Overview
To help inform Blumira’s platform of new threats and relevant security information, Blumira ingests different types of intelligence feeds. Those include threat feeds, informational/risk feeds, and safe feeds. The data from these feeds are leveraged by Blumira's conditions and analysts to enhance our detections and enrich our platform's data. See About Blumira's dynamic blocklists for additional information.
These feeds are defined by their weight, 1-100, with 100 being the most valid source. We include this weighting because threat feeds vary heavily in their quality and can only be leveraged if trusted.
Threat Feeds
A threat feed is a known-bad object feed. In general, an object in a threat feed is a known-bad IP, CIDR, ASN, Hash, Domain, or Path associated with some sort of source. This source is further expanded by the use of honeypots and will be growing as Blumira builds additional internet-based honeypots.
Threat feeds that Blumira ingests are:
- Internal Blumira threats – Indicators of compromise (IOCs) from findings
- Internal Blumira data – Honeypots and gathered IOCs
- Abuse.ch Feodo Tracker
- Abuse.ch SSL Blocklist
- Abuse.ch URLHaus
- Alienvault (AT&T) Open Threat eXchange – API Integration
- Alienvault (AT&T) IP Reputation
- Collective Intelligence Network Security (CINS) – CI Badguys
- Bad IPs
- Blocklist.de
- Bambenek Consulting – C&C domains
- Bambenek Consulting – C&C IPs
- DFIR Report threat feeds
- Emerging Threats Intelligence – Proofpoint – Compromised IPs
- AbuseIPDB – Bad IPs
- DShield – Suspicious domains
Informational/Risk Feeds
We use informational and risk feeds to determine if an IP is either risky or useful to Blumira. These could be used for purposes ranging from identifying anonymous traffic to ensuring that communication only occurs within AWS. When an ASN is identified, all subnets and IPs for IPv4 and IPv6 are gathered and stored associated with that organization.
Informational feeds that Blumira ingests include:
- Tor Exit Node IPs
- I2P Exit Node IPs
- Anonymous IPs, e.g., Private Internet Access IPs
- Censys Subnet
- Google ASN
- Google Cloud Platform ASN
- Microsoft ASN
- Azure ASN
- AWS ASN
- DigitalOcean ASN
- Rackspace ASN
- OVH ASN
- Government ASNs
Safe Feeds
We use safe feeds for assets that are known to be safe and have assigned objects to that content.
Safe feeds that Blumira ingests include:
- Known Safe Binary Hashes
- Known Safe IPs
- Qualys ASN (Corporate Cloud Scanning)
- Tenable Nessus Cloud ASN (Corporate Cloud Scanning)