Real-Time Threat Intelligence for Firewall Teams: 4 Feeds, One Workflow
Your SOC team subscribes to threat intelligence feeds. Your firewall team manages rules. But who checks whether your firewall rules reference known-bad IPs? In most organizations, nobody does — at least not systematically. The gap between threat intelligence and firewall management is one of the most common and most dangerous blind spots in enterprise security operations.
This guide explains how to bridge that gap by cross-referencing firewall rules against threat intelligence feeds, what feeds to use, how the matching works, and what to do when you find a hit.
The Gap Between Threat Intelligence and Firewall Management
Threat intelligence platforms produce indicators of compromise (IOCs). The ones that matter to a firewall team are IP addresses: addresses associated with botnets, command-and-control servers, phishing campaigns, and malware distribution. These feeds update continuously as new threats are discovered.
Meanwhile, firewall rules reference IP addresses, networks, and services. Some of these rules were created months or years ago. An address that was legitimate when the rule was written may have since appeared on a threat feed: the host was compromised, the address was reassigned to a malicious actor, or it was identified as part of botnet infrastructure.
The problem is that these two worlds rarely talk to each other. SOC teams consume threat intelligence for detection and hunting. Firewall teams manage rules for access control. The cross-reference between “IPs we allow traffic to” and “IPs that are known-bad” happens manually, if it happens at all.
4 Threat Intelligence Feeds Explained
FwChange integrates with 4 threat intelligence feeds, each covering a different threat category. Together, they provide broad coverage of the most common network-based threats.
AbuseIPDB
A community-driven IP reputation database. Users report malicious IPs (brute force, spam, port scanning, DDoS), and AbuseIPDB aggregates the reports into an abuse confidence score from 0 to 100. FwChange queries the AbuseIPDB API to check whether any IP referenced in your firewall rules has been reported for malicious activity.
Best for: Detecting rules that allow traffic to or from IPs with poor reputation scores. Covers a wide range of abuse types.
Emerging Threats (Proofpoint ET)
Proofpoint’s Emerging Threats project maintains curated blocklists of compromised IP addresses. The ET compromised IP list is updated daily and includes IPs observed participating in active attacks, hosting malware, or acting as command-and-control servers.
Best for: Identifying rules that reference actively compromised infrastructure. The list is curated, so false positives are rare. Note that a listed address is often a legitimate host that was compromised rather than attacker-owned, so the question is usually whether the host has since been cleaned, not whether the business relationship was ever valid.
Feodo Tracker (Abuse.ch)
Feodo Tracker is operated by Abuse.ch and tracks botnet command-and-control (C2) servers. It focuses specifically on banking trojans and malware families like Dridex, Emotet, TrickBot, and QakBot. The feed provides IP addresses of known C2 servers that infected machines communicate with.
Best for: Detecting rules that allow outbound traffic to botnet C2 infrastructure. Critical for organizations handling financial data.
AlienVault OTX
AlienVault Open Threat Exchange is a community threat intelligence platform where security researchers share “pulses” containing indicators of compromise. OTX aggregates IP indicators from thousands of contributors worldwide, covering a broad range of threat types from APT campaigns to commodity malware.
Best for: Broad coverage of community-reported threats. Higher volume than other feeds, useful as a supplementary source.
How Cross-Referencing Works
The cross-referencing process is straightforward. FwChange syncs threat intelligence feeds on a scheduled cron job. Each sync pulls the latest indicators and stores them locally. Then, for each firewall rule in your fleet, FwChange checks whether any source or destination address, or any address inside a CIDR range the rule references, appears in any of the 4 feeds.
The Cross-Reference Pipeline
- 1. Feed Sync: Scheduled cron job pulls latest indicators from all 4 feeds and stores them in the database.
- 2. Rule Extraction: For each firewall, extract all IP addresses referenced in allow rules (source and destination).
- 3. IOC Matching: Compare extracted IPs against the threat indicator database. Match individual IPs and IPs within CIDR ranges. A very broad reference (any, 0.0.0.0/0, or a large CIDR) will contain indicators by construction; treat those as a rule-optimization problem and rank hits by how narrow the matching reference is, rather than reporting every indicator inside an any rule as a threat intelligence finding.
- 4. Sighting Creation: When a match is found, create a sighting record linking the firewall rule to the threat indicator with feed source, confidence score, and timestamp.
- 5. Alerting: Notify the security team via configured channels (email, Slack, Teams) with details about the match and recommended actions.
What to Do When You Find a Match
A threat intelligence match does not automatically mean you have a compromise. It means a firewall rule references an IP that has been flagged by one or more threat feeds. The appropriate response depends on the context:
- High confidence match (AbuseIPDB score >80 or Feodo C2): Investigate immediately. Check firewall logs for actual traffic to/from the flagged IP. If traffic exists, escalate as a potential incident. Consider blocking the IP pending investigation.
- Medium confidence match (ET compromised list): Review the rule and its business justification. Check whether the IP is still in active use. If the rule is no longer needed, remove it. If still needed, evaluate whether the destination has been compromised.
- Low confidence match (OTX community pulse): Note the finding and review during the next rule audit cycle. OTX has higher false-positive rates due to community sourcing. Use as a supplementary signal, not a primary trigger for action.
Integration into Change Management
Threat intelligence becomes most valuable when it is woven into your firewall change management process. When someone submits a new rule that references an IP flagged by a threat feed, the system should catch it before the rule goes live — not after.
This pre-deployment check adds seconds to the change request process and can prevent days of incident response. It is the same principle as rule optimization — catch problems before they reach production, not after.
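The pipeline described in the cross-referencing section, the triage tiers from the previous section, and the pre-deployment gate described here, implemented together as an added example in Python's standard library (this is not FwChange code). Feed sync is replaced by an inline, constructed indicator set on documentation address ranges; the names Indicator, Rule, Sighting, IndicatorIndex, match_rule, scan_fleet and gate_change, the /8 minimum prefix length, and the treatment of AbuseIPDB scores at or below 80 as medium are this example's own assumptions.

```python
"""Cross-reference firewall rules against threat-intel indicators.
Added example, not FwChange code. Indicators and rules are constructed inline
on documentation ranges (TEST-NET-1/2/3) so it runs offline; feed names and
tiers follow the article, the identifiers and min_prefixlen are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Tuple

@dataclass(frozen=True)
class Indicator:
    ip: str                           # single address as published by the feed
    feed: str                         # abuseipdb | et_compromised | feodo | otx
    confidence: Optional[int] = None  # AbuseIPDB 0-100 score; None for list feeds

@dataclass(frozen=True)
class Rule:
    firewall: str
    rule_id: str
    action: str                       # only allow rules are checked
    src: Tuple[str, ...]              # addresses or CIDRs as written in the rule
    dst: Tuple[str, ...]

@dataclass(frozen=True)
class Sighting:                       # pipeline step 4: rule <-> indicator link
    firewall: str
    rule_id: str
    side: str                         # "src" or "dst"
    rule_ref: str                     # the address/CIDR in the rule that matched
    indicator: Indicator
    tier: str                         # high | medium | low
    seen_at: str

def triage_tier(ind: Indicator) -> str:
    """Map a hit to the response tiers from the article."""
    if ind.feed == "feodo":
        return "high"
    if ind.feed == "abuseipdb":       # scores <= 80 treated as medium (assumption)
        return "high" if (ind.confidence or 0) > 80 else "medium"
    if ind.feed == "et_compromised":
        return "medium"
    return "low"                      # otx and anything unrecognised

class IndicatorIndex:
    """Indicators keyed by address: O(1) for host refs, a scan for CIDR refs."""
    def __init__(self, indicators: Iterable[Indicator]):
        self._by_addr: Dict[object, List[Indicator]] = {}
        for ind in indicators:
            self._by_addr.setdefault(ipaddress.ip_address(ind.ip), []).append(ind)
    def lookup(self, net) -> List[Indicator]:
        if net.num_addresses == 1:
            return list(self._by_addr.get(net.network_address, []))
        # Linear scan; swap in a radix tree once the feed holds millions of entries.
        return [ind for addr, inds in self._by_addr.items()
                if addr.version == net.version and addr in net for ind in inds]

def match_rule(rule: Rule, index: IndicatorIndex, min_prefixlen: int = 8) -> List[Sighting]:
    """Pipeline steps 2-4 for one rule: extract refs, match IOCs, record sightings."""
    if rule.action.lower() != "allow":
        return []
    seen_at = datetime.now(timezone.utc).isoformat()
    found: List[Sighting] = []
    for side, refs in (("src", rule.src), ("dst", rule.dst)):
        for ref in refs:
            net = ipaddress.ip_network(ref, strict=False)
            if net.prefixlen < min_prefixlen:
                # any/any-style refs contain indicators by construction: a rule-optimisation finding
                continue
            for ind in index.lookup(net):
                found.append(Sighting(rule.firewall, rule.rule_id, side, ref,
                                      ind, triage_tier(ind), seen_at))
    return found

def scan_fleet(rules: Iterable[Rule], indicators: Iterable[Indicator],
               min_prefixlen: int = 8) -> List[Sighting]:
    index = IndicatorIndex(indicators)
    return [s for r in rules for s in match_rule(r, index, min_prefixlen)]

def gate_change(rule: Rule, indicators: Iterable[Indicator],
                blocking: Tuple[str, ...] = ("high",)) -> Tuple[bool, List[Sighting]]:
    """Pre-deployment check: (approved, sightings); high-tier hits block the change."""
    sightings = match_rule(rule, IndicatorIndex(indicators))
    return (not any(s.tier in blocking for s in sightings), sightings)

# Constructed sample data, not real feed output or a real rulebase.
INDICATORS = (
    Indicator("203.0.113.7", "feodo"),
    Indicator("198.51.100.23", "abuseipdb", confidence=92),
    Indicator("192.0.2.200", "et_compromised"),
    Indicator("192.0.2.9", "otx"),
)
RULES = (
    Rule("fw-edge-1", "r101", "allow", ("10.1.2.3",), ("198.51.100.0/24", "203.0.113.7")),
    Rule("fw-edge-1", "r102", "deny", ("0.0.0.0/0",), ("192.0.2.200",)),
    Rule("fw-dc-2", "r200", "allow", ("192.0.2.0/24",), ("10.9.9.9",)),
    Rule("fw-dc-2", "r201", "allow", ("0.0.0.0/0",), ("0.0.0.0/0",)),
)
```

On the sample data, scan_fleet(RULES, INDICATORS) returns four sightings (two high, one medium, one low): r101 hits the Feodo C2 directly and the AbuseIPDB address through its /24, r200 picks up the ET and OTX addresses inside 192.0.2.0/24, the deny rule is ignored, and the any/any rule r201 produces nothing because references broader than /8 are skipped. Calling it with min_prefixlen=0 makes r201 alone match every indicator twice (once per side), which is the noise the cut-off exists to remove. gate_change(rule, INDICATORS) is the same matcher used as a pre-deployment check: a rule with a high-tier hit is not approved, while a rule with only medium or low hits is approved with the sightings attached for review. Host references are an O(1) dictionary lookup; CIDR references scan the index, which is fine for feeds of a few hundred thousand entries and should become a radix tree beyond that.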
Compliance Benefits
Threat intelligence integration supports several compliance requirements. PCI DSS v4.0 Requirement 1.2.7 requires network security control configurations to be reviewed at least once every six months to confirm they are still relevant and effective, and a documented cross-reference of rules against threat feeds is direct evidence for that review. ISO/IEC 27001:2022 adds an explicit threat intelligence control (Annex A 5.7) alongside the operational security controls that the 2013 edition grouped under Annex A.12. NIS2 requires essential and important entities to implement risk-based security measures, including incident handling and threat detection.
Having documented evidence that you cross-reference firewall rules against threat feeds — and that you investigate and remediate matches — demonstrates proactive security management. This is exactly the kind of evidence that turns an audit finding into an audit strength.
The gap between threat intelligence and firewall management exists in most organizations because the tools have been separate and the workflows disconnected. Automated cross-referencing closes that gap without adding manual work to either team. Your threat feeds update automatically, your firewall rules are scanned continuously, and matches surface as alerts that someone can act on. That is how threat intelligence moves from a dashboard nobody checks to a workflow that prevents real incidents. For more on how AI-powered threat detection fits into the broader security picture, see our CISO guide.