* [Blog](https://www2.paloaltonetworks.com/blog)
* [Security Operations](https://www2.paloaltonetworks.com/blog/security-operations/)
* [Playbook of the Week](https://www2.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/)
* Bootstrap Your Threat Int...

# Bootstrap Your Threat Intel Management Program With Free Feeds and IOC Enrichers

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fbootstrap-your-threat-intel-management-program-with-free-feeds-and-ioc-enrichers%2F)  
[](https://twitter.com/share?text=Bootstrap+Your+Threat+Intel+Management+Program+With+Free+Feeds+and+IOC+Enrichers&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fbootstrap-your-threat-intel-management-program-with-free-feeds-and-ioc-enrichers%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fbootstrap-your-threat-intel-management-program-with-free-feeds-and-ioc-enrichers%2F&title=Bootstrap+Your+Threat+Intel+Management+Program+With+Free+Feeds+and+IOC+Enrichers&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www2.paloaltonetworks.com/blog/security-operations/bootstrap-your-threat-intel-management-program-with-free-feeds-and-ioc-enrichers/&ts=markdown)  
\[\](mailto:?subject=Bootstrap Your Threat Intel Management Program With Free Feeds and IOC Enrichers)  
Link copied  
By [Dror Avrahami](https://www.paloaltonetworks.com/blog/author/dror-avrahami/?ts=markdown "Posts by Dror Avrahami")  
Dec 07, 2023  
5 minutes  
[Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)  
[Cortex XSOAR](https://www.paloaltonetworks.com/blog/tag/cortex-xsoar/?ts=markdown)  
[playbook of the week](https://www.paloaltonetworks.com/blog/tag/playbook-of-the-week/?ts=markdown)  
[Security Orchestration Automation and Response](https://www.paloaltonetworks.com/blog/tag/security-orchestration-automation-and-response/?ts=markdown)  
[SOAR](https://www.paloaltonetworks.com/blog/tag/soar-2/?ts=markdown)  
[threat intelligence](https://www.paloaltonetworks.com/blog/tag/threat-intelligence/?ts=markdown)  
[XSOAR playbook](https://www.paloaltonetworks.com/blog/tag/xsoar-playbook/?ts=markdown)

Getting your threat intel management (TIM) program up and running might seem like a daunting task. Picking the right feeds and enrichers can be challenging as there are many different options and flavors to choose from, and these subscriptions sometimes come with a hefty price tag.

So, we have made it easier for our Cortex XSOAR customers to find and install integrations that do not require a subscription and in some cases might not even require registration upfront. We have known and used most of these feeds for a long time now and we have found them as a good stepping stone to get any TIM going.

To make it easier for you to discover and take advantage of these free feeds and enrichers, we've added four new tags to our out-of-the-box feed integrations in the Cortex Marketplace:

**1. Plug \& Fetch** - This tag was created for feeds that are free and which do not require any credentials or registration. As using a **Plug \& Fetch** integration does not require any registration or credentials all you need to do is set up an instance for it in Cortex XSOAR TIM and let the pack run. A good example of such a feed is [LOLBAS](https://cortex.marketplace.pan.dev/marketplace/details/FeedLOLBAS/), which does not require any credentials whatsoever.

![LOLBAS Feed](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/12/lolbas-feed.png)

To find all of the [Plug \& Fetch feeds](https://cortex.marketplace.pan.dev/marketplace/?tag=Plug+%26+Fetch) available for XSOAR you can simply use the\*\*"Plug \& Fetch" tag\*\* in the [Cortex Marketplace](https://cortex.marketplace.pan.dev/marketplace/) search filters:

![Plug \& Fetch feeds in XSOAR](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/12/plug-and-fetch-feeds-in-xsoar.png)

**2. Free Feeds** - The Free Feed tag is used for feeds that do not require a subscription but do require the user to register in order to obtain the credentials needed to ingest the feed. A good example for such a feed would be the [National Vulnerability Database (NVD)](https://cortex.marketplace.pan.dev/marketplace/details/NistNVD/).

![NVD Free feed in XSOAR](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/12/nvd-free-feed-in-xsoar.png)

As before, you can use the\*\*"\*\* [**Free Feed**](https://cortex.marketplace.pan.dev/marketplace/?tag=Free+Feed)**" tag**.

![Free feeds in XSOAR](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/12/free-feeds-in-xsoar.png)

**3. Generic Feeds** - The [Generic Feed integrations](https://cortex.marketplace.pan.dev/marketplace/?tag=Generic+Feed) are used when XSOAR does not have a pre-built integration for a specific feed. As most feeds usually use common data formats such as TAXII, JSON, CSV, etc, the user can use these Generic Feed integrations to fetch the data without building a custom integration from scratch. These can also aid as a skeleton structure for building an integration for a feed using these common frameworks.

![Generic Feeds in XSOAR](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/12/generic-feeds-in-xsoar.png)

An easy setup for an [RSS based feed](https://cortex.marketplace.pan.dev/marketplace/details/FeedRSS/):

![RSS Feed config](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/12/rss-feed-config.png)

**4. Allow lists** (previously known as whitelists) - Unlike other feeds that are meant to provide us with indicators for blocking and keeping our environment safe, these are meant to help us keep it organized and to prevent inadvertent lockouts to applications or services used by the organization. The **"** [**Allow list**](https://cortex.marketplace.pan.dev/marketplace/?tag=Allow+List)**" tag** feeds include assets from well known companies such as AWS, Azure, Cisco, Google, Cloudflare, etc.

![Allow lists feeds in XSOAR](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/12/allow-lists-feeds-in-xsoar.png)

These feeds are almost always *Plug \& Fetch* but as they are different in nature, we decided to give them a distinctive tag to enhance searchability.

To make life even easier for our users, we have also created a new XSOAR pack called "[**Free Feeds**](https://cortex.marketplace.pan.dev/marketplace/details/FreeFeeds/)"**.** This new pack has all the data presented above and lists all the available new feeds within XSOAR, and any optional dependencies, in one single location. We will update this pack with every new free feed that is added to XSOAR.

![Free feeds pack](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/12/free-feeds-pack.png)

![Optional dependencies in free feeds pack](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/12/optional-dependencies-in-free-feeds-pack.png)

Just like with feeds we have also added two new tags to indicators of compromise (IOC) enrichers within XSOAR:

**5. Plug \& Enrich** - like the **Plug \& Fetch** tag this [new tag](https://cortex.marketplace.pan.dev/marketplace/?tag=Plug+%26+Enrich) lists any integration within XSOAR that allows the user to enrich IOCs without prior registration. These integrations can be set up in little time to provide rich context to your incident investigations at no additional cost.

![Plug \& Enrich enrichers](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/12/plug-and-enrich-enrichers.png)

A good example of a **Plug \& Enrich** integration is [Team Cymru](https://cortex.marketplace.pan.dev/marketplace/details/TeamCymru/) which provides data about IP addresses:

![Team Cymru integration](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/12/team-cymru-integration.png)

**6. Free Enricher** - Like "**Free Feed** " this tag is there to inform you that the enricher is free to use (or have a free \\ community tier) but it does *require* the user to register in order to acquire some sort of credentials to access the data. The "[**Free Enricher**](https://cortex.marketplace.pan.dev/marketplace/?tag=Free+Enricher)" tag also includes within it all of the **Plug \& Enrich** integrations.

![Free Enrichers in XSOAR](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/12/free-enrichers-in-xsoar.png)

A nice example of such an enricher is [AbuseIPDB](https://cortex.marketplace.pan.dev/marketplace/details/AbuseDB/) which requires an API key in order to install an instance in XSOAR.  
![AbuseIPDB config](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/12/abuseipdb-config.png)

Just like with our **Free Feeds** we also created a new XSOAR pack called "[**Free Enrichers**](https://cortex.marketplace.pan.dev/marketplace/details/FreeEnrichers/)" which lists all of the free enrichers available in the Marketplace and provides details about the tags used to define them.  
![Free Enrichers pack](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/12/free-enrichers-pack.png)

![Free enrichers optional dependencies](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/12/free-enrichers-optional-dependencies.png)

These content packs, as well as hundreds of other packs covering a myriad of incident types and use cases can be discovered in the [Cortex Marketplace](https://cortex.marketplace.pan.dev/marketplace/). In order to run these packs, you will need an instance of Cortex XSOAR.

**To learn more about how you can automate security operations with Cortex XSOAR, check out our virtual self-guided [XSOAR Product Tour](https://www.paloaltonetworks.com/resources/infographics/xsoar-product-tour)**

**We also host virtual and in-person events, so check [here](https://www.paloaltonetworks.com/resources/cortex-events) for upcoming ones.**

Read about how you can transform your [Threat Intel Management with XSOAR](https://start.paloaltonetworks.com/xsoar-threat-intel.html).

*** ** * ** ***

## Related Blogs

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

[#### An Automated Response to Malicious Pod Activity](https://www2.paloaltonetworks.com/blog/security-operations/an-automated-response-to-malicious-pod-activity/)

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

[#### Rapid Response for Fighting Ursa Phishing Campaign](https://www2.paloaltonetworks.com/blog/security-operations/rapid-response-for-fighting-ursa-phishing-campaign/)

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown)

[#### Playbook of the Week: Automating Response to Living-Off-the-Land (LOTL) Attacks](https://www2.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-automating-response-to-living-off-the-land-lotl-attacks/)

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

[#### Playbook of the Week: Prisma Cloud Compute - Compliance Alert v2](https://www2.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-prisma-cloud-compute-compliance-alert-v2/)

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

[#### Playbook of the Week: Streamlining Suspicious Data Upload Alert Investigations](https://www2.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-streamlining-suspicious-data-upload-alert-investigations/)

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown)

[#### Playbook of the Week: Automating Management of XDR Identity Analytics Alerts](https://www2.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-automating-management-of-xdr-identity-analytics-alerts/)

### Subscribe to Security Operations Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www2.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language