awesome-threat-intelligence

A curated list of Awesome Threat Intelligence resources

GitHub

8k stars
559 watching
1k forks
last commit: about 2 months ago
Linked from 10 awesome lists

awesomeawesome-listhacktoberfestsecurity

awesome-threat-intelligence / Sources

AbuseIPDB
Alexa Top 1 Million sites
whitelist The top 1 Million sites from Amazon(Alexa). Never use this as a
APT Groups and Operations
Binary Defense IP Banlist
BGP Ranking
Botnet Tracker
BOTVRIJ.EU
BruteForceBlocker
http://danger.rulez.sk/projects/bruteforceblocker/blist.php BruteForceBlocker is a perl script that monitors a server's sshd logs and identifies brute force attacks, which it then uses to automatically configure firewall blocking rules and submit those IPs back to the project site,
C&C Tracker
CertStream
CCSS Forum Malware Certificates
CI Army List
CINS Score A subset of the commercial list, focused on poorly rated IPs that are not currently present on other threatlists
Cisco Umbrella
Cloudmersive Virus Scan
CrowdSec Console
CrowdSec The largest crowd-sourced CTI, updated in near real-time, thanks to CrowdSec a next-gen, open-source, free, and collaborative IDS/IPS software. is able to analyze visitor behavior & provide an adapted response to all kinds of attacks. Users can share their alerts about threats with the community and benefit from the network effect. The IP addresses are collected from real attacks and are not coming exclusively from a honeypot network
Cyber Cure free intelligence feeds
documentation Cyber Cure offers free cyber threat intelligence feeds with lists of IP addresses that are currently infected and attacking on the internet. There are list of urls used by malware and list of hash files of known malware that is currently spreading. CyberCure is using sensors to collect intelligence with a very low false positive rate. Detailed is available as well
Cyware Threat Intelligence Feeds
DataPlane.org
Focsec.com
documentation Focsec.com provides a API for detecting VPNs, Proxys, Bots and TOR requests. Always up-to-date data helps with detecting suspicious logins, fraud and abuse. Code examples can be found in the
DigitalSide Threat-Intel
STIX2 Contains sets of Open Source Cyber Threat Intelligence indicators, mostly based on malware analysis and compromised URLs, IPs and domains. The purpose of this project is to develop and test new ways to hunt, analyze, collect and share relevants IoCs to be used by SOC/CSIRT/CERT/individuals with minimun effort. Reports are shared in three ways: , and . Reports are published also in the
Disposable Email Domains 2,909 8 days ago
DNS Trails
IP and domain intelligence API available Free intelligence source for current and historical DNS information, WHOIS information, finding other websites associated with certain IPs, subdomain knowledge and technologies. There is a as well
Emerging Threats Firewall Rules
Emerging Threats IDS Rules
ExoneraTor
Exploitalert
FastIntercept
ZeuS Tracker
abuse.ch The Feodo Tracker tracks the Feodo trojan
FireHOL IP Lists
FraudGuard
GreyNoise
HoneyDB
HoneyPy 459 7 months ago HoneyDB provides real time data of honeypot activity. This data comes from honeypots deployed on the Internet using the honeypot. In addition, HoneyDB provides API access to collected honeypot activity, which also includes aggregated data from various honeypot Twitter feeds
Icewater 379 over 5 years ago
Infosec - CERT-PA
collection and analysis Malware samples , and more. Created and managed by CERT-PA
InQuest Labs
I-Blocklist
IPsum
Miroslav Stampar IPsum is a threat intelligence feed based on 30+ different publicly available lists of suspicious and/or malicious IP addresses. All lists are automatically retrieved and parsed on a daily (24h) basis and the final result is pushed to this repository. List is made of IP addresses together with a total number of (black)list occurrence (for each). Created and managed by
James Brine Threat Intelligence Feeds
Kaspersky Threat Data Feeds
Majestic Million
blog Probable Whitelist of the top 1 million web sites, as ranked by Majestic. Sites are ordered by the number of referring subnets. More about the ranking can be found on their
Maldatabase
Malpedia
MalShare.com
Maltiverse
MalwareBazaar
Malware Domain List
Malware Patrol
Malware-Traffic-Analysis.net
MalwareDomains.com
MetaDefender Cloud
Netlab OpenData Project
NoThink!
NormShield Services
NovaSense Threats
Obstracts
OpenPhish Feeds
0xSI_f33d
PhishTank
PickupSTIX
REScure Threat Intel Feed
RST Cloud Threat Intel Feed
Rutgers Blacklisted IPs
SANS ICS Suspicious Domains
SANS ICS The Suspicious Domains Threat Lists by tracks suspicious domains. It offers 3 lists categorized as either , or sensitivity, where the high sensitivity list has fewer false positives, whereas the low sensitivity list with more false positives. There is also an of domains. Finally, there is a suggested from
SecurityScorecard IoCs 72 6 months ago
Stixify
signature-base 2,457 3 days ago
The Spamhaus project
SophosLabs Intelix
Spur
SSL Blacklist
Statvoo Top 1 Million Sites
Strongarm, by Percipient Networks
SIEM Rules
Talos
observable's reputation Cisco Talos Intelligence Group is one of the largest commercial threat intelligence teams in the world, comprised of world-class researchers, analysts and engineers. These teams are supported by unrivaled telemetry and sophisticated systems to create accurate, rapid and actionable threat intelligence for Cisco customers, products and services. Talos defends Cisco customers against known and emerging threats, discovers new vulnerabilities in common software, and interdicts threats in the wild before they can further harm the internet at large. Talos maintains the official rule sets of Snort.org, ClamAV, and SpamCop, in addition to releasing many open-source research and analysis tools. Talos provides an easy to use web UI to check an
threatfeeds.io
threatfox.abuse.ch
Technical Blogs and Reports, by ThreatConnect
Indicators of Compromise This source is being populated with the content from over 90 open source, security blogs. IOCs ( ) are parsed out of each blog and the content of the blog is formatted in markdown
Threat Jammer
ThreatMiner
WSTNPHX Malware Email Addresses
UnderAttack.today
URLhaus
VirusShare
Yara-Rules 4,146 6 months ago
1st Dual Stack Threat Feed by MrLooquer

awesome-threat-intelligence / Formats

CAPEC
CybOX
IODEF (RFC5070)
IDMEF (RFC4765)
MAEC
OpenC2
STIX 2.0
here The Structured Threat Information eXpression (STIX) language is a standardized construct to represent cyber threat information. The STIX Language intends to convey the full range of potential cyber threat information and strives to be fully expressive, flexible, extensible, and automatable. STIX does not only allow tool-agnostic fields, but also provides so-called that provide means for embedding tool-specific elements, including OpenIOC, Yara and Snort. STIX 1.x has been archived
TAXII
VERIS
DBIR The Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. VERIS is a response to one of the most critical and persistent challenges in the security industry - a lack of quality information. In addition to providing a structured format, VERIS also collects data from the community to report on breaches in the Verizon Data Breach Investigations Report ( ) and publishes this database online in a GitHub

awesome-threat-intelligence / Frameworks and Platforms

AbuseHelper 117 about 5 years ago
AbuseIO
AIS
Bearded Avenger 182 over 1 year ago
Blueliv Threat Exchange Network
Cortex 1,326 2 days ago
CRITS
CIF
GitHub 227 over 6 years ago The Collective Intelligence Framework (CIF) allows you to combine known malicious threat information from many sources and use that information for IR, detection and mitigation. Code available on
CTIX
EclecticIQ Platform
IntelMQ
IntelOwl 3,784 15 days ago
pyintelowl 59 5 days ago Intel Owl is an OSINT solution to get threat intelligence data about a specific file, an IP or a domain from a single API at scale. Intel Owl is composed of analyzers that can be run to retrieve data from external sources (like VirusTotal or AbuseIPDB) or to generate intel from internal analyzers (like Yara or Oletools). It can be integrated easily in your stack of security tools ( ) to automate common jobs usually performed, for instance, by SOC analysts manually
Kaspersky Threat Intelligence Portal
Malstrom 46 over 6 years ago
ManaTI 111 over 5 years ago
MANTIS
Megatron 41 over 7 years ago
MineMeld 379 about 7 years ago
MISP
n6 121 8 months ago
CERT Polska n6 (Network Security Incident eXchange) is a system to collect, manage and distribute security information on a large scale. Distribution is realized through a simple REST API and a web interface that authorized users can use to receive various types of data, in particular information on threats and incidents in their networks. It is developed by
OpenCTI
OpenIOC
OpenTAXII 189 6 months ago
OSTrICa 306 over 7 years ago
OTX - Open Threat Exchange
Open Threat Partner eXchange
PassiveTotal
Pulsedive
Recorded Future
Scumblr 2,642 almost 5 years ago
STAXX (Anomali)
stoQ
here stoQ is a framework that allows cyber analysts to organize and automate repetitive, data-driven tasks. It features plugins for many other systems to interact with. One use case is the extraction of IOCs from documents, an example of which is shown , but it can also be used for deobfuscationg and decoding of content and automated scanning with YARA, for example
TARDIS 121 about 9 years ago
ThreatConnect
ThreatCrowd
ThreatPipes
ThreatExchange
GitHub 1,173 4 days ago Facebook created ThreatExchange so that participating organizations can share threat data using a convenient, structured, and easy-to-use API that provides privacy controls to enable sharing with only desired groups. This project is still in . Reference code can be found at
TypeDB CTI 144 about 1 year ago
blog post TypeDB Data - CTI is an open source threat intelligence platform for organisations to store and manage their cyber threat intelligence (CTI) knowledge. It enables threat intel professionals to bring together their disparate CTI information into one database and find new insights about cyber threats. This repository provides a schema that is based on STIX2, and contains MITRE ATT&CK as an example dataset to start exploring this threat intelligence platform. More in this
VirusBay
threatnote.io
XFE - X-Force Exchange
Yeti

awesome-threat-intelligence / Tools

ActorTrackr 27 about 7 years ago
GitHub 27 about 7 years ago ActorTrackr is an open source web application for storing/searching/linking actor related data. The primary sources are from users and various public repositories. Source available on
AIEngine
AIOCRIOC 30 7 months ago
Analyze (Intezer)
Automater 531 about 2 months ago
BlueBox 39 over 2 years ago
BotScout
bro-intel-generator 75 almost 9 years ago
cabby 97 about 3 years ago
cacador 135 about 6 years ago
Combine 654 over 5 years ago
CrowdFMS 129 almost 6 years ago
CyberGordon
CyBot 315 over 4 years ago
Cuckoo Sandbox 5,540 over 2 years ago
Fenrir 688 over 2 years ago
FireHOL IP Aggregator 32 almost 2 years ago
blocklist-ipsets 3,167 3 days ago Application for keeping feeds from FireHOL with IP addresses appearance history. HTTP-based API service is developed for search requests
Forager 169 over 6 years ago
Gigasheet
GoatRider 137 almost 6 years ago
Google APT Search Engine
this APT Groups, Operations and Malware Search Engine. The sources used for this Google Custom Search are listed on GitHub gist
GOSINT 536 over 1 year ago
hashdd
Harbinger Threat Intelligence 82 almost 9 years ago
Hippocampe 166 about 4 years ago
Hiryu 47 almost 2 years ago
IOC Editor
IOC Finder 157 11 months ago
IOC Fanger (and Defanger) 55 about 1 year ago
ioc_parser 428 over 1 year ago
ioc_writer 200 over 1 year ago
iocextract 500 about 2 months ago
IOCextractor 135 over 8 years ago
ibmxforceex.checker.py 25 about 8 years ago
jager 82 about 1 year ago
Kaspersky CyberTrace
KLara 695 3 months ago
libtaxii 70 over 3 years ago
Loki 3,364 7 months ago
LookUp
Machinae 503 5 months ago
MalPipe 103 almost 6 years ago
MISP Workbench 28 almost 8 years ago
MISP-Taxii-Server 81 about 2 years ago
MSTIC Jupyter and Python Security Tools 1,761 19 days ago
nyx 30 almost 9 years ago
OneMillion 8 over 1 year ago
openioc-to-stix 89 almost 6 years ago
Omnibus 327 5 months ago
OSTIP 28 over 7 years ago
poortego 116 over 6 years ago
PyIOCe 61 over 9 years ago
QRadio 95 over 8 years ago
rastrea2r 116 about 6 years ago
Redline
RITA 2,506 3 months ago
Softrace 2 over 3 years ago
sqhunter
SRA TAXII2 Server 12 almost 2 years ago
Stixvalidator.com
Stixview 72 1 day ago
stix-viz 107 about 6 years ago
TAXII Test Server
threataggregator 79 over 8 years ago
threatcrowd_api 9 over 7 years ago
threatcmd 19 over 7 years ago
Threatelligence 144 over 10 years ago
ThreatIngestor 823 8 months ago
ThreatPinch Lookup
ThreatTracker 66 over 9 years ago
threat_intel 273 about 1 year ago
Threat-Intelligence-Hunter 148 5 months ago
tiq-test 169 almost 9 years ago
YETI 46 over 5 years ago

awesome-threat-intelligence / Research, Standards & Books

APT & Cyber Criminal Campaign Collection 3,661 3 months ago
APTnotes 3,476 9 months ago
ATT&CK
Building Threat Hunting Strategies with the Diamond Model
Cyber Analytics Repository by MITRE
Cyber Threat Intelligence Capability Maturity Model (CTI-CMM)
Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) A new using a stakeholder-first approach and aligned with the to empower your team and create lasting value
Cyber Threat Intelligence Repository by MITRE 1,726 5 months ago
Cyber Threat Intelligence: A Product Without a Process?
Definitive Guide to Cyber Threat Intelligence
The Detection Maturity Level (DML)
The Diamond Model of Intrusion Analysis
The Targeting Process: D3A and F3EAD
Guide to Cyber Threat Information Sharing by NIST
Intelligence Preparation of the Battlefield/Battlespace
Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains
ISAO Standards Organization
Joint Publication 2-0: Joint Intelligence
Microsoft Research Paper
MISP Core Format (draft)
NECOMA Project
Pyramid of Pain
Structured Analytic Techniques For Intelligence Analysis
Threat Intelligence: Collecting, Analysing, Evaluating
Threat Intelligence Sharing Platforms: An Exploratory Study of Software Vendors and Research Perspectives
Traffic Light Protocol
Unit42 Playbook Viewer
Who's Using Cyberthreat Intelligence and How?
WOMBAT Project

Backlinks from these awesome lists: