Feeds
CIF has the ability to generate Threat Intelligence "feeds" from its database of ingested and normalized threats. Minimum characteristics of a CIF feed are:
- Filtered by indicator type (ipv4, fqdn, url, ipv6, email)
- De-duplicated or aggregated by indicator
- Whitelisting data-sets applied
On top of those minimum characteristics we expect people to apply additional filters. Examples of these additional filters are:
- confidence (-c)
- type (--tags botnet)
- time period (--today, --last-day, --firsttime YYYY-MM-DDT00:00:00Z)
- format (-f csv, -f bind, -f snort)
- indicator type: fqdn, Confidence: 9, Type (tags): phishing, Period: today, Output format: csv

  `cif --feed --itype fqdn --confidence 9 --tags phishing --today -f csv`

- indicator type: fqdn, Confidence: 8, Type (tags): botnet, Period: today, Output format: bind

  `cif --feed --itype fqdn --confidence 8 --tags botnet --today -f bind`

- indicator type: ipv4, Confidence: 8, Output format: csv

  `cif --feed --itype ipv4 --confidence 8 --last-day -f csv`

- indicator type: ipv4, Confidence: 8, Type (tags): exploit, Output format: csv

  `cif --feed --itype ipv4 --confidence 9 --tags exploit --last-day -f csv`

- indicator type: url, Confidence: 8, Type (tags): phishing, Period: last-day, Output format: json

  `cif --feed --itype url --confidence 8 --tags phishing --last-day -f json`

- indicator type: url, Confidence: 7, Type (tags): malware, Period: today, Output format: csv

  `cif --feed --itype url --confidence 7 --tags malware --today -f csv`

- indicator type: email, Confidence: 7, Type (tags): phishing, Period: last-day, Output format: csv

  `cif --feed --itype email --confidence 7 --tags phishing --last-day -f csv`

- indicator type: ipv6, Confidence: 7, Type (tags): scanner, Period: today, Output format: csv

  `cif --feed --itype ipv6 --confidence 7 --tags scanner --today -f csv`
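To make the minimum feed characteristics and the filter semantics above concrete, here is an added example (not CIF's own code) that builds a feed from constructed observations: filter by indicator type, confidence, tags and time, drop whitelisted indicators, then de-duplicate per indicator keeping the highest-confidence sighting. The record layout, the whitelist format and the `since` cutoff are assumptions made for this example, not CIF's real schema.

```python
"""Toy feed builder mirroring the minimum CIF feed characteristics:
filtered by indicator type, whitelist applied, de-duplicated by indicator,
plus the optional confidence / tag / time-period filters.
Record layout below is an assumption for this example, not CIF's schema."""
import ipaddress
from datetime import datetime, timezone

# Constructed sample observations (documentation ranges, not real threats).
OBSERVATIONS = [
    {"indicator": "198.51.100.7", "itype": "ipv4", "confidence": 9,
     "tags": ["botnet"], "lasttime": "2024-05-01T10:00:00Z"},
    {"indicator": "198.51.100.7", "itype": "ipv4", "confidence": 7,
     "tags": ["scanner"], "lasttime": "2024-04-30T10:00:00Z"},
    {"indicator": "203.0.113.9", "itype": "ipv4", "confidence": 8,
     "tags": ["exploit"], "lasttime": "2024-05-01T11:00:00Z"},
    {"indicator": "192.0.2.5", "itype": "ipv4", "confidence": 9,
     "tags": ["botnet"], "lasttime": "2024-05-01T12:00:00Z"},
    {"indicator": "bad.example", "itype": "fqdn", "confidence": 9,
     "tags": ["phishing"], "lasttime": "2024-05-01T12:00:00Z"},
]
# Constructed whitelist: CIDR blocks for ipv4, exact names for fqdn.
WHITELIST = {"ipv4": ["192.0.2.0/24"], "fqdn": ["good.example"]}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def whitelisted(rec):
    """True if the indicator falls inside a whitelisted data-set entry."""
    if rec["itype"] == "ipv4":
        ip = ipaddress.ip_address(rec["indicator"])
        return any(ip in ipaddress.ip_network(n) for n in WHITELIST["ipv4"])
    return rec["indicator"] in WHITELIST.get(rec["itype"], [])

def build_feed(obs, itype, confidence=0, tags=None, since=None):
    """Return one row per indicator, keeping the highest-confidence sighting.
    `since` is an ISO timestamp: only sightings at or after it are kept."""
    cutoff = parse_ts(since) if since else None
    feed = {}
    for r in obs:
        # The filters: itype (mandatory), confidence, tags, time period.
        if r["itype"] != itype or r["confidence"] < confidence:
            continue
        if tags and not set(tags) & set(r["tags"]):
            continue
        if cutoff and parse_ts(r["lasttime"]) < cutoff:
            continue
        if whitelisted(r):
            continue
        # Aggregate by indicator: a repeat sighting only wins if more confident.
        cur = feed.get(r["indicator"])
        if cur is None or r["confidence"] > cur["confidence"]:
            feed[r["indicator"]] = r
    return sorted(feed.values(), key=lambda r: r["indicator"])
```

Note that the whitelisted 192.0.2.5 never reaches the feed however high its confidence, and that a tag filter can select a lower-confidence sighting of an indicator that also has a higher-confidence one under another tag.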