MISP · STIX/TAXII · FortiGate EBL · Palo Alto EDL · Dark Web

Threat Intelligence for Indian Enterprises

Ogma delivers actionable threat intelligence powered by MISP, curated IOC feeds, dark-web monitoring and adversary profiling — purpose-built for India's threat landscape.

Live feed — currently tracking 1.4M+ active indicators across 40+ sources, updated every 15 minutes.

  • 1.4M+ Live IOCs (auto-refreshing)
  • 40+ Curated Feed Sources
  • TAXII 2.1 Native SIEM / EDR Integration
  • MITRE ATT&CK Mapped Adversary Profiles

What's in the Feed Right Now

Every number below is pulled live from our production MISP cluster. This is not a marketing estimate — it is the current state of the active IOC database, refreshed every 10 minutes.

Live counters (values load from the production MISP cluster):

  • Malicious IPs
  • Bad Domains
  • Malicious URLs
  • SHA-256 Hashes
  • Known CVEs
  • MD5 Hashes

Threat Intelligence Services

End-to-end TI capabilities — from raw IOC ingestion to boardroom-ready strategic reports.

IOC Feed Management

Curated feeds of malware hashes, C2 domains, phishing URLs and IP blocklists. STIX 2.1 formatted, delivered via TAXII 2.1 for automated ingestion into your SIEM and EDR.

Dark Web Monitoring

Continuous monitoring of dark-web forums, paste sites and Telegram channels for leaked credentials, data exposure, brand mentions and planned attacks against your organisation.

Adversary Profiling

MITRE ATT&CK-mapped profiles of threat actors targeting your sector. Understand their TTPs, tooling, infrastructure and historical campaigns to anticipate their next move.

Threat Hunting

Hypothesis-driven hunts using IOCs and behavioural indicators to find adversaries already inside your network. We search what automated tools miss — living-off-the-land, lateral movement and dormant implants.

MISP Platform Management

We deploy, configure and manage your MISP instance — feed curation, event correlation, sharing groups, taxonomies and integration with your existing security stack.

Strategic Intelligence Reports

Monthly and quarterly reports for CISOs and boards covering threat-landscape shifts, sector-specific risks, geopolitical cyber trends affecting India, and recommended defensive actions.

Drop-In Integration with Your Stack

Four ways to consume the Ogma TI feed. All require only a bearer token you generate in the customer portal. No cron jobs, no manual imports.

Fortinet FortiGate — External Block List (EBL)

FortiGate pulls the feed automatically every 60 minutes. Use the connector as a source address in any firewall policy.

https://portal.ogma.in/apps/ti/api/feed/ip.txt?token=YOUR_TOKEN
https://portal.ogma.in/apps/ti/api/feed/domain.txt?token=YOUR_TOKEN

FortiGate UI → Security Fabric → External Connectors → New → IP Address Threat Feed (or Domain Threat Feed).

Palo Alto Networks — External Dynamic List (EDL)

PAN-OS fetches the list on the interval you configure. Reference it directly in any security policy.

https://portal.ogma.in/apps/ti/api/feed/ip.txt?token=YOUR_TOKEN
https://portal.ogma.in/apps/ti/api/feed/domain.txt?token=YOUR_TOKEN

PAN-OS → Objects → External Dynamic Lists → Add → IP List / Domain List.

SIEM Integration

Native connectors for every major SIEM. IOCs enrich alerts automatically — no custom parsing, no stale lookup tables.

  • Splunk — TA add-on (TAXII 2.1 collector)
  • Elastic / OpenSearch — ingest pipeline JSON
  • FortiSIEM — native STIX collector
  • Microsoft Sentinel — Threat Intelligence Platform connector

SOAR & REST API

Token-authenticated JSON endpoints for SOAR playbooks (FortiSOAR, Splunk SOAR, XSOAR) and custom automation.

GET /apps/ti/api/lookup?value=1.2.3.4
POST /apps/ti/api/bulk (array of IOCs)

Bearer auth. Rate-limited per token. Dev docs in-portal.


How Our TI Platform Works

Threat intelligence is only useful when it reaches your defences in real time.

1. Collect & Curate

MISP aggregates IOCs from 40+ sources — OpenPhish, CISA KEV, Emerging Threats, Spamhaus DROP/EDROP, SANS DShield, Abuse.ch, Tor exit nodes, commercial feeds, dark-web monitoring and Ogma in-house research. Analysts deduplicate, enrich and score every indicator.

2. Distribute via TAXII 2.1 / Feed URLs

STIX 2.1 objects publish to TAXII endpoints; plain-text feeds serve FortiGate EBL and Palo Alto EDL. Your SIEM (Splunk, Elastic, FortiSIEM, Sentinel), SOAR and EDR (CrowdStrike, FortiEDR) auto-pull feeds.

3. Detect & Block

IOCs become detection rules and blocklists across your stack. Known-bad IPs hit firewall deny lists. Malware hashes trigger EDR alerts. Phishing domains are blocked at the DNS layer. CVEs under active exploitation move up your patch queue.
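As an added example that is not Ogma's code and not part of the original page, the Python below shows the two operations behind the drop-in feed integration and the Detect & Block step: validating a plain-text IP/domain list before a firewall consumes it, and matching firewall log lines against the resulting indicator set. It assumes the feed format is one indicator per line with `#` comments (the style FortiGate threat feeds and PAN-OS EDLs accept); the feed contents and log lines are constructed samples, not real indicators, and the `hostname=` log field is an assumed key.

```python
"""Validate a plain-text IP/domain blocklist feed and match it against log lines."""
import ipaddress
import re

# Constructed sample feeds (not real indicators). One entry per line, '#' comments.
SAMPLE_IP_FEED = """\
# constructed ip feed sample
198.51.100.7
203.0.113.0/24
192.0.2.10-192.0.2.20   # range syntax, expanded to CIDR blocks below
not-an-ip
198.51.100.7
"""

SAMPLE_DOMAIN_FEED = """\
# constructed domain feed sample
bad.example.net
phish.example.org
bad.example.net
*.wild.example
http://notadomain.example/path
"""

# Constructed firewall-style log lines; 'hostname=' is an assumed field name.
SAMPLE_LOGS = [
    'date=2024-01-01 srcip=10.0.0.5 dstip=203.0.113.44 dstport=443 action=accept',
    'date=2024-01-01 srcip=10.0.0.9 dstip=93.184.216.34 hostname="cdn.bad.example.net" action=accept',
    'date=2024-01-01 srcip=10.0.0.7 dstip=10.0.0.1 action=accept',
]

# Bare hostname: labels of 1-63 chars, no leading/trailing hyphen, alphabetic TLD.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r'hostname="?([A-Za-z0-9.-]+)')


def parse_ip_feed(text):
    """Return (networks, rejected). Ranges become CIDR blocks; duplicates are dropped."""
    nets, rejected, seen = [], [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            if "-" in line:
                lo, hi = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
                entries = list(ipaddress.summarize_address_range(lo, hi))
            else:
                entries = [ipaddress.ip_network(line, strict=False)]
        except ValueError as exc:
            rejected.append((n, line, str(exc)))  # a bad line should not poison the list
            continue
        for net in entries:
            if net not in seen:
                seen.add(net)
                nets.append(net)
    return nets, rejected


def parse_domain_feed(text):
    """Return (domains, rejected); only bare hostnames are accepted, lower-cased."""
    domains, rejected = set(), []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not line:
            continue
        if DOMAIN_RE.match(line):
            domains.add(line)
        else:
            rejected.append((n, line, "not a bare hostname"))
    return domains, rejected


def match_log_line(line, nets, domains):
    """Return hits as (kind, observed_value, matched_indicator) tuples."""
    hits = []
    for tok in IP_RE.findall(line):
        try:
            addr = ipaddress.ip_address(tok)
        except ValueError:
            continue  # e.g. 999.1.1.1 matched the regex but is not an address
        for net in nets:
            if addr in net:
                hits.append(("ip", tok, str(net)))
                break
    for host in HOST_RE.findall(line):
        h = host.lower().rstrip(".")
        parts = h.split(".")
        # Match the exact host or any parent domain carried in the feed.
        for i in range(len(parts) - 1):
            cand = ".".join(parts[i:])
            if cand in domains:
                hits.append(("domain", h, cand))
                break
    return hits


def scan_logs(lines, nets, domains):
    """Return [(line_index, hits)] for every log line with at least one hit."""
    out = []
    for i, line in enumerate(lines):
        hits = match_log_line(line, nets, domains)
        if hits:
            out.append((i, hits))
    return out


if __name__ == "__main__":
    nets, bad_ips = parse_ip_feed(SAMPLE_IP_FEED)
    doms, bad_doms = parse_domain_feed(SAMPLE_DOMAIN_FEED)
    print(f"{len(nets)} networks, {len(doms)} domains; rejected {bad_ips + bad_doms}")
    for idx, hits in scan_logs(SAMPLE_LOGS, nets, doms):
        print(idx, hits)
```

Validating before publishing matters because a firewall that fails to parse one line may refuse the whole list refresh and silently keep the previous copy; the `rejected` lists give you something to alert on. Parent-domain matching is what turns a feed entry for `bad.example.net` into a hit on `cdn.bad.example.net`, which a plain string-equality lookup table would miss.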

Why Ogma for Threat Intelligence

We don't just sell feeds. We operate the platform, curate the intelligence and integrate it into your defences.

MISP Expertise

Production MISP deployments with feed curation, galaxy clusters, warninglists and automated correlation engines.

1.4M+ Live IOC Library

Continuously enriched indicator database covering malware, C2, phishing, active CVEs and India-specific threat infrastructure.

STIX / TAXII Native

All intelligence published in STIX 2.1 with TAXII 2.1 endpoints. Standards-based, vendor-agnostic, automation-ready.

India-Focused Landscape

Threat actors targeting BFSI, government, healthcare and critical infrastructure in India. Regional context your global vendor can't provide.

SOC Integration

TI feeds plug directly into your SOC workflow — enriching alerts, automating triage and reducing analyst investigation time.

Compliance Reporting

TI reports mapped to CERT-In, RBI, SEBI CSCRF and ISO 27001:2022 requirements. Evidence packages for audits and regulatory submissions.

Frequently Asked Questions

Threat intelligence is the collection, analysis and operationalisation of data about cyber threats. Indian enterprises face targeted attacks from state-sponsored actors, hacktivist groups and financially motivated attackers going after BFSI, government, healthcare, manufacturing and critical infrastructure. TI shifts you from reactive to proactive: block known-bad IPs and domains at the firewall before they reach users, enrich every SIEM alert with adversary context, and prioritise patching by active exploitation.

The feed is live; the exact number is on this page and updates every 10 minutes. At the time of writing the IOC library crosses 1.4 million active indicators — malicious IPs, bad domains, phishing URLs, SHA-256 / MD5 malware hashes, known CVEs under active exploitation, and compromised email addresses. It is built from 40+ curated sources: MISP community feeds, OpenPhish, CISA KEV, Emerging Threats, Spamhaus DROP/EDROP, Abuse.ch, Tor exit nodes, and Ogma in-house research on threats targeting Indian enterprises.

Five drop-in formats: (1) FortiGate External Block List — plain-text IP / domain feed your FortiGate auto-refreshes every 60 minutes; (2) Palo Alto External Dynamic List — identical pattern for PAN-OS; (3) SIEM Integration — Splunk TA, Elastic pipelines, FortiSIEM REST, Microsoft Sentinel; (4) SOAR & REST API — tokenised JSON endpoints for custom playbooks; (5) Download Feeds — CSV / JSON snapshots for offline analysis. All endpoints use bearer-token auth (tokens managed by the customer in the portal).

Customers get an instant HTTPS URL like https://portal.ogma.in/apps/ti/api/feed/ip.txt?token=... — paste it into FortiGate → Security Fabric → External Connectors (or PAN-OS → Objects → External Dynamic Lists), set refresh interval to 60 minutes, create a firewall policy referencing the connector as the source address, done. No cron jobs, no manual imports. The feed auto-refreshes; the firewall auto-pulls.

Ogma analysts run continuous monitoring of dark-web forums, paste sites, Telegram channels and underground marketplaces for mentions of your brand, domains, employee credentials, leaked datasets and planned attacks. You receive real-time alerts with the original source, confidence score, and recommended response steps.

Yes. Native integrations with Splunk, Elastic, FortiSIEM, Microsoft Sentinel on the SIEM side, and CrowdStrike Falcon, FortiEDR and SentinelOne on the EDR side. Delivery is via TAXII 2.1 (STIX 2.1 objects), REST JSON, syslog or direct feed URLs depending on what your stack prefers.

Subscription pricing based on feed scope and seat count. Firewall blocklist feeds start as a flat monthly fee; full-service TI with dark-web monitoring, adversary profiling and strategic reports is priced on organisation size and sector. Contact us for a quote — scoping call is free.

Turn Threat Data into Defensive Action

Talk to Ogma's threat intelligence team. We'll assess your current TI maturity and build a program that fits your stack, sector and budget.