IOCs for you with Vulners


Everyone is constantly advised to rely on free, public feeds, with no way to get unique data. Many of those feeds duplicate each other, and in most cases real expertise costs money. But what if you want a better result with a minimum of effort?

That is exactly what we did. The RST Threat Feed team shared their data with us, and thanks to this collaboration Vulners now carries IOC data, including part of their paid dataset.

What are the IOCs from RST Threat Feed?

An IOC (indicator of compromise) is an artifact such as an IP address, domain, URL or file hash that has been observed in malicious activity on a network or endpoint. Matching these indicators against your own telemetry improves your ability to detect attacks.

Each record includes the following information:

  • First/last seen timestamps;
  • Threat category;
  • Whois data;
  • GEO info;
  • Linked malicious objects;
  • etc.

How to use these IOCs?

But what about those who are not yet ready to buy or subscribe to a full TI platform?

This data complements the TI/IRP/SIEM tooling you already have:

  • Enrich logs;
  • Enrich SIEM/IRP data;
  • Feed TheHive (Cortex) responders;
  • Include it in your analysis scripts and tools (Sooty, IntelOwl, etc.).

Let's check a few examples.

API call for a domain search, using amerikansktgodis[.]se as the example:

import vulners

vulners_api = vulners.Vulners(api_key="YOUR_API_KEY_HERE")
# The query must carry the real domain; the defanged form with [.] is for display only.
result = vulners_api.search("domain:amerikansktgodis.se")
print(result)

Search with IP:

ip:147[.]78.220.156

API call for the IP search:

import vulners

vulners_api = vulners.Vulners(api_key="YOUR_API_KEY_HERE")
# Same query as above, written with the real (non-defanged) address.
result = vulners_api.search("ip:147.78.220.156")
print(result)

Search for domain:

type:rst AND tags:malware AND domain:amazon

API call for the domain search:

import vulners

vulners_api = vulners.Vulners(api_key="YOUR_API_KEY_HERE")
# type:rst restricts results to RST Threat Feed records, tags:malware to the malware category,
# and domain:amazon matches feed entries whose domain contains that token.
result = vulners_api.search("type:rst AND tags:malware AND domain:amazon")
print(result)
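As an added example (not code from the original post or from Vulners), the following script ties the query forms shown above to the log-enrichment use case from the list earlier: it pulls public IPv4 addresses and domains out of a couple of constructed proxy log lines, refangs indicators written as 147[.]78.220.156, builds the same type:rst queries, and attaches the feed's hits to each line. The lookup is injected so the script runs offline against a constructed stand-in; FAKE_FEED, its record keys (tags, first_seen) and the private-address filter are assumptions for illustration, not the API's real response format. For the live feed, pass lambda q: vulners_api.search(q) as the lookup.

```python
import ipaddress
import re
from typing import Callable, Dict, List

# Constructed sample proxy log lines (not real traffic); the second line is benign.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z proxy src=10.0.0.5 dst=147.78.220.156 host=amerikansktgodis.se",
    "2024-01-01T10:00:01Z proxy src=10.0.0.7 dst=93.184.216.34 host=example.com",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(indicator: str) -> str:
    """Undo the usual report defanging ('147[.]78...', 'hxxp://') before searching."""
    return indicator.replace("[.]", ".").replace("hxxp://", "http://")


def build_query(indicator: str) -> str:
    """Build a query in the syntax the post shows: ip:... for IPv4, domain:... for
    anything else, restricted to RST Threat Feed records with type:rst."""
    value = refang(indicator)
    field = "ip" if IPV4_RE.fullmatch(value) else "domain"
    return f"type:rst AND {field}:{value}"


def extract_indicators(line: str) -> List[str]:
    """Pull public IPv4 addresses and domains out of a log line, deduplicated, in order."""
    found: List[str] = []
    for ip in IPV4_RE.findall(line):
        try:
            # RFC 1918 and other non-global addresses never appear in a threat feed; skip them.
            if ipaddress.ip_address(ip).is_global:
                found.append(ip)
        except ValueError:
            continue  # e.g. 999.1.1.1 matched the regex but is not an address
    found.extend(DOMAIN_RE.findall(line))
    return list(dict.fromkeys(found))


def enrich_logs(lines, lookup: Callable[[str], List[Dict]]) -> List[Dict]:
    """Attach feed hits to each line. lookup(query) returns the matching records;
    each distinct query is sent once, so a busy log does not burn API quota."""
    cache: Dict[str, List[Dict]] = {}
    enriched = []
    for line in lines:
        hits: Dict[str, List[Dict]] = {}
        for indicator in extract_indicators(line):
            query = build_query(indicator)
            if query not in cache:
                cache[query] = lookup(query)
            if cache[query]:
                hits[indicator] = cache[query]
        enriched.append({"line": line, "hits": hits})
    return enriched


# Constructed stand-in for the feed so the example runs offline. The record keys are
# assumed for illustration; check the real API response for the actual field names.
FAKE_FEED = {
    "type:rst AND ip:147.78.220.156": [{"tags": ["malware"], "first_seen": "2023-12-20"}],
    "type:rst AND domain:amerikansktgodis.se": [{"tags": ["malware"], "first_seen": "2023-12-18"}],
}


def fake_lookup(query: str) -> List[Dict]:
    return FAKE_FEED.get(query, [])


if __name__ == "__main__":
    # For the live feed, replace fake_lookup with the client from the post:
    #   vulners_api = vulners.Vulners(api_key="YOUR_API_KEY_HERE")
    #   lookup = lambda q: vulners_api.search(q)
    for entry in enrich_logs(SAMPLE_LOGS, fake_lookup):
        flag = "HIT" if entry["hits"] else "ok "
        print(flag, entry["line"], sorted(entry["hits"]))
```

The per-query cache matters more than it looks: a SIEM export repeats the same destination thousands of times, and the free tier is sized for on-demand lookups, not one call per log line.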

If you are a small organization enriching data on demand, when alerts appear or for periodic reporting, the free license is enough for you. To expand your subscription there is a separate section, or write to us at [email protected].

If you have any questions after testing, contact us.

You are welcome! :)
