RST THREAT FEED

Indicators for professionals

Our service is designed for simplicity. We collect, aggregate and normalise various threat intelligence sources. Most of the time the original open-source lists provide no context, which is crucial for real-world investigations and even for deciding whether to block a connection on a firewall. These sources are also updated irregularly and may not say why a particular indicator was added to the list.

The professional feed we provide gives full access to the daily aggregated feeds from more than 52 sources. Every indicator in our feed is enriched with information on why it is in the list, when it was first and last seen, which company owns the IP address or domain name, and so on. Moreover, we cross-verify indicators and rank them based on their type, frequency and potential weight. The score helps to determine how current and important a threat is.


Download sample
Features (Free / Enterprise)
Full dump every 24 hours
Verification
Enrichment
Scoring
SIEM Integration



Enterprise Feed Data Structure


{
  "ip": {
    "v4": "14.33.133.188",  - type | value
    "num": "237077948"      - value as Integer (comparison can be faster)
  },
  "fseen": 1569715200,      - first seen timestamp
  "lseen": 1569801600,      - last seen timestamp
  "collect": 1571184000,    - indicator collection timestamp
  "tags": {                 - tags in order to categorize indicators
    "str": [
      "shellprobe",
      "generic",
      "botnet"
    ],
    "codes": [0,11,4]       - IDs of the tags
                              (to be used to minimize memory usage in SIEM)
  },
  "asn": {
    "num": 4766,            - an autonomous system number related to the indicator
    "firstip": {
      "netv4": "14.32.0.0", - the first address in that ASN
      "num": "236978176"    - the first address as an Integer
    },
    "lastip": {
      "netv4": "14.33.166.39", - the last address in that ASN
      "num": "237086247"       - the last address as an Integer
    },
    "cloud": "",               - is this ASN related to a well-known cloud provider
    "domains": 480010,         - the number of domain names registered in that ASN
    "org": "Korea Telecom",    - organization
    "isp": "KIXSASKR"          - provider
  },
  "geo": {                     - geo data
    "city": "Suwon",
    "country": "South Korea",
    "region": "Gyeonggido"
  },
  "related": {
    "domains": ["8d60f888.ngrok.io"]  - any related domains from our threat lists that use that IP
  },
  "score": {                   - scoring
    "total": 66,               - total score (High risk - score 55 or higher)
    "src": 81.94,              - weight by source:
                                 how important the sources were according to our algorithm
    "tags": 0.83,              - coefficient of tags:
                                 how important the categories of the indicator are (malware, spam, etc.)
    "frequency": 0.98          - coefficient of frequency:
                                 how often we have seen that indicator before
  },
  "fp": {                      - false positive suggestions
    "alarm": "false",          - is it a false positive alarm: false/true
    "descr": ""                - if alarm == true, descr contains a description
                                 of why it was assumed to be a false positive
  }
}
{
  "domain": "32rlav36ca.laserhairremovalindia.com",   - value
  "fseen": 1576108800,    - first seen timestamp
  "lseen": 1576713600,    - last seen timestamp
  "collect": 1576800000,  - indicator collection timestamp
  "tags": {               - tags in order to categorize indicators
    "str": [
      "generic",
      "malware"
    ],
    "codes": [0,10]        - IDs of the tags
                            (to be used to minimize memory usage in SIEM)
  },
  "resolved": {           - additional information: WHOIS and DNS enrichment
    "ip": {
      "a": [              - DNS A records
        "46.21.147.26"
      ],
      "alias": [],        - if the domain name is a CNAME record,
                            then this contains the list of corresponding A records
      "cname": []         - DNS CNAME records
    },
    "whois": {            - WHOIS data
      "created": "0000-00-00 00:00:00",
      "updated": "0000-00-00 00:00:00",
      "expires": "0000-00-00 00:00:00",
      "age": 0,
      "registrar": "",
      "registrant": "",
      "havedata": "none"  - "false" - the WHOIS response was that the domain is not registered
                            "true"  - the WHOIS response was that the domain is registered
                            "none"  - the WHOIS request was not performed
    }
  },
  "score": {              - scoring
    "total": 55,          - total score
    "src": 71.48,         - weight by source:
                            how important the sources were according to our algorithm
    "tags": 0.89,         - coefficient of tags:
                            how important the categories of the indicator are
    "frequency": 0.88     - coefficient of frequency:
                            how often we have seen that indicator before
  },
  "fp": {                 - false positive suggestions
    "alarm": "false",     - is it a false positive alarm: false/true
    "descr": ""           - if alarm == true, descr contains a description
                            of why it was assumed to be a false positive
  }
}
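The following is an added example of how a consumer might triage records in the structure described above; it is not code from RST and it assumes the feed is delivered as one JSON object per line. The three records are constructed from the sample fields on this page (the third, with fp.alarm set to "true", is invented to exercise the false-positive path). It applies the "High risk - score 55 or higher" rule, honours the fp block, and checks the integer "num" fields (which the feed ships as strings) against the dotted-quad value and the ASN address range, which is the comparison the "num" fields are meant to speed up.

```python
import json
from ipaddress import IPv4Address

# Page rule: a total score of 55 or higher is high risk.
HIGH_RISK = 55

# Constructed sample: newline-delimited records trimmed to the fields used here.
SAMPLE_FEED = r'''
{"ip": {"v4": "14.33.133.188", "num": "237077948"}, "fseen": 1569715200, "lseen": 1569801600, "tags": {"str": ["shellprobe", "generic", "botnet"], "codes": [0, 11, 4]}, "asn": {"num": 4766, "firstip": {"netv4": "14.32.0.0", "num": "236978176"}, "lastip": {"netv4": "14.33.166.39", "num": "237086247"}, "org": "Korea Telecom"}, "score": {"total": 66, "src": 81.94, "tags": 0.83, "frequency": 0.98}, "fp": {"alarm": "false", "descr": ""}}
{"domain": "32rlav36ca.laserhairremovalindia.com", "fseen": 1576108800, "lseen": 1576713600, "tags": {"str": ["generic", "malware"], "codes": [0, 10]}, "resolved": {"ip": {"a": ["46.21.147.26"], "alias": [], "cname": []}, "whois": {"havedata": "none", "age": 0}}, "score": {"total": 55, "src": 71.48, "tags": 0.89, "frequency": 0.88}, "fp": {"alarm": "false", "descr": ""}}
{"ip": {"v4": "14.33.150.1", "num": "237082113"}, "fseen": 1569715200, "lseen": 1569801600, "tags": {"str": ["generic"], "codes": [0]}, "asn": {"num": 4766, "firstip": {"netv4": "14.32.0.0", "num": "236978176"}, "lastip": {"netv4": "14.33.166.39", "num": "237086247"}, "org": "Korea Telecom"}, "score": {"total": 70, "src": 80.0, "tags": 0.5, "frequency": 0.9}, "fp": {"alarm": "true", "descr": "constructed example: shared hosting address"}}
'''


def parse_feed(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def indicator_value(rec):
    """Return ("ip", value) for IP records and ("domain", value) for domain records."""
    if "ip" in rec:
        return "ip", rec["ip"]["v4"]
    return "domain", rec["domain"]


def check_ip_num(rec):
    """The feed ships "num" as a string; confirm it equals the integer form of "v4"."""
    return int(rec["ip"]["num"]) == int(IPv4Address(rec["ip"]["v4"]))


def in_asn_range(rec):
    """Integer range check against the ASN's first/last address, using the "num" fields."""
    asn = rec["asn"]
    return int(asn["firstip"]["num"]) <= int(rec["ip"]["num"]) <= int(asn["lastip"]["num"])


def is_false_positive(rec):
    """fp.alarm is the *string* "true"/"false" in the feed, not a JSON boolean."""
    return str(rec.get("fp", {}).get("alarm", "false")).lower() == "true"


def whois_note(rec):
    """Summarise the havedata flag of a domain record for the analyst."""
    have = rec.get("resolved", {}).get("whois", {}).get("havedata", "none")
    return {"true": "domain registered", "false": "domain not registered"}.get(have, "whois not queried")


def triage(rec, threshold=HIGH_RISK):
    """Map one record to (value, action, reason): ignore / block / monitor."""
    kind, value = indicator_value(rec)
    if is_false_positive(rec):
        return value, "ignore", "feed flags as false positive: " + rec["fp"].get("descr", "")
    total = rec["score"]["total"]
    detail = "tags=" + ",".join(rec["tags"]["str"])
    if kind == "domain":
        detail += "; " + whois_note(rec)
    if total >= threshold:
        return value, "block", f"score {total} >= {threshold}; {detail}"
    return value, "monitor", f"score {total} below {threshold}; {detail}"


def triage_feed(text, threshold=HIGH_RISK):
    """Triage every record in a newline-delimited feed dump."""
    return [triage(rec, threshold) for rec in parse_feed(text)]


if __name__ == "__main__":
    for value, action, reason in triage_feed(SAMPLE_FEED):
        print(f"{action:8} {value:40} {reason}")
```

Raising the threshold above the feed's default is a local policy choice: with threshold=60 the domain record (score 55) drops to "monitor" while the IP record (score 66) is still blocked, and a record the feed itself marks as a false positive is never blocked regardless of score.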

Have any questions left?

We are happy to answer and provide more information!


Pricing


Free Feed - $0 /mon

  Full dump every 24 hours
  Verification
  Enrichment
  Scoring
  SIEM Integration

Enterprise (IP and Domains) - please contact us

  Full dump every 24 hours
  Verification
  Enrichment
  Scoring
  SIEM Integration