The Lists feature in the Threat Intelligence application allows users to create, manage, and categorize collections of IOCs (Indicators of Compromise). These lists help in organizing threat data effectively and can be used in both offensive and defensive cybersecurity workflows.
A List is a user-defined collection of IOCs that may include:
Each list serves a purpose, such as tracking blacklisted (malicious) or whitelisted (trusted) IOCs.
Use Case | Description |
---|---|
Blacklisting | Create a list of known malicious IOCs (e.g., botnet IPs) to block or monitor. |
Whitelisting | Maintain trusted IOCs to reduce false positives during detection. |
Threat Research | Curate IOCs related to a specific campaign or malware family. |
Threat Sharing | Share categorized lists with other tools or teams. |
Time-based Validity | Ensure lists stay up-to-date by requiring periodic updates or automatic expiry. |
192.168.0.1, malicious[.]com, http://bad.url/path
Note: Adding or modifying IOCs automatically refreshes the expiry countdown.
Lists in the Threat Intelligence platform can be created as either Public or Private.
Note: Private lists owned by an organization can be shared with individuals or other organizations.
Public lists support community engagement through:
Organization-owned lists can be:
- Public: shared with everyone
- Private: shared only with select users or trusted organizations
There are three ways to add IOCs to a list:
Supported formats:
192.168.1.1
malicious[.]com
http://bad.url/path
Only trusted URLs should be used to avoid ingestion of false or malicious data.
.xlsx or .csv file containing indicators.
Indicator Tags Description tlp
Indicator | Indicator_Type | Tags | Description | tlp |
---|---|---|---|---|
8.8.8.8 | IPv4 | DNS,Google | Public DNS | 1 |
phishing-site.com | Domain | FakeLogin | Suspicious | 2 |
- Indicator Type: IPv4, IPv6, Domain, URL
- Indicator: actual IOC
- tlp (Traffic Light Protocol): number range (1 - 6)
- Tags, Description
Invalid rows will be skipped with an error message shown after upload.
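A pre-upload check for the file format described above, as an added example that is not the platform's own code. The column names, indicator types and tlp range come from the page; the domain syntax check, the http/https restriction, the acceptance of defanged `[.]` and the error wording are assumptions.

```python
import csv
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed hostname syntax; the page does not say how the platform checks domains.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
TLP_VALUES = set("123456")  # page: tlp is a number in the range 1 - 6

def indicator_ok(value, ioc_type):
    """True if value parses as the declared Indicator_Type (IPv4, IPv6, Domain, URL)."""
    value = value.replace("[.]", ".")  # assumption: defanged dots are accepted
    try:
        if ioc_type in ("IPv4", "IPv6"):
            return ipaddress.ip_address(value).version == int(ioc_type[-1])
        if ioc_type == "URL":
            parts = urlsplit(value)
            return parts.scheme in ("http", "https") and bool(parts.hostname)
    except ValueError:  # malformed address or URL
        return False
    return ioc_type == "Domain" and bool(DOMAIN_RE.match(value))

def validate_rows(csv_text):
    """Return (valid_rows, errors); errors are (file_line_number, reason) tuples."""
    valid, errors = [], []
    reader = csv.DictReader(csv_text.splitlines())
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        ioc = (row.get("Indicator") or "").strip()
        ioc_type = (row.get("Indicator_Type") or "").strip()
        tlp = (row.get("tlp") or "").strip()
        if not indicator_ok(ioc, ioc_type):
            errors.append((line_no, f"{ioc!r} is not a valid {ioc_type or 'indicator'}"))
        elif tlp not in TLP_VALUES:
            errors.append((line_no, f"tlp {tlp!r} is outside 1-6"))
        else:
            valid.append(row)
    return valid, errors

# Constructed sample: the first two rows are the page's table, the rest are made up.
SAMPLE = """Indicator,Indicator_Type,Tags,Description,tlp
8.8.8.8,IPv4,"DNS,Google",Public DNS,1
phishing-site.com,Domain,FakeLogin,Suspicious,2
999.1.1.1,IPv4,,bad octet,1
2001:db8::1,IPv4,,type mismatch,2
malicious[.]com,Domain,,tlp out of range,9
"""

if __name__ == "__main__":
    print(validate_rows(SAMPLE)[1])
```

Running the check before upload surfaces type mismatches (an IPv6 address declared as IPv4) and out-of-range tlp values that would otherwise be silently dropped as skipped rows.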
Lists can be exported as files or through a link to integrate with external systems. Exporting enables:
To ensure accuracy, users can report false positives on IOCs within public or shared lists.
Select Indicator(s) you believe are false positives.
Click “Report False Positive”.
Your report will appear in the False Positives tab under the list.
A discussion thread allows all collaborators (users/orgs) to:
A decision is then made to either:
This collaborative approach helps reduce false detections and improves list quality.
Shared lists (private lists shared with users or organizations) support a collaborative feature called Add Requests.
This allows external users or organizations with access to the list to suggest indicators to be added, without modifying the list directly.
Navigate to a shared list you have access to.
Click "Add Request".
Submit one or more indicators (IPs, domains, URLs).
Optionally, provide:
The list owner/admin will receive a notification and can:
Only shared users can submit Add Requests. Public lists do not support this feature currently.
Feature | Private Lists | Public Lists |
---|---|---|
Visibility | Creator / Org only | Everyone |
Sharing | Specific users/orgs | Not required |
Export as CSV | ✅ Yes | ✅ Yes |
Likes/Dislikes | ❌ No | ✅ Yes |
Subscribers | ❌ No | ✅ Yes |
Organization Ownership | ✅ Yes | ✅ Yes |
False Positive Reporting | ✅ If shared | ✅ Yes |