Splunk Search

What are the open threat lists Optiv Threat Intel gets its feeds from?

Makinde
New Member

Hi Derek,

I am just curious to know the various feeds Optiv Threat Intel makes use of.

I would like to know so I am not duplicating threat intelligence in my network.

Thanks

0 Karma
1 Solution

derekarnold
Communicator

Hi Makinde,
Here's the current list. If there is overlap with other data sources, I can tell you the app is pretty lightweight on license utilization, disk, and CPU cores.

SpamHaus, Dshield, Frodo
URL: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
Emerging Threats Compromised IPs
URL: http://rules.emergingthreats.net/blockrules/compromised-ips.txt
Binary Defense
URL: http://www.binarydefense.com/banlist.txt
malc0de IPs
URL: http://malc0de.com/bl/IP_Blacklist.txt
AlienVault
URL: https://reputation.alienvault.com/reputation.generic
Tor Exit Nodes
URL: https://check.torproject.org/exit-addresses
Zeus
URL: https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
Open Blocklist base 1 day
URL: http://www.openbl.org/lists/base_1days.txt
MalwareBytes Domains
URL: http://avant.it-mate.co.uk/dl/Tools/hpHosts/hosts.txt
Malware Domains
URL: http://www.malwaredomainlist.com/hostslist/hosts.txt
ISC SANS Suspicious Domains
URL: https://isc.sans.edu/feeds/suspiciousdomains_High.txt
Open Phish URLs
URL: https://openphish.com/feed.txt
Phish Tank URLs
URL: http://data.phishtank.com/data/online-valid.csv
Bambenek IPs
URL: http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt
Talos Intel IPs
URL: http://www.talosintel.com/feeds/ip-filter.blf

System12
New Member

Hi Derek,

Are you able to add your own STIX/TAXII feed to it, in addition to the ones you listed?

0 Karma

derekarnold
Communicator

System12, given an accessible URL, it's just a matter of adding a function for a new threat feed in the code. Do you have something particular in mind you can share?

0 Karma
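
Added example, written for this thread and not code from the Optiv Threat Intel app or from Derek: a Python sketch that reads the feed layouts in the accepted answer's list (one IP or CIDR per line, Tor exit-addresses, hosts-file, PhishTank CSV, Bambenek CSV) with one parser function per layout, normalises everything into a single deduplicated lookup, and reports indicators that more than one feed publishes, which is the duplication Makinde asked about. It also illustrates Derek's point above that supporting another feed is one parser function plus a registry entry. The feed bodies are constructed samples embedded inline (RFC 5737 documentation addresses, example.* names, .invalid URLs); the feed names, the FEED_PARSERS registry and the CSV column names are this example's own assumptions, and nothing is fetched from the network.

```python
"""Normalise open threat feeds of different layouts into one deduplicated lookup.
Added example, not the Optiv Threat Intel app's own code: the feed bodies below are
constructed samples in the layout of the feeds listed in the thread."""
import csv
import io
import ipaddress
import re

SAMPLE_FEEDS = {  # constructed sample bodies (assumed feed names), one per layout
    # one IP or CIDR per line with '#' comments (Emerging Threats, Binary Defense, malc0de)
    "emerging_threats_block_ips": "# sample\n203.0.113.10\n198.51.100.0/24\n"
                                  "not-an-ip\n203.0.113.10\n",
    # Tor exit list: only 'ExitAddress <ip> <timestamp>' lines carry an address
    "tor_exit_nodes": "ExitNode 0000000000000000000000000000000000000000\n"
                      "ExitAddress 192.0.2.77 2015-06-01 01:02:03\n",
    # hosts-file layout (hpHosts, Malware Domain List): '<sinkhole ip> <domain>'
    "hphosts_domains": "# sample\n127.0.0.1 localhost\n127.0.0.1 bad.example.net\n"
                       "127.0.0.1 evil.example.org # comment\n",
    # PhishTank online-valid.csv header and one row
    "phishtank_csv": "phish_id,url,phish_detail_url,submission_time,verified,"
                     "verification_time,online,target\n"
                     "1,http://bad.example.net/login,http://detail.example.invalid/1,"
                     "2015-06-01T00:00:00+00:00,yes,2015-06-01T00:10:00+00:00,yes,Other\n",
    # Bambenek C2 master list: 'ip,description,date,manual-url' with '#' comments
    "bambenek_c2_ips": "## sample\n203.0.113.10,C2 example,2015-06-01 00:00,"
                       "http://manual.example.invalid\n",
}
DOMAIN_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$")

def _strip_comment(line):
    return line.split("#", 1)[0].strip()

# Parsers yield (kind, raw_value); validation happens once, in build_lookup().
def parse_ip_lines(text):
    """Plain IP/CIDR lines, or CSV lines whose first column is the IP."""
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if line:
            yield "ip", line.split(",", 1)[0]

def parse_tor_exit_addresses(text):
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 2 and parts[0] == "ExitAddress":
            yield "ip", parts[1]

def parse_hosts_file(text):
    for parts in (_strip_comment(line).split() for line in text.splitlines()):
        if len(parts) >= 2 and parts[1] not in ("localhost", "localhost.localdomain"):
            yield "domain", parts[1]

def parse_phishtank_csv(text):
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("online") == "yes":  # PhishTank flags URLs it has seen go offline
            yield "url", row["url"]

# Feed name -> parser. Supporting another feed is one parser plus an entry here.
FEED_PARSERS = {
    "emerging_threats_block_ips": parse_ip_lines,
    "tor_exit_nodes": parse_tor_exit_addresses,
    "hphosts_domains": parse_hosts_file,
    "phishtank_csv": parse_phishtank_csv,
    "bambenek_c2_ips": parse_ip_lines,
}

def normalize(kind, raw):
    """Canonical (indicator_type, value); raises ValueError on junk so it is never merged."""
    raw = raw.strip()
    if kind == "ip":
        net = ipaddress.ip_network(raw, strict=False)  # accepts bare IPs and CIDRs
        return ("ip", str(net.network_address)) if net.num_addresses == 1 else ("cidr", str(net))
    if kind == "domain":
        value = raw.lower().rstrip(".")
        if not DOMAIN_RE.match(value):
            raise ValueError(f"bad domain {raw!r}")
        return "domain", value
    if kind == "url" and raw.lower().startswith(("http://", "https://")):
        return "url", raw
    raise ValueError(f"unusable {kind} indicator {raw!r}")

def build_lookup(feeds):
    """Merge feed bodies into {(type, value): {feed names}}; count rejects per feed."""
    merged, rejected = {}, {}
    for name, body in feeds.items():
        for kind, raw in FEED_PARSERS[name](body):
            try:
                key = normalize(kind, raw)
            except ValueError:
                rejected[name] = rejected.get(name, 0) + 1
                continue
            merged.setdefault(key, set()).add(name)
    return merged, rejected

def overlapping(merged):
    """Indicators published by more than one feed (the duplication the question asks about)."""
    return {key: sorted(srcs) for key, srcs in merged.items() if len(srcs) > 1}

def to_lookup_csv(merged):
    """One row per indicator, suitable for a CSV lookup keyed on 'indicator'."""
    writer = csv.writer(buf := io.StringIO(), lineterminator="\n")
    writer.writerow(["indicator_type", "indicator", "sources", "source_count"])
    for (itype, value), srcs in sorted(merged.items()):
        writer.writerow([itype, value, "|".join(sorted(srcs)), len(srcs)])
    return buf.getvalue()

if __name__ == "__main__":
    merged, rejected = build_lookup(SAMPLE_FEEDS)
    print(to_lookup_csv(merged), "overlap:", overlapping(merged), "rejected:", rejected)
```

Keeping the source set per indicator rather than collapsing it is the useful part for the question asked: the lookup still dedupes, but the sources column shows which feeds you could drop without losing coverage, and the rejects count catches a feed whose layout changes upstream before bad rows reach the lookup.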

jwalzerpitt
Influencer

Derek,

One last question - is there any way you could modify the app to correlate against src_ip as well?

Thx

0 Karma

jwalzerpitt
Influencer

Derek,

Just installed the app and CIM add-on to create the relevant aliases and it's great. Thx for taking the time to build this.

Any chance you could look to add the FireHOL IP lists (http://iplists.firehol.org/)?

Thx,
Jeff

0 Karma

Makinde
New Member

Thanks Derek

0 Karma