Skip to main content
All Posts
Cyber Threat Intelligence
SIEM
Splunk
Threat Intelligence Platform
ThreatStream
Anomali
1
min read

Generating Your Own Threat Intelligence Feeds in ThreatStream

Recently we launched a feature that allows you to create your own threat intelligence feeds in CSV, JSON and STIX format. They're super simple to setup...
David Greenwood
Published on
February 14, 2018
Table of Contents

Getting threat intelligence into your existing security products - SIEMs, endpoints, network tools -- can significantly enhance their effectiveness and longevity. Here at Anomali we understand the value of product integrations, so much so that my entire job is to manage the 30+ we currently offer.

Recently we launched a feature that allows you to create your own threat intelligence feeds in CSV, JSON and STIX format for consumption by other products. They're super simple to setup...

Step One: Create a Saved Search

Use ThreatStream's search functionality to define the type of indicators you want to include in your feed. I used the search:

(itype="mal_domain") and (status="active") and (confidence>=95)

Translated into English; only include malware domain indicators type that are currently reported as active with a very high confidence score of 95 assigned by ThreatStream.

Once the constraints meet the requirements for your feed, select "save as" to convert it into a saved search you can use across ThreatStream.

Step Two: Create a Custom Integration

In ThreatStream navigate to: Settings > Integrations > New Integration

The pop-up modal will allow you to configure the settings for your feed including:

  • The search filter (set in step one)
  • The feed format (JSON, CSV or STIX)
  • The fields to be included in the feed (35 available to select)

Once you hit save, ThreatStream will create a custom URL for your feed.

Step Three: Add Your Feed to Your Existing Products

You can now use the URL generated in step two as a feed source to any products that can ingest threat feeds in the configured format.

The feed is updated on a set schedule. If you're asked for a polling interval make sure to set it equal to this schedule so you're not making more requests than necessary.

My Product Does Not Support CSV, JSON or STIX Inputs

There are currently 30+ native integrations supported by ThreatStream -- Splunk, QRadar, Arcsight, Carbon Black, Palo Alto Networks.

Trying to do integrate with a product that's a little more niche? Get in touch with our partnership team to explore a potential integration.

FEATURED RESOURCES

January 13, 2026
Anomali Cyber Watch

Anomali Cyber Watch: Cisco ISE Flaw, Ni8mare, N8scape, Zero-Click Prompt Injection and more

Anomali Cyber Watch: Cisco ISE Flaw Enables Arbitrary File Read via Administrative Access. Ni8mare and N8scape Vulnerabilities Expose n8n Automation Platforms to Full Compromise. Zero-Click Prompt Injection Abuse Enables Silent Data Exfiltration via AI Agents. Phishing Attacks Exploit Misconfigured Email Routing to Spoof Internal Domains. Ransomware Activity in the U.S. Continued to Rise in 2025. Android Ghost Tap Malware Drives Remote NFC Payment Fraud Campaigns. Black Cat SEO Poisoning Malware Campaign Exploits Software Search Results. MuddyWater Upgrades Espionage Arsenal with RustyWater RAT in Middle East Spear-Phishing. China-Linked ESXi VM Escape Exploit Observed in the Wild. Instagram Denies Data Breach Despite Claims of 17.5 Million Account Data Leak
Read More
January 6, 2026
Anomali Cyber Watch

Anomali Cyber Watch: OWASP Agentic AI, MongoBleed, WebRAT Malware, and more

Real-World Attacks Behind OWASP Agentic AI Top 10. MongoDB Memory Leak Vulnerability “MongoBleed” Actively Exploited. WebRAT Malware Spread via Fake GitHub Proof of Concept Exploits. Trusted Cloud Automation Weaponized for Credential Phishing. MacSync macOS Stealer Evolves to Abuse Code Signing and Swift Execution. Claimed Resecurity Breach Turns Out to Be Honeypot Trap. Cybersecurity Professionals Sentenced for Enabling Ransomware Attacks. Google Tests Nano Banana 2 Flash as Its Fastest Image AI Model. RondoDox Botnet Exploits React2Shell to Hijack 90,000+ Systems. Critical n8n Expression Injection Leads to Arbitrary Code Execution
Read More
December 23, 2025
Anomali Cyber Watch

Anomali Cyber Watch: SantaStealer Threat, Christmas Scams of 2025, React2Shell Exploit, Phishing via ISO, and more

SantaStealer Infostealer Threat Gains Traction in Underground Forums. From Fake Deals to Phishing: The Most Effective Christmas Scams of 2025. React2Shell Exploitation Expands With New Payloads and Broader Targeting. Russian Phishing Campaign Delivers Phantom Stealer via ISO Attachments. And More...
Read More
Explore All