This repository has been archived by the owner on Aug 29, 2023. It is now read-only.

Where do I start Feeds

wes edited this page Mar 14, 2020 · 3 revisions

Introduction

CIF has the ability to generate Threat Intelligence "feeds" from its database of ingested and normalized threats. Minimum characteristics of a CIF feed are:

  1. Filtered by indicator type (ipv4, fqdn, url, ipv6, email)
  2. De-duplicated or aggregated by indicator
  3. Whitelisting data-sets applied

With those minimum characteristics in place, we expect people to apply additional filters of their own; examples of such additional filters are:

  1. confidence (--confidence)
  2. type (--tags [botnet|phishing|malware|scanner|...])
  3. format (-f csv, -f bind, -f snort)

Examples

IPv4

  • indicator type: ipv4, Confidence: 3, Output format: csv

    cif --itype ipv4 --confidence 3 -f csv
    
  • indicator type: ipv4, Confidence: 3, Type (tags): scanner, Output format: csv

    cif --itype ipv4 --confidence 3 --tags scanner -f csv
    

URL

  • indicator type: url, Confidence: 3, Type (tags): phishing, Output format: json

    cif --itype url --confidence 3 --tags phishing -f json
    
  • indicator type: url, Confidence: 2, Type (tags): malware, Period: today, Output format: csv

    cif --itype url --confidence 2 --tags malware -f csv
    

FQDN

  • indicator type: fqdn, Confidence: 4, Type (tags): phishing, Output format: csv

    cif --itype fqdn --confidence 4 --tags phishing -f csv
    
  • indicator type: fqdn, Confidence: 3, Type (tags): botnet, Output format: bind

    cif --itype fqdn --confidence 3 --tags botnet -f bind
    

Email

  • indicator type: email, Confidence: 1, Type (tags): phishing, Period: last-day, Output format: csv

    cif --itype email --confidence 1 --tags phishing -f csv
    

IPv6

  • indicator type: ipv6, Confidence: 1, Type (tags): scanner, Output format: csv

    cif --itype ipv6 --confidence 1 --tags scanner -f csv
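As an added illustration (not CIF's own code), the following Python models the feed pipeline described above and what the `cif` commands in the examples ask for: filter by indicator type, apply a whitelist, threshold on confidence and tags, de-duplicate by indicator keeping the highest-confidence record, and render as csv or a simplified bind-style zone fragment. The record layout, the whitelist, and the output templates are assumptions for this example, not CIF's real schema or formats.

```python
import csv
import io

# Constructed sample of normalized indicator records (assumed layout, not CIF's schema).
# 192.0.2.10 appears twice to exercise de-duplication; 198.51.100.5 and example.net
# are whitelisted below to show the whitelist being applied.
SAMPLE = [
    {"indicator": "192.0.2.10", "itype": "ipv4", "confidence": 4, "tags": ["scanner"]},
    {"indicator": "192.0.2.10", "itype": "ipv4", "confidence": 2, "tags": ["scanner", "bruteforce"]},
    {"indicator": "192.0.2.22", "itype": "ipv4", "confidence": 3, "tags": ["botnet"]},
    {"indicator": "198.51.100.5", "itype": "ipv4", "confidence": 3, "tags": ["scanner"]},
    {"indicator": "example.net", "itype": "fqdn", "confidence": 4, "tags": ["phishing"]},
    {"indicator": "bad.example.org", "itype": "fqdn", "confidence": 3, "tags": ["botnet"]},
    {"indicator": "http://bad.example.org/x", "itype": "url", "confidence": 3, "tags": ["phishing"]},
]

# Constructed whitelist per indicator type: these must never reach a feed.
WHITELIST = {"ipv4": {"198.51.100.5"}, "fqdn": {"example.net"}}


def build_feed(records, itype, confidence=0, tags=None, whitelist=WHITELIST):
    """Filter by itype, drop whitelisted indicators, keep records at or above the
    confidence threshold, require at least one matching tag when tags are given,
    then de-duplicate by indicator keeping the highest-confidence record."""
    best = {}
    for r in records:
        if r["itype"] != itype or r["indicator"] in whitelist.get(itype, set()):
            continue
        if r["confidence"] < confidence:
            continue
        if tags and not set(tags) & set(r["tags"]):
            continue
        cur = best.get(r["indicator"])
        if cur is None or r["confidence"] > cur["confidence"]:
            best[r["indicator"]] = r
    return sorted(best.values(), key=lambda r: r["indicator"])


def render(feed, fmt):
    """Serialise a feed: 'csv' is plain CSV with a header; 'bind' is an assumed
    RPZ-style fragment (CNAME to the root) covering fqdn entries only."""
    if fmt == "csv":
        out = io.StringIO()
        w = csv.writer(out, lineterminator="\n")
        w.writerow(["indicator", "itype", "confidence", "tags"])
        for r in feed:
            w.writerow([r["indicator"], r["itype"], r["confidence"], ";".join(r["tags"])])
        return out.getvalue()
    if fmt == "bind":
        return "".join(f'{r["indicator"]} CNAME .\n' for r in feed if r["itype"] == "fqdn")
    raise ValueError(f"unsupported format: {fmt}")
```

The `cif --itype ipv4 --confidence 3 --tags scanner -f csv` example corresponds to `render(build_feed(SAMPLE, "ipv4", 3, ["scanner"]), "csv")`; the whitelisted fqdn example.net shows why a high-confidence hit can still legitimately be absent from a feed.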