Security Intelligence feed/list change alerts

Chuck M
Level 1

All,

I've been tasked with obtaining an alert whenever a security intelligence feed or list is added/removed/modified within Security Intelligence but only have been able to find a means to alert on events discovered from SI.

Might anyone know of a way to accomplish the above?

Many Thanks!

3 Replies

nspasov
Cisco Employee

I have not tried this myself, but have you looked at the alerts function: In FMC > Settings > Add Health Alert > Pick "Threat Data Update" from the list > Security Intelligence.

Thank you for rating helpful posts!

steven456bahr
Level 1

@Chuck M wrote:

All,

I've been tasked with obtaining an alert whenever a security intelligence feed or list is added/removed/modified within Security Intelligence but only have been able to find a means to alert on events discovered from SI.

Might anyone know of a way to accomplish the above?

Many Thanks!


To alert on additions, removals, or modifications to your Security Intelligence (SI) feeds or lists, you must **monitor the internal audit or configuration change logs** of your SIEM or security platform. This involves identifying which internal log sources record administrative actions related to SI, searching for keywords like "feed," "list," "add," "modified," and then configuring your platform's native alerting mechanisms (e.g., correlation rules) to notify you of such changes. The exact steps will depend on your specific SIEM solution.
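
The audit-log approach in the reply above, as an added example that is not part of the original thread and is not Cisco code: a small filter that flags administrative changes to Security Intelligence feeds or lists and ignores read-only activity. The log lines are constructed, and the `user@ip, subsystem, action` layout, the menu paths and the verb list are assumptions to adapt to whatever your platform actually emits.

```python
import re

# Constructed sample audit lines. The "user@ip, subsystem, action" layout and the
# menu paths are assumptions for this example; adapt LINE_RE to your platform.
SAMPLE_AUDIT_LOG = """\
2024-03-01T14:45:24Z fmc01 audit: admin@192.0.2.10, Objects > Security Intelligence > Network Lists and Feeds, Page View
2024-03-01T14:46:02Z fmc01 audit: admin@192.0.2.10, Objects > Security Intelligence > Network Lists and Feeds, Add feed Partner-Blocklist
2024-03-01T14:47:31Z fmc01 audit: admin@192.0.2.10, Policies > Access Control, Modified rule Allow-DNS
2024-03-01T14:50:00Z fmc01 audit: truncated entry
2024-03-01T15:02:18Z fmc01 audit: jdoe@192.0.2.44, Objects > Security Intelligence > URL Lists and Feeds, Modified list Internal-Block-URLs
2024-03-01T15:09:55Z fmc01 audit: jdoe@192.0.2.44, Objects > Security Intelligence > Network Lists and Feeds, Delete feed Partner-Blocklist
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+audit:\s+(?P<user>[^@\s]+)@(?P<src>[^,\s]+),"
    r"\s*(?P<subsystem>[^,]+),\s*(?P<action>.+)$"
)
SI_RE = re.compile(r"security intelligence", re.I)
OBJECT_RE = re.compile(r"\b(?:feed|list)s?\b", re.I)
# Whole-word change verbs, so read-only actions such as "Page View" never match.
CHANGE_RE = re.compile(
    r"\b(?:add(?:ed)?|removed?|deleted?|modif(?:y|ied)|edit(?:ed)?|saved?)\b", re.I
)


def find_si_changes(log_text):
    """Return (alerts, skipped): SI feed/list changes and the count of unparsable lines."""
    alerts, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            skipped += 1  # surface parse failures instead of silently dropping them
            continue
        subsystem, action = m["subsystem"].strip(), m["action"].strip()
        is_si_object = SI_RE.search(subsystem) and OBJECT_RE.search(f"{subsystem} {action}")
        if is_si_object and CHANGE_RE.search(action):
            alerts.append({"time": m["ts"], "user": m["user"], "source": m["src"],
                           "action": action})
    return alerts, skipped


if __name__ == "__main__":
    found, bad = find_si_changes(SAMPLE_AUDIT_LOG)
    for a in found:
        print(f'{a["time"]} SI change by {a["user"]} from {a["source"]}: {a["action"]}')
    print(f"{bad} line(s) could not be parsed")
```

A non-zero skipped count is worth alerting on as well, since a change in log format would otherwise make the rule go quiet without anyone noticing.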

Marvin Rhoads
Hall of Fame

The SI feeds are updated constantly by Talos. By default, FMC pulls down the latest content every 2 hours.
