You can enrich log threat detection by adding your own private feeds to those provided by

This page provides guidelines to help you prepare your private feeds of IOCs so they can be pulled by For help configuring the sync, see Adding a private feed.

Supported IOC types

Supported IOC types include:

  • IPs
  • md5/sha1/sha256 hash signatures
  • Domains
  • URLs
  • User-Agent headers
  • Custom indicators (Custom indicators can be used to create lists of usernames, email addresses, or any other indicators, according to your own use case.)

General guidelines

  • IOC-specific

    Each feed should be a list of IOCs of a similar type. This is important to meet the validation requirements, as explained below.

  • Max number of entities

    Your feed can contain as many as 10K entities.

  • Format

    A feed of IOCs can have a variety of formats.

    For the default format, every IOC appears on a new line, without delimiters, separators, or additional notes or comments.

    Here’s an example for what a feed of malicious IPs might look like when using the default format:

    If your feed has another format, please contact our Support team and they will be happy to assist.

Validated format by IOC type

IOC type Format
IP valid IP address
DNS valid domain name (string)
URL valid URL
MD5 32 characters
SHA1 40 characters
SHA256 64 characters
USER-AGENT max size 2 KB (string)
CUSTOM max size 64 characters (string)

Allowlist IPs per region

If necessary, allowlist the relevant IPs in your firewalls. These depend on the region where your account is hosted. For accounts hosted in the Azure regions West Europe (Netherlands) or West US 2 (Washington), contact our Customer Success team to discuss your requirements.

us-east-1 IP address has recently changed. Make sure you update your configuration accordingly to ensure uninterrupted access to

Region Allowlisted IP Cloud
us-east-1 AWS
eu-central-1 AWS
ca-central-1 AWS
eu-west-2 AWS
ap-southeast-2 AWS