Bring Your Own Feed (BYOF): An Engineer’s Guide to Effective Threat Intelligence



As software continues to eat the world, and AI becomes a force multiplier for attackers, those of us tasked with defending our systems have to be more focused, deliberate, and proactive in our approaches. We have to rise up to meet this onslaught of new cyber threats.

In this article, we’ll look at threat intelligence, what it is and why it’s important, how threat intelligence feeds can help us in our daily defense, and how we can create custom threat intelligence feeds that match our organizations’ specific needs. 

Threat intelligence is all the contextual information we need about potential or active cybersecurity threats to help us understand risks. These pieces of information are called threat intelligence indicators. Examples include malicious IPs, domains, malware hashes, and attacker tactics. 

Threat intelligence is critical—it helps organizations detect, prevent, and respond to threats by enriching the raw security data with indicators and behavioral patterns. The most effective threat intelligence combines technical information with insights about the threat actors’ goals, methods, and infrastructure.

Threat intelligence is crucial for battling alert fatigue and noise. Too much information creates desensitization. We end up responding slowly to, or even ignoring, critical issues. The goal with threat intelligence is to make it meaningful so that we never miss an important alert.

There are several types of threat intelligence indicators. Let’s look at each along with its scope and purpose. 

Threat intelligence indicators are often grouped into categories, such as atomic (single pieces of information), computed (information derived from analysis), and behavioral (what the attacker is doing).

We also often group the information into feeds—data streams of threat intelligence indicators that we use to feed our systems ongoing updates about risks and threats. That’s what we’ll focus on here. 

Threat intelligence feeds can be:

  • Strategic feeds – high-level threat trends, emerging risks, and evolving attack vectors, helping with long-term planning and resource prioritization.

  • Operational feeds – active threats, monitoring the tactics, techniques, and procedures (TTPs) used by adversaries, enabling SOC teams to anticipate and defend against attacks.

  • Technical feeds – precise, actionable data (such as IP addresses, domains, and malware hashes) that can be used immediately to block known threats.

  • Tactical feeds – real-time threat data that supports rapid incident response, allowing SOCs to react quickly.

Luckily, you don’t have to build all of these feeds from scratch. Commercial vendors, government agencies, and open-source communities provide pre-built threat intelligence feeds in standard formats such as STIX 2.1 (JSON), OpenIOC (XML), and MISP (JSON).

These feeds vary in scope, quality, and specialization. Some focus on nation-state actors and advanced persistent threats (APTs), while others emphasize malware campaigns, botnets, or phishing infrastructure. Security teams can choose to aggregate multiple feeds to build a comprehensive threat picture appropriate for their organization’s needs.

Examples include:

  • AlienVault OTX – a collaborative threat intelligence platform where security professionals share and consume real-time indicators of compromise (IOCs). It provides access to community-curated threat data, including IPs, domains, malware hashes, and attack patterns.

  • FBI InfraGard – a partnership between the FBI and the private sector focused on protecting critical infrastructure through trusted information sharing. InfraGard provides private threat intelligence alerts and sector-specific feeds derived from FBI investigations and partnerships with infrastructure operators. 

  • Google Threat Intelligence (previously Mandiant) – delivers high-confidence IOCs, malware signatures, YARA rules, actor profiles, and campaign telemetry. Feeds are accessible via API, STIX/TAXII, and integrations with SIEM/SOAR platforms for automated detection and correlation.

But what if these feeds don’t give you everything you need? In that case, you need to BYOF! (Bring your own feed.)

Private threat intelligence feeds can be created based on your proprietary organizational needs and added to your threat intelligence systems just like industry feeds. 

Ideally, these private feeds are generated by sifting through your (potentially massive) stream of alerts and events and intelligently surfacing the most relevant indicators. Once you have created your private feed, you can combine it with the standard threat intelligence feeds above. This creates a customized view of threats that allows your security team to zero in on them and respond quickly.

But creating these private feeds can be a challenge. You need to build a system that can store, aggregate, analyze, and combine industry feeds with your private feeds as well as display the information to the security team and integrate with other common tools, all while keeping the system reliable, scalable, and secure.

Most organizations prefer to leverage a solid existing platform and focus their resources on their core competencies. Let’s look at one way this can be done. For our example, we’ll use Sumo Logic—a cloud-based log management and analytic service most people are familiar with. 

With Sumo Logic, we can use both existing industry feeds and our own custom feeds. Let’s look at how to add both industry and private feeds through the web UI. 



Set Up the Permissions

First, if you haven’t already, go to the administration menu and create a new role with the threat intel capabilities.




Navigate to Threat Intelligence Configuration

Now go to the Configuration menu. In the Logs section, click Threat Intelligence.


You can also just browse directly to https://service.sumologic.com/threat-intelligence.

Pre-Built Feeds

You’ll see right away that Sumo Logic already provides pre-built global threat intelligence feeds: Intel471 and CrowdStrike.

  • Intel471 provides threat intelligence focused on adversary behavior gathered from sources like the dark web and criminal forums. Its feed includes actor profiles, early warnings about planned attacks, malware and exploit kit tracking, and context-rich indicators of compromise (IOCs) tied to specific threat actors. 

  • CrowdStrike delivers intelligence derived from real-time endpoint and cloud telemetry collected via its Falcon platform. It includes high-confidence IOCs, adversary attribution, and detailed insight into tactics, techniques, and procedures (TTPs) observed during live attacks, often mapped to the MITRE ATT&CK framework. 

Together, these feeds give you a great start with a complementary view of the threat landscape: Intel471 focused on attacker intent and planning, and CrowdStrike on active execution and observed campaigns.




Adding a New Custom Indicator (BYOF)

But we don’t want to just use the pre-built feeds. We want to add our own custom indicator (and eventually feed). So let’s do that next.

There are three supported formats:

We’ll use JSON. Here’s an example:

{
 "indicators": [
   {
     "id": "0001",
     "indicator": "192.0.2.0",
     "type": "ipv4-addr",
     "source": "TAXII2Source",
     "validFrom": "2023-03-21T12:00:00.000Z",
     "validUntil": "2025-03-21T12:00:00.000Z",
     "confidence": 30,
     "threatType": "malicious-activity",
     "actors": "actor1,actor2",
     "killChain": "reconnaissance",
     "fields": {
       "kill_chain_name": "lockheed-martin-cyber-kill-chain",
       "kill_chain_phase": "reconnaissance"
     }
   },
   {
     "id": "0002",
     "indicator": "192.0.2.1",
     "type": "ipv4-addr",
     "source": "TAXII2Source",
     "validFrom": "2023-03-21T12:00:00.000Z",
     "validUntil": "2025-03-21T12:00:00.000Z",
     "confidence": 30,
     "threatType": "malicious-activity",
     "actors": "actor3,actor4",
     "killChain": "reconnaissance",
     "fields": {
       "kill_chain_name": "lockheed-martin-cyber-kill-chain",
       "kill_chain_phase": "reconnaissance"
     }
   }
 ]
}

See the Threat Intelligence Indicators documentation from Sumo Logic for more details.

Custom indicators will show up after a few minutes.




Updating Indicators

As you may have noticed, this isn’t a dynamic feed that Sumo Logic can query and refresh on its own. Instead, we created a feed that needs to be updated periodically with the latest threat intelligence.

Why a push-based model? This is quite common, and it allows Sumo Logic to maintain secure boundaries (it stores no credentials for your systems and exposes no outbound webhook or polling integration to attack) and removes any reliability risk tied to external systems. It also ensures that ingestion is deliberate, standardized, and under the organization’s control.

With the above, we can now build our own private threat intelligence feed and combine it with the industry feeds above, creating a customized feed that meets our organization’s exact needs.

Building your own feed requires a plan and careful execution. Here are some questions your plan should address:

  • What threat indicators do you want to expose to Sumo Logic?

  • Do you expose a single indicator or multiple indicators?

  • How do you collect the relevant information from your system?

  • How do you filter and prepare the data?

  • How often do you upload/update indicators?

For example, let’s say we have a periodic scan of our S3 buckets to ensure they are not public. But some S3 buckets contain public assets that should have public read access. A smart private feed can compare the list of public buckets against a whitelist and upload only the public buckets not in the list.

Once you have your answers (and indicators), you build a service that collects, filters, and uploads the indicator files to the Sumo Logic API at regular intervals (or when urgent threats are detected). Sumo Logic will combine this feed with the other selected industry feeds for a customized set of indicators for your organization. 
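As an added example (not code from the article or from Sumo Logic), here is the filter-and-prepare step of the S3 scenario above: a constructed scan result is compared against the allow list, and each unexpectedly public bucket becomes one indicator using the field names of the JSON example shown earlier. The `url` indicator type, the bucket URL form, the `source` name, and the TTL are assumptions; `anomalous-activity` is from the STIX 2.1 indicator-type vocabulary.

```python
from datetime import datetime, timedelta, timezone

# Constructed output of a periodic S3 bucket scan: bucket name -> found public?
SCAN_RESULTS = {
    "corp-static-assets": True,    # intentionally public, on the allow list
    "corp-backups-prod": True,     # public but should not be: becomes an indicator
    "corp-logs-archive": False,
    "marketing-site-media": True,  # intentionally public, on the allow list
}
ALLOW_LIST = {"corp-static-assets", "marketing-site-media"}  # meant to be public

TS_FMT = "%Y-%m-%dT%H:%M:%S.000Z"   # timestamp form used in the JSON example above
REQUIRED = ("id", "indicator", "type", "source", "validFrom", "validUntil",
            "confidence", "threatType")

def unexpected_public_buckets(scan, allow_list):
    """Public buckets that are not on the allow list, in stable order."""
    return sorted(b for b, public in scan.items() if public and b not in allow_list)

def build_indicator_file(buckets, now=None, ttl_days=7, source="S3PublicBucketScan"):
    """One indicator per unexpected bucket, using the field names of the JSON
    example above. Assumed: the "url" type and the bucket URL form.
    "anomalous-activity" is from the STIX 2.1 indicator-type vocabulary."""
    now = now or datetime.now(timezone.utc)
    indicators = []
    for i, bucket in enumerate(buckets, start=1):
        indicators.append({
            "id": f"s3-public-{now:%Y%m%d}-{i:04d}",
            "indicator": f"https://{bucket}.s3.amazonaws.com/",
            "type": "url",
            "source": source,
            "validFrom": now.strftime(TS_FMT),
            # Short window: the next scan re-asserts the bucket if it is still public.
            "validUntil": (now + timedelta(days=ttl_days)).strftime(TS_FMT),
            "confidence": 90,
            "threatType": "anomalous-activity",
            "fields": {"bucket_name": bucket, "finding": "unexpected-public-read"},
        })
    return {"indicators": indicators}

def validate_indicator_file(doc):
    """Pre-upload check: required keys present, confidence and validity window sane."""
    for ind in doc.get("indicators", []):
        if any(k not in ind for k in REQUIRED) or not 0 <= ind["confidence"] <= 100:
            return False
        if ind["validUntil"] <= ind["validFrom"]:  # fixed-width ISO strings compare as text
            return False
    return True
```

The periodic job serializes `build_indicator_file(...)` with `json.dumps` as the upload body, and should skip the upload when the indicator list is empty rather than push a no-op file.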

Integrating threat intelligence into your security operations is essential for staying ahead of rapidly evolving cyber threats. By leveraging both public and private threat intelligence feeds, we can gain a better understanding of the threat landscape. And ultimately, we can take faster, more precise action.

Have a really great day!
