STIX 2.1 (via TAXII 2.1): pull curated collections with standardized objects.

Download in various formats or integrate directly into tools/connectors depending on your workflow.

Example: download & consume

cURL (plain text feed → save to file)

curl -L https://cti.edgewatch.net/feeds/<FEED_SLUG>.txt -o edgewatch-feed.txt

cURL (CSV or JSON)

curl -L https://cti.edgewatch.net/feeds/<FEED_SLUG>.csv -o edgewatch-feed.csv
curl -L https://cti.edgewatch.net/feeds/<FEED_SLUG>.json -o edgewatch-feed.json

Python (JSON feed → dict)

import requests

# Fetch the JSON export; add headers={"Authorization": "Bearer <YOUR_TOKEN>"} when the feed requires a token
r = requests.get("https://cti.edgewatch.net/feeds/<FEED_SLUG>.json", timeout=30)
r.raise_for_status()  # fail loudly on 4xx/5xx instead of parsing an error page
feed = r.json()       # parsed per-indicator objects (classification, tags, sightings, first/last seen, source)
print(len(feed))      # number of indicators in this pull

TAXII 2.1 (STIX)

Point your TAXII client to the Edgewatch TAXII endpoint referenced from the CTI landing page and authenticate per your token settings to subscribe to collections.

Integration recipes

  • Firewalls / Gateways (blocklists): use the TXT format (one IoC per line). Schedule a periodic fetch (e.g., every 15–60 minutes) and attach to a block/deny policy.
  • SIEM/TIPs: ingest CSV or JSON; map fields:
    • indicator → observable/value
    • type → observable/type (ip, hostname, url, hash)
    • classification → threat.severity/category
    • tags → labels
    • first_seen / last_seen → timestamps for correlation windows
  • SOAR enrichers: for case playbooks, fetch JSON on demand and annotate tickets/alerts with classification, tags, and last-seen context.
  • TAXII subscribers (OpenCTI, MISP, Elastic, Sentinel): subscribe to STIX collections for continuous ingestion.
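The CSV → SIEM field mapping above, together with the de-duplication and allow-listing points under Operational guidance, as an added worked example (this is not Edgewatch's own code or connector). It assumes the typical column layout named in the Formats section (indicator,type,classification,tags,first_seen,last_seen,source) and that tags are `;`-separated; the sample rows and allow-list entries are constructed, not real indicators.

```python
"""Normalize an Edgewatch CSV feed export for SIEM/TIP ingestion and TXT blocklists.

Added example, not Edgewatch's own code. Assumes the typical column layout
(indicator,type,classification,tags,first_seen,last_seen,source); all sample
values below are constructed (RFC 5737 documentation ranges), not real IoCs.
"""
import csv
import io
import ipaddress
from datetime import datetime, timezone

# Constructed sample export: one indicator appears twice with differing tags and
# last_seen, one address falls inside a local allow-list, one entry is a hostname.
SAMPLE_CSV = """indicator,type,classification,tags,first_seen,last_seen,source
198.51.100.23,ip,malicious,"scanner;ssh-bruteforce",2024-05-01T10:00:00Z,2024-05-02T08:30:00Z,honeypot
198.51.100.23,ip,malicious,"scanner",2024-05-01T10:00:00Z,2024-05-03T12:00:00Z,honeypot
203.0.113.7,ip,suspicious,"scanner",2024-05-02T00:00:00Z,2024-05-02T01:00:00Z,telemetry
bad.example.net,hostname,malicious,"c2",2024-05-01T00:00:00Z,2024-05-01T00:00:00Z,honeypot
"""

# Local allow-list (constructed): networks/hosts that must never reach a deny
# policy, e.g. shared hosting ranges or your own infrastructure.
ALLOW_NETS = [ipaddress.ip_network("203.0.113.0/24")]
ALLOW_HOSTS = {"good.example.org"}


def parse_ts(value):
    """Parse the feed's ISO-8601 UTC timestamps ('Z' suffix) into aware datetimes."""
    return datetime.fromisoformat(value.strip().replace("Z", "+00:00")).astimezone(timezone.utc)


def to_observable(row):
    """Map one CSV row onto the SIEM fields from the integration recipes."""
    return {
        "observable.value": row["indicator"].strip(),
        "observable.type": row["type"].strip(),          # ip, hostname, url, hash
        "threat.severity": row["classification"].strip(),
        "labels": [t for t in row["tags"].split(";") if t],
        "first_seen": parse_ts(row["first_seen"]),
        "last_seen": parse_ts(row["last_seen"]),
        "source": row["source"].strip(),
    }


def is_allowlisted(obs):
    """True when the indicator matches a local allow-list entry."""
    if obs["observable.type"] == "ip":
        addr = ipaddress.ip_address(obs["observable.value"])
        return any(addr in net for net in ALLOW_NETS)
    if obs["observable.type"] == "hostname":
        return obs["observable.value"].lower() in ALLOW_HOSTS
    return False


def normalize_feed(csv_text):
    """Dedupe on indicator + type (earliest first_seen, most recent last_seen,
    union of tags), then drop allow-listed entries."""
    merged = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        obs = to_observable(row)
        key = (obs["observable.value"], obs["observable.type"])
        if key in merged:
            prev = merged[key]
            prev["first_seen"] = min(prev["first_seen"], obs["first_seen"])
            prev["last_seen"] = max(prev["last_seen"], obs["last_seen"])
            prev["labels"] = sorted(set(prev["labels"]) | set(obs["labels"]))
        else:
            merged[key] = obs
    return [o for o in merged.values() if not is_allowlisted(o)]


def blocklist_txt(observables, types=("ip",)):
    """Render the TXT delivery format (one IoC per line) for firewall/gateway ingestion."""
    return "\n".join(sorted(o["observable.value"] for o in observables
                            if o["observable.type"] in types))


if __name__ == "__main__":
    normalized = normalize_feed(SAMPLE_CSV)
    for o in normalized:
        print(o["observable.type"], o["observable.value"], o["threat.severity"],
              o["labels"], o["last_seen"].isoformat())
    print("--- blocklist.txt ---")
    print(blocklist_txt(normalized))
```

Run it as-is to see the merged record for the duplicated address (tags unioned, last_seen advanced to the newest sighting), the allow-listed address dropped, and the single-line TXT blocklist a firewall would consume. Feeding the `observable.*` / `threat.severity` / `labels` keys into your SIEM's field mapping is the remaining platform-specific step.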

Operational guidance

  • Cadence: Feeds are updated continuously from live collections; rely on ETag/Last-Modified headers (if present) to avoid unnecessary downloads. (General best practice.)
  • De-duplication: Your platform should dedupe on indicator + type; keep the most recent timestamps for correlation.
  • Allow-listing: Apply local allow-lists to avoid collateral damage (esp. for shared hosting IPs/DNS).
  • Rollbacks: Keep the last N versions of the feed for quick rollback if a policy change is too aggressive.
  • Attribution & context: For investigations, prefer JSON/STIX formats to keep source, tags, and first/last-seen context.
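The cadence and rollback points above, as an added worked example (not Edgewatch's own code or connector): a conditional GET that sends `If-None-Match` / `If-Modified-Since` from the previously stored `ETag` / `Last-Modified` values, stores each changed download as a numbered version, prunes beyond the last N, and can roll back to the previous version. It assumes only that the endpoint honours standard HTTP validators; `FEED_URL` uses the page's `<FEED_SLUG>` placeholder, and the `__main__` block drives the cache with a constructed stub transport so it runs offline.

```python
"""Conditional fetch of an Edgewatch TXT feed with ETag/Last-Modified validators
plus retention of the last N downloads for rollback.

Added example, not Edgewatch's own code. Assumes the feed endpoint honours
standard HTTP validators (If-None-Match / If-Modified-Since -> 304). FEED_URL
keeps the docs' <FEED_SLUG> placeholder; the main block uses a stub transport.
"""
import json
import urllib.error
import urllib.request
from pathlib import Path

FEED_URL = "https://cti.edgewatch.net/feeds/<FEED_SLUG>.txt"  # placeholder slug


def urllib_get(url, headers):
    """Default transport: returns (status, lower-cased response headers, body bytes)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    except urllib.error.HTTPError as err:
        # urllib raises on 304 Not Modified; surface it as a plain status code.
        return err.code, {k.lower(): v for k, v in err.headers.items()}, b""


class FeedCache:
    """Stores feed.NNNNNN.txt versions in a directory plus meta.json with validators."""

    def __init__(self, directory, keep=3):
        self.dir = Path(directory)
        self.dir.mkdir(parents=True, exist_ok=True)
        self.keep = keep                      # number of versions retained for rollback
        self.meta_path = self.dir / "meta.json"

    def _read_meta(self):
        return json.loads(self.meta_path.read_text()) if self.meta_path.exists() else {}

    def _write_meta(self, meta):
        self.meta_path.write_text(json.dumps(meta))

    def versions(self):
        """Retained versions, oldest first (zero-padded counter sorts lexically)."""
        return sorted(self.dir.glob("feed.*.txt"))

    def current(self):
        """Bytes of the newest retained version, or None if nothing is cached yet."""
        versions = self.versions()
        return versions[-1].read_bytes() if versions else None

    def refresh(self, url=FEED_URL, http_get=urllib_get):
        """Conditional GET. Returns True when a new version was stored, False on 304."""
        meta = self._read_meta()
        headers = {}
        if meta.get("etag"):
            headers["If-None-Match"] = meta["etag"]
        if meta.get("last_modified"):
            headers["If-Modified-Since"] = meta["last_modified"]
        status, resp_headers, body = http_get(url, headers)
        if status == 304:
            return False                      # unchanged upstream; keep the current version
        if status != 200:
            raise RuntimeError(f"feed fetch failed: HTTP {status}")
        counter = int(meta.get("counter", 0)) + 1
        (self.dir / f"feed.{counter:06d}.txt").write_bytes(body)
        for old in self.versions()[:-self.keep]:   # prune everything beyond the last N
            old.unlink()
        meta.update(counter=counter,
                    etag=resp_headers.get("etag"),
                    last_modified=resp_headers.get("last-modified"))
        self._write_meta(meta)
        return True

    def rollback(self):
        """Discard the newest version so consumers read the previous one.
        Validators are cleared so the next refresh fetches a full copy again."""
        versions = self.versions()
        if len(versions) < 2:
            raise RuntimeError("no previous version to roll back to")
        versions[-1].unlink()
        meta = self._read_meta()
        meta.update(etag=None, last_modified=None)
        self._write_meta(meta)
        return versions[-2].read_bytes()


if __name__ == "__main__":
    import tempfile
    # Constructed stub standing in for the feed server: first call returns a body
    # with validators, second answers 304 Not Modified, third returns new data.
    responses = iter([
        (200, {"etag": '"v1"', "last-modified": "Wed, 01 May 2024 10:00:00 GMT"}, b"198.51.100.23\n"),
        (304, {}, b""),
        (200, {"etag": '"v2"'}, b"198.51.100.23\n203.0.113.7\n"),
    ])
    cache = FeedCache(tempfile.mkdtemp(), keep=2)
    for _ in range(3):
        changed = cache.refresh(http_get=lambda url, headers: next(responses))
        print("updated" if changed else "unchanged (304)", cache.current())
    print("rolled back to:", cache.rollback())
```

Point a scheduler (every 15–60 minutes, as the recipes suggest) at `FeedCache(...).refresh()` and have the firewall or gateway read `current()`; a 304 costs one round trip and no download, and `rollback()` restores the previous list when a policy change proves too aggressive.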