Threat Intelligence Platform (TIP)

Lists

The Lists feature in the Threat Intelligence application allows users to create, manage, and categorize collections of IOCs (Indicators of Compromise). These lists help in organizing threat data effectively and can be used in both offensive and defensive cybersecurity workflows.


What is a List?

A List is a user-defined collection of IOCs that may include:

  • IP addresses
  • Domains
  • URLs

Each list serves a purpose, such as tracking blacklisted (malicious) or whitelisted (trusted) IOCs.


Key Features

  • IOC Collection: Add multiple IOCs of different types (IP, domain, URL) to a list.
  • Categorization: Assign each list a category such as:
    • Malware
    • Botnet
    • Phishing
    • Exploit
    • Spam
    • Whitelist
  • Expiry Days: Each list has an expiry period counted from its creation or last modification. If the list is not updated and no new IOCs are added within that period, it is flagged for review upon expiry.
  • Auto-Refresh: Adding or updating IOCs resets the expiry timer, keeping the list active.
  • Tagging & Notes (optional): Add metadata to provide context for each IOC.
  • Search & Filter: Quickly find lists and IOCs based on keywords, type, or category.
  • Reusable Lists: Use the created lists across different modules like detection, enrichment, or alerting.

Use Cases

| Use Case | Description |
|---|---|
| Blacklisting | Create a list of known malicious IOCs (e.g., botnet IPs) to block or monitor. |
| Whitelisting | Maintain trusted IOCs to reduce false positives during detection. |
| Threat Research | Curate IOCs related to a specific campaign or malware family. |
| Threat Sharing | Share categorized lists with other tools or teams. |
| Time-based Validity | Ensure lists stay up-to-date by requiring periodic updates or automatic expiry. |

Creating a List

  1. Navigate to the Lists section.
  2. Click “Create New List”.
  3. Provide the following:
    • List Name
    • Description (optional)
    • Category (e.g., Malware, Botnet, Whitelisted)
    • Expiry Days (e.g., 30 days)
  4. Add one or more IOCs:
    • Type: IP, Domain, or URL
    • Value: e.g., 192.168.0.1, malicious[.]com, http://bad.url/path
    • Tags/Notes (optional)
  5. Save the list.

Note: Adding or modifying IOCs automatically refreshes the expiry countdown.


List Visibility and Sharing

Lists in the Threat Intelligence platform can be created as either Public or Private.

Private Lists

  • Only visible to the list creator.
  • Ideal for internal threat intelligence or sensitive research.

Note: Private lists owned by an organization can be shared with individuals or other organizations.

Public Lists

  • Visible to all users on the platform.
  • Designed for community-driven intelligence sharing.
  • Can be subscribed to, liked, or disliked by the community.
  • Anyone can view and export the list for operational use (e.g., SIEMs, firewalls).

Community Features (Public Lists Only)

Public lists support community engagement through:

  • 👍 Likes and 👎 Dislikes to gauge list quality and usefulness.
  • 🔔 Subscribers who follow the list for updates and changes.
  • 📢 Created by Organization: Public lists may be published under an organization name, allowing users to trust lists from known cybersecurity groups or vendors.

Organization-owned lists can be:

  • Public: shared with everyone
  • Private: shared only with select users or trusted organizations

Adding Indicators to a List

There are three ways to add IOCs to a list:

1. Manual Entry

  • Use the “Add Indicators” interface to:
    • Input one or multiple indicators
    • Paste raw text that contains IOCs (e.g., logs, emails)
  • The system will automatically extract valid indicators from the input.

Supported formats:

  • 192.168.1.1
  • malicious[.]com
  • http://bad.url/path
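
How extraction from pasted raw text can work for the three supported formats, including defanged values such as malicious[.]com. This is an added example, not the platform's own parser; the function names and the sample text are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
IPV4_RE = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?!\.?\w)")
DOMAIN_RE = re.compile(
    r"(?<![\w.@-])(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24}(?!\.?[\w-])",
    re.I)

def refang(text):
    """Undo common defanging: hxxp -> http, [.] or (.) -> ., [:] -> :"""
    text = re.sub(r"hxxp(s?)", r"http\1", text, flags=re.I)
    text = re.sub(r"\[\.\]|\(\.\)", ".", text)
    return text.replace("[:]", ":")

def extract_iocs(raw):
    """Return de-duplicated URLs, IPv4 addresses and domains found in raw text."""
    text = refang(raw)
    found = {"url": [], "ip": [], "domain": []}

    def add(kind, value):
        if value not in found[kind]:
            found[kind].append(value)

    for m in URL_RE.finditer(text):
        url = m.group().rstrip(".,;)")           # drop sentence punctuation
        if urlsplit(url).hostname:
            add("url", url)
    rest = URL_RE.sub(" ", text)                 # do not re-count hosts inside URLs
    for m in IPV4_RE.finditer(rest):
        try:                                     # rejects octets > 255
            add("ip", str(ipaddress.IPv4Address(m.group())))
        except ValueError:
            pass
    for m in DOMAIN_RE.finditer(rest):           # lookbehind skips e-mail hosts
        add("domain", m.group().lower())
    return found

# Constructed sample input (not real telemetry).
SAMPLE = ("User clicked hxxp://bad[.]url/path in a mail sent via malicious[.]com. "
          "Proxy log: 192.168.1.1 -> 999.10.10.10, reported by soc@corp.example")

if __name__ == "__main__":
    print(extract_iocs(SAMPLE))
```

The domain pattern also matches file names such as report.pdf, so extracted values still need review before they go into a blocking list.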

2. Import via URL

  • Enter a URL that hosts or contains indicators (e.g., open feeds, pastebins, threat blogs).
  • The system will:
    • Fetch the content
    • Extract valid IOCs automatically (IP, domain, URL)
    • Add them to the list

Only trusted URLs should be used to avoid ingestion of false or malicious data.


3. Upload File (CSV/XLSX)

  • Upload an .xlsx or .csv file containing indicators.
  • The file must follow a predefined format for parsing:

Supported Format:

| Indicator | Indicator_Type | Tags | Description | tlp |
|---|---|---|---|---|
| 8.8.8.8 | IPv4 | DNS,Google | Public DNS | 1 |
| phishing-site.com | Domain | FakeLogin | Suspicious | 2 |

  • Columns should include:
    • Indicator Type: IPv4, IPv6, Domain, URL
    • Indicator: actual IOC
    • tlp (Traffic Light Protocol): number range (1 - 6)
    • (Optional): Tags, Description

Invalid rows will be skipped with an error message shown after upload.
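
A pre-upload check for the CSV format above, so rows the platform would skip are caught before the file is submitted. This is an added example, not the platform's validator; it assumes the header names shown in the sample table, and the rejected rows in the sample are constructed.

```python
import csv
import io
import ipaddress
from urllib.parse import urlsplit

REQUIRED = ("Indicator", "Indicator_Type", "tlp")  # header names assumed from the sample table

def matches_type(kind, value):
    """True if value is well-formed for the declared Indicator_Type."""
    try:
        if kind in ("IPv4", "IPv6"):
            return ipaddress.ip_address(value).version == int(kind[-1])
        if kind == "URL":
            parts = urlsplit(value)
            return parts.scheme in ("http", "https") and bool(parts.hostname)
    except ValueError:
        return False
    if kind == "Domain":
        labels = value.rstrip(".").split(".")
        return (len(labels) >= 2 and not labels[-1].isdigit() and all(
            l.isascii() and l.replace("-", "").isalnum() and len(l) <= 63
            and l[0] != "-" and l[-1] != "-" for l in labels))
    return False

def validate_rows(csv_text):
    """Return (accepted_rows, errors); errors are (line_number, message)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError("missing column(s): " + ", ".join(missing))
    accepted, errors = [], []
    for row in reader:
        kind, value, tlp = ((row[c] or "").strip()
                            for c in ("Indicator_Type", "Indicator", "tlp"))
        if not matches_type(kind, value):
            errors.append((reader.line_num, f"{value!r} is not a valid {kind or '(no type)'}"))
        elif tlp not in set("123456"):           # page states the range 1 - 6
            errors.append((reader.line_num, f"tlp {tlp!r} outside 1-6"))
        else:
            accepted.append(row)
    return accepted, errors

# Constructed sample: the page's two rows plus two rows that must be rejected.
SAMPLE_CSV = """\
Indicator,Indicator_Type,Tags,Description,tlp
8.8.8.8,IPv4,"DNS,Google",Public DNS,1
phishing-site.com,Domain,FakeLogin,Suspicious,2
8.8.8.8,IPv6,,value does not match declared type,1
http://bad.url/path,URL,,tlp out of range,7
"""
```

A Tags value that contains a comma, such as DNS,Google, has to be quoted in the CSV or it shifts the remaining columns.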


Best Practices

  • Use Add Requests for collaboration while maintaining list integrity.
  • Periodically review and audit submitted requests and indicator sources.
  • Make use of automated scraping and file uploads for bulk ingestion and feed processing.

Exporting Lists

Lists can be exported as files or through a link to integrate with external systems. Exporting enables:

  • Firewall ingestion (e.g., blocking IPs/domains)
  • SIEM or SOAR automation
  • Threat hunting tools
  • Custom scripts and enrichment pipelines

How It Works:

  1. Select an IOC list from IOC's List.
  2. Select Export, then choose one of the options in the dropdown: "Export CSV / XLSX / Link".

False Positive Reporting

To ensure accuracy, users can report false positives on IOCs within public or shared lists.

How It Works:

  1. Select Indicator(s) you believe are false positives.

  2. Click “Report False Positive”.

  3. Your report will appear in the False Positives tab under the list.

  4. A discussion thread allows all collaborators (users/orgs) to:

    • Review context
    • Provide evidence
    • Discuss the indicator’s legitimacy
  5. A decision is then made to either:

    • Retain the IOC
    • Remove or modify the IOC

This collaborative approach helps reduce false detections and improves list quality.


Add Request System (For Shared Lists)

Shared lists (private lists shared with users or organizations) support a collaborative feature called Add Requests.

This allows external users or organizations with access to the list to suggest indicators to be added, without modifying the list directly.

How It Works:

  1. Navigate to a shared list you have access to.

  2. Click "Add Request".

  3. Submit one or more indicators (IPs, domains, URLs).

  4. Optionally, provide:

    • Tags or categories
    • Context or description
    • Source of the IOC
  5. The list owner/admin will receive a notification and can:

    • Approve and add to the list
    • Reject the request

Only shared users can submit Add Requests. Public lists do not support this feature currently.


Summary of List Capabilities

| Feature | Private Lists | Public Lists |
|---|---|---|
| Visibility | Creator / Org only | Everyone |
| Sharing | Specific users/orgs | Not required |
| Export as CSV | ✅ Yes | ✅ Yes |
| Likes/Dislikes | ❌ No | ✅ Yes |
| Subscribers | ❌ No | ✅ Yes |
| Organization Ownership | ✅ Yes | ✅ Yes |
| False Positive Reporting | ✅ If shared | ✅ Yes |