Threat intelligence feeds: IOCs that meet your assets
Subtitle: External feeds + internal telemetry — correlated, not copy-pasted into spreadsheets.
Dual-Strike XISEM Threat Intelligence integrations ingest IOC feeds (hashes, domains, IPs, URLs) and match them against agent harvests, DNS logs, browsing sessions, and EDR exports. Matches elevate in Threat Center and can trigger COBRA² rules.
Route: Settings → Threat Intelligence · Support wiki → Threat intelligence feeds
Feed types
Type | Example sources (wiki index)
Commercial TI | Partner feeds via API
Open source | STIX/TAXII compatible lists
ISAC / sector | Client-specific sharing agreements
Internal | Your own block lists from prior incidents
Match surfaces
Browsing Insights — domain/URL reputation hits
Asset modal — file hash on disk vs. feed
Network — DNS query to known C2 domain
Email — attachment hash from Proofpoint/M365 path
Tuning for false positives
Start feeds in alert-only mode per client
Require 2-of-N correlation for auto-ticket (e.g., DNS hit + process execution)
Exclude known CDN domains via MSP baseline exception list
Review weekly top matched IOCs — retire stale entries
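The tuning rules above (CDN exception list, 2-of-N correlation before auto-ticketing, alert-only otherwise) as a small worked example. This is added illustration code, not Dual-Strike XISEM or COBRA² code; the feed entries, exception list, telemetry records and host names are all constructed placeholders.

```python
"""Added example: match a tiny IOC feed against constructed DNS and
process telemetry, drop MSP-baseline CDN exceptions, and require hits on
two distinct surfaces per host before a finding becomes a ticket."""
from collections import defaultdict

# Constructed feed entries (placeholders, not real indicators).
IOC_FEED = {
    "domain": {"c2.example-bad.test"},
    "sha256": {"a" * 64},
}
# Constructed MSP baseline exception list: CDN names that never match.
CDN_EXCEPTIONS = {"cdn.example-cdn.test"}
# Which IOC type each match surface is compared against.
SURFACE_IOC_TYPE = {"dns": "domain", "browsing": "domain", "process": "sha256"}

# Constructed telemetry records: (host, surface, observed indicator).
TELEMETRY = [
    ("ws-01", "dns", "c2.example-bad.test"),
    ("ws-01", "process", "a" * 64),          # hash of a binary that executed
    ("ws-02", "dns", "c2.example-bad.test"),  # DNS hit only, no execution
    ("ws-03", "dns", "cdn.example-cdn.test"),  # excluded by baseline
]


def match_record(surface, indicator):
    """True if the indicator is in the feed and not on the exception list."""
    if indicator in CDN_EXCEPTIONS:
        return False
    ioc_type = SURFACE_IOC_TYPE.get(surface)
    return ioc_type is not None and indicator in IOC_FEED[ioc_type]


def correlate(records, required=2):
    """Group feed hits per host. A host with hits on >= `required`
    distinct surfaces gets 'ticket'; fewer surfaces stay 'alert'-only."""
    surfaces_hit = defaultdict(set)
    for host, surface, indicator in records:
        if match_record(surface, indicator):
            surfaces_hit[host].add(surface)
    return {host: ("ticket" if len(s) >= required else "alert")
            for host, s in surfaces_hit.items()}


if __name__ == "__main__":
    print(correlate(TELEMETRY))  # {'ws-01': 'ticket', 'ws-02': 'alert'}
```

Note that ws-03 produces no finding at all because the CDN exception is applied before correlation, which is the point of keeping the baseline list in front of the feed match.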
MSP differentiator
Most SMB clients cannot operate a TI platform. You operationalize feeds once at the MSP tier and inherit them downstream to clients under appropriate data-sharing contracts.
Compliance angle
Threat intelligence usage satisfies monitoring and analysis controls in NIST, SOC 2, and CMMC when documented with feed source, update cadence, and match response procedures.
Related: COBRA² guide · Email security layer · Threat Center
Feed credentials stored per integration policy — never publish API keys in newsletters.