-
Notifications
You must be signed in to change notification settings - Fork 60
CIF Feeds
CIF has the ability to generate Threat Intelligence "feeds" from its database of ingested and normalized threats. Minimum characteristics of a CIF feed are:
- Filtered by observable type (ipv4, fqdn, url, ipv6, email)
- De-duplicated or aggregated by observable
- Whitelisting data-sets applied
With those minimum characteristics we would expect that people would apply additional filters, examples of these additional filters would be:
- confidence (-c)
- type (--tags botnet)
- time period (--today, --last-day, --firsttime YYYY-MM-DDT00:00:00Z)
- format (-f csv, -f bind, -f snort)
-
Observable type: fqdn, Confidence: 95, Type (tags): phishing, Period: today, Output format: csv
cif --feed --otype fqdn -c 95 --tags phishing --today -f csv
-
Observable type: fqdn, Confidence: 85, Type (tags): botnet, Period: today, Output format: bind
cif --feed --otype fqdn -c 85 --tags botnet --today -f bind
-
Observable type: ipv4, Confidence: 85, Output format: csv
cif --feed --otype ipv4 -c 85 --last-day -f csv
-
Observable type: ipv4, Confidence: 85, Type (tags): exploit, Output format: csv
cif --feed --otype ipv4 -c 95 --tags exploit --last-day -f csv
-
Observable type: url, Confidence: 85, Type (tags): phishing, Period: last-day, Output format: json
cif --feed --otype url -c 85 --tags phishing --last-day -f json
-
Observable type: url, Confidence: 75, Type (tags): malware, Period: today, Output format: csv
cif --feed --otype url -c 75 --tags malware --today -f csv
-
Observable type: email, Confidence: 75, Type (tags): phishing, Period: last-day, Output format: csv
cif --feed --otype email -c 75 --tags phishing --last-day -f csv
-
Observable type: ipv6, Confidence: 75, Type (tags): scanner, Period: today, Output format: csv
cif --feed --otype ipv6 -c 75 --tags scanner --today -f csv