IOC Feeds
Defend ingests indicators of compromise (IOCs) from multiple threat intelligence feeds and matches them against your endpoint telemetry in real time. When an endpoint communicates with a known-bad IP, resolves a malicious domain, or executes a file with a known-bad hash, Defend generates a detection.
Built-In Feeds
| Feed | Source | Indicator Types | Confidence | Update Frequency |
|---|---|---|---|---|
| MalwareBazaar | abuse.ch | SHA256 file hashes | 90 | Every 6 hours |
| ThreatFox | abuse.ch | IPs, domains, hashes, URLs | 70 | Every 6 hours |
| URLhaus | abuse.ch | Malicious domains and URLs | 70 | Every 6 hours |
| AlienVault OTX | AlienVault | Hashes, IPs, domains, URLs | 75 | Every 6 hours |
| VirusTotal | VirusTotal | Hash lookups (on-demand) | 0–100 | On-demand (rate-limited) |
| MSP Collective | Cross-MSP intelligence | Hashes, IPs, domains | Varies | Continuous |
How IOC Matching Works
- IOC feeds refresh every 6 hours and populate the IOC cache (Cosmos DB with 24-hour TTL) and the ThreatIntel table in ADX
- Detection rules query telemetry against the IOC dataset
- When a match is found — e.g., a process connects to an IP listed in ThreatFox — a detection is created
- The detection includes the IOC source, confidence score, and the telemetry event that matched
IOC-Specific Detection Rules
- IOC-001 — File hash match (process executed with a hash in the blocklist)
- IOC-002 — Network IOC match (connection to a known-bad IP or domain)
- IOC-003 — URL IOC match (HTTP request to a known-malicious URL)
Feed Deduplication
IOCs are deduplicated across feeds using a composite ID: source-ioc_type-ioc_value. If the same IP appears in both ThreatFox and OTX, both entries are stored but only one detection fires per match. The detection references all sources that flagged the indicator.
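The cache-and-match flow above and the composite-ID deduplication can be seen end to end in the following added example. It is not Defend's own code: it builds an in-memory index from constructed feed records shaped like the built-in feeds, skips entries whose composite ID (source-ioc_type-ioc_value) was already stored, and matches constructed telemetry events against the index so that one detection per matched indicator names every source that flagged it. The telemetry field names, the rule-ID mapping and the choice of the highest source confidence for the detection are assumptions, not Defend's schema.

```python
"""Added example (not Defend's own code): index indicators from several feeds,
collapse duplicate composite IDs, and match telemetry events against the index,
emitting one detection per matched indicator that lists every flagging source."""

# Constructed sample feed records shaped like the built-in feeds in the table
# above; indicator values are made up (documentation IP ranges, dummy hashes).
FEED_RECORDS = [
    {"source": "ThreatFox", "ioc_type": "ip", "ioc_value": "203.0.113.7", "confidence": 70},
    {"source": "AlienVault OTX", "ioc_type": "ip", "ioc_value": "203.0.113.7", "confidence": 75},
    {"source": "ThreatFox", "ioc_type": "ip", "ioc_value": "203.0.113.7", "confidence": 70},  # repeated pull
    {"source": "MalwareBazaar", "ioc_type": "sha256", "ioc_value": "A" * 64, "confidence": 90},
    {"source": "URLhaus", "ioc_type": "domain", "ioc_value": "Malicious.Example.", "confidence": 70},
]

# Assumed mapping from indicator type to the rule IDs listed on the page.
RULE_FOR_TYPE = {"sha256": "IOC-001", "ip": "IOC-002", "domain": "IOC-002", "url": "IOC-003"}

# Assumed telemetry schema: event type -> (field name, indicator type) pairs.
EVENT_FIELDS = {
    "ProcessCreate": [("sha256", "sha256")],
    "NetworkConnect": [("remote_ip", "ip"), ("remote_domain", "domain")],
    "HttpRequest": [("url", "url")],
}

def normalize(ioc_type, value):
    """Canonical form so feed and telemetry spellings compare equal: hashes and
    domains are case-folded and a trailing dot on a domain is dropped."""
    v = value.strip()
    if ioc_type in ("sha256", "domain"):
        v = v.lower().rstrip(".")
    return v

def composite_id(rec):
    """The page's composite ID: source-ioc_type-ioc_value."""
    return f"{rec['source']}-{rec['ioc_type']}-{normalize(rec['ioc_type'], rec['ioc_value'])}"

def build_index(records):
    """Return {(ioc_type, value): {source: confidence}}. Records whose composite
    ID was already seen are skipped; the same indicator reported by different
    sources keeps every source."""
    seen, index = set(), {}
    for rec in records:
        cid = composite_id(rec)
        if cid in seen:
            continue
        seen.add(cid)
        key = (rec["ioc_type"], normalize(rec["ioc_type"], rec["ioc_value"]))
        index.setdefault(key, {})[rec["source"]] = rec["confidence"]
    return index

def match_events(index, events):
    """One detection per matched indicator, carrying the rule, every source that
    flagged it, the highest source confidence (an assumption) and the event."""
    detections = []
    for ev in events:
        for field, ioc_type in EVENT_FIELDS.get(ev["type"], []):
            if field not in ev:
                continue
            key = (ioc_type, normalize(ioc_type, ev[field]))
            sources = index.get(key)
            if sources:
                detections.append({
                    "rule": RULE_FOR_TYPE[ioc_type],
                    "indicator": key[1],
                    "sources": sorted(sources),
                    "confidence": max(sources.values()),
                    "event": ev,
                })
    return detections

# Constructed telemetry events; only three of them touch an indexed indicator.
SAMPLE_EVENTS = [
    {"type": "NetworkConnect", "host": "ws-01", "remote_ip": "203.0.113.7"},
    {"type": "ProcessCreate", "host": "ws-02", "sha256": "a" * 64},
    {"type": "NetworkConnect", "host": "ws-03", "remote_ip": "198.51.100.9", "remote_domain": "MALICIOUS.example"},
    {"type": "HttpRequest", "host": "ws-04", "url": "http://benign.example/index.html"},
]

if __name__ == "__main__":
    for d in match_events(build_index(FEED_RECORDS), SAMPLE_EVENTS):
        print(d["rule"], d["indicator"], d["sources"], d["confidence"], d["event"]["host"])
```

Running it yields three detections: the ThreatFox/OTX IP fires once with both sources attached rather than twice, and the hash and domain match despite differing case and the trailing dot in the feed entry. Normalization before indexing is what keeps a cosmetically different spelling of the same indicator from slipping past the match.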
Adding Custom IOC Feeds
To add your own threat intelligence:
- Navigate to Settings → IOC Feeds → Custom Feeds
- Provide the feed URL (must return CSV or JSON with hash/IP/domain/URL fields)
- Set the confidence score and refresh interval
- Defend begins ingesting and matching against your custom indicators
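A custom feed is only useful if every value it delivers is a well-formed indicator of a known type. The following added example, which is not Defend's ingestion code, takes a feed body in either of the two accepted shapes (CSV with a header row, or JSON as a list of objects or an object with a data array) and normalizes it into records with the same fields as the built-in feeds, rejecting anything that is not a valid hash, IP address, domain or http(s) URL. The accepted column names, the JSON envelope and the validation rules are assumptions; fetching the body from the configured feed URL is left to the caller so the example runs offline on constructed input.

```python
"""Added example (not Defend's own code): normalize a custom CSV or JSON feed
body into indicator records, validating each value by indicator type."""
import csv
import io
import ipaddress
import json
import re
from urllib.parse import urlparse

# Hash digest lengths in hex characters (assumed set of accepted hash types).
HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
# Hostname syntax: dotted labels, letters-only TLD, 253 chars max.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
# Column / key names that may carry an indicator (assumption).
FIELD_NAMES = ("hash", "sha256", "sha1", "md5", "ip", "domain", "url", "indicator", "value")

def classify(value):
    """Return (ioc_type, normalized_value) or None when the value fits no type."""
    v = value.strip()
    if not v:
        return None
    low = v.lower()
    if re.fullmatch(r"[0-9a-f]+", low) and len(low) in HEX_LEN:
        return HEX_LEN[len(low)], low
    try:
        return "ip", str(ipaddress.ip_address(v))
    except ValueError:
        pass
    if "://" in v:
        parts = urlparse(v)
        return ("url", v) if parts.scheme in ("http", "https") and parts.netloc else None
    host = low.rstrip(".")
    return ("domain", host) if DOMAIN_RE.match(host) else None

def parse_feed(body, source, confidence):
    """Parse a CSV or JSON feed body. Returns (records, rejected_values)."""
    body = body.strip()
    if body.startswith(("[", "{")):
        data = json.loads(body)
        rows = data.get("data", [data]) if isinstance(data, dict) else data
    else:
        rows = list(csv.DictReader(io.StringIO(body)))
    records, rejected = [], []
    for row in rows:
        if not isinstance(row, dict):
            rejected.append(row)
            continue
        for field in FIELD_NAMES:
            raw = row.get(field)
            if not raw:
                continue
            found = classify(str(raw))
            if found is None:
                rejected.append(raw)
                continue
            records.append({"source": source, "ioc_type": found[0],
                            "ioc_value": found[1], "confidence": confidence})
    return records, rejected

# Constructed feed bodies: one CSV, one JSON, each with a value that must be rejected.
SAMPLE_CSV = """indicator,notes
203.0.113.7,seen in constructed sample
Malicious.Example.,constructed sample
not an ioc,garbage row
"""
SAMPLE_JSON = json.dumps({"data": [
    {"sha256": "B" * 64},
    {"url": "http://bad.example/x.php"},
    {"ip": "999.1.1.1"},
]})

if __name__ == "__main__":
    for body in (SAMPLE_CSV, SAMPLE_JSON):
        recs, bad = parse_feed(body, "my-custom-feed", 60)
        print([(r["ioc_type"], r["ioc_value"]) for r in recs], "rejected:", bad)
```

Rejected values should be surfaced to the feed owner rather than silently dropped: a feed that starts emitting malformed rows is an early sign that its format changed or that the source itself is unreliable, and indicators that were never validated should not reach the matching index.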
Reporting False Positives
If a legitimate service is flagged by an IOC feed:
- Open the detection
- Click Report False Positive
- Specify whether to suppress this IOC for your organization only or report it to the feed provider
- The IOC is excluded from future matching for your organization
ℹ️ False positive reports for built-in feeds are aggregated. If multiple Defend customers report the same IOC as a false positive, it is automatically reviewed and may be removed from the feed.
VirusTotal Integration
VirusTotal lookups work differently from bulk feeds:
- Hashes are submitted on-demand during investigations or when a process hash isn't in any feed
- Rate-limited to 4 requests per minute (free tier)
- Results are cached in the IOC cache for 24 hours
- Confidence score maps directly from VirusTotal's detection ratio
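The three constraints above (on-demand only, 4 requests per minute, 24-hour cache) combine into a small wrapper, shown here as an added example that is not Defend's integration code. The VirusTotal call itself is injected as a function so the example runs offline against a constructed response; the sliding-window limiter, the deferred status returned when the budget is exhausted, and the mapping of the detection ratio to a 0-100 score (malicious verdicts over all verdicts, rounded) are assumptions about how such a wrapper could behave, not a description of Defend's internals.

```python
"""Added example (not Defend's own code): on-demand hash lookup with a
4-per-minute sliding window, a 24-hour result cache, and a 0-100 confidence
derived from the detection ratio. The lookup is injected so this runs offline."""
import time
from collections import deque

RATE_LIMIT = 4            # requests per window (free-tier figure from the page)
WINDOW_SECONDS = 60.0
CACHE_TTL_SECONDS = 24 * 3600

def ratio_to_confidence(stats):
    """Assumed mapping: malicious verdicts over all verdicts, scaled to 0-100.
    Returns None when no engine returned a verdict."""
    total = sum(stats.values())
    if total == 0:
        return None
    return round(100 * stats.get("malicious", 0) / total)

class OnDemandLookup:
    def __init__(self, lookup_fn, clock=time.monotonic):
        self.lookup_fn = lookup_fn   # sha256 -> verdict counts, e.g. {"malicious": n, "undetected": m}
        self.clock = clock
        self.cache = {}              # sha256 -> {"confidence": int|None, "at": timestamp}
        self.recent = deque()        # timestamps of lookups inside the current window

    def _budget_available(self, now):
        while self.recent and now - self.recent[0] >= WINDOW_SECONDS:
            self.recent.popleft()
        return len(self.recent) < RATE_LIMIT

    def confidence(self, sha256):
        """Return (confidence, status); status is 'cache', 'lookup' or 'deferred'.
        A deferred hash must be queued and retried once the window frees up."""
        key = sha256.lower()
        now = self.clock()
        hit = self.cache.get(key)
        if hit is not None and now - hit["at"] < CACHE_TTL_SECONDS:
            return hit["confidence"], "cache"
        if not self._budget_available(now):
            return None, "deferred"
        self.recent.append(now)
        conf = ratio_to_confidence(self.lookup_fn(key))
        self.cache[key] = {"confidence": conf, "at": now}
        return conf, "lookup"

class FakeClock:
    """Constructed clock so the window and TTL can be advanced deterministically."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t

def fake_vt(sha256):
    """Constructed stand-in for the VirusTotal call: 45 of 60 engines flag it."""
    return {"malicious": 45, "undetected": 15}

if __name__ == "__main__":
    clock = FakeClock()
    lookup = OnDemandLookup(fake_vt, clock)
    for h in ["a" * 64, "A" * 64, "b" * 64, "c" * 64, "d" * 64, "e" * 64]:
        print(h[:8], lookup.confidence(h))   # the sixth distinct-or-not call is deferred
    clock.t += 61
    print("after 61s:", lookup.confidence("e" * 64))
```

The deferred status is the important edge: when the free-tier budget is spent, the caller has to queue the hash and come back, not drop it, otherwise the one process whose hash was in no bulk feed is exactly the one that never gets a verdict. Case-folding the hash before the cache lookup keeps a re-submitted upper-case hash from burning a second request.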
Next Steps
- Cross-MSP Intelligence — How the Collective feed works
- Detection Rules — IOC rules alongside behavioral and signature rules
- Threat Investigation — IOC indicators in the investigation workspace