Integrate Cyware Threat Intelligence Feeds
Cyware Threat Intelligence Feeds gather threat data from a wide range of open and trusted sources and deliver it as a single, consolidated stream of actionable threat intelligence. The feeds provide the latest information on malware hashes, malicious IPs, and malicious domains uncovered across the globe, in real time.
Benefits
Understand the threat landscape and how it can affect your organization through a flow of STIX/TAXII based feeds.
Learn from bulk indicators of compromise (IOCs) to improve your understanding and protect your systems and sensitive information from attacks.
Accelerate research by quickly spotting potential threats and blocking any suspicious communications or connection requests.
Empower analysts with an intelligence-driven approach to security operations (SecOps) to make informed decisions and enhance defensive measures.
Enhance your threat intelligence by receiving reliable threat data consistently, and prioritize security risks efficiently across the various sources.
To integrate Cyware Threat Intel Feeds with Intel Exchange, follow these steps:
Get Cyware Threat Intel Feeds Credentials
Cyware provides threat intel feeds using the Trusted Automated eXchange of Indicator Information (TAXII) server. To integrate Cyware Threat Intel Feeds with Intel Exchange, you must have the TAXII 2.x discovery URL and the authentication credentials.
To get Cyware Threat Intel Feeds credentials, follow these steps:
Go to the official Free Cyware Threat Intelligence Feeds page.
Click GET ACCESS NOW.
Enter your email address.
Select I'm not a robot to confirm that the access is requested by a human.
Click Continue. An OTP is sent to your email address.
Enter the OTP and click LOGIN.
You can view the username, password, and the TAXII 2.1 URL of Cyware Threat Intel Feeds. The credentials are sent to your email address with the threat feed collection URL and the IDs of the threat intel collections provided by Cyware Threat Intel Feeds.
Configure Cyware Threat Intel Feeds as a STIX source
Cyware shares threat intel feeds in the STIX 2.1 format. To retrieve the feeds, you must configure a STIX source in Intel Exchange using the username, password, and the TAXII 2.1 URL you received after getting access to Cyware Threat Intel Feeds.
Before you Start
You must have the username, password, and the TAXII 2.1 URL of Cyware Threat Intel Feeds.
Steps
To configure a STIX source, follow these steps:
Go to Administration > Integration Management and click STIX under FEED SOURCES.
Click Add STIX Source.
Enter the following details:
Source Name: Enter a unique name within 50 characters to identify the source. For example, Cyware Threat Intel Feeds.
Description: Enter a source description within 300 characters which describes key details and functions of the source.
Discovery Service URL: Enter the TAXII 2.1 URL for Cyware Threat Intel Feeds. For example, https://threatfeed.cyware.com/ctixapi/ctix21/taxii2/
Verify SSL: Select this option to secure the connection between the Intel Exchange and Cyware Threat Intel Feeds servers.
Note
If you disable this option, Intel Exchange may connect to an instance whose SSL certificate has expired or is otherwise invalid. The connection may then not be established properly, and Intel Exchange will not be able to notify you of a broken or improper connection. We recommend that you keep this option selected.
Confidence: Enter a default source Confidence Score between 0 and 100. The default score is added to the feeds that do not include a Confidence Score from the source.
Custom Scores: Enter the default values for the custom scores you have configured in Administration > Configuration > Custom Scores.
Data Marking Type: Select the default access control marking type to assign to the feeds received from the Cyware Threat Intel Feeds server. The default marking type is applied if the ingested feeds do not include data marking details. Select one of the following marking types:
TLP: Select TLP to mark objects under Traffic Light Protocol (TLP). By default, TLP Amber is selected.
ACS: Select ACS to mark objects under Access Control Specification (ACS). You can also upload the default ACS identity for the objects in JSON format and click Validate to verify if the uploaded JSON data is valid.
Note
You can select the ACS marking type if the administrator has enabled ACS as the data marking preference in Administration > Configuration > General Settings > Data Marking Preference.
STIX Version: Select the STIX 2.1 version.
Select Category: Select the category as Open Source Feeds.
Authentication Type: Select the authentication type as Basic.
Username: Enter the username of the TAXII credentials you received from Cyware Threat Intelligence Feeds.
Password: Enter the password of the TAXII credentials you received from Cyware Threat Intelligence Feeds.
Click Add STIX Source.
After the STIX source is configured successfully, click the source to view the list of collections provided by Cyware Threat Intelligence Feeds. Cyware gathers open-source threat intel from various sources and stores them in separate STIX collections. You can enable the collections to retrieve feeds from specific sources.
You can use the following collection URL as the Discovery Service URL to configure a STIX source that retrieves feeds from a specific Cyware Threat Intelligence Feeds collection: https://threatfeed.cyware.com/ctixapi/ctix21/collections/{collection_id}
In this URL, replace {collection_id} with the collection ID of the intel provider. For example, to retrieve feeds from ThreatFox, use the following URL as the Discovery Service URL: https://threatfeed.cyware.com/ctixapi/ctix21/collections/46cc884e-fd37-4436-95b3-ac73710df3dc
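As an added example (not Cyware's or Intel Exchange's code), the following minimal TAXII 2.1 client shows what the Discovery Service URL, Basic authentication, and Verify SSL settings above amount to on the wire: it sends Basic credentials with the TAXII 2.1 Accept header, keeps certificate verification on, builds a collection's objects URL from a collection ID, and pages through the collection's objects. The username and password are placeholders, and the response shapes follow the TAXII 2.1 specification.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request
import uuid

# Discovery URL and API root of the Cyware TAXII 2.1 server, as given on this page.
DISCOVERY_URL = "https://threatfeed.cyware.com/ctixapi/ctix21/taxii2/"
API_ROOT = "https://threatfeed.cyware.com/ctixapi/ctix21/"
ACCEPT = "application/taxii+json;version=2.1"


def auth_headers(username, password):
    """HTTP Basic credentials plus the TAXII 2.1 media type the server expects."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Accept": ACCEPT}


def collection_objects_url(api_root, collection_id):
    """Objects endpoint for one collection; rejects ids that are not UUIDs (no path tampering)."""
    cid = str(uuid.UUID(collection_id))  # ValueError on anything that is not a UUID
    return f"{api_root.rstrip('/')}/collections/{cid}/objects/"


def taxii_get(url, headers, params=None):
    """GET a TAXII resource over HTTPS with certificate verification on (the page's Verify SSL)."""
    if params:
        url = f"{url}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url, headers=headers)
    ctx = ssl.create_default_context()  # checks chain, expiry and hostname; do not weaken this
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def readable_collections(collections_body):
    """From a /collections/ response, keep (id, title) of collections the account may read."""
    return [(c["id"], c["title"]) for c in collections_body.get("collections", []) if c.get("can_read")]


def iter_objects(url, headers, added_after=None, get=taxii_get):
    """Walk a collection's objects, following the envelope's 'next' token while 'more' is true."""
    params = {"added_after": added_after} if added_after else {}
    while True:
        env = get(url, headers, params)
        yield from env.get("objects", [])
        if not (env.get("more") and env.get("next")):
            return
        params = {**params, "next": env["next"]}
```

To list the collections your account can read, call `readable_collections(taxii_get(f"{API_ROOT}collections/", auth_headers(user, pw)))`, then pass a collection's objects URL to `iter_objects`.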
For a list of open-source intel feed providers and the collection IDs, refer to the following table.
Note
The collections in this list may change, and the list may not be up to date. It is updated frequently as collections are added or removed.
Open-source Feed Provider | Description | Collection ID | API URL |
---|---|---|---|
ThreatFox | ThreatFox is a free platform with the goal of sharing indicators of compromise (IOCs) associated with malware with the infosec community, AV vendors and threat intelligence providers. | 46cc884e-fd37-4436-95b3-ac73710df3dc | https://threatfox-api.abuse.ch/api/v1/ |
default | | 52ab6ed4-83d0-42fb-891c-708221648181 | |
Malware Bazaar | MalwareBazaar is a project from abuse.ch with the goal of sharing malware samples with the infosec community. | 1ae57e3d-810c-450c-a97f-eb60b63c896c | https://bazaar.abuse.ch/export/csv/recent/ |
Das Malwerk | | 694bc05f-9568-4738-ac66-7c3fb119ff75 | |
Stop Forum Spam | Stop Forum Spam is a free service that records IP- and domain-based reports of spam on forums, blogs and wikis. | 8eafbfb4-6213-4ff8-9de4-978aa5fdc59f | https://www.stopforumspam.com/downloads/toxic_ip_cidr.txt, https://www.stopforumspam.com/downloads/toxic_domains_whole.txt |
Ipsum | IPsum is a threat intelligence feed based on 30+ different publicly available lists of suspicious and/or malicious IP addresses. | ebf09405-9e6d-45ae-a6c0-038492af3ee8 | https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt |
Neo23x0 | List of the latest malicious file hashes, IPs and domains from Neo23x0. | ffa5a722-0e00-41de-9b70-b1fbeed9ff9f | https://raw.githubusercontent.com/Neo23x0/signature-base/master/iocs/c2-iocs.txt, https://raw.githubusercontent.com/Neo23x0/signature-base/master/iocs/hash-iocs.txt, https://raw.githubusercontent.com/Neo23x0/signature-base/master/iocs/otx-hash-iocs.txt |
Dataplane | Dataplane is a provider of data (signals), analysis, and statistics that increases awareness and leads to a more robust and secure Internet. | 8f14d378-f537-491f-ae82-68580fcfb73a | Base URL: https://dataplane.org/ (endpoints not listed) |
VoIPBL | VoIPBL is a distributed VoIP blacklist that aims to protect against VoIP fraud and minimize abuse for networks that have publicly accessible PBXs. | 34e7e24a-1bad-48f1-b88d-bdfd5f99a6bd | https://voipbl.org/update/ |
Darklist De | | 4656fc49-0ff8-460e-8aff-1be93b0a488f | |
Sblam | | ab7c3de4-5368-4e87-9dc4-32ff37f14590 | |
Multiproxy | | 3b4af595-73c8-4eff-8c7a-9323d3969b44 | |
Project HoneyPot | Project Honey Pot is a distributed system designed to identify spammers and the spambots they use to scrape addresses from websites. It offers a list of malicious IPs collected from their worldwide network of honey pots. | 557bb369-e002-4d99-9908-d709a45b9e56 | https://www.projecthoneypot.org/list_of_ips.php (query parameters not listed) |
CINS Score | CINS is a threat intelligence database that provides an accurate and timely score for any IP address in the world by leveraging data from a network of Sentinel devices and other trusted InfoSec sources. | c0cf066e-3ad7-4723-8034-15cd28d4194a | https://cinsscore.com/list/ci-badguys.txt |
Pgl Yoyo | | 81a20383-0147-4b3a-94a9-ebf13a12ff88 | |
Brute Force Blocker | Bruteforceblocker provides a list of blocked IPs. | dd37a39e-42cc-42a1-9ca5-fd494b8a3100 | https://danger.rulez.sk/projects/bruteforceblocker/blist.php |
Botscout | Malicious bot names and emails with related IPs. | ed26345f-365c-401c-919b-c1c216e78b00 | https://botscout.com/last_caught_cache.txt |
Cyware Vulnerability Feed | | 6ab49abf-a67b-42cd-a90c-045644a515c0 | |
Talos Intelligence | Talos is Cisco's threat intelligence organization, an elite group of security experts devoted to providing superior protection. Detection Research consists of vulnerability and malware analysis that leads to the development. | 007cc299-9600-4ff4-ab0b-83c734903041 | https://talosintelligence.com/documents/ip-blacklist |
Dshield | | b47bafb6-f8b3-4707-9c10-1fbe9550e2a3 | |
Cyber Cure | CyberCure offers free cyber threat intelligence feeds that include a list of IP addresses that are currently infected, a list of URLs used by malware, and a list of hashes of known malware that is currently spreading. | 8de5d7d7-1c5a-4d81-9110-aa2e10bd74dc | https://api.cybercure.ai/get_hash, https://api.cybercure.ai/get_ips, https://api.cybercure.ai/get_url |
Emerging Threats Fwip | | af63b2ef-2b08-4d11-a2a4-2c913eafebce | |
Tor Feed | List of the latest malicious file hashes, IPs and domains from Tor Feed. | 5ea46dc9-bdff-45c8-a7b1-bfd925799e80 | https://check.torproject.org/exit-addresses |
Feed Hybrid Analysis | Hybrid Analysis combines runtime data with extensive static analysis of memory dumps to extract annotated disassembly listings and deduce additional IOCs. | a0b48a03-d058-4f2a-91fe-c210cf8ddd8d | https://www.hybrid-analysis.com/api/v2/feed/latest |
Honey Db | HoneyDB provides real-time data of honeypot activity. This data comes from honeypots deployed on the Internet using the HoneyPy honeypot. In addition, HoneyDB provides API access to collected honeypot activity, which also includes aggregated data from various honeypot Twitter feeds. | 0824ead0-73f0-4b49-83ad-109077a2a4a5 | https://honeydb.io/api/bad-hosts |
Botvrij | Botvrij is used to fetch a list of malicious IPs, domains, filenames, hashes and URLs. | c208ded2-ecac-41d3-9d68-9c4941bc0520 | Base URL: https://www.botvrij.eu/ (endpoints not listed) |
VirusShare | | 57bb261a-417e-47df-abb5-db5755db969a | |
Binary Defense Banlist | | edfb8789-4123-405b-a074-941c98ff1037 | |
Phishtank | PhishTank is a collaborative clearing house for data and information about phishing on the Internet. PhishTank also provides an open API for developers and researchers to integrate anti-phishing data into their applications at no charge. | ce1d5d4a-4ea8-4479-a0c0-bc7dbdffe6e1 | https://data.phishtank.com/data/online-valid.json |
Malshare | Malshare is a community-driven public malware repository. | 5c196ffb-5e07-42e6-b633-7d6e07f4120b | https://malshare.com/daily/malshare.current.all.txt |
Abuse.ch SSL | SSL Blacklist (SSLBL) is a project maintained by abuse.ch. The goal is to provide a list of bad SSL certificates identified by abuse.ch as associated with malware or botnet activities. SSLBL relies on SHA1 fingerprints of malicious SSL certificates and offers various blacklists that can be found in the SSL Blacklist section. Intel Exchange integration with SSL Blacklist allows you to get intel feeds. | 9dc267ed-e7cd-4e2c-8d0e-6536a8b68d53 | https://sslbl.abuse.ch/blacklist/sslblacklist.csv, https://sslbl.abuse.ch/blacklist/sslipblacklist.csv |
Blocklist De | Blocklist.de is a free and voluntary service provided by a fraud/abuse specialist, whose servers are often attacked via SSH, mail login, FTP, web server and other services. The mission is to report any and all attacks to the respective abuse departments of the infected PCs/servers, so that the responsible provider can inform their customer about the infection and disable the attacker. | f50c9e8a-2fdd-49be-884d-547713b9ec37 | Base URL: https://lists.blocklist.de/lists/ (endpoints not listed) |
OpenPhish | | c459cb37-a52f-4e22-9e61-e5d781a2d6d6 | |
Greensnow | Green Snow harvests a large number of IPs from different computers located around the world. The attacks and brute-force attempts monitored are: port scans, FTP, POP3, mod_security, IMAP, SMTP, SSH, cPanel. | 9142afa9-a320-4ae9-b2e5-9f4cebbf0b02 | https://blocklist.greensnow.co/greensnow.txt |
Dan Tor | A full Tor node list (not more than one hour old) in script-readable format. | 7b2df77e-09d7-4311-bebc-6a4f3a18c417 | https://www.dan.me.uk/torlist/ |
Url Haus | | 8a8723f3-1239-4d30-b9a5-3dc44a513b50 | |
Vxvault | VXVault is used to fetch a list of malicious URLs. | 62b47777-1416-493a-aaa0-cb500c5a64c8 | http://vxvault.net/URL_List.php |
Snort Feed | | f9f25677-588a-4db7-b3d5-42bab03c4d19 | |
Pop3 Gropers | Pop3 Gropers is used to fetch all the malicious IP addresses and hashes. | 39d4411c-5727-4d79-89d6-12bc3a2ae129 | https://home.nuug.no/~peter/pop3gropers.txt |
Feodo | Feodo Tracker is used to track botnet C&C servers associated with the Feodo Trojan (also known as Cridex / Bugat). | 23adb570-86e8-4307-95c4-ca503247933b | https://feodotracker.abuse.ch/downloads/ipblocklist.json |
Emerging Threats | | c87ba8b3-321a-440b-9f7c-f06ff7e9fe51 | |
Cybercrime Tracker | Cybercrime Tracker provides comprehensive intelligence on cyber threats, including C&C tracking, malware analysis, and TDS monitoring. | 8332ed3d-935a-4211-8da1-7f6ddc40fd97 | http://cybercrime-tracker.net/csv.php |
Coin Blocker | Simple lists that can help prevent cryptomining in the browser or other applications. | da01d857-df1a-484a-b5fa-f0426b5880af | Base URL: https://gitlab.com/ZeroDot1/CoinBlockerLists/-/raw/master/ (endpoints not listed) |
Note
The Cyware Premium Feeds collection is exclusively available for Cyware customers. To obtain the collection ID of Cyware Premium Feeds, contact Cyware support.
Enable Feed Collection
Enable the Cyware Threat Intelligence Feeds collections to retrieve intel feeds into Intel Exchange.
Important
The Confidence Score of the feeds retrieved from Cyware Threat Intelligence Feeds is for informational purposes only. Cyware only retrieves threat intel from the listed collections and does not validate its accuracy. We recommend you do not take action or create rules based on the source Confidence Score of these feeds.
If you want to create rules to take actions based on the Confidence Score of these feeds, follow these recommendations:
Set the source scoring weightage of the configured STIX source (Cyware Threat Intel Feeds) in the CTIX Confidence Score Engine configuration according to how much you rely on the source. For more information, see Assign Source Scoring.
Create rules based on the CTIX Confidence Score of the Cyware Threat Intelligence feeds. For more information, see Automation Rules.
To enable Cyware Threat Intelligence Feeds collection, follow these steps:
Go to Administration > Integration Management and click STIX under FEED SOURCES.
Search and select the STIX source name you configured for Cyware Threat Intelligence Feeds. For example, Cyware Threat Intel Feeds.
Choose a collection and click More Actions (vertical ellipses) > Edit Poll Configuration.
Enter the following details:
Select Polling Type: Select from one of the following polling types to define when to poll the data:
Manual: Allows you to manually poll from the source collection. By default, Manual is selected as the polling type.
Automatic: Allows you to automatically poll feeds at specific time intervals. Enter a frequency in minutes between 60 and 10080 minutes in Frequency. The default polling time is 240 minutes.
Note
We recommend you set a polling frequency of 1440 minutes (24 hours).
Confidence Score: Set a default Confidence Score according to how much you rely on the source. This score is assigned to the feeds that do not include a source confidence. By default, the Confidence Score is set to 100.
Start Date and Time: Enter a date and time within 15 days from the current date when Intel Exchange will begin polling feeds.
Click Update.
The polling configuration is updated and the feed collection is enabled. If you set the polling type to Automatic, Intel Exchange retrieves feeds from the collection at the configured frequency. If you set the polling type to Manual, click More Actions (vertical ellipses) and select Poll Now to retrieve feeds.
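The page states two default rules twice: a source-level default Confidence Score and Data Marking Type when the STIX source is configured, and a collection-level default Confidence Score in the poll configuration, each applied only to objects that arrive without their own value. The following added Python illustration (not Intel Exchange's code) shows that rule applied to constructed STIX 2.1 objects. The TLP:AMBER id is the predefined marking-definition from the STIX 2.1 specification; the `x_confidence_is_default` property is hypothetical, added so that downstream automation rules can tell a defaulted score from a source-supplied one, in line with the Important note above.

```python
import copy

# Predefined TLP:AMBER marking-definition id from the STIX 2.1 specification (the page's default marking).
TLP_AMBER = "marking-definition--f88d31f6-dde8-4d37-9c37-2fc38ec75e3e"

# Objects that do not carry 'confidence' or 'object_marking_refs' themselves and must be left alone.
SKIP_TYPES = {"marking-definition", "bundle", "language-content"}


def apply_ingest_defaults(objects, default_confidence=100, default_marking=TLP_AMBER):
    """Return copies of STIX 2.1 objects with missing confidence/marking filled from source defaults.

    A score or marking the feed already carries is never overwritten; only absent values are defaulted.
    The inputs are not modified.
    """
    if not 0 <= int(default_confidence) <= 100:
        raise ValueError("default confidence must be between 0 and 100")
    result = []
    for obj in objects:
        o = copy.deepcopy(obj)
        if o.get("type") not in SKIP_TYPES:
            # Hypothetical audit property: True when the score below came from the default, not the source.
            o["x_confidence_is_default"] = "confidence" not in obj
            o.setdefault("confidence", int(default_confidence))
            # Apply the default marking only when the object has no marking at all (object-level or granular).
            if not o.get("object_marking_refs") and not o.get("granular_markings"):
                o["object_marking_refs"] = [default_marking]
        result.append(o)
    return result


def defaulted_count(objects):
    """How many objects received a defaulted confidence; useful for a quick sanity check after a poll."""
    return sum(1 for o in objects if o.get("x_confidence_is_default"))


# Constructed sample objects in the shape of a TAXII envelope's 'objects' array (not real feed data).
SAMPLE_OBJECTS = [
    {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-111111111111", "confidence": 30},
    {"type": "indicator", "id": "indicator--22222222-2222-4222-8222-222222222222",
     "object_marking_refs": ["marking-definition--33333333-3333-4333-8333-333333333333"]},
    {"type": "marking-definition", "id": "marking-definition--33333333-3333-4333-8333-333333333333"},
]
```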