Why feeds are always of questionable value. The famous 'pyramid of pain'

http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

I think use cases built to alert on feeds can be pretty hit and miss but this is very useful

https://iplists.firehol.org/

TLS Certificates used by Malware

https://sslbl.abuse.ch/ssl-certificates/

TOR Exit IP's

https://check.torproject.org/torbulkexitlist

Curated lists

https://github.com/drb-ra/C2IntelFeeds

The excellent Greynoise. Is the thing scanning / trying to exploit you specific to you or scanning everyone? Makes those external firewall logs that audit make you keep interesting and useful....

https://www.greynoise.io/