Version: 3.17 (latest)

Global threat feed

A global threat feed resource (GlobalThreatFeed) represents a feed of threat intelligence used for security purposes.

Calico Enterprise supports threat feeds that give either

  • a set of IP addresses or IP prefixes, with content type IPSet, or
  • a set of domain names, with content type DomainNameSet

For each IPSet threat feed, Calico Enterprise automatically monitors flow logs for members of the set. IPSet threat feeds can also be configured to be synchronized to a global network set, allowing you to use them as a dynamically-updating deny-list by incorporating the global network set into network policy.

For each DomainNameSet threat feed, Calico Enterprise automatically monitors DNS logs for queries (QNAME) or answers (RR NAME or RDATA) that contain members of the set.

For kubectl commands, the following case-insensitive aliases may be used to specify the resource type on the CLI:, and abbreviations such as globalthreatfeed.p and globalthreatfeeds.p.

Sample YAML

apiVersion: projectcalico.org/v3
kind: GlobalThreatFeed
metadata:
  name: sample-global-threat-feed
spec:
  content: IPSet
  mode: Enabled
  description: "This is the sample global threat feed"
  feedType: Custom
  globalNetworkSet:
    # labels to set on the GNS
    labels:
      level: high
  pull:
    # accepts time in golang duration format
    period: 24h
    http:
      format:
        newlineDelimited: {}
      url: https://an.example.threat.feed/deny-list
      headers:
        - name: "Accept"
          value: "text/plain"
        - name: "APIKey"
          valueFrom:
            # secrets selected must be in the "tigera-intrusion-detection" namespace in order to be used
            secretKeyRef:
              name: "globalthreatfeed-sample-global-threat-feed-example"
              key: "apikey"

Push or Pull

You can configure Calico Enterprise to pull updates from your threat feed using a pull stanza in the global threat feed spec.

Alternately, you can have your threat feed push updates directly. Leave out the pull stanza, and configure your threat feed to create or update the Elasticsearch document that corresponds to the global threat feed object.

For IPSet threat feeds, this Elasticsearch document will be in the index .tigera.ipset.<cluster_name> and must have the ID set to the name of the global threat feed object. The doc should have a single field called ips, containing a list of IP prefixes.

For example:

PUT .tigera.ipset.cluster01/_doc/sample-global-threat-feed
{
  "ips" : ["", ""]
}

For DomainNameSet threat feeds, this Elasticsearch document will be in the index .tigera.domainnameset.<cluster_name> and must have the ID set to the name of the global threat feed object. The doc should have a single field called domains, containing a list of domain names.

For example:

PUT .tigera.domainnameset.cluster01/_doc/example-global-threat-feed
{
  "domains" : ["malware.badstuff", ""]
}

Refer to the Elasticsearch document APIs for more information on how to create and update documents in Elasticsearch.

GlobalThreatFeed Definition


Metadata

| Field | Description | Accepted Values | Schema |
| --- | --- | --- | --- |
| name | The name of this threat feed. | Lower-case alphanumeric with optional - | string |
| labels | A set of labels to apply to this threat | | |


Spec

| Field | Description | Accepted Values | Schema | Default |
| --- | --- | --- | --- | --- |
| content | What kind of threat intelligence is provided | IPSet, DomainNameSet | string | IPSet |
| mode | Determines if the threat feed is Enabled or Disabled | Enabled, Disabled | string | Enabled |
| description | Human-readable description of the template | Maximum 256 characters | string | |
| feedType | Distinguishes Builtin threat feeds from Custom feeds | Builtin, Custom | string | Custom |
| globalNetworkSet | Include to sync with a global network set | | GlobalNetworkSetSync | |
| pull | Configure periodic pull of threat feed updates | | Pull | |


Status

The status is read-only for users and updated by the intrusion-detection-controller component as it processes global threat feeds.

| Field | Description |
| --- | --- |
| lastSuccessfulSync | Timestamp of the last successful update to the threat intelligence from the feed |
| lastSuccessfulSearch | Timestamp of the last successful search of logs for threats |
| errorConditions | List of errors preventing operation of the updates or search |


GlobalNetworkSetSync

When you include a globalNetworkSet stanza in a global threat feed, it triggers synchronization with a global network set. This global network set will have the name threatfeed.<threat feed name> where <threat feed name> is the name of the global threat feed it is synced with. This is only supported for threat feeds of type IPSet.

A globalNetworkSet stanza only works for IPSet threat feeds, and you must also include a pull stanza.

| Field | Description | Accepted Values | Schema |
| --- | --- | --- | --- |
| labels | A set of labels to apply to the synced global network set | | map |


Pull

When you include a pull stanza in a global threat feed, it triggers a periodic pull of new data. On successful pull and update to the data store, we update the status.lastSuccessfulSync timestamp.

If you do not include a pull stanza, you must configure your system to push updates.

| Field | Description | Accepted Values | Schema | Default |
| --- | --- | --- | --- | --- |
| period | How often to pull an update | 5m | Duration string | 24h |
| http | Pull the update from an HTTP endpoint | | HTTPPull | |


HTTPPull

Pull updates from the threat feed by doing an HTTP GET against the given URL.

| Field | Description | Accepted Values | Schema |
| --- | --- | --- | --- |
| format | Format of the data the threat feed returns | | Format |
| url | The URL to query | | string |
| headers | List of additional HTTP Headers to include on the request | | HTTPHeader |

IPSet threat feeds must contain IP addresses or IP prefixes. For example:

 This is an IP Prefix
This is an address

DomainNameSet threat feeds must contain domain names. For example:

 Suspicious domains

Internationalized domain names (IDNA) may be encoded either as Unicode in UTF-8 format, or as ASCII-Compatible Encoding (ACE) according to RFC 5890.


Format

Several different feed formats are supported. The default, newlineDelimited, expects a text file containing entries separated by newline characters. It may also include comments prefixed by #. json uses a jsonpath to extract the desired information from a JSON document. csv extracts one column from CSV-formatted data.

| Field | Description | Schema |
| --- | --- | --- |
| newlineDelimited | Newline-delimited text file | Empty object |
| json | JSON object | JSON |
| csv | CSV file | CSV |
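A pre-publication check for a custom feed, covering the newlineDelimited format described above and the push documents from the Push or Pull section. This is an added example, not Calico Enterprise code: the function names, the whole-line comment handling and the domain label rule are assumptions, and the sample addresses are constructed.

```python
import ipaddress
import json
import re

LABEL = r"[a-z0-9_](?:[a-z0-9_-]*[a-z0-9_])?"
DOMAIN_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")
# Content type -> (index prefix, document field), as given in "Push or Pull".
PUSH_TARGET = {"IPSet": (".tigera.ipset", "ips"),
               "DomainNameSet": (".tigera.domainnameset", "domains")}

def check_entry(entry, content):
    """Return the normalized entry, or raise ValueError if it does not fit the content type."""
    if content == "IPSet":
        # Accepts a bare address or a prefix; rejects prefixes with host bits set.
        return str(ipaddress.ip_network(entry))
    try:
        # Python's built-in codec is IDNA 2003; used here only to get an ACE form to lint.
        ace = entry.lower().rstrip(".").encode("idna").decode("ascii")
    except UnicodeError as exc:
        raise ValueError(f"bad IDNA name: {exc}") from exc
    if len(ace) > 253 or not DOMAIN_RE.fullmatch(ace):
        raise ValueError("not a domain name")
    return ace

def lint_feed(text, content):
    """Split a newlineDelimited feed body into (accepted, rejected) entries."""
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: whole-line comments only
            continue
        try:
            accepted.append(check_entry(line, content))
        except ValueError as exc:
            rejected.append((lineno, line, str(exc)))
    return accepted, rejected

def push_request(cluster, feed_name, content, entries):
    """Build the Elasticsearch request line and JSON body for a push-mode update."""
    index, field = PUSH_TARGET[content]
    return f"PUT {index}.{cluster}/_doc/{feed_name}", json.dumps({field: entries})

# Constructed sample feed (documentation address ranges, not real indicators).
SAMPLE_IPSET = "# constructed\n192.0.2.0/24\n198.51.100.7\n192.0.2.9/24\nnot-an-ip\n"

if __name__ == "__main__":
    ok, bad = lint_feed(SAMPLE_IPSET, "IPSet")
    print(push_request("cluster01", "sample-global-threat-feed", "IPSet", ok), bad)
```

Rejecting a prefix with host bits set, rather than masking it, keeps a typo from silently widening what a synced deny-list blocks.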


JSON

| Field | Description | Schema |
| --- | --- | --- |
| path | jsonpath to extract values. | string |

Values can be extracted from the document using any jsonpath expression, subject to the limitations mentioned below, that evaluates to a list of strings. For example: $. is valid for ["a", "b", "c"], and $.a is valid for {"a": ["b", "c"]}.


No support for subexpressions and filters. Strings in brackets must use double quotes. It cannot operate on JSON decoded struct fields.


CSV

| Field | Description | Schema |
| --- | --- | --- |
| fieldNum | Number of column containing values. Mutually exclusive with | |
| fieldName | Name of column containing values, requires header: true. | string |
| header | Whether or not the document contains a header row. | bool |
| columnDelimiter | An alternative delimiter character, such as \|. | string |
| commentDelimiter | Lines beginning with this character are skipped. # is common. | string |
| recordSize | The number of columns expected in the document. Auto detected if | |
| disableRecordSizeValidation | Disable row size checking. Mutually exclusive with recordSize. | bool |


HTTPHeader

| Field | Description | Schema |
| --- | --- | --- |
| name | Header name | string |
| value | Literal value | string |
| valueFrom | Include to retrieve the value from a config map or secret | HTTPHeaderSource |

You must include either value or valueFrom, but not both.


HTTPHeaderSource

| Field | Description | Schema |
| --- | --- | --- |
| configMapKeyRef | Get the value from a config map | KeyRef |
| secretKeyRef | Get the value from a secret | KeyRef |


KeyRef

KeyRef tells Calico Enterprise where to get the value for a header. The referenced Kubernetes object (either a config map or a secret) must be in the tigera-intrusion-detection namespace. The referenced Kubernetes object should have a name with the following prefix format: globalthreatfeed-<GlobalThreatFeed.Name>-.

| Field | Description | Accepted Values | Schema | Default |
| --- | --- | --- | --- | --- |
| name | The name of the config map or secret | | string | |
| key | The key within the config map or secret | | string | |
| optional | Whether the pull can proceed without the referenced value | If the referenced value does not exist, true means omit the header. false means abort the entire pull until it exists | bool | false |
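
The cross-field rules on this page (globalNetworkSet needing IPSet content and a pull stanza, value versus valueFrom, the KeyRef name prefix, the csv options) can be checked before a manifest is applied. This is an added example, not part of Calico Enterprise; check_feed and the sample manifest are hypothetical, and the manifest is assumed to be already loaded into a dict.

```python
import re

def check_feed(manifest):
    """Return the problems found in a GlobalThreatFeed manifest given as a dict."""
    problems = []
    name = manifest.get("metadata", {}).get("name", "")
    spec = manifest.get("spec", {})
    if not re.fullmatch(r"[a-z0-9-]+", name):
        problems.append("name must be lower-case alphanumeric with optional '-'")
    content = spec.get("content", "IPSet")  # IPSet is the documented default
    pull = spec.get("pull")
    if "globalNetworkSet" in spec:
        if content != "IPSet":
            problems.append("globalNetworkSet is only supported for IPSet feeds")
        if pull is None:
            problems.append("globalNetworkSet requires a pull stanza")
    http = (pull or {}).get("http", {})
    for header in http.get("headers", []):
        hname = header.get("name")
        if ("value" in header) == ("valueFrom" in header):
            problems.append(f"header {hname!r}: set exactly one of value or valueFrom")
        for kind, ref in header.get("valueFrom", {}).items():
            if not ref.get("name", "").startswith(f"globalthreatfeed-{name}-"):
                problems.append(f"header {hname!r}: {kind} name lacks the feed prefix")
    csv = http.get("format", {}).get("csv", {})
    if "fieldName" in csv and csv.get("header") is not True:
        problems.append("csv.fieldName requires header: true")
    if "recordSize" in csv and csv.get("disableRecordSizeValidation"):
        problems.append("csv.recordSize excludes disableRecordSizeValidation")
    return problems

# Constructed manifest (as the dict a YAML loader would produce) with three mistakes.
BAD_FEED = {
    "metadata": {"name": "sample-global-threat-feed"},
    "spec": {
        "content": "DomainNameSet",
        "globalNetworkSet": {"labels": {"level": "high"}},
        "pull": {"http": {
            "url": "https://an.example.threat.feed/deny-list",
            "format": {"csv": {"fieldName": "domain"}},
            "headers": [{"name": "APIKey", "valueFrom": {
                "secretKeyRef": {"name": "feed-apikey", "key": "apikey"}}}],
        }},
    },
}

if __name__ == "__main__":
    print("\n".join(check_feed(BAD_FEED)))
```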