Threat Feeds
  • 10 Nov 2022

Built-in Threat Feeds

By default, Skylight Interceptor uses various open source threat feeds. These can be found under Threat Feeds in the Settings section.

Viewing Built-in Threat Feeds

To view the built-in threat feeds from the settings section:

  1. Go to Settings ► Security ► Threat Feeds

Built-in threat feeds can be disabled, but they cannot be deleted from Interceptor.

You can add tags to a threat feed to make it easier to categorize or search.

Custom Threat Feeds

You can also add your own threat feeds from the settings section. Custom threat feeds allow you to upload malicious IPs, URLs, domains and JA3 hashes.

Adding Custom Threat Feeds

To add threat feeds from the Threat Feeds section:

  1. Go to Settings ► Security ► Threat Feeds
  2. Click the Add button
    A popup window appears where you can enter details, upload your CSV file, and add tags.
  3. Click the Save changes button.

Important Requirements

Threat feed data requires a valid CSV file, with the following:

  • The header row must contain one or more of the following columns:
    • ip, url, domain, or ja3
  • Values in rows must be comma-separated, not quoted
  • IP column must contain IPv4 values in dot-decimal notation (e.g. 192.168.0.1)
  • Comments (lines starting with #) and empty lines are allowed (they are ignored).
  • Empty values are ignored.

Example:

# This is a malicious IP & domains list created for demo purposes
# Do not use these values in production !!
# Keep in mind:
#    a) Header row must be the first row after comments (comments are optional).
#    b) Can be one or more columns. If there are two or more columns, use comma to separate values.

ip
1.2.3.4
1.2.3.5
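
A pre-upload check for the requirements above, as an added example (not Accedian's code; Interceptor's own validation may differ). The function names, the whitespace trimming and the choice to ignore unknown columns are assumptions of this sketch.

```python
import re

KNOWN_COLUMNS = {"ip", "url", "domain", "ja3"}
IPV4_RE = re.compile(r"^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$")

def is_dotted_ipv4(value):
    """True only for dot-decimal IPv4 such as 192.168.0.1."""
    m = IPV4_RE.match(value)
    return bool(m) and all(int(octet) <= 255 for octet in m.groups())

def check_feed(text):
    """Return (indicators, errors) for one feed file given as a string."""
    indicators, errors, header = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and empty lines are ignored
        if '"' in line:
            errors.append(f"line {lineno}: values must not be quoted")
            continue
        cells = [c.strip() for c in line.split(",")]
        if header is None:  # first row after the comments is the header
            header = cells
            if not KNOWN_COLUMNS.intersection(header):
                errors.append(f"line {lineno}: header needs ip, url, domain or ja3")
            indicators = {c: [] for c in header if c in KNOWN_COLUMNS}
            continue
        for column, value in zip(header, cells):
            if not value or column not in indicators:
                continue  # empty values (and unknown columns) are skipped
            if column == "ip" and not is_dotted_ipv4(value):
                errors.append(f"line {lineno}: {value!r} is not dot-decimal IPv4")
                continue
            indicators[column].append(value)
    if header is None:
        errors.append("no header row found")
    return indicators, errors

# Constructed sample: the page's example extended with a second column and two bad rows.
SAMPLE = """# demo values only
ip,domain
1.2.3.4,bad.example
1.2.3.5,
2001:db8::1,v6.example
"1.2.3.6",quoted.example
"""

if __name__ == "__main__":
    print(check_feed(SAMPLE))
```

Running the check before upload is useful because, as noted under Important Details to Consider, corrected data takes approximately one hour to become available after a re-upload.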

Important Details to Consider

  • Newly created threat feeds are available immediately.
  • Enabling or disabling a threat feed is reflected immediately.
  • Changed data (after re-upload) is available in approximately one hour.

© 2024 Accedian Networks Inc. All rights reserved. Accedian®, Accedian Networks®,  the Accedian logo™, Skylight™, Skylight Interceptor™ and per-packet intel™, are trademarks or registered trademarks of Accedian Networks Inc. To view a list of Accedian trademarks visit: http://accedian.com/legal/trademarks/. 

