█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Threat Intelligence/Threat Feeds and ISACs
40 minIntermediate

Threat Feeds and ISACs

After this lesson, you will be able to: Distinguish IOCs from IOAs, name the major ISACs and threat-intel platforms, and ingest a free feed into a SIEM or detection workflow.

Knowing about a threat is half the job. Operationalising the knowledge, getting IoCs into your detection tools automatically, is the other half. This lesson covers what an ISAC is, how to consume threat feeds, and the distinction between indicators and behaviours.

Prerequisites:Threat Intelligence Report Writing

IoC vs IoA

Indicator of Compromise (IoC), an artefact that suggests an intrusion happened. A hash, an IP, a domain, a file path, a registry key. Indicator of Attack (IoA), a behaviour that suggests an intrusion is happening. PowerShell with -enc, scheduled tasks calling .ps1 from %TEMP%, suspicious child processes from Word. IoCs decay fast (attackers rotate infrastructure); IoAs are more durable because they encode tradecraft. Mature CTI programs prioritise IoAs over IoCs and treat IoCs as a complement, not the deliverable.

What an ISAC is

An ISAC (Information Sharing and Analysis Center) is an industry-specific group that pools threat intelligence among members. Financial Services ISAC (FS-ISAC), Healthcare ISAC (H-ISAC), Energy ISAC (E-ISAC), Multi-State ISAC (MS-ISAC, free for state/local government), Aviation ISAC, IT-ISAC. Membership is usually paid or eligibility-restricted. Most ISACs share IoCs, sector advisories, and run regular calls. If you work in a regulated industry, ISAC membership is often the most actionable feed you can get.

Free feeds worth ingesting

CISA's Automated Indicator Sharing (AIS), free, STIX/TAXII format. AlienVault Open Threat Exchange (OTX), free, community-contributed pulses. Pivot from one indicator into related actor/campaign. Abuse.ch (URLhaus, Feodo Tracker, ThreatFox), feeds for hostile URLs, banking trojan C2s, and IoCs. VirusTotal Intelligence (paid) or LiveHunt (paid feature on commercial accounts), advanced retro-hunt capability. MISP (open-source), platform you run yourself for ingesting + redistributing feeds.

Ingest a free feed into Splunk

Pick one feed, wire it into your Splunk Free instance.

  1. 1

    Sign up for AlienVault OTX (free account); generate an API key

  2. 2

    In Splunk, install the OTX add-on from Splunkbase (free)

  3. 3

    Configure the add-on with your API key; select 2-3 pulses to start (don't ingest the firehose)

  4. 4

    Wait for the index to populate; query: index=otx | stats count by indicator_type

  5. 5

    Write a correlation: 'index=mylogs sourcetype=stream:dns [search index=otx indicator_type=domain | fields domain]' to alert when a logged DNS query matches an OTX domain

  6. 6

    Document the workflow as a runbook so an analyst can act when the alert fires

💡 Feeds without action are theatre

Ingesting a feed feels productive but produces nothing if no one acts on the matches. Pair every feed with: (a) a SIEM rule that alerts on match, (b) a runbook for the analyst, (c) a feedback loop so false positives narrow over time. Otherwise the feed becomes alert noise and the SOC mutes the source.

Common mistakes only experienced CTI analysts catch

Subscribing to too many feeds. Two well-tuned feeds beats ten noisy ones. Treating feed entries as actionable without context. An IP in a feed might be Cloudflare's shared infrastructure; act on that and you'll block a benign service. Always verify with the four-tool OSINT workflow before blocking. Skipping feed expiry. IoCs decay; an IP that was C2 last year may be a legitimate VPS today. Age out indicators automatically. Forgetting attribution. A feed entry without 'why this is malicious' is unusable. Track every IoC with its source rationale.

Quick Check

Which is more durable defence: IoC or IoA?

Pick the one that survives the actor's infrastructure rotation.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←Writing a Threat Intelligence Report
Back to Threat Intelligence
Threat Intelligence Resources and Next Steps→