What are the open threat lists Optiv Threat Intel gets its feeds from?

Makinde
New Member

Hi Derek,

I am just curious to know which feeds Optiv Threat Intel makes use of.

I would like to know so I am not duplicating threat intelligence in my network.

Thanks

0 Karma
1 Solution

derekarnold
Communicator

Hi Makinde,
Here's the current list. If there is overlap with other data sources, I can tell you the app is pretty lightweight on license utilization, disk, and CPU cores.

SpamHaus, Dshield, Frodo: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
Emerging Threats Compromised IPs: http://rules.emergingthreats.net/blockrules/compromised-ips.txt
Binary Defense: http://www.binarydefense.com/banlist.txt
malc0de_IPs: http://malc0de.com/bl/IP_Blacklist.txt
AlienVault: https://reputation.alienvault.com/reputation.generic
TorExitNodes: https://check.torproject.org/exit-addresses
Zeus: https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
Open Blocklist base 1 day: http://www.openbl.org/lists/base_1days.txt
MalwareBytes Domains: http://avant.it-mate.co.uk/dl/Tools/hpHosts/hosts.txt
Malware Domains: http://www.malwaredomainlist.com/hostslist/hosts.txt
ISC SANS Suspicious Domains: https://isc.sans.edu/feeds/suspiciousdomains_High.txt
Open Phish URLs: https://openphish.com/feed.txt
Phish Tank URLs: http://data.phishtank.com/data/online-valid.csv
Bambenek IPs: http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt
Talos Intel IPs: http://www.talosintel.com/feeds/ip-filter.blf

System12
New Member

Hi Derek,

Are you able to add your own STIX/TAXII feed to it, in addition to the ones you listed?

0 Karma

derekarnold
Communicator

System12, given an accessible URL, it's just a matter of adding a function for a new threat feed in the code. Do you have something particular in mind you can share?

0 Karma
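Derek's point that a new feed is just a function over an accessible URL, together with Makinde's concern about duplicating intelligence already in the network, as an added example that is not the Optiv app's own code: a small Python normalizer that parses the three list shapes represented in the thread (plain IP/CIDR lists, hosts-file domain lists, Tor exit-address records) into indicators and reports which ones more than one feed carries. The feed names, sample bodies and format details below are constructed assumptions, not copies of the live feeds.

```python
import ipaddress
from collections import defaultdict

# Constructed sample feed bodies, modelled on the list shapes named in the thread.
# Feed names and line formats are assumptions for illustration only.
SAMPLE_FEEDS = {
    "et_block": ("iplist", "# one IP or CIDR per line\n192.0.2.10\n198.51.100.0/24\n192.0.2.10\n"),
    "binarydefense": ("iplist", "192.0.2.10\n203.0.113.5\n"),
    "hphosts": ("hosts", "127.0.0.1 malware.example\n127.0.0.1 phish.example\n"),
    "tor_exits": ("torexit", "ExitNode ABC\nPublished 2024-01-01 00:00:00\n"
                             "ExitAddress 203.0.113.5 2024-01-01 00:05:00\n"),
}


def parse_feed(kind, body):
    """Yield (indicator, type) pairs from one feed body of the given format family."""
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no indicator
        if kind == "iplist":
            token = line.split()[0]
        elif kind == "hosts":
            parts = line.split()  # "<sinkhole address> <domain>"
            if len(parts) < 2:
                continue
            yield parts[1].lower(), "domain"
            continue
        elif kind == "torexit":
            if not line.startswith("ExitAddress "):
                continue  # only ExitAddress records name an IP
            token = line.split()[1]
        else:
            raise ValueError(f"unknown feed kind: {kind}")
        try:
            ipaddress.ip_network(token, strict=False)
        except ValueError:
            continue  # skip malformed tokens instead of ingesting garbage
        yield token, "ip"


def build_index(feeds):
    """Map each normalized (indicator, type) to the set of feed names listing it."""
    index = defaultdict(set)
    for name, (kind, body) in feeds.items():
        for indicator, itype in parse_feed(kind, body):
            index[(indicator, itype)].add(name)
    return index


def overlap_report(index):
    """Indicators carried by more than one feed, to spot duplicated coverage."""
    return {ind: sorted(srcs) for ind, srcs in index.items() if len(srcs) > 1}
```

Running `overlap_report(build_index(SAMPLE_FEEDS))` on the constructed data shows that two of the five unique indicators are carried by more than one feed, which is the kind of overlap check to run before adding another list.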

jwalzerpitt
Influencer

Derek,

One last question - is there any way you could modify the app to correlate against src_ip as well?

Thx

0 Karma

jwalzerpitt
Influencer

Derek,

Just installed the app and CIM add on to create the relevant aliases and it's great. Thx for taking the time to build this.

Any chance you could look to add the FireHOL IP lists (http://iplists.firehol.org/)?

Thx,
Jeff

0 Karma

Makinde
New Member

Thanks Derek

0 Karma