Threat Intelligence Feed Collection

Overview

KYRA MDR integrates with leading threat intelligence feeds to automatically collect Indicators of Compromise (IOCs) — malicious IPs, domains, file hashes, URLs, and email addresses. These indicators are continuously correlated against your environment’s security events to detect known threats in real time.

The TI collection system operates on a scheduler-driven model: each feed is independently configured with its own sync interval, API credentials, and status tracking. The platform checks every 5 minutes for feeds that are due for synchronization and fetches new indicators automatically.

Supported Feed Types

Core Feeds (API key required)

Feed	Description	IOC Types	Free Tier
AlienVault OTX	Open Threat Exchange — community-driven IOC sharing	IP, domain, hash, URL, CVE	Free
AbuseIPDB	IP abuse reporting and blacklist	IP addresses	1,000 checks/day
VirusTotal	Multi-engine malware analysis	File hashes, URLs, domains, IPs	500 req/day
GreyNoise	IP noise classification (scanners vs targeted)	IP addresses	Community tier

abuse.ch Ecosystem (free, no API key required)

Feed	Description	IOC Types
URLhaus	Malware distribution URL tracking	URLs
ThreatFox	Community IOC sharing linked to malware families	IPs, domains, URLs, hashes
Feodo Tracker	Botnet C2 server tracking (Emotet, Dridex, QakBot)	IP addresses, ports
MalwareBazaar	Malware sample hash repository	File hashes (MD5, SHA-256)
SSL Blacklist	Malicious SSL certificate fingerprints	SSL/JA3 fingerprints

IP / Domain Reputation (free, open data)

Feed	Description	IOC Types
Emerging Threats Open	IDS rules and IP blocklists	IP addresses
Spamhaus DROP	Don’t Route Or Peer — critical IP blocklist	IP/CIDR ranges
DShield / SANS ISC	Top attacking IPs from global sensor network	IP addresses

Phishing Feeds

Feed	Description	IOC Types
PhishTank	Community-verified phishing URLs	URLs
OpenPhish	ML-detected phishing URLs	URLs

Vulnerability Intelligence

Feed	Description	IOC Types
CISA KEV	Known Exploited Vulnerabilities catalog	CVE IDs

Community Platforms

Feed	Description	IOC Types
MISP	Malware Information Sharing Platform (self-hosted or community instances)	All IOC types

Custom Feeds

Feed	Description	Format
Custom STIX	Any STIX 2.1 JSON feed URL	STIX 2.1 bundles
Custom CSV	Any CSV-formatted indicator feed	CSV with headers

How It Works

flowchart LR
    FEEDS[External Feeds] -->|API calls| SCHEDULER[Feed Scheduler]
    SCHEDULER -->|Every 5 min check| SYNC[Sync Engine]
    SYNC -->|Parse & validate| UPSERT[IOC Database]
    UPSERT -->|Correlate| ALERTS[Alert Engine]
    ALERTS -->|Enriched alerts| CONSOLE[Management Console]

Collection Flow

Configuration — Analysts configure feeds via the Management Console (Threat Intelligence → Feeds tab), providing feed type, API key, and sync interval.
Scheduling — The feed scheduler runs every 5 minutes and checks each enabled feed’s last sync time + interval. Only feeds that are due are synced.
Ingestion — For each due feed, the sync engine:
- Calls the feed’s API with the configured credentials
- Parses the response (JSON, STIX 2.1, or CSV format)
- Validates each indicator (IPv4 format, domain format, hash length, etc.)
- Upserts indicators into the tenant-scoped IOC database
Enrichment — Collected IOCs are automatically used to:
- Enrich alerts with threat context (severity, confidence, tags)
- Correlate against incoming log events for IOC-based detection
- Provide on-demand lookup results in the Management Console
Lifecycle — Each indicator has a validity window (validFrom / validUntil). Expired indicators are automatically cleaned up daily at 3:00 AM.

Feed Management

Adding a Feed

Navigate to Threat Intelligence → Feeds tab and click Add Feed:

Field	Description
Feed Name	Display name for the feed (e.g., “AlienVault OTX”)
Feed Type	Select from supported types (OTX, AbuseIPDB, VirusTotal, MISP, Custom STIX, Custom CSV)
Feed URL	Required for custom feeds; auto-configured for built-in types
API Key	Authentication key for the feed provider
Sync Interval	How often to fetch new data (15 min, 30 min, 1 hr, 6 hr, 12 hr, 24 hr)
Enabled	Toggle to activate/deactivate the feed

Feed Status

Each feed displays a real-time status:

Status	Meaning
Active (green)	Feed is enabled and last sync was successful
Syncing (yellow)	Sync is currently in progress
Error (red)	Last sync failed — check error details on the feed card
Inactive (gray)	Feed is disabled

API Key Security

API keys are never exposed in API responses or the UI
The console shows only a masked hint (e.g., ****abcd)
Keys are stored server-side and transmitted only during feed sync calls
Each feed’s credentials are scoped to the tenant

Indicator Types

The platform processes and stores the following indicator types:

Type	Example	Validation
IPv4	`185.220.101.34`	Standard dotted quad notation
Domain	`login-microsoftonline.tk`	RFC-compliant domain names
Hash (MD5)	`d41d8cd98f00b204e9800998ecf8427e`	32 hexadecimal characters
Hash (SHA-256)	`a1b2c3d4e5f6...` (64 chars)	64 hexadecimal characters
URL	`https://malware.example.com/payload`	Full URL with scheme
Email	`phishing@evil.example.com`	Email address format
CVE	`CVE-2024-3400`	CVE-YYYY-NNNN+ format

Sync Intervals & Recommendations

Feed	Recommended Interval	Rationale
OTX	1 hour	Subscribed pulses update frequently
AbuseIPDB	6 hours	Blacklist updates moderately
VirusTotal	6 hours	Rate limits on free tier
URLhaus / ThreatFox	1 hour	High-frequency community submissions
Feodo Tracker	6 hours	C2 infrastructure changes moderately
MalwareBazaar	6 hours	New samples submitted daily
SSL Blacklist	12 hours	Certificate lists update less frequently
Emerging Threats	12 hours	IP lists updated periodically
Spamhaus DROP	24 hours	DROP list is fairly stable
DShield	6 hours	Top attackers shift throughout the day
PhishTank / OpenPhish	6 hours	Phishing URLs have short lifespan
CISA KEV	24 hours	Updated as new exploits are confirmed
GreyNoise	6 hours	Scanner classifications change daily
MISP	1 hour	Event feeds can be high-volume
Custom STIX/CSV	Depends on source	Match the source’s update frequency

Note: The scheduler checks every 5 minutes, so the actual sync time may be up to 5 minutes after the interval expires.

IOC Statistics

The Threat Intelligence page provides real-time statistics:

Total IOCs — Number of active (non-expired) indicators
Critical Indicators — Count of critical-severity IOCs
Active Feeds — Number of enabled and healthy feeds
Average Confidence — Mean confidence score across all indicators

Per-feed statistics are shown on each feed card:

IOC Count — Total indicators collected from this feed
Last Sync — When the feed was last synchronized
Interval — Configured sync frequency

Caching & Performance

In-memory lookup cache with configurable TTL (default: 60 minutes)
Cache holds up to 50,000 entries with automatic eviction
Cache is cleared after every feed sync to ensure freshness
Expired cache entries are evicted every 15 minutes

Permissions

Action	Required Permission
View feeds and IOCs	`threat_intel:read`
Add/edit/delete feeds	`threat_intel:write`
Trigger manual sync	`threat_intel:write`
Add manual IOCs	`threat_intel:write`

All data is tenant-isolated — each tenant’s feeds and IOCs are completely separate.

Getting Started

Navigate to Threat Intelligence in the sidebar
Click the Feeds tab
Select a feed (e.g., AlienVault OTX) and click Edit
Enter your API key and set the desired sync interval
Toggle Enabled and save
Click Sync Now to trigger the first collection
Switch to the Indicators tab to see collected IOCs