This data is available for free, and commercial use is allowed. The following sample list uses the OTXTM CSV format. This will place a vote for "bad.com" being malicious: Amazon GuardDuty monitors the security of your AWS environment by analyzing and processing. Once you sign, navigate to Settings page, and locate the OTX Key. If you don’t have an account, you can sign up from the home page. It delivers community-generated threat data, enables collaborative research, and automates the process of updating your security infrastructure with threat data from any source. Step 1 Obtain AlienVault OTX API key To obtain the API, you will need to login to the AlienVault OTX web site ( ).
This will place a vote for "" being non-malicious: AlienVault OTX provides open access to a global community of threat researchers and security professionals. You can submit votes via the interface, or a simple API: These files are updated once per hour, on the hour. But crowd-sourcing does go some way towards the quick sharing of threat intelligence between the community. These feeds are not a substitute for the scale of auto-extracted command and control domains or the quality of some commercially provided feeds. These votes provide a useful source of malicious indicators, and so I've now put these into a feed in two files:
For example one of the domains seen on only one network below is likely Chinese APT (yes, they're aware). I'd suggest only using domains seen on more than one network.In this case I've used data from freedom of information requests for the top sites requested on a number of UK government networks. There are plenty of people who (perhaps inadvertently) publish this online. However that does require access to network logs of a large network.įor this use case - I've used logs from networks that are publicly available online. A better choice may be to use the top x domains on your network. Sources like this aren't well suited to matching against network data though - sites that are programatically accessed (eg ) often won't be listed in datasets designed to record human traffic. Thankfully Alexa have changed their minds about discontinuing the data-set, for now at least, and there are other similiar sources too. This coincided with Alexa announcing they would stop publishing a commonly used whitelist - the top 1 million sites. I've recently extended the whitelist Threa tCrowd uses when sites are marked as malicious, following feedback that a number of domains had been mistakenly flagged as malicious by users. You are reviewing sandbox reports, and don't want to get common non-malicious domains back in your reports.You are alerting on a list of domains on your network, and don't want to set off thousand of alerts when someone accidentally adds "" to the list.There are a number of times when a white list is useful to security professionals, such as:
0 kommentar(er)
