  • Last Updated: Oct 21, 2025
  • Version: 1.0.0
  • Compatibility: ThreatQ >= v5.12.1

    MalBeacon CDF

    ThreatQuotient

    Overview

    The MalBeacon CDF integration enables organizations to leverage deception-based threat intelligence to enhance their security posture. By ingesting IPs, hostnames, emails, and hashes associated with malicious activity, the feed provides actionable insights into real-world attacker behavior. MalBeacon uses decoy systems to lure and observe attackers, allowing security teams to analyze their tactics, techniques, and procedures (TTPs) and proactively strengthen defenses.

    The integration provides the following feeds:

    • MalBeacon Actor Beacons - ingests IPs and hostnames associated with threat actors and their command-and-control (C2) beacons.
    • MalBeacon Malware C2 - ingests IPs and hostnames gathered from IPv4 scans identifying malware C2 infrastructure.
    • MalBeacon Email Beacons - ingests emails, IPs, and hostnames from attacker-controlled email accounts.
    • MalBeacon Document Beacons - ingests IPs and hostnames extracted from malware sandbox-based document beacons.

    The integration ingests the following object types:

    • Indicators
    • Indicator Attributes
    • Malware

    Copyright © 2025, ThreatQuotient, Inc. All Rights Reserved.