How to Configure the IoT Feed
Learn how to use DigitalStakeout’s IoT Feed to detect exposed devices and services by keyword across public-facing IP infrastructure.
The IoT Feed in DigitalStakeout XTI allows you to monitor and detect publicly exposed services and devices operating on direct IP addresses. It's especially useful for identifying vulnerabilities in internet-facing infrastructure, misconfigured devices, or shadow IT.
Use Cases
- 🛡️ Attack Surface Monitoring — Detect exposed services or unmonitored IPs
- 🧪 Vulnerability Research — Monitor for open ports or IoT protocols by keyword
- 🚨 Threat Detection — Discover devices being exploited or beaconing to threat actors
- 🧭 Risk Intelligence — Track exposure trends across industries, vendors, or locations
Setting Up an IoT Feed
1. Basic Setup
Field | Description |
---|---|
Status | Enable or disable the feed |
Expires On | Optional expiration date for auto-deactivation |
Monitor Name | Descriptive name for reference |
Use Case | Choose the scenario (e.g., Vulnerability Assessment, DRP) |
Tags | Add relevant tags for organization |
Send Data To | Choose output destination (project folder or external system) |
Translate on Add | Auto-translate captured content if applicable |
2. Keyword Configuration
Setting | Purpose |
---|---|
Primary Keywords | Core search terms tied to exposed devices or services |
Must Contain | Required additional context for event inclusion |
Must Not Contain | Blocklist terms to reduce noise |
Examples:
- Primary: open camera, mqtt, public printer
- Must Contain: port 554, firmware
- Must Not Contain: nasa.gov (to exclude trusted or irrelevant sources)
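An added example, not DigitalStakeout code: a small Python dry run that checks the example keyword lists above against constructed sample records before you save them in a monitor. The matching rules it uses (case-insensitive substring match, any one Primary term, any one Must Contain term, any Must Not Contain term excludes the record) are assumptions, since this page does not state them; `KeywordFilter` and `dry_run` are hypothetical names.

```python
# Added example: offline dry run of a keyword set. Assumed semantics (the page
# does not state them): case-insensitive substring match, any one Primary term,
# any one Must Contain term, and any Must Not Contain term drops the record.
from dataclasses import dataclass, field

@dataclass
class KeywordFilter:
    primary: list
    must_contain: list = field(default_factory=list)
    must_not_contain: list = field(default_factory=list)

    @staticmethod
    def _hits(terms, text):
        low = text.lower()
        return [t for t in terms if t.lower() in low]

    def evaluate(self, text):
        """Return (kept, reason, matched_terms) for one record."""
        blocked = self._hits(self.must_not_contain, text)
        if blocked:
            return False, "must_not_contain", blocked
        primary = self._hits(self.primary, text)
        if not primary:
            return False, "no_primary", []
        context = self._hits(self.must_contain, text)
        if self.must_contain and not context:
            return False, "missing_must_contain", primary
        return True, "match", primary + context

# Keyword lists copied from the Examples in this section.
FEED = KeywordFilter(
    primary=["open camera", "mqtt", "public printer"],
    must_contain=["port 554", "firmware"],
    must_not_contain=["nasa.gov"],
)
# Constructed sample records, not real feed output.
SAMPLES = [
    "Open camera RTSP stream on port 554, vendor login page",
    "MQTT broker accepting anonymous connections",
    "public printer status page, firmware 2.1, host lab.nasa.gov",
    "SSH banner OpenSSH 8.9",
]

def dry_run(flt, records):  # returns (record, kept, reason, terms) tuples
    return [(r, *flt.evaluate(r)) for r in records]

if __name__ == "__main__":
    for record, kept, reason, terms in dry_run(FEED, SAMPLES):
        print(f"{'KEEP' if kept else 'DROP'} {reason:<21} {terms} <- {record}")
```

The second sample shows the effect of Must Contain: a record that hits a Primary keyword is still dropped when it carries neither context term.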
Monitoring Workflow
Once configured, your IoT Feed will continuously scan exposed IP-facing services for matches.
Each event will include:
- Device/service reference
- Source IP and port (if available)
- Matched keywords and metadata
- Timestamp and contextual analysis
All results are accessible and filterable in the XTI console.
Best Practices
- 🎯 Be specific — Target keywords by protocol, port, vendor, or function
- 🧠 Refine regularly — Update keyword filters as IoT threats evolve
- 🔄 Use tags — Group monitors by vendor, location, or asset type
- 🔗 Cross-reference feeds — Use in conjunction with Domain Feed or CVE Feed
- 📥 Ingest external alerts — Forward IP indicators to Email Collector for correlation