Configuring the ThreatLIST SIEM service

Overview

ThreatLIST provides SIEM enrichment options for network, security, and incident response professionals.

Our database of IP addresses and domain IOCs can be used to enhance research and forensics, local reporting and network traffic correlation, and as a data enrichment tool for SIEM software (Splunk, QRadar, ArcSight, LogRhythm…).

ThreatSTOP’s ThreatLIST allows you to consume dynamically updated information about the threats targeting, or already present within, your network.

ThreatLIST is easily configured to:

  • Include the security policy categories meaningful to you.
  • Integrate with your existing hardware and software platforms.
  • Contain the desired historical and contextual metadata about IOCs.

Access to this feature

Access to this feature must be enabled in your product plan. Please contact your ThreatSTOP representative if your current plan doesn’t include it.

Data Formats

ThreatSTOP SIEM integration is available in Splunk, Suricata and Domain-Only formats.

  • Splunk files are in CSV format with the following headers:
    "IOC","Category","SubCategory","Severity","FirstSeen","LastSeen","Geo","IOC Type"
    
  • The Geo field is ISO-8859 encoded. All other fields are 7-bit ASCII. Decode the file with a single-byte ISO-8859 codec rather than UTF-8, which may fail or garble non-ASCII Geo values.

  • Suricata files are formatted with one IoC per line. The default line format is:
    alert ip [%ioc] any -> any (msg: "[%blocker_desc %blocker_type]"; priority: %priority; sid: %sid;)
    The whole options group (msg, priority and sid) sits inside one pair of parentheses and every option, including the last, ends with a semicolon; Suricata rejects a line that closes the group early.

  • Domain-Only files are formatted with one IoC per line containing only the domain. This format only works for DNS Defense policies with domain IoCs.
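The following is an added example (not ThreatSTOP code) showing how to consume the Splunk CSV format described above: it decodes the file with a single-byte codec so the Geo field survives, checks the header row, indexes the IoCs, and correlates them against a few log lines, including a DNS query whose hostname is a subdomain of a listed domain. The feed rows and log lines are constructed for illustration, and latin-1 is assumed as the ISO-8859 part.

```python
"""Parse a ThreatLIST Splunk-format CSV and correlate it with log lines.

Added example, not ThreatSTOP code. Assumptions:
  * the header row documented above;
  * Geo is single-byte ISO-8859 text, so the whole file is decoded as
    latin-1 (never fails on single-byte input; substitute the exact
    ISO-8859 part if your feed specifies one);
  * the feed rows and log lines below are constructed for illustration.
"""
import csv
import io
import ipaddress
import re

EXPECTED_HEADERS = ["IOC", "Category", "SubCategory", "Severity",
                    "FirstSeen", "LastSeen", "Geo", "IOC Type"]

# Constructed sample feed. Note the raw 0xF1 byte in the Geo field.
SAMPLE_FEED = (
    b'"IOC","Category","SubCategory","Severity","FirstSeen","LastSeen","Geo","IOC Type"\r\n'
    b'"203.0.113.7","Botnet","C2","9","2024-03-01 00:00","2024-03-09 12:00","Espa\xf1a","ip"\r\n'
    b'"bad.example.net","Phishing","Credential harvesting","7","2024-03-05 00:00","2024-03-09 11:00","DE","domain"\r\n'
)

# Constructed sample log lines (firewall and DNS resolver).
SAMPLE_LOGS = [
    "2024-03-09T12:01:05Z fw01 allow src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2024-03-09T12:01:07Z dns01 query client=10.0.0.9 qname=login.bad.example.net type=A",
    "2024-03-09T12:01:09Z fw01 allow src=10.0.0.5 dst=192.0.2.44 dport=443",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def parse_threatlist(raw: bytes) -> list[dict]:
    """Decode the feed and return one dict per IoC row, header-checked."""
    reader = csv.DictReader(io.StringIO(raw.decode("latin-1")))
    if reader.fieldnames != EXPECTED_HEADERS:
        raise ValueError(f"unexpected headers: {reader.fieldnames}")
    return list(reader)


def build_index(rows: list[dict]) -> dict:
    """Map each IoC (domains lower-cased) to its record for O(1) lookup."""
    return {row["IOC"].strip().lower(): row for row in rows}


def _lookup_keys(token: str):
    """Yield the keys to try for a token: the IP itself, or a host and its parent domains."""
    try:
        yield str(ipaddress.ip_address(token))
        return
    except ValueError:
        pass
    labels = token.lower().split(".")
    for i in range(len(labels) - 1):        # stop before the bare TLD
        yield ".".join(labels[i:])


def correlate(index: dict, log_lines: list[str]) -> list[tuple]:
    """Return (line_no, matched_ioc, record) for every log line touching a listed IoC."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        tokens = set(IPV4_RE.findall(line)) | set(HOST_RE.findall(line))
        for token in sorted(tokens):
            for key in _lookup_keys(token):
                if key in index:
                    hits.append((line_no, key, index[key]))
                    break
    return hits


if __name__ == "__main__":
    index = build_index(parse_threatlist(SAMPLE_FEED))
    for line_no, ioc, rec in correlate(index, SAMPLE_LOGS):
        print(f"line {line_no}: {ioc} -> {rec['Category']}/{rec['SubCategory']} "
              f"severity={rec['Severity']} geo={rec['Geo']}")
```

The parent-domain walk is what makes the second log line match: the feed lists bad.example.net, the resolver logged login.bad.example.net, and an exact-match lookup alone would miss it.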

Enabling ThreatLIST

ThreatLIST files are generated from one or more of your custom policies. Enabling the feature is done in two steps:

  • Step 1: configure the global settings for the feature.
  • Step 2: configure the policy to be exported.

Step 1 - Global settings

  • Navigate to the SIEM Integration tab in the navigation menu.
  • Using the dropdown, choose between Splunk (default) and Suricata format.

  • If you’ve chosen Suricata, you will need to describe the format of the line. Our default is:
    alert ip [%ioc] any -> any (msg: "[%blocker_desc %blocker_type]"; priority: %priority; sid: %sid;)
    

There are several variables that will be replaced with information about each indicator of compromise (IoC) when your file is generated:

  • %ioc is the IP address from ThreatSTOP.
  • %blocker_desc is the name of the source of the block.
  • %blocker_type is the type of threat.
  • %priority is how dangerous the threat is.
  • %sid is an incrementing Suricata SID, assigned sequentially from the starting SID you configure.

  • If you’ve chosen Suricata, you will also be able to configure the starting SID. Pick a range that does not overlap the SIDs used by your other rule files, so the generated rules never collide with rules you already load.

Step 2 - Policy settings

  • Browse to the policy configuration for each policy you want to export using ThreatLIST.
  • Enable SIEM integration (Enabled checkbox).
  • The remaining settings are chosen from dropdowns.
  • Set the Threatlist IOC Type. This determines what type of IoCs will be included in your SIEM file. Your choices are:
    • IPs only.
    • Domains only.
    • All (both IPs and domains).
  • Set the Threatlist IoC Format. This determines whether the system generates separate files for each IoC type or a single file. Your choices are:
    • Split IoC Types.
    • All IoC Types in a single file.
  • Save your changes.

Accessing the ThreatList files

The ThreatLIST files are produced every two hours and are made available at threatlist.threatstop.com. The files must be retrieved over SFTP; credentials will be provided by our support team. Verify the server's host key on first connection rather than accepting it blindly, since the contents of these files feed directly into your detection and blocking logic.

The files follow this naming convention:

threatlist-<policy_name>-<ioc type>-<timestamp>.csv
threatlist-<policy_name>-<ioc type>-latest.csv

where:

  • policy_name is the name of the policy being exported.
  • ioc type is ip, domain, or all (for a ThreatLIST setting requesting both IP addresses and domains).
  • timestamp is YYYYMMDD-hhmm, the time at which the file was produced. The -latest file always refers to the most recently produced version.

For example:

threatlist-my_policy-ip-latest.csv
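Because the feed is regenerated on a fixed two-hour cadence, a feed that silently stops updating is a detection gap you want to notice. The added example below (not ThreatSTOP code) parses the naming convention above from a directory listing you have already retrieved over SFTP, picks the newest timestamped file per policy and IoC type, and flags any feed whose newest file is older than the two-hour interval plus a grace period. The listing and clock value are constructed, timestamps are assumed to be UTC (the page does not say), and policy names are allowed to contain hyphens, so the parser anchors on the trailing -<ioc type>-<timestamp>.csv rather than splitting on every hyphen.

```python
"""Pick the newest ThreatLIST file per policy/IoC type and flag stale feeds.

Added example, not ThreatSTOP code. Parses the documented names
  threatlist-<policy_name>-<ioc type>-<YYYYMMDD-hhmm>.csv
  threatlist-<policy_name>-<ioc type>-latest.csv
from a listing already fetched over SFTP. Assumptions: timestamps are
UTC; policy names may contain hyphens; the listing below is constructed.
"""
import re
from datetime import datetime, timedelta, timezone

NAME_RE = re.compile(
    r"^threatlist-(?P<policy>.+)-(?P<ioc_type>ip|domain|all)-"
    r"(?P<stamp>\d{8}-\d{4}|latest)\.csv$")

# Constructed directory listing, including an unrelated file and a policy
# whose name contains a hyphen.
SAMPLE_LISTING = [
    "threatlist-my_policy-ip-20240309-1000.csv",
    "threatlist-my_policy-ip-20240309-1200.csv",
    "threatlist-my_policy-ip-latest.csv",
    "threatlist-corp-edge-domain-20240309-0200.csv",
    "threatlist-corp-edge-domain-latest.csv",
    "README.txt",
]
NOW = datetime(2024, 3, 9, 12, 30, tzinfo=timezone.utc)   # constructed clock


def parse_name(name: str):
    """Return policy, ioc_type, stamp and produced (None for -latest), or None if not a feed file."""
    m = NAME_RE.match(name)
    if not m:
        return None
    d = m.groupdict()
    d["produced"] = None
    if d["stamp"] != "latest":
        d["produced"] = datetime.strptime(d["stamp"], "%Y%m%d-%H%M").replace(tzinfo=timezone.utc)
    return d


def newest_files(listing):
    """Map (policy, ioc_type) to the newest timestamped entry, ignoring -latest aliases."""
    newest = {}
    for name in listing:
        d = parse_name(name)
        if d is None or d["produced"] is None:
            continue
        key = (d["policy"], d["ioc_type"])
        if key not in newest or d["produced"] > newest[key]["produced"]:
            newest[key] = dict(d, name=name)
    return newest


def stale_feeds(listing, now, interval=timedelta(hours=2), grace=timedelta(hours=1)):
    """Return (policy, ioc_type, age) for feeds whose newest file is older than interval + grace."""
    stale = []
    for (policy, ioc_type), entry in sorted(newest_files(listing).items(), key=lambda kv: kv[0]):
        age = now - entry["produced"]
        if age > interval + grace:
            stale.append((policy, ioc_type, age))
    return stale


if __name__ == "__main__":
    for key, entry in newest_files(SAMPLE_LISTING).items():
        print(key, "->", entry["name"])
    for policy, ioc_type, age in stale_feeds(SAMPLE_LISTING, NOW):
        print(f"STALE: {policy}/{ioc_type} newest file is {age} old")
```

Checking the timestamped files rather than trusting the -latest alias is deliberate: the alias tells you which file is newest, not whether "newest" is recent enough to rely on.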