Open/Closed Source Feeds FAQ

Updated 1 month ago by Elvis Hovor

Open source intelligence (OSINT) data feeds are polled at regular intervals. We have tuned the polling rate of each OSINT source to match how often that source refreshes its data.

Closed source intelligence feeds require credentials and API keys for setup and configuration.
Several closed sources return results only when you submit data into your private enclave; these are marked "Yes" in the Report Submission Required column of the table below. Please note that such query-based sources only provide intel for the IOCs present at the time of submission.

| Type | Polling Frequency | Intel Source | Report Submission Required | Indicators Retrieved | Source URLs |
|---|---|---|---|---|---|
| OSINT | 15 mins | EU-CERT | No | IP, URL, MD5, SHA1, SHA256, CVE, DOMAIN, BITCOIN ADDRESSES, SOFTWARE, EMAIL ADDRESS, CIDR BLOCK, REGISTRY KEY and MALWARE | https://www.circl.lu/doc/misp/feed-osint/ |
| OSINT | 60 mins | Hail_a_Taxii | No | IP, URL, MD5, SHA1, SHA256, CVE, DOMAIN, BITCOIN ADDRESSES, SOFTWARE, EMAIL ADDRESS, CIDR BLOCK, REGISTRY KEY and MALWARE | http://hailataxii.com/taxii-discovery-service/ |
| OSINT | 3 hours | Hybrid Analysis Public Feed | No | URL, MD5, SHA1, SHA256, MALWARE | https://www.hybrid-analysis.com/feed?json |
| OSINT | 15 mins | Bambenek | No | IP, MALWARE | http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt |
| OSINT | 15 mins | Abuse.ch Ransomware | No | IP, URL, MALWARE | https://ransomwaretracker.abuse.ch/feeds/csv/ |
| OSINT | 15 mins | Abuse.ch SSL Blacklist | No | IP, URL, MALWARE | https://sslbl.abuse.ch/blacklist/sslipblacklist.csv |
| OSINT | 15 mins | Abuse.ch IP Blacklist | No | IP, URL, MALWARE | https://sslbl.abuse.ch/blacklist/sslipblacklist.csv |
| OSINT | 15 mins | AIS - DHS | No | STIX/TAXII - IP, URL, MD5, SHA1, SHA256, CVE, DOMAIN, BITCOIN ADDRESSES, SOFTWARE, EMAIL ADDRESS, CIDR BLOCK, REGISTRY KEY and MALWARE | https://taxii.dhs.gov:8443/flare/taxii11/poll |
| Closed Sources | 15 mins | IBM XForce | Yes | IP, URL, MD5, SHA1, SHA256 | https://api.xforce.ibmcloud.com, https://exchange.xforce.ibmcloud.com/search |
| Closed Sources | 15 mins | Digital Shadows | No | IP, URL, MD5, SHA1 | https://portal-digitalshadows.com/api/incidents/find/intel-incidents/find/intel-threats/find |
| Closed Sources | 15 mins | VirusTotal | Yes | IP, URL, MD5, SHA1, SHA256 | https://www.virustotal.com/vtapi/v2 |
| Closed Sources | 15 mins | Crowdstrike Falcon Intelligence | Yes | ALL | https://intelapi.crowdstrike.com/indicator/v2/search/indicator |
| Closed Sources | 15 mins | Crowdstrike Falcon Stream | No | ALL | https://firehose.crowdstrike.com |
| Closed Sources | 15 mins | Crowdstrike Falcon Detect | No | IP, URL, Domain | https://falconapi.crowdstrike.com/detects/queries/detects/ |
| Closed Sources | 15 mins | Crowdstrike Falcon Reports | No | ALL | https://intelapi.crowdstrike.com |
| Closed Sources | 15 mins | Alien Vault OTX | Yes | IP, URL, MD5, SHA1, SHA256, CVE | https://otx.alienvault.com/api/v1/indicators |
| Closed Sources | 15 mins | MISP | No | ALL | |
| Closed Sources | 15 mins | Farsight DNSDB | Yes | IP, Domain, URL | https://api.dnsdb.info/lookup/rrset/name/www.farsightsecurity.com |
| Closed Sources | 15 mins | F-ISAC | No | ALL | https://fisac-signal-v3.jpcert.or.jp/api/ |
| Closed Sources | 15 mins | FBTX | Yes | IP, URL, MD5, SHA1, SHA256, EMAIL ADDRESS | https://graph.facebook.com/v2.8/threat_descriptors |
| Closed Sources | 15 mins | HybridAnalysis | Yes | URL, MD5, SHA1, SHA256, MALWARE | https://www.hybrid-analysis.com/api/search |
| Closed Sources | 15 mins | RiskIQ PassiveTotal | Yes | IP, DOMAIN, URL, EMAIL ADDRESS | https://api.passivetotal.org/v2 |
| Closed Sources | 15 mins | RiskIQ Blacklist | Yes | IP, DOMAIN, URL | http://api.riskiq.net/api/blacklist/ |
| Closed Sources | 15 mins | Recorded Future | Yes | IP, URL, CVE, MD5, SHA1, SHA256, MALWARE | https://api.recordedfuture.com |
| Closed Sources | 15 mins | Cisco AMP ThreatGrid Indicator Query | Yes | IP, URL, DOMAIN (extracted from URL), SHA1, SHA256, MD5, REGISTRY KEY | https://panacea.threatgrid.com/api/v2/search/ips/domains/urls/artifacts/registry_key |
| Closed Sources | 15 mins | Cisco AMP ThreatGrid Analysis Feeds | No | IP, URL, DOMAIN (extracted from URL), SHA1, SHA256, MD5, REGISTRY KEY | https://panacea.threatgrid.com/api/v2/search/submissions |
| Closed Sources | 15 mins | iSight Partners | No | ALL (if present in reports provided by iSight) | https://api.isightpartners.com |
| Closed Sources | 15 mins | Flashpoint | No | ALL | |
| Closed Sources | 15 mins | Joe Sandbox | No | ALL | |
| Closed Sources | 15 mins | Alienvault OTX Pulse | No | ALL | |
| Closed Sources | 15 mins | Intel 471 Adversary Intelligence | No | ALL | |
| Closed Sources | 15 mins | Intel 471 Alerts Watchlist | No | ALL | |
| Closed Sources | 15 mins | Intel 471 Malware Intelligence | No | ALL | |
| Closed Sources | 15 mins | Spy Cloud | Yes | IP, URL, DOMAIN, EMAIL ADDRESS (connect with TruSTAR support for access) | |
| Closed Sources | Every 2 hours | Recorded Future IP Intelligence | No | ALL | |
| Closed Sources | Every 4 hours | Recorded Future Hash Intelligence | No | MD5, SHA1, SHA256 | |
| Closed Sources | Every day at 2 pm UTC | Recorded Future URL Intelligence | No | DOMAIN, URL | |
| Closed Sources | Every day at 2 pm UTC | Recorded Future Vulnerability Intelligence | No | CVE | |
| Closed Sources | Every 2 hours | FS-ISAC | No | IP, URL, MD5, SHA1, SHA256, CVE, DOMAIN, BITCOIN ADDRESSES, SOFTWARE, EMAIL ADDRESS, CIDR BLOCK, REGISTRY KEY and MALWARE | https://analysis.fsisac.com/taxii-discovery-service |
| Closed Sources | Every day at 2 pm UTC | CyberSource | Yes | IP, URL, DOMAIN, EMAIL ADDRESS (connect with TruSTAR support for access) | https://ebc.cybersource.com/ebc/DownloadReport |
| OSINT (RSS Feeds) | 15 mins | US-CERT | No | IP, URL, MD5, SHA1, SHA256, CVE, DOMAIN, BITCOIN ADDRESSES, SOFTWARE, EMAIL ADDRESS, CIDR BLOCK, REGISTRY KEY and MALWARE | http://www.us-cert.gov/ncas/all.xml |
| OSINT (RSS Feeds) | 15 mins | ISC | No | IP, URL, MD5, SHA1, SHA256, CVE, DOMAIN, BITCOIN ADDRESSES, SOFTWARE, EMAIL ADDRESS, CIDR BLOCK, REGISTRY KEY and MALWARE | https://isc.sans.edu/rssfeed_full.xml |
| OSINT (RSS Feeds) | 15 mins | Packetstorm | No | IP, URL, MD5, SHA1, SHA256, CVE, DOMAIN, BITCOIN ADDRESSES, SOFTWARE, EMAIL ADDRESS, CIDR BLOCK, REGISTRY KEY and MALWARE | https://rss.packetstormsecurity.com |
| OSINT (RSS Feeds) | 15 mins | Infosec Island | No | IP, URL, MD5, SHA1, SHA256, CVE, DOMAIN, BITCOIN ADDRESSES, SOFTWARE, EMAIL ADDRESS, CIDR BLOCK, REGISTRY KEY and MALWARE | http://www.infosecisland.com/rss.html |
| OSINT (RSS Feeds) | 15 mins | Palo Alto Unit 42 | No | IP, URL, MD5, SHA1, SHA256, CVE, DOMAIN, BITCOIN ADDRESSES, SOFTWARE, EMAIL ADDRESS, CIDR BLOCK, REGISTRY KEY and MALWARE | http://feeds.feedburner.com/PaloAltoNetworks |
| OSINT (RSS Feeds) | 15 mins | Malware Bytes | No | SOFTWARE, MALWARE | https://blog.malwarebytes.com/feed/ |
| OSINT (RSS Feeds) | 15 mins | Broad Analysis | No | IP, DOMAIN | http://www.broadanalysis.com/feed/ |

Sources with an empty Source URLs cell have no endpoint listed on this page.

How do I integrate closed or open sources that are not available in TruSTAR Marketplace or in the list above?

1) Establish a shared understanding of the use case for the source - For example, is this information you are interested in for the detection mission in the SIEM, for the enrichment mission in triage / incident response, or both?

2) Prioritizing and Refining - Many of our customers have a never-ending and ever-evolving list of sources we are operationalizing. This is the nature of intelligence management. As part of the Customer Success process, we create a shared roadmap of requests for our customers, then together execute on the implementation and report on it in monthly check-ins and quarterly executive business reviews.

3) Acceleration - How quickly we add net new data sources to a customer's TruSTAR environment depends on three factors:

  • Existing Backlog of Sources - We maintain a backlog of integrations, ordered by popularity with our sharing communities and customer base. Next up for us in Q1 are integrations with Slack, D3, and an expansion of our RiskIQ integration. These will be available to all TruSTAR customers. We re-prioritize this roadmap every quarter based on requests and share it with our customer base.
  • REST API / Python SDK - Typically, there are some unique sources that customers want to leverage. As a result, we work with our customers to identify the most appropriate way to advance their specific needs while balancing speed and cost. Some customers want to build these themselves; some want TruSTAR to do it for them. If the customer wants TruSTAR to do it, we can pursue one of the following:
    • Enumerate specific sources/integrations and their prices/delivery deadlines in the contract;
    • Create an integrations line item in the contract, with integrations scoped and developed via email approval between TruSTAR and the BV POC; TruSTAR will report on the utilization as part of the quarterly business reviews; or
    • Approach each integration ad hoc with a separate statement of work and signature process.
  • Enclave-Inbox - If a customer has new data sources but is unable or uninterested in earmarking resources for integration, we typically look to maximize our email-ingest vector. Ingesting and parsing data through email-ingest is one of the most popular ways to get data into the platform without expending engineering resources.


How Did We Do?