🎉 ThreatConnect® 7.12 is now available! We love customer feedback. Write a review of ThreatConnect and we'll give you up to $50 as a thank-you gift!

The Feed Explorer

  • Updated on May 5, 2026
  • Published on Aug 5, 2022
  • 5 minute(s) read
Prev Next

Overview

Intelligence feeds are structured data pipelines for ingesting Indicators (e.g., IP addresses, domains, file hashes, URLs) and Groups that help users evaluate the distinct value and quality of various threat intelligence data.

The Feed Explorer displays active and inactive open-source intelligence (OSINT) and CAL feeds on your ThreatConnect® instance, along with CAL™-derived metrics and a report card for each feed that compares its performance to aggregated data. System Administrators can use these metrics to determine which feeds they want to activate on their ThreatConnect instance.

Before You Start

User Roles

  • To view the Feed Explorer, your user account can have any Organization role.
  • To view and activate feeds on the Feeds tab of the TC Exchangeâ„¢ Settings screen, your user account must have a System role of Administrator.

Prerequisites

To calculate feed metrics, enable CAL for your ThreatConnect instance and in your Organization:

  • To enable CAL for your ThreatConnect instance, select the CALEnabled checkbox on the Settings tab of the System Settings screen (must be a System Administrator to perform this action).
  • To enable CAL in your Organization, edit your Organization on the Organizations tab of the Account Settings screen and select the Enable CAL Data checkbox on the Permissions tab of the Organization Information window (must be a System Administrator, Operations Administrator, or Accounts Administrator to perform this action).

Accessing the Feed Explorer

To access the Feed Explorer, do one of the following:

  • From the Automation & Feeds dropdown on the top navigation bar, select Feed Explorer.
  • (System Administrators only) From the SettingsSettings iconmenu on the top navigation bar, select TC Exchange Settings, and then select the Feeds tab.
  • While viewing a dashboard, click the Owners dropdown at the upper left, and then click Feed Explorer.

Viewing Feeds

The Feed Explorer (Figure 1) displays all active OSINT and CAL feeds on your ThreatConnect instance by default. To display both active and inactive feeds, turn off the Display Active Only toggle.

Note
If no feeds have been activated, the Feed Explorer will display all inactive feeds by default.

Figure 1_The Feed Explorer_7.12.1

 

The Feed Explorer displays the following information for each feed:

  • Name: The name of the feed. The color-coded dot next to the feed’s name indicates its reliability and uniqueness, where a green dot indicates high reliability and uniqueness and a red dot indicates low reliability and uniqueness.
  • Description: The description of the feed.
  • Unique Indicators: The percentage of Indicators unique to the feed across all CAL-monitored sources. The Unique Indicators percentage uses the following color coding
    • Green: The percentage is greater than or equal to 77%.
    • Gray: The percentage is less than 77% and greater than 21%.
    • Red: The percentage is less than or equal to 21%.
      Example
      A Unique Indicators value of 28% means that 28% of the Indicators in the feed are not present in any other CAL-monitored feed.
  • Daily Indicators: The number of Indicators that the feed ingests every 24 hours.
  • 90 Day Total: The number of Indicators that the feed ingested over the past 90 days.
  • Report Card: Click the Feed Report Card iconicon to display the feed’s report card.
  • Active: Indicates whether the feed is active (Orange%20checkmark%20icon_The%20Feed%20Explorer_7.3.1) or inactive (blank).
Note
If a feed is retired, the values in the Daily Indicators and 90 Day Total columns on the Feed Explorer will be --.

Activating Feeds

Follow these steps to activate a feed in ThreatConnect:

  1. From the SettingsSettings iconmenu on the top navigation bar, select TC Exchange Settings.
  2. Select the Feeds tab, and then locate the feed you want to activate.
    Hint
    You can review each feed’s report card to assess which feeds provide the most relevant data for your requirements.
  3. Turn on the toggle in the Active column for the feed.  

Feed Report Cards

While viewing the Feed Explorer, you can click the Feed Report Card icon icon in the Report Card column to display a feed's report card (Figure 2).

Figure 2_The Feed Explorer_7.12

 

A feed’s report card displays the following information:

  • Common Classifiers: A list of CAL Classifiers that apply to the feed.
  • Unique Indicators: This metric indicates the percentage of Indicators unique to the feed across all CAL-monitored sources. This metric helps determine which feeds have unique data and reduces the chance of enabling feeds with duplicate data. 
  • First Reported: This metric is a measure of how often the feed is the first one to report a particular Indicator when that Indicator is observed in other feeds as well. This is important when determining which feeds are appropriate for your cyber threat intelligence (CTI) collections. 
  • Scoring Disposition: This metric is a weighted average of the CAL Global Threat Score for Indicators in the feed. Each Indicator’s CAL Global Threat Score measures how important the Indicator is for triage prioritization on a scale of 0 (low) to 1000 (critical).
  • Classifier Coverage: This metric indicates the percentage of Indicators in the feed that have at least one CAL Classifier. It is a measure of how well existing analytics can qualitatively interpret the data from the feed.
  • Indicator Status Coverage: This metric indicates the percentage of Indicators in the feed that have a definitive Indicator Status set by CAL. It is a measure of how conclusively CAL’s analytics can provide quantitative statements of the data from the feed.
  • Daily Indicators: This metric is a sparkline depiction of the number of Indicators that the feed ingested daily over the last 30 days.

The Unique Indicators, First Reported, Scoring Disposition, Classifier Coverage, and Indicator Status Coverage metrics use the following visual elements to put the feed’s data in context with other feeds:

  • Horizontal Black Line: The horizontal black line represents the metric value for the feed (that is, the value displayed to the right of the bullet graph).
    Example
    In Figure 2, the black line for the Unique Indicators metric represents a value of 99%, where the left side of the chart is a value of 0% and the right side of the chart is a value of 100%.
  • Vertical Orange Line: The vertical orange line represents the target value of the metric across all feeds. The target value is calculated by CAL for each specific metric.
    Example
    In Figure 2, the Unique Indicators value of 99% for abuse.ch URL Haus is more than the target value of this metric across all feeds. This indicates that, on average, abuse.ch URL Haus provides a larger number of unique Indicators than other feeds do.
  • Colored Bands: The red, yellow, and green bands represent algorithmically-derived segments of each quality compared across all OSINT feeds. Red signifies a bad performance range, yellow a medium range, and green a good range.
    Example
    In Figure 2, the Unique Indicators value of 99% falls in the good range, while the Classifier Coverage value of 14% falls in the bad range.

ThreatConnect® is a registered trademark, and TC Exchange™ and CAL™ are trademarks, of ThreatConnect, Inc.

20104-01 v.04.B

Related articles
Company
Sales and Support
Follow Us
© 2012–2024 ThreatConnect, Inc. All Rights Reserved.