Rapid7’s internal use of Community Threats was superseded with the introduction of the ABA detection engine, which allowed for feeds to be directly incorporated from multiple sources across multiple regions and, more importantly, curated and vetted by our internal detection experts. So, your supposition is correct - many of the IOCs that are in Community Threats are already being ingested and automatically applied to all customers via ABA, and the ones that are not are likely to have been excised due to being false positives or excessively noisy. Additionally, just in the last month we have added hundreds of new ABA rules powered by the IntSights/Threat Command threat library and will continue to do so going forward.
To pre-empt a follow-on question - whilst we don’t currently display the full lists of IOCs (domains, hashes and so on) that are being used in the ABA rules, this is very high up on our roadmap, both to improve transparency and to potentially reduce the duplication of effort that might be occurring with customers’ use of the Community Threats feature.
So, for example, referring to C2 - this rule
Network Flow - Destination Address in Cobalt Strike C2 List
has the logic
from( entry_type = "flow" ) where( direction = "OUTBOUND" AND NOT ( destination_port IN ["137", "139", "135", "445", "0"] ) AND SUBQUERY("Cobalt Strike C2 List") AND SUBQUERY("Cobalt Strike C2 Ports List") )
which refers to two internal feeds (the subqueries) which are automatically imported from a variety of sources, tested and verified against troves of data to identify false positives, and then automatically pushed out to all customers. What we are intending to do is to allow customers to drill into those subqueries to see the underlying datasets and, potentially, re-use them in their own Custom Detection Rules.
To your second question, unfortunately exceptions are not available with Community Threats and are not planned to be implemented in its current form. However, when the above comes to fruition you would be able to craft an exception that specifically excluded the legitimate domains from the alert.
Whilst I am by no means an expert and every customer has different needs and complexities, I know that our internal MDR SOC teams have their threat intel feed needs satisfied via the built-in ABA alerts and no longer use Community Threats at all. However, I also understand that, as customers do not have the visibility into the content used, the reassurance provided by Community Threats is a value all to itself.
This turned into a bit of an epic so I will stop, but please feel free to ask more questions if you have any.
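An added example (not Rapid7's code) that walks through the logic of the quoted rule over constructed flow records, and models the kind of exception the post says customers could craft once the subquery contents are exposed. The two feed contents are constructed placeholders (RFC 5737 documentation addresses), not the real "Cobalt Strike C2 List" or "Cobalt Strike C2 Ports List".

```python
# Added example, not Rapid7's code: evaluates the quoted ABA rule logic
# ("Network Flow - Destination Address in Cobalt Strike C2 List") locally.

NOISY_PORTS = {"137", "139", "135", "445", "0"}   # ports the rule excludes

# Constructed stand-ins for the two feeds behind the rule's SUBQUERY() calls.
COBALT_STRIKE_C2_LIST = {"203.0.113.10", "198.51.100.77"}   # placeholder feed
COBALT_STRIKE_C2_PORTS_LIST = {"443", "8080", "50050"}      # placeholder feed


def rule_matches(entry, c2_list=COBALT_STRIKE_C2_LIST,
                 c2_ports=COBALT_STRIKE_C2_PORTS_LIST, exceptions=()):
    """Return True if a log entry satisfies the quoted rule logic.

    `exceptions` models the customer-crafted allowlist the post describes:
    legitimate destinations listed there never raise the alert.
    """
    if entry.get("entry_type") != "flow":           # from( entry_type = "flow" )
        return False
    port = str(entry.get("destination_port", ""))
    dest = entry.get("destination_address", "")
    if dest in exceptions:                           # customer exception
        return False
    return (entry.get("direction") == "OUTBOUND"
            and port not in NOISY_PORTS
            and dest in c2_list                      # SUBQUERY("Cobalt Strike C2 List")
            and port in c2_ports)                    # SUBQUERY("Cobalt Strike C2 Ports List")


def evaluate(entries, **kwargs):
    """Return the entries that would raise the alert."""
    return [e for e in entries if rule_matches(e, **kwargs)]


# Constructed sample flow records; only the first one should alert.
SAMPLE_FLOWS = [
    {"entry_type": "flow", "direction": "OUTBOUND",
     "destination_address": "203.0.113.10", "destination_port": 443},    # alert
    {"entry_type": "flow", "direction": "OUTBOUND",
     "destination_address": "203.0.113.10", "destination_port": 445},    # excluded port
    {"entry_type": "flow", "direction": "INBOUND",
     "destination_address": "198.51.100.77", "destination_port": 8080},  # wrong direction
    {"entry_type": "flow", "direction": "OUTBOUND",
     "destination_address": "198.51.100.77", "destination_port": 22},    # port not in feed
    {"entry_type": "dns", "direction": "OUTBOUND",
     "destination_address": "203.0.113.10", "destination_port": 443},    # not a flow
]
```

Passing `exceptions={"203.0.113.10"}` to `evaluate` suppresses the one hit, which is the effect the post describes for an exception on a legitimate domain.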