Manage threat feeds

Threat intelligence → Feeds. One row per configured feed. Each row has:

  • Name — FireHOL Level 1, Tor Exit Nodes, AbuseIPDB, or your custom feeds.
  • State — enabled / disabled.
  • Score weight — how many points an IP hit adds to the sign-in's risk score.
  • Update cadence — how often the platform polls / refreshes the feed.
  • Last successful fetch — timestamp.
  • Entries — number of IPs / CIDR ranges currently in the feed.

Toggle the State switch in each row. Disabled feeds aren't consulted and have no impact on risk scoring.

When you disable a feed, the platform also stops fetching it (no wasted polling). Re-enabling resumes fetching.

Click into a feed → Score weight. Default values are conservative; adjust if your tenant's policies need different sensitivity.

A few guidelines:

  • Higher if your industry is high-stakes — banking, healthcare, government. A FireHOL hit at +50 or +60 makes that single signal almost certainly drive a block.
  • Lower if you have a high-friction user base — cap at +10 per feed and let hits across multiple feeds accumulate to a meaningful score.

The change applies to NEXT sign-in attempts. In-flight sessions / tokens are unaffected.
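How the per-feed weights combine into a sign-in risk score, as an added example that is not the platform's own code. The feed names come from this page; the weights, the entries (documentation address ranges, not real indicators), the +10 cap helper and the block threshold of 50 are constructed for illustration.

```python
# Added example (not the platform's own code): per-feed score weights summed into
# a sign-in risk score. Feed entries, weights and the block threshold are constructed.
import ipaddress
from dataclasses import dataclass, field

BLOCK_THRESHOLD = 50  # assumed threshold; the page does not state one


@dataclass
class Feed:
    name: str
    enabled: bool          # "State" column: disabled feeds are never consulted
    score_weight: int      # "Score weight" column
    entries: list          # IPs or CIDR ranges, as shown under "Browse entries"
    networks: list = field(init=False)

    def __post_init__(self):
        # Single IPs become /32 (or /128) networks so one containment test covers both.
        self.networks = [ipaddress.ip_network(e, strict=False) for e in self.entries]

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)


def risk_score(ip: str, feeds: list) -> tuple:
    """Sum the weights of every enabled feed the IP hits; return (score, feed names)."""
    total, hits = 0, []
    for feed in feeds:
        if feed.enabled and feed.contains(ip):
            total += feed.score_weight
            hits.append(feed.name)
    return total, hits


def would_block(ip: str, feeds: list) -> bool:
    return risk_score(ip, feeds)[0] >= BLOCK_THRESHOLD


def with_weight_cap(feeds: list, cap: int) -> list:
    """The 'high-friction user base' guideline: cap each feed's weight so no single
    feed alone drives a block and only cumulative hits reach the threshold."""
    return [Feed(f.name, f.enabled, min(f.score_weight, cap), f.entries) for f in feeds]


# Constructed sample feeds (RFC 5737 documentation ranges, not real IoCs).
FEEDS = [
    Feed("FireHOL Level 1", True, 30, ["203.0.113.0/24"]),
    Feed("Tor Exit Nodes", True, 20, ["198.51.100.7", "203.0.113.9"]),
    Feed("AbuseIPDB", False, 25, ["198.51.100.7"]),      # disabled: never consulted
    Feed("custom-internal", True, 10, ["192.0.2.0/28"]),
]

if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.9", "192.0.2.200"):
        print(ip, risk_score(ip, FEEDS), "block" if would_block(ip, FEEDS) else "allow")
    print("capped:", risk_score("203.0.113.9", with_weight_cap(FEEDS, 10)))
```

The disabled AbuseIPDB feed contributes nothing even though it lists 198.51.100.7, and an IP on both FireHOL and Tor reaches the threshold at the default weights but not once each feed is capped at +10.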

Update cadence is set per feed. Sensible defaults are shipped; tighten if you need faster propagation:

  • 5 minutes — for volatile lists (Tor exit nodes change frequently).
  • 1 hour — for stable lists (FireHOL Level 1 is relatively stable).
  • Daily — for slow-moving curated lists.

Faster polling is cheap; the platform handles it. Going below 5 minutes is rarely useful — most feeds don't change that quickly.

The platform retries the feed fetch on every cadence interval. If three consecutive fetches fail:

  • The feed status badge flips to error.
  • security.threat_feed_fetch_failed lands in audit.
  • The platform continues to use the LAST successfully-fetched feed contents (stale, but better than nothing).
  • Risk scoring keeps using the stale data until the feed recovers.

If you see a feed in error state, click in for the specific failure (404, 500, timeout, SSL error). Custom URL feeds you control — fix the URL. Platform-curated feeds in error — usually transient; we monitor + fix on the platform side.
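The failure behaviour described above, modelled as an added example that is not the platform's own code: one poll per cadence tick, a third consecutive failure flips the status to error and writes security.threat_feed_fetch_failed to audit, and the last successfully fetched entries stay in use until a fetch succeeds. The FeedState fields, the "ok" status label, the audit record shape and the choice to emit the audit event once at the transition rather than on every further failure are assumptions.

```python
# Added example (not the platform's own code): per-feed poller modelling the documented
# three-consecutive-failures rule with stale-data fallback. Field names, the "ok" label
# and the audit record shape are assumptions; the failure count comes from the page.
from dataclasses import dataclass, field
from typing import Callable, Optional

FAILURE_THRESHOLD = 3  # "If three consecutive fetches fail"


@dataclass
class FeedState:
    name: str
    entries: list = field(default_factory=list)   # last successfully fetched contents
    last_successful_fetch: Optional[str] = None   # timestamp of that fetch
    consecutive_failures: int = 0
    status: str = "ok"                            # "ok" or "error"
    last_error: Optional[str] = None              # 404, 500, timeout, SSL error ...


def poll(state: FeedState, fetch: Callable[[], list], now: str, audit: list) -> FeedState:
    """One cadence tick: `fetch` returns the new entry list or raises on failure."""
    try:
        new_entries = fetch()
    except Exception as exc:
        state.consecutive_failures += 1
        state.last_error = str(exc)
        # Third failure in a row: badge flips to error and the audit event lands.
        if state.consecutive_failures >= FAILURE_THRESHOLD and state.status != "error":
            state.status = "error"
            audit.append({"event": "security.threat_feed_fetch_failed",
                          "feed": state.name, "at": now,
                          "failures": state.consecutive_failures,
                          "error": state.last_error})
        # state.entries is deliberately untouched: scoring keeps the stale list.
        return state
    # Success: replace contents, clear the streak, recover from error.
    state.entries = new_entries
    state.last_successful_fetch = now
    state.consecutive_failures = 0
    state.status = "ok"
    state.last_error = None
    return state


def simulate(responses: list, name: str = "Tor Exit Nodes") -> tuple:
    """Drive poll() over a scripted sequence: a list is a successful fetch result,
    a string is the error raised by that fetch. Returns (final state, audit log)."""
    state, audit = FeedState(name), []
    for tick, resp in enumerate(responses):
        def fetch(r=resp):
            if isinstance(r, str):
                raise RuntimeError(r)
            return r
        poll(state, fetch, now=f"t{tick}", audit=audit)
    return state, audit


if __name__ == "__main__":
    # Constructed run: one good fetch, three failures, then recovery.
    final, log = simulate([["198.51.100.7"], "timeout", "HTTP 500", "SSL error", ["198.51.100.9"]])
    print(final)
    print(log)
```

Two failures in a row leave the feed in its normal state with nothing in audit; the third flips it, and the stale entries from the last good fetch remain in place until the next successful poll replaces them.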

Click a feed → Browse entries. Shows the current list of IPs / CIDR ranges. Searchable.

Useful for "is THIS IP on the feed?" without going through the test-IP tool.

Every feed-management action records audit:

  • security.threat_feed_added / _removed.
  • security.threat_feed_enabled / _disabled.
  • security.threat_feed_score_changed — with before / after weight.
  • security.threat_feed_fetch_failed — when fetches fail consecutively.

For "who turned off Tor at 4am?" investigations, audit is the source.

Threat feeds are tenant-wide by default. For per-application sensitivity, an application's settings page → Authentication policy can override the tenant feeds (e.g., "this application uses only FireHOL; the others are noise").

Most tenants leave the global setting; per-app overrides are for unusual cases.