{"id":13449224,"url":"https://github.com/hslatman/awesome-threat-intelligence","last_synced_at":"2025-09-27T10:32:10.537Z","repository":{"id":37431308,"uuid":"48368290","full_name":"hslatman/awesome-threat-intelligence","owner":"hslatman","description":"A curated list of Awesome Threat Intelligence resources","archived":false,"fork":false,"pushed_at":"2024-05-15T11:15:53.000Z","size":17650,"stargazers_count":7407,"open_issues_count":27,"forks_count":1406,"subscribers_count":551,"default_branch":"main","last_synced_at":"2024-05-23T04:06:33.876Z","etag":null,"topics":["awesome","awesome-list","hacktoberfest","security"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hslatman.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2015-12-21T11:31:04.000Z","updated_at":"2024-06-01T10:10:30.070Z","dependencies_parsed_at":"2024-01-12T18:37:28.723Z","dependency_job_id":"e5590121-abb5-4aaf-832b-ec6890363254","html_url":"https://github.com/hslatman/awesome-threat-intelligence","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hslatman%2Fawesome-threat-intelligence","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hslatman%2Fawesome-threat-intelligence/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hslatman%2Fawesome-threat-intelligence/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hslatman%2Fawesome-threat-intelligence/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hslatman","download_url":"https://codeload.github.com/hslatman/awesome-threat-intelligence/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":219871986,"owners_count":16554477,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["awesome","awesome-list","hacktoberfest","security"],"created_at":"2024-07-31T06:00:33.696Z","updated_at":"2025-09-27T10:32:10.528Z","avatar_url":"https://github.com/hslatman.png","language":null,"funding_links":[],"categories":["Related Awesome Lists","Uncategorized","Others","Misc","Other Awesome Lists","HarmonyOS","Other","\u003ca id=\"f56806b5b229bdf6c118f5fb1092e141\"\u003e\u003c/a\u003e威胁情报","AWESOME LISTS","Awesome Repositories","To Sort","Threat Intelligence","🎩 Hacking","📚 Learning \u0026 Resources","Related Lists","Table of Contents","扫描器、资产收集、子域名","[↑](#-table-of-contents) Related Awesome Lists","Must read","awesome-list","\u003ca id=\"8c5a692b5d26527ef346687e047c5c21\"\u003e\u003c/a\u003e收集","📘 Valuable Repositories","威胁情报","Other Awesome Security Lists","Audi-1's SQLi-LABS","General","Threat intelligence","Themed Directories","Programming/Comp Sci/SE Things","Awesome lists","Trust \u0026 Safety","Here is a collection of hackers, pentesters, security researchers, scripts and more:"],"sub_categories":["Security \u0026 Compliance","Uncategorized","More Awesome Repos (actively maintained)","Other Security Awesome Lists","Windows Manager","Other Resources","\u003ca id=\"91dc39dc492ee8ef573e1199117bc191\"\u003e\u003c/a\u003e收集","Conferences","Awesome Repositories","网络服务_其他","[↑](#-table-of-contents) Telegram","Endpoints hardening:","威胁狩猎","Cloud","Penetration Testing Report Templates","[↑](#-table-of-contents) GitHub","CTF Courses","Secure Sharing","Threat hunting","OSINT (Open Source Intelligence)","CTF Repos","Threat Intelligence"],"readme":"# awesome-threat-intelligence\nA curated list of awesome Threat Intelligence resources\n\nA concise definition of Threat Intelligence: *evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard*.\n\nFeel free to [contribute](CONTRIBUTING.md).\n\n- [Sources](#sources)\n- [Formats](#formats)\n- [Frameworks \u0026 Platforms](#frameworks-and-platforms)\n- [Tools](#tools)\n- [Research, Standards \u0026 Books](#research)\n\n\n## Sources\n\nMost of the resources listed below provide lists and/or APIs to obtain (hopefully) up-to-date information with regards to threats.\nSome consider these sources as threat intelligence, opinions differ however.\nA certain amount of (domain- or business-specific) analysis is necessary to create true threat intelligence.\n\n\u003ctable\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://feed.ellio.tech\" target=\"_blank\"\u003eELLIO: IP Feed (community free version)\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n A threat list of known malicious IP addresses anticipated to pose potential threats to your network in the near future, known benign scanners, and IP addresses of actors with unknown intent. It is provided with a 24-hour delay for personal, non-commercial use but still provides exceptional protection compared to other open IP threat lists/feeds..\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.abuseipdb.com/\" target=\"_blank\"\u003eAbuseIPDB\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet. It's mission is to help make Web safer by providing a central blacklist for webmasters, system administrators, and other interested parties to report and find IP addresses that have been associated with malicious activity online..\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://docs.google.com/spreadsheets/u/1/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pubhtml\" target=\"_blank\"\u003eAPT Groups and Operations\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n A spreadsheet containing information and intelligence about APT groups, operations and tactics.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.binarydefense.com/banlist.txt\" target=\"_blank\"\u003eBinary Defense IP Banlist\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Binary Defense Systems Artillery Threat Intelligence Feed and IP Banlist Feed.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.circl.lu/projects/bgpranking/\" target=\"_blank\"\u003eBGP Ranking\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Ranking of ASNs having the most malicious content.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://intel.malwaretech.com/\" target=\"_blank\"\u003eBotnet Tracker\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Tracks several active botnets.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"http://www.botvrij.eu/\"\u003eBOTVRIJ.EU\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Botvrij.eu provides different sets of open source IOCs that you can use in your security devices to detect possible malicious activity.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://danger.rulez.sk/index.php/bruteforceblocker/download/\" target=\"_blank\"\u003eBruteForceBlocker\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n BruteForceBlocker is a perl script that monitors a server's sshd logs and identifies brute force attacks, which it then uses to automatically configure firewall blocking rules and submit those IPs back to the project site, \u003ca href=\"http://danger.rulez.sk/projects/bruteforceblocker/blist.php\"\u003ehttp://danger.rulez.sk/projects/bruteforceblocker/blist.php\u003c/a\u003e.\n \u003c/td\u003e\n \u003c/tr\u003e \n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt\" target=\"_blank\"\u003eC\u0026amp;C Tracker\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n A feed of known, active and non-sinkholed C\u0026amp;C IP addresses, from Bambenek Consulting. Requires license for commercial use.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://certstream.calidog.io/\" target=\"_blank\"\u003eCertStream\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Real-time certificate transparency log update stream. See SSL certificates as they're issued in real time.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"http://www.ccssforum.org/malware-certificates.php\" target=\"_blank\"\u003eCCSS Forum Malware Certificates\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The following is a list of digital certificates that have been reported by the forum as possibly being associated with malware to various certificate authorities. This information is intended to help prevent companies from using digital certificates to add legitimacy to malware and encourage prompt revocation of such certificates.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"http://cinsscore.com/list/ci-badguys.txt\" target=\"_blank\"\u003eCI Army List\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n A subset of the commercial \u003ca href=\"http://cinsscore.com/\"\u003eCINS Score\u003c/a\u003e list, focused on poorly rated IPs that are not currently present on other threatlists.\n \u003c/td\u003e\n \u003c/tr\u003e \n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"http://s3-us-west-1.amazonaws.com/umbrella-static/index.html\" target=\"_blank\"\u003eCisco Umbrella\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Probable Whitelist of the top 1 million sites resolved by Cisco Umbrella (was OpenDNS).\n\t\u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://cloudmersive.com/virus-api\" target=\"_blank\"\u003eCloudmersive Virus Scan\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Cloudmersive Virus Scan APIs scan files, URLs, and cloud storage for viruses. They leverage continuously updated signatures for millions of threats, and advanced high-performance scanning capabilities. The service is free, but requires you register for an account to retrieve your personal API key.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://app.crowdsec.net/\" target=\"_blank\"\u003eCrowdSec Console\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The largest crowd-sourced CTI, updated in near real-time, thanks to CrowdSec a next-gen, open-source, free, and collaborative IDS/IPS software. \u003ca href=\"https://crowdsec.net\" target=\"_blank\"\u003eCrowdSec\u003c/a\u003e is able to analyze visitor behavior \u0026 provide an adapted response to all kinds of attacks. Users can share their alerts about threats with the community and benefit from the network effect. The IP addresses are collected from real attacks and are not coming exclusively from a honeypot network.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.cybercure.ai/\" target=\"_blank\"\u003eCyber Cure free intelligence feeds\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Cyber Cure offers free cyber threat intelligence feeds with lists of IP addresses that are currently infected and attacking on the internet. There are list of urls used by malware and list of hash files of known malware that is currently spreading. CyberCure is using sensors to collect intelligence with a very low false positive rate. Detailed \u003ca href=\"https://docs.cybercure.ai\" target=\"_blank\"\u003edocumentation\u003c/a\u003e is available as well.\n \u003c/td\u003e\n \u003c/tr\u003e\n\u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://cyware.com/community/ctix-feeds\" target=\"_blank\"\u003eCyware Threat Intelligence Feeds\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Cyware’s Threat Intelligence feeds brings to you the valuable threat data from a wide range of open and trusted sources to deliver a consolidated stream of valuable and actionable threat intelligence. Our threat intel feeds are fully compatible with STIX 1.x and 2.0, giving you the latest information on malicious malware hashes, IPs and domains uncovered across the globe in real-time.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://dataplane.org/\" target=\"_blank\"\u003eDataPlane.org\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n DataPlane.org is a community-powered Internet data, feeds, and measurement resource for operators, by operators. We provide reliable and trustworthy service at no cost.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://focsec.com\" target=\"_blank\"\u003eFocsec.com\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Focsec.com provides a API for detecting VPNs, Proxys, Bots and TOR requests. Always up-to-date data helps with detecting suspicious logins, fraud and abuse. Code examples can be found in the \u003ca href=\"https://docs.focsec.com\" target=\"_blank\"\u003edocumentation\u003c/a\u003e.\n \u003c/td\u003e\n \u003c/tr\u003e\t\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://osint.digitalside.it/\" target=\"_blank\"\u003eDigitalSide Threat-Intel\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Contains sets of Open Source Cyber Threat Intelligence indicators, mostly based on malware analysis and compromised URLs, IPs and domains. The purpose of this project is to develop and test new ways to hunt, analyze, collect and share relevants IoCs to be used by SOC/CSIRT/CERT/individuals with minimun effort. Reports are shared in three ways: \u003ca href=\"https://osint.digitalside.it/Threat-Intel/stix2/\" target=\"_blank\"\u003eSTIX2\u003c/a\u003e, \u003ca href=\"https://osint.digitalside.it/Threat-Intel/csv/\" target=\"_blank\"\u003eCSV\u003c/a\u003e and \u003ca href=\"https://osint.digitalside.it/Threat-Intel/digitalside-misp-feed/\" target=\"_blank\"\u003eMISP Feed\u003c/a\u003e. Reports are published also in the \u003ca href=\"https://github.com/davidonzo/Threat-Intel/\" target=\"_blank\"\u003eproject's Git repository\u003c/a\u003e.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/martenson/disposable-email-domains\"\u003eDisposable Email Domains\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n A collection of anonymous or disposable email domains commonly used to spam/abuse services.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://securitytrails.com/dns-trails\"\u003eDNS Trails\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Free intelligence source for current and historical DNS information, WHOIS information, finding other websites associated with certain IPs, subdomain knowledge and technologies. There is a \u003ca href=\"https://securitytrails.com/\"\u003eIP and domain intelligence API available\u003c/a\u003e as well. \n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"http://rules.emergingthreats.net/fwrules/\" target=\"_blank\"\u003eEmerging Threats Firewall Rules\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n A collection of rules for several types of firewalls, including iptables, PF and PIX.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"http://rules.emergingthreats.net/blockrules/\" target=\"_blank\"\u003eEmerging Threats IDS Rules\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n A collection of Snort and Suricata \u003ci\u003erules\u003c/i\u003e files that can be used for alerting or blocking.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://exonerator.torproject.org/\" target=\"_blank\"\u003eExoneraTor\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The ExoneraTor service maintains a database of IP addresses that have been part of the Tor network. It answers the question whether there was a Tor relay running on a given IP address on a given date.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"http://www.exploitalert.com/\" target=\"_blank\"\u003eExploitalert\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Listing of latest exploits released.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://intercept.sh/threatlists/\" target=\"_blank\"\u003eFastIntercept\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n\t Intercept Security hosts a number of free IP Reputation lists from their global honeypot network.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://feodotracker.abuse.ch/\" target=\"_blank\"\u003eZeuS Tracker\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The Feodo Tracker \u003ca href=\"https://abuse.ch/\" target=\"_blank\"\u003eabuse.ch\u003c/a\u003e tracks the Feodo trojan.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"http://iplists.firehol.org/\" target=\"_blank\"\u003eFireHOL IP Lists\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n 400+ publicly available IP Feeds analysed to document their evolution, geo-map, age of IPs, retention policy, overlaps. The site focuses on cyber crime (attacks, abuse, malware).\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://fraudguard.io/\" target=\"_blank\"\u003eFraudGuard\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n FraudGuard is a service designed to provide an easy way to validate usage by continuously collecting and analyzing real-time internet traffic.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"http://greynoise.io/\" target=\"_blank\"\u003eGreyNoise\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n GreyNoise collects and analyzes data on Internet-wide scanning activity. It collects data on benign scanners such as Shodan.io, as well as malicious actors like SSH and telnet worms. \n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://honeydb.io/\" target=\"_blank\"\u003eHoneyDB\u003c/a\u003e\n \u003c/td\u003e \n \u003ctd\u003e\n HoneyDB provides real time data of honeypot activity. This data comes from honeypots deployed on the Internet using the \u003ca href=\"https://github.com/foospidy/HoneyPy\" target=\"_blank\"\u003eHoneyPy\u003c/a\u003e honeypot. In addition, HoneyDB provides API access to collected honeypot activity, which also includes aggregated data from various honeypot Twitter feeds.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/SupportIntelligence/Icewater\" target=\"_blank\"\u003eIcewater\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n 12,805 Free Yara rules created by Project Icewater.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://infosec.cert-pa.it\" target=\"_blank\"\u003eInfosec - CERT-PA\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Malware samples \u003ca href=\"https://infosec.cert-pa.it/analyze/submission.html\" target=\"_blank\"\u003ecollection and analysis\u003c/a\u003e, \u003ca href=\"https://infosec.cert-pa.it/analyze/statistics.html\" target=\"_blank\"\u003eblocklist service, \u003ca href=\"https://infosec.cert-pa.it/cve.html\"\u003evulnerabilities database\u003c/a\u003e and more. Created and managed by CERT-PA.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://labs.inquest.net\" target=\"_blank\"\u003eInQuest Labs\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n An open, interactive, and API driven data portal for security researchers. Search a large corpus of file samples, aggregate reputation information, and IOCs extracted from public sources. Augment YARA development with tooling to generate triggers, deal with mixed-case hex, and generate base64 compatible regular expressions.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.iblocklist.com/lists\" target=\"_blank\"\u003eI-Blocklist\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n I-Blocklist maintains several types of lists containing IP addresses belonging to various categories. Some of these main categories include countries, ISPs and organizations. Other lists include web attacks, TOR, spyware and proxies. Many are free to use, and available in various formats.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt\" target=\"_blank\"\u003eIPsum\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n IPsum is a threat intelligence feed based on 30+ different publicly available lists of suspicious and/or malicious IP addresses. All lists are automatically retrieved and parsed on a daily (24h) basis and the final result is pushed to this repository. List is made of IP addresses together with a total number of (black)list occurrence (for each). Created and managed by \u003ca href=\"https://twitter.com/stamparm\"\u003eMiroslav Stampar\u003c/a\u003e.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n\t\u003ctd\u003e\n \u003ca href=\"https://jamesbrine.com.au\" target=\"_blank\"\u003eJames Brine Threat Intelligence Feeds\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n\t\tJamesBrine provides daily threat intelligence feeds for malicious IP addresses from internationally located honeypots on cloud and private infrastructure covering a variety of protocols including SSH, FTP, RDP, GIT, SNMP and REDIS. The previous day's IOCs are available in STIX2 as well as additional IOCs such as suspicious URIs and newly registered domains which have a high probaility of use in phishing campaigns.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://support.kaspersky.com/datafeeds\" target=\"_blank\"\u003eKaspersky Threat Data Feeds\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\nContinuously updated and inform your business or clients about risks and implications associated with cyber threats. The real-time data helps you to mitigate threats more effectively and defend against attacks even before they are launched. Demo Data Feeds contain truncated sets of IoCs (up to 1%) compared to the commercial ones\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://majestic.com/reports/majestic-million\" target=\"_blank\"\u003eMajestic Million\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Probable Whitelist of the top 1 million web sites, as ranked by Majestic. Sites are ordered by the number of referring subnets. More about the ranking can be found on their \u003ca href=\"https://blog.majestic.com/development/majestic-million-csv-daily/\" target=\"_blank\"\u003eblog\u003c/a\u003e.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://maldatabase.com/\" target=\"_blank\"\u003eMaldatabase\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Maldatabase is designed to help malware data science and threat intelligence feeds. Provided data contain good information about, among other fields, contacted domains, list of executed processes and dropped files by each sample. These feeds allow you to improve your monitoring and security tools. Free services are available for Security Researchers and Students. \n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://malpedia.caad.fkie.fraunhofer.de/\" target=\"_blank\"\u003eMalpedia\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\nThe primary goal of Malpedia is to provide a resource for rapid identification and actionable context when investigating malware. Openness to curated contributions shall ensure an accountable level of quality in order to foster meaningful and reproducible research. \n \u003c/td\u003e\n \u003c/tr\u003e \n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"http://www.malshare.com/\" target=\"_blank\"\u003eMalShare.com\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The MalShare Project is a public malware repository that provides researchers free access to samples.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.maltiverse.com/\" target=\"_blank\"\u003eMaltiverse\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The Maltiverse Project is a big and enriched IoC database where is possible to make complex queries, and aggregations to investigate about malware campaigns and its infrastructures. It also has a great IoC bulk query service.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://bazaar.abuse.ch/\" target=\"_blank\"\u003eMalwareBazaar\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n MalwareBazaar is a project from abuse.ch with the goal of sharing malware samples with the infosec community, AV vendors and threat intelligence providers.\n \u003c/td\u003e\n \u003c/tr\u003e\t\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.malwaredomainlist.com/\" target=\"_blank\"\u003eMalware Domain List\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n A searchable list of malicious domains that also performs reverse lookups and lists registrants, focused on phishing, trojans, and exploit kits.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.malwarepatrol.net/\" target=\"_blank\"\u003eMalware Patrol\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Malware Patrol provides block lists, data feeds and threat intelligence to companies of all sizes. Because our specialty is cyber threat intelligence, all our resources go into making sure it is of the highest quality possible. We believe a security team and it's tools are only as good as the data used. This means our feeds are not filled with scraped, unverified indicators. We value quality over quantity. \n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://malware-traffic-analysis.net/\" target=\"_blank\"\u003eMalware-Traffic-Analysis.net\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n This blog focuses on network traffic related to malware infections. Contains traffic analysis exercises, tutorials, malware samples, pcap files of malicious network traffic, and technical blog posts with observations.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"http://www.malwaredomains.com/\" target=\"_blank\"\u003eMalwareDomains.com\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The DNS-BH project creates and maintains a listing of domains that are known to be used to propagate malware and spyware. These can be used for detection as well as prevention (sinkholing DNS requests).\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.opswat.com/developers/threat-intelligence-feed\" target=\"_blank\"\u003eMetaDefender Cloud\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n MetaDefender Cloud Threat Intelligence Feeds contains top new malware hash signatures, including MD5, SHA1, and SHA256. These new malicious hashes have been spotted by MetaDefender Cloud within the last 24 hours. The feeds are updated daily with newly detected and reported malware to provide actionable and timely threat intelligence.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\u003ca href=\"https://blog.netlab.360.com/tag/english/\"\u003eNetlab OpenData Project\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The Netlab OpenData project was presented to the public first at ISC' 2016 on August 16, 2016. We currently provide multiple data feeds, including DGA, EK, MalCon, Mirai C2, Mirai-Scanner, Hajime-Scanner and DRDoS Reflector.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"http://www.nothink.org\"\u003eNoThink!\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003eSNMP, SSH, Telnet Blacklisted IPs from Matteo Cantoni's Honeypots\u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://services.normshield.com\" target=\"_blank\"\u003eNormShield Services\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n NormShield Services provide thousands of domain information (including whois information) that potential phishing attacks may come from. Breach and blacklist services also available. There is free sign up for public services for continuous monitoring.\n \u003c/td\u003e\n \u003c/tr\u003e \n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://novasense-threats.com\" target=\"_blank\"\u003eNovaSense Threats\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n NovaSense is the Snapt threat intelligence center, and provides insights and tools for pre-emptive threat protection and attack mitigation. NovaSense protects clients of all sizes from attackers, abuse, botnets, DoS attacks and more.\n \u003c/td\u003e\n \u003c/tr\u003e \n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.obstracts.com/\" target=\"_blank\"\u003eObstracts\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The RSS reader for cybersecurity teams. Turn any blog into structured and actionable threat intelligence.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://openphish.com/phishing_feeds.html\" target=\"_blank\"\u003eOpenPhish Feeds\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n OpenPhish receives URLs from multiple streams and analyzes them using its proprietary phishing detection algorithms. There are free and commercial offerings available.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://feed.seguranca-informatica.pt/index.php\" target=\"_blank\"\u003e0xSI_f33d\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Free service for detecting possbible phishing and malware domains, blacklisted IPs within the Portuguese cyberspace.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.phishtank.com/developer_info.php\" target=\"_blank\"\u003ePhishTank\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n PhishTank delivers a list of suspected phishing URLs. Their data comes from human reports, but they also ingest external feeds where possible. It's a free service, but registering for an API key is sometimes necessary.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.celerium.com/pickupstix\" target=\"_blank\"\u003ePickupSTIX\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n PickupSTIX is a feed of free, open-source, and non-commercialized cyber threat intelligence. Currently, PickupSTIX uses three public feeds and distributes about 100 new pieces of intelligence each day. PickupSTIX translates the various feeds into STIX, which can communicate with any TAXII server. The data is free to use and is a great way to begin using cyber threat intelligence.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://rescure.fruxlabs.com/\" target=\"_blank\"\u003eREScure Threat Intel Feed\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n [RES]cure is an independant threat intelligence project performed by the Fruxlabs Crack Team to enhance their understanding of the underlying architecture of distributed systems, the nature of threat intelligence and how to efficiently collect, store, consume and distribute threat intelligence. Feeds are generated every 6 hours.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://rstcloud.net/\" target=\"_blank\"\u003eRST Cloud Threat Intel Feed\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Aggregated Indicators of Compromise collected and cross-verified from multiple open and community-supported sources, enriched and ranked using our intelligence platform.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://report.cs.rutgers.edu/mrtg/drop/dropstat.cgi?start=-86400\"\u003eRutgers Blacklisted IPs\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003eIP List of SSH Brute force attackers is created from a merged of locally observed IPs and 2 hours old IPs registered at badip.com and blocklist.de\u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://isc.sans.edu/suspicious_domains.html\" target=\"_blank\"\u003eSANS ICS Suspicious Domains\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The Suspicious Domains Threat Lists by \u003ca href=\"https://isc.sans.edu/suspicious_domains.html\" target=\"_blank\"\u003eSANS ICS\u003c/a\u003e tracks suspicious domains. It offers 3 lists categorized as either \u003ca href=\"https://isc.sans.edu/feeds/suspiciousdomains_High.txt\" target=\"_blank\"\u003ehigh\u003c/a\u003e, \u003ca href=\"https://isc.sans.edu/feeds/suspiciousdomains_Medium.txt\" target=\"_blank\"\u003emedium\u003c/a\u003e or \u003ca href=\"https://isc.sans.edu/feeds/suspiciousdomains_Low.txt\" target=\"_blank\"\u003elow\u003c/a\u003e sensitivity, where the high sensitivity list has fewer false positives, whereas the low sensitivity list with more false positives. There is also an \u003ca href=\"https://isc.sans.edu/feeds/suspiciousdomains_whitelist_approved.txt\" target=\"_blank\"\u003eapproved whitelist\u003c/a\u003e of domains.\u003cbr/\u003e\n Finally, there is a suggested \u003ca href=\"https://isc.sans.edu/block.txt\" target=\"_blank\"\u003eIP blocklist\u003c/a\u003e from \u003ca href=\"https://dshield.org\"\u003eDShield\u003c/a\u003e.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/securityscorecard/SSC-Threat-Intel-IoCs\" target=\"_blank\"\u003eSecurityScorecard IoCs\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Public access IoCs from technical blogs posts and reports by SecurityScorecard.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.stixify.com/\" target=\"_blank\"\u003eStixify\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Your automated threat intelligence analyst. Extract machine readable intelligence from unstructured data.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/Neo23x0/signature-base\" target=\"_blank\"\u003esignature-base\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n A database of signatures used in other tools by Neo23x0.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.spamhaus.org/\" target=\"_blank\"\u003eThe Spamhaus project\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The Spamhaus Project contains multiple threatlists associated with spam and malware activity.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.sophos.com/intelix\" target=\"_blank\"\u003eSophosLabs Intelix\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n SophosLabs Intelix is the threat intelligence platform that powers Sophos products and partners. You can access intelligence based on file hash, url etc. as well as submit samples for analysis. Through REST API's you can easily and quickly add this threat intelligence to your systems.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://spur.us\" target=\"_blank\"\u003eSpur\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Spur provides tools and data to detect VPNs, Residential Proxies, and Bots. Free plan allows users to lookup an IP and get its classification, VPN provider, popular geolocations behind the IP, and some more useful context.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://sslbl.abuse.ch/\" target=\"_blank\"\u003eSSL Blacklist\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n SSL Blacklist (SSLBL) is a project maintained by abuse.ch. The goal is to provide a list of \"bad\" SSL certificates identified by abuse.ch to be associated with malware or botnet activities. SSLBL relies on SHA1 fingerprints of malicious SSL certificates and offers various blacklists\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://statvoo.com/dl/top-1million-sites.csv.zip\" target=\"_blank\"\u003eStatvoo Top 1 Million Sites\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Probable Whitelist of the top 1 million web sites, as ranked by Statvoo.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://strongarm.io\" target=\"_blank\"\u003eStrongarm, by Percipient Networks\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Strongarm is a DNS blackhole that takes action on indicators of compromise by blocking malware command and control. Strongarm aggregates free indicator feeds, integrates with commercial feeds, utilizes Percipient's IOC feeds, and operates DNS resolvers and APIs for you to use to protect your network and business. Strongarm is free for personal use.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.siemrules.com\" target=\"_blank\"\u003eSIEM Rules\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Your detection engineering database. View, modify, and deploy SIEM rules for threat hunting and detection.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.talosintelligence.com/\" target=\"_blank\"\u003eTalos\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n\t Cisco Talos Intelligence Group is one of the largest commercial threat intelligence teams in the world, comprised of world-class researchers, analysts and engineers. These teams are supported by unrivaled telemetry and sophisticated systems to create accurate, rapid and actionable threat intelligence for Cisco customers, products and services. Talos defends Cisco customers against known and emerging threats, discovers new vulnerabilities in common software, and interdicts threats in the wild before they can further harm the internet at large. Talos maintains the official rule sets of Snort.org, ClamAV, and SpamCop, in addition to releasing many open-source research and analysis tools. Talos provides an easy to use web UI to check an \u003ca href=\"https://www.talosintelligence.com/reputation\"\u003eobservable's reputation\u003c/a\u003e.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://threatfeeds.io\" target=\"_blank\"\u003ethreatfeeds.io\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n threatfeeds.io lists free and open-source threat intelligence feeds and sources and provides direct download links and live summaries.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://threatfox.abuse.ch/\" target=\"_blank\"\u003ethreatfox.abuse.ch\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n ThreatFox is a free platform from abuse.ch with the goal of sharing indicators of compromise (IOCs) associated with malware with the infosec community, AV vendors and threat intelligence providers.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://threatconnect.com/blog/ingest-technical-blogs-reports/\" target=\"_blank\"\u003eTechnical Blogs and Reports, by ThreatConnect\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n This source is being populated with the content from over 90 open source, security blogs. IOCs (\u003ca href=\"https://en.wikipedia.org/wiki/Indicator_of_compromise\" target=\"_blank\"\u003eIndicators of Compromise\u003c/a\u003e) are parsed out of each blog and the content of the blog is formatted in markdown.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://threatjammer.com\" target=\"_blank\"\u003eThreat Jammer\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Threat Jammer is a REST API service that allows developers, security engineers, and other IT professionals to access high-quality threat intelligence data from a variety of sources and integrate it into their applications with the sole purpose of detecting and blocking malicious activity.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.threatminer.org/\" target=\"_blank\"\u003eThreatMiner\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n ThreatMiner has been created to free analysts from data collection and to provide them a portal on which they can carry out their tasks, from reading reports to pivoting and data enrichment.\n The emphasis of ThreatMiner isn't just about indicators of compromise (IoC) but also to provide analysts with contextual information related to the IoC they are looking at.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://raw.githubusercontent.com/WSTNPHX/scripts-n-tools/master/malware-email-addresses.txt\"\u003eWSTNPHX Malware Email Addresses\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003eEmail addresses used by malware collected by VVestron Phoronix (WSTNPHX)\u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://portal.underattack.today/\" target=\"_blank\"\u003eUnderAttack.today\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003eUnderAttack is a free intelligence platform, it shares IPs and information about suspicious events and attacks. Registration is free.\u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://urlhaus.abuse.ch\"\u003eURLhaus\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003eURLhaus is a project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution.\u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://virusshare.com/\" target=\"_blank\"\u003eVirusShare\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n VirusShare.com is a repository of malware samples to provide security researchers, incident responders, forensic analysts, and the morbidly curious access to samples of malicious code. Access to the site is granted via invitation only.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/Yara-Rules/rules\" target=\"_blank\"\u003eYara-Rules\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n An open source repository with different Yara signatures that are compiled, classified and kept as up to date as possible.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://IOCFeed.mrlooquer.com/\" target=\"_blank\"\u003e1st Dual Stack Threat Feed by MrLooquer\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\nMrlooquer has created the first threat feed focused on systems with dual stack. Since IPv6 protocol has begun to be part of malware and fraud communications, It is necessary to detect and mitigate the threats in both protocols (IPv4 and IPv6).\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://app.validin.com/\"\u003eValidin DNS Database\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Free intelligence source for current and historical DNS information, finding other websites associated with certain IPs, and subdomain knowledge There is a \u003ca href=\"https://app.validin.com/docs\"\u003efree API for IP and domain intelligence\u003c/a\u003e as well. \n \u003c/td\u003e\n \u003c/tr\u003e\n\u003c/table\u003e\n\n## Formats\n\nStandardized formats for sharing Threat Intelligence (mostly IOCs).\n\n\u003ctable\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://capec.mitre.org/\" target=\"_blank\"\u003eCAPEC\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The Common Attack Pattern Enumeration and Classification (CAPEC) is a comprehensive dictionary and classification taxonomy of known attacks that can be used by analysts, developers, testers, and educators to advance community understanding and enhance defenses.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://cyboxproject.github.io/\" target=\"_blank\"\u003eCybOX\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The Cyber Observable eXpression (CybOX) language provides a common structure for representing cyber observables across and among the operational areas of enterprise cyber security that improves the consistency, efficiency, and interoperability of deployed tools and processes, as well as increases overall situational awareness by enabling the potential for detailed automatable sharing, mapping, detection, and analysis heuristics.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://tools.ietf.org/html/rfc5070\" target=\"_blank\"\u003eIODEF (RFC5070)\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The Incident Object Description Exchange Format (IODEF) defines a data representation that provides a framework for sharing information commonly exchanged by Computer Security Incident Response Teams (CSIRTs) about computer security incidents.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://tools.ietf.org/html/rfc4765\" target=\"_blank\"\u003eIDMEF (RFC4765)\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n \u003ci\u003eExperimental\u003c/i\u003e - The purpose of the Intrusion Detection Message Exchange Format (IDMEF) is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems and to the management systems that may need to interact with them.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://maecproject.github.io/\" target=\"_blank\"\u003eMAEC\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The Malware Attribute Enumeration and Characterization (MAEC) projects is aimed at creating and providing a standardized language for sharing structured information about malware based upon attributes such as behaviors, artifacts, and attack patterns.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=openc2\" target=\"_blank\"\u003eOpenC2\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n OASIS Open Command and Control (OpenC2) Technical Committee. The OpenC2 TC will base its efforts on artifacts generated by the OpenC2 Forum. Prior to the creation of this TC and specification, the OpenC2 Forum was a community of cyber-security stakeholders that was facilitated by the National Security Agency (NSA). The OpenC2 TC was chartered to draft documents, specifications, lexicons or other artifacts to fulfill the needs of cyber security command and control in a standardized manner.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://oasis-open.github.io/cti-documentation/\" target=\"_blank\"\u003eSTIX 2.0\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The Structured Threat Information eXpression (STIX) language is a standardized construct to represent cyber threat information. The STIX Language intends to convey the full range of potential cyber threat information and strives to be fully expressive, flexible, extensible, and automatable. STIX does not only allow tool-agnostic fields, but also provides so-called \u003ci\u003etest mechanisms\u003c/i\u003e that provide means for embedding tool-specific elements, including OpenIOC, Yara and Snort. STIX 1.x has been archived \u003ca href=\"https://stixproject.github.io/\" target=\"_blank\"\u003ehere\u003c/a\u003e.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://taxiiproject.github.io/\" target=\"_blank\"\u003eTAXII\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The Trusted Automated eXchange of Indicator Information (TAXII) standard defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organization and product/service boundaries. TAXII defines concepts, protocols, and message exchanges to exchange cyber threat information for the detection, prevention, and mitigation of cyber threats.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"http://veriscommunity.net/index.html\" target=\"_blank\"\u003eVERIS\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. VERIS is a response to one of the most critical and persistent challenges in the security industry - a lack of quality information. In addition to providing a structured format, VERIS also collects data from the community to report on breaches in the Verizon Data Breach Investigations Report (\u003ca target=\"_blank\" href=\"http://www.verizonenterprise.com/verizon-insights-lab/dbir/\"\u003eDBIR\u003c/a\u003e) and publishes this database online in a GitHub \u003ca target=\"_blank\" href=\"https://github.com/vz-risk/VCDB\"\u003erepository.org\u003c/a\u003e.\n \u003c/td\u003e\n \u003c/tr\u003e\n\u003c/table\u003e\n\n## Frameworks and Platforms\n\nFrameworks, platforms and services for collecting, analyzing, creating and sharing Threat Intelligence.\n\n\u003ctable\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/abusesa/abusehelper\" target=\"_blank\"\u003eAbuseHelper\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n AbuseHelper is an open-source framework for receiving and redistributing abuse feeds and threat intel.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://abuse.io/\" target=\"_blank\"\u003eAbuseIO\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n A toolkit to receive, process, correlate and notify end users about abuse reports, thereby consuming threat intelligence feeds.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.cisa.gov/ais\" target=\"_blank\"\u003eAIS\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The Cybersecurity and Infrastructure Security Agency (CISA) free Automated Indicator Sharing (AIS) capability enables the exchange of cyber threat indicators between the Federal Government and the private sector at machine speed. Threat indicators are pieces of information like malicious IP addresses or the sender address of a phishing email (although they can also be much more complicated).\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/csirtgadgets/bearded-avenger\" target=\"_blank\"\u003eBearded Avenger\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The fastest way to consume threat intelligence. Successor to CIF.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://community.blueliv.com/\" target=\"_blank\"\u003eBlueliv Threat Exchange Network\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Allows participants to share threat indicators with the community.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/TheHive-Project/Cortex\" target=\"_blank\"\u003eCortex\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Cortex allows observables, such as IPs, email addresses, URLs, domain names, files or hashes, to be analyzed one by one or in bulk mode using a single web interface. The web interface acts as a frontend for numerous analyzers, removing the need for integrating these yourself during analysis. Analysts can also use the Cortex REST API to automate parts of their analysis.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://crits.github.io/\" target=\"_blank\"\u003eCRITS\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n CRITS is a platform that provides analysts with the means to conduct collaborative research into malware and threats. It plugs into a centralized intelligence data repository, but can also be used as a private instance.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"http://csirtgadgets.org/collective-intelligence-framework\" target=\"_blank\"\u003eCIF\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The Collective Intelligence Framework (CIF) allows you to combine known malicious threat information from many sources and use that information for IR, detection and mitigation. Code available on \u003ca href=\"https://github.com/csirtgadgets/massive-octo-spice\" target=\"_blank\"\u003eGitHub\u003c/a\u003e.\n \u003c/td\u003e\n \u003c/tr\u003e\n\u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://cyware.com/ctix-stix-taxii-cyber-threat-intelligence-exchange\" target=\"_blank\"\u003eCTIX\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n CTIX is a smart, client-server threat intelligence platform (TIP) for ingestion, enrichment, analysis, and bi-directional sharing of threat data within your trusted network.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.eclecticiq.com/platform\" target=\"_blank\"\u003eEclecticIQ Platform\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n EclecticIQ Platform is a STIX/TAXII based Threat Intelligence Platform (TIP) that empowers threat analysts to perform faster, better, and deeper investigations while disseminating intelligence at machine-speed.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.enisa.europa.eu/topics/csirt-cert-services/community-projects/incident-handling-automation\" target=\"_blank\"\u003eIntelMQ\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n IntelMQ is a solution for CERTs for collecting and processing security feeds, pastebins, tweets using a message queue protocol. It's a community driven initiative called IHAP (Incident Handling Automation Project) which was conceptually designed by European CERTs during several InfoSec events. Its main goal is to give to incident responders an easy way to collect \u0026 process threat intelligence thus improving the incident handling processes of CERTs.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/intelowlproject/IntelOwl/\" target=\"_blank\"\u003eIntelOwl\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Intel Owl is an OSINT solution to get threat intelligence data about a specific file, an IP or a domain from a single API at scale. Intel Owl is composed of analyzers that can be run to retrieve data from external sources (like VirusTotal or AbuseIPDB) or to generate intel from internal analyzers (like Yara or Oletools). It can be integrated easily in your stack of security tools (\u003ca href=\"https://github.com/intelowlproject/pyintelowl\" target=\"_blank\"\u003epyintelowl\u003c/a\u003e) to automate common jobs usually performed, for instance, by SOC analysts manually.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.kaspersky.com/enterprise-security/threat-intelligence\" target=\"_blank\"\u003eKaspersky Threat Intelligence Portal\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n A website that provides a knowledge base describing cyber threats, legitimate objects, and their relationships, brought together into a single web service. Subscribing to Kaspersky Lab’s Threat Intelligence Portal provides you with a single point of entry to four complementary services: Kaspersky Threat Data Feeds, Threat Intelligence Reporting, Kaspersky Threat Lookup and Kaspersky Research Sandbox, all available in human-readable and machine-readable formats.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/byt3smith/malstrom\" target=\"_blank\"\u003eMalstrom\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Malstrom aims to be a repository for threat tracking and forensic artifacts, but also stores YARA rules and notes for investigation. Note: Github project has been archived (no new contributions accepted).\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/stratosphereips/Manati\" target=\"_blank\"\u003eManaTI\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The ManaTI project assists threat analyst by employing machine learning techniques that find new relationships and inferences automatically.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"http://django-mantis.readthedocs.io/en/latest/\" target=\"_blank\"\u003eMANTIS\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The Model-based Analysis of Threat Intelligence Sources (MANTIS) Cyber Threat Intelligence Management Framework supports the management of cyber threat intelligence expressed in various standard languages, like STIX and CybOX. It is *not* ready for large-scale production though.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/cert-se/megatron-java\" target=\"_blank\"\u003eMegatron\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Megatron is a tool implemented by CERT-SE which collects and analyses bad IPs, can be used to calculate statistics, convert and analyze log files and in abuse \u0026 incident handling.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/PaloAltoNetworks/minemeld/wiki\" target=\"_blank\"\u003eMineMeld\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n An extensible Threat Intelligence processing framework created Palo Alto Networks.\n It can be used to manipulate lists of indicators and transform and/or aggregate them for consumption by third party enforcement infrastructure.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"http://www.misp-project.org/\" target=\"_blank\"\u003eMISP\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The Malware Information Sharing Platform (MISP) is an open source software solution for collecting, storing, distributing and sharing cyber security indicators and malware analysis.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/CERT-Polska/n6\" target=\"_blank\"\u003en6\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n n6 (Network Security Incident eXchange) is a system to collect, manage and distribute security information on a large scale. Distribution is realized through a simple REST API and a web interface that authorized users can use to receive various types of data, in particular information on threats and incidents in their networks. It is developed by \u003ca href=\"https://www.cert.pl/en/\" target=\"_blank\"\u003eCERT Polska\u003c/a\u003e.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.opencti.io/en/\" target=\"_blank\"\u003eOpenCTI\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n OpenCTI, the Open Cyber Threat Intelligence platform, allows organizations to manage their cyber threat intelligence knowledge and observables. Its goal is to structure, store, organize and visualize technical and non-technical information about cyber threats. Data is structured around a knowledge schema based on the STIX2 standards. OpenCTI can be integrated with other tools and platforms, including MISP, TheHive, and MITRE ATT\u0026CK, a.o.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.fireeye.com/services/freeware.html\" target=\"_blank\"\u003eOpenIOC\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n OpenIOC is an open framework for sharing threat intelligence. It is designed to exchange threat information both internally and externally in a machine-digestible format.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/EclecticIQ/OpenTAXII\" target=\"_blank\"\u003eOpenTAXII\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n OpenTAXII is a robust Python implementation of TAXII Services that delivers a rich feature set and a friendly Pythonic API built on top of a well designed application.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/Ptr32Void/OSTrICa\" target=\"_blank\"\u003eOSTrICa\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n An open source plugin-oriented framework to collect and visualize Threat Intelligence information.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://otx.alienvault.com\" target=\"_blank\"\u003eOTX - Open Threat Exchange\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n AlienVault Open Threat Exchange (OTX) provides open access to a global community of threat researchers and security professionals. It delivers community-generated threat data, enables collaborative research, and automates the process of updating your security infrastructure with threat data from any source.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/Lookingglass/opentpx/\" target=\"_blank\"\u003eOpen Threat Partner eXchange\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The Open Threat Partner eXchange (OpenTPX) consists of an open-source format and tools for exchanging machine-readable threat intelligence and network security operations data. It is a JSON-based format that allows sharing of data between connected systems.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://community.riskiq.com/\" target=\"_blank\"\u003ePassiveTotal\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The PassiveTotal platform offered by RiskIQ is a threat-analysis platform which provides analysts with as much data as possible in order to prevent attacks before they happen. Several types of solutions are offered, as well as integrations (APIs) with other systems.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://pulsedive.com/\" target=\"_blank\"\u003ePulsedive\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Pulsedive is a free, community threat intelligence platform that is consuming open-source feeds, enriching the IOCs, and running them through a risk-scoring algorithm to improve the quality of the data. It allows users to submit, search, correlate, and update IOCs; lists \"risk factors\" for why IOCs are higher risk; and provides a high level view of threats and threat activity.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.recordedfuture.com/\" target=\"_blank\"\u003eRecorded Future\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Recorded Future is a premium SaaS product that automatically unifies threat intelligence from open, closed, and technical sources into a single solution. Their technology uses natural language processing (NLP) and machine learning to deliver that threat intelligence in real time — making Recorded Future a popular choice for IT security teams.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/Netflix/Scumblr\" target=\"_blank\"\u003eScumblr\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Scumblr is a web application that allows performing periodic syncs of data sources (such as Github repositories and URLs) and performing analysis (such as static analysis, dynamic checks, and metadata collection) on the identified results.\n Scumblr helps you streamline proactive security through an intelligent automation framework to help you identify, track, and resolve security issues faster.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.anomali.com/platform/staxx\" target=\"_blank\"\u003eSTAXX (Anomali)\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Anomali STAXX™ gives you a free, easy way to subscribe to any STIX/TAXII feed. Simply download the STAXX client, configure your data sources, and STAXX will handle the rest.\n \u003c/td\u003e\n \u003c/tr\u003e \n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"http://stoq.punchcyber.com/\" target=\"_blank\"\u003estoQ\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n stoQ is a framework that allows cyber analysts to organize and automate repetitive, data-driven tasks. It features plugins for many other systems to interact with.\n One use case is the extraction of IOCs from documents, an example of which is shown \u003ca href=\"https://stoq-framework.blogspot.nl/2016/04/operationalizing-indicators.html\" target=\"_blank\"\u003ehere\u003c/a\u003e, but it can also be used for deobfuscationg and decoding of content and automated scanning with YARA, for example.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/tripwire/tardis\" target=\"_blank\"\u003eTARDIS\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The Threat Analysis, Reconnaissance, and Data Intelligence System (TARDIS) is an open source framework for performing historical searches using attack signatures.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.threatconnect.com/\" target=\"_blank\"\u003eThreatConnect\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n ThreatConnect is a platform with threat intelligence, analytics, and orchestration capabilities. It is designed to help you collect data, produce intelligence, share it with others, and take action on it.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.threatcrowd.org/\" target=\"_blank\"\u003eThreatCrowd\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n ThreatCrowd is a system for finding and researching artefacts relating to cyber threats.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.threatpipes.com\" target=\"_blank\"\u003eThreatPipes\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Stay two steps ahead of your adversaries. Get a complete picture of how they will exploit you.\n \u003cbr /\u003e\n ThreatPipes is a reconnaissance tool that automatically queries 100’s of data sources to gather intelligence on IP addresses, domain names, e-mail addresses, names and more.\n \u003cbr /\u003e\n You simply specify the target you want to investigate, pick which modules to enable and then ThreatPipes will collect data to build up an understanding of all the entities and how they relate to each other.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://developers.facebook.com/docs/threat-exchange/\" target=\"_blank\"\u003eThreatExchange\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Facebook created ThreatExchange so that participating organizations can share threat data using a convenient, structured, and easy-to-use API that provides privacy controls to enable sharing with only desired groups. This project is still in \u003cb\u003ebeta\u003c/b\u003e. Reference code can be found at \u003ca href=\"https://github.com/facebook/ThreatExchange\" target=\"_blank\"\u003eGitHub\u003c/a\u003e.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/typedb-osi/typedb-cti\" target=\"_blank\"\u003eTypeDB CTI\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n\t\tTypeDB Data - CTI is an open source threat intelligence platform for organisations to store and manage their cyber threat intelligence (CTI) knowledge. It enables threat intel professionals to bring together their disparate CTI information into one database and find new insights about cyber threats. This repository provides a schema that is based on STIX2, and contains MITRE ATT\u0026CK as an example dataset to start exploring this threat intelligence platform. More in this \u003ca href=\"https://blog.vaticle.com/introducing-a-knowledge-graph-for-cyber-threat-intelligence-with-typedb-bdb559a92d2a\" target=\"_blank\"\u003eblog post\u003c/a\u003e.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://beta.virusbay.io/\" target=\"_blank\"\u003eVirusBay\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n VirusBay is a web-based, collaboration platform that connects security operations center (SOC) professionals with relevant malware researchers.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/brianwarehime/threatnote\" target=\"_blank\"\u003ethreatnote.io\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The new and improved threatnote.io - A tool for CTI analysts and teams to manage intel requirements, reporting, and CTI processes in an all-in-one platform\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://exchange.xforce.ibmcloud.com/\" target=\"_blank\"\u003eXFE - X-Force Exchange\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The X-Force Exchange (XFE) by IBM XFE is a free SaaS product that you can use to search for threat intelligence information, collect your findings, and share your insights with other members of the XFE community.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://yeti-platform.github.io/\" target=\"_blank\"\u003eYeti\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The open, distributed, machine and analyst-friendly threat intelligence repository. Made by and for incident responders.\n \u003c/td\u003e\n \u003c/tr\u003e\n\u003c/table\u003e\n\n\n\n## Tools\n\nAll kinds of tools for parsing, creating and editing Threat Intelligence. Mostly IOC based.\n\n\u003ctable\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/jalewis/actortrackr\" target=\"_blank\"\u003eActorTrackr\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n ActorTrackr is an open source web application for storing/searching/linking actor related data. The primary sources are from users and various public repositories. Source available on \u003ca href=\"https://github.com/jalewis/actortrackr\" target=\"_blank\"\u003eGitHub\u003c/a\u003e.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://bitbucket.org/camp0/aiengine\" target=\"_blank\"\u003eAIEngine\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n AIEngine is a next generation interactive/programmable Python/Ruby/Java/Lua packet inspection engine with capabilities of learning without any human intervention, NIDS(Network Intrusion Detection System) functionality, DNS domain classification, network collector, network forensics and many others.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/referefref/aiocrioc\" target=\"_blank\"\u003eAIOCRIOC\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Artificial Intelligence Ocular Character Recognition Indicator of Compromise (AIOCRIOC) is a tool that combines web scraping, the OCR capabilities of Tesseract and OpenAI compatible LLM API's such as GPT-4 to parse and extract IOCs from reports and other web content including embedded images with contextual data.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://analyze.intezer.com\" target=\"_blank\"\u003eAnalyze (Intezer)\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Analyze is an all-in-one malware analysis platform that is able to perform static, dynamic, and genetic code analysis on all types of files. Users can track malware families, extract IOCs/MITRE TTPs, and download YARA signatures. There is a community edition to get started for free.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/1aN0rmus/TekDefense-Automater\" target=\"_blank\"\u003eAutomater\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Automater is a URL/Domain, IP Address, and Md5 Hash OSINT tool aimed at making the analysis process easier for intrusion Analysts.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/svdwi/BlueBox\" target=\"_blank\"\u003eBlueBox\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n BlueBox is an OSINT solution to get threat intelligence data about a specific file, an IP, a domain or URL and analyze them.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://botscout.com/\"\u003eBotScout\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n BotScout helps prevent automated web scripts, known as \"bots\", from registering on forums, polluting databases, spreading spam, and abusing forms on web sites.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/exp0se/bro-intel-generator\" target=\"_blank\"\u003ebro-intel-generator\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Script for generating Bro intel files from pdf or html reports.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/EclecticIQ/cabby\" target=\"_blank\"\u003ecabby\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n A simple Python library for interacting with TAXII servers.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/sroberts/cacador\" target=\"_blank\"\u003ecacador\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Cacador is a tool written in Go for extracting common indicators of compromise from a block of text.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/mlsecproject/combine\" target=\"_blank\"\u003eCombine\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Combine gathers Threat Intelligence Feeds from publicly available sources.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/CrowdStrike/CrowdFMS\" target=\"_blank\"\u003eCrowdFMS\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n CrowdFMS is a framework for automating collection and processing of samples from VirusTotal, by leveraging the Private API system.\n The framework automatically downloads recent samples, which triggered an alert on the users YARA notification feed.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://cybergordon.com/\" target=\"_blank\"\u003eCyberGordon\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n CyberGordon is a threat intelligence search engine. It leverages 30+ sources.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/CylanceSPEAR/CyBot\" target=\"_blank\"\u003eCyBot\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n CyBot is a threat intelligence chat bot. It can perform several types of lookups offered by custom modules.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/cuckoosandbox/cuckoo\" target=\"_blank\"\u003eCuckoo Sandbox\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Cuckoo Sandbox is an automated dynamic malware analysis system. It's the most well-known open source malware analysis sandbox around and is frequently deployed by researchers, CERT/SOC teams, and threat intelligence teams all around the globe. For many organizations Cuckoo Sandbox provides a first insight into potential malware samples.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/Neo23x0/Fenrir\" target=\"_blank\"\u003eFenrir\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Simple Bash IOC Scanner.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/spacepatcher/FireHOL-IP-Aggregator\" target=\"_blank\"\u003eFireHOL IP Aggregator\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Application for keeping feeds from FireHOL \u003ca href=\"https://github.com/firehol/blocklist-ipsets\" target=\"_blank\"\u003eblocklist-ipsets\u003c/a\u003e with IP addresses appearance history. HTTP-based API service is developed for search requests.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/byt3smith/Forager\" target=\"_blank\"\u003eForager\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Multithreaded threat intelligence hunter-gatherer script.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.gigasheet.co\" target=\"_blank\"\u003eGigasheet\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Gigasheet is a SaaS product used to analyze massive, and disparate cybersecurity data sets. Import massive log files, netflow, pcaps, big CSVs and more.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/BinaryDefense/goatrider\" target=\"_blank\"\u003eGoatRider\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n GoatRider is a simple tool that will dynamically pull down Artillery Threat Intelligence Feeds, TOR, AlienVaults OTX, and the Alexa top 1 million websites and do a comparison to a hostname file or IP file.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://cse.google.com/cse/publicurl?cx=003248445720253387346:turlh5vi4xc\" target=\"_blank\"\u003eGoogle APT Search Engine\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n APT Groups, Operations and Malware Search Engine. The sources used for this Google Custom Search are listed on \u003ca href=\"https://gist.github.com/Neo23x0/c4f40629342769ad0a8f3980942e21d3\" target=\"_blank\"\u003ethis\u003c/a\u003e GitHub gist.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/ciscocsirt/gosint\" target=\"_blank\"\u003eGOSINT\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The GOSINT framework is a free project used for collecting, processing, and exporting high quality public indicators of compromise (IOCs).\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://hashdd.com/\" target=\"_blank\"\u003ehashdd\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n A tool to lookup related information from crytographic hash value\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/exp0se/harbinger\" target=\"_blank\"\u003eHarbinger Threat Intelligence\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Python script that allows to query multiple online threat aggregators from a single interface.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/TheHive-Project/Hippocampe\" target=\"_blank\"\u003eHippocampe\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Hippocampe aggregates threat feeds from the Internet in an Elasticsearch cluster. It has a REST API which allows to search into its 'memory'. It is based on a Python script which fetchs URLs corresponding to feeds, parses and indexes them.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/S03D4-164/Hiryu\" target=\"_blank\"\u003eHiryu\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n A tool to organize APT campaign information and to visualize relations between IOCs.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.fireeye.com/services/freeware/ioc-editor.html\" target=\"_blank\"\u003eIOC Editor\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n A free editor for Indicators of Compromise (IOCs).\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/fhightower/ioc-finder\" target=\"_blank\"\u003eIOC Finder\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Python library for finding indicators of compromise in text. Uses grammars rather than regexes for improved comprehensibility. As of February, 2019, it parses over 18 indicator types.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/ioc-fang/ioc_fanger\" target=\"_blank\"\u003eIOC Fanger (and Defanger)\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Python library for fanging (`hXXp://example[.]com` =\u003e `http://example.com`) and defanging (`http://example.com` =\u003e `hXXp://example[.]com`) indicators of compromise in text.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/armbues/ioc_parser\" target=\"_blank\"\u003eioc_parser\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Tool to extract indicators of compromise from security reports in PDF format.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/mandiant/ioc_writer\" target=\"_blank\"\u003eioc_writer\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Provides a Python library that allows for basic creation and editing of OpenIOC objects.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/InQuest/python-iocextract\" target=\"_blank\"\u003eiocextract\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Extracts URLs, IP addresses, MD5/SHA hashes, email addresses, and YARA rules from text corpora. Includes some encoded and “defanged” IOCs in the output, and optionally decodes/refangs them.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/stephenbrannon/IOCextractor\" target=\"_blank\"\u003eIOCextractor\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n IOC (Indicator of Compromise) Extractor is a program to help extract IOCs from text files. The general goal is to speed up the process of parsing structured data (IOCs) from unstructured or semi-structured data\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/johestephan/ibmxforceex.checker.py\" target=\"_blank\"\u003eibmxforceex.checker.py\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Python client for the IBM X-Force Exchange.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/sroberts/jager\" target=\"_blank\"\u003ejager\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Jager is a tool for pulling useful IOCs (indicators of compromise) out of various input sources (PDFs for now, plain text really soon, webpages eventually) and putting them into an easy to manipulate JSON format.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://support.kaspersky.com/13850\" target=\"_blank\"\u003eKaspersky CyberTrace\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Threat intelligence fusion and analysis tool that integrates threat data feeds with SIEM solutions. Users can immediately leverage threat intelligence for security monitoring and incident report (IR) activities in the workflow of their existing security operations.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/KasperskyLab/klara\" target=\"_blank\"\u003eKLara\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n KLara, a distributed system written in Python, allows researchers to scan one or more Yara rules over collections with samples, getting notifications by e-mail as well as the web interface when scan results are ready.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/TAXIIProject/libtaxii\" target=\"_blank\"\u003elibtaxii\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n A Python library for handling TAXII Messages invoking TAXII Services.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/Neo23x0/Loki\" target=\"_blank\"\u003eLoki\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Simple IOC and Incident Response Scanner.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://bitbucket.org/ssanthosh243/ip-lookup-docker\" target=\"_blank\"\u003eLookUp\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n LookUp is a centralized page to get various threat information about an IP address. It can be integrated easily into context menus of tools like SIEMs and other investigative tools.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/HurricaneLabs/machinae\" target=\"_blank\"\u003eMachinae\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Machinae is a tool for collecting intelligence from public sites/feeds about various security-related pieces of data: IP addresses, domain names, URLs, email addresses, file hashes and SSL fingerprints.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/silascutler/MalPipe\" target=\"_blank\"\u003eMalPipe\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Amodular malware (and indicator) collection and processing framework. It is designed to pull malware, domains, URLs and IP addresses from multiple feeds, enrich the collected data and export the results.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/MISP/misp-workbench\" target=\"_blank\"\u003eMISP Workbench\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Tools to export data out of the MISP MySQL database and use and abuse them outside of this platform.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/MISP/MISP-Taxii-Server\" target=\"_blank\"\u003eMISP-Taxii-Server\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n A set of configuration files to use with EclecticIQ's OpenTAXII implementation, along with a callback for when data is sent to the TAXII Server's inbox.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/microsoft/msticpy\" target=\"_blank\"\u003eMSTIC Jupyter and Python Security Tools\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n msticpy is a library for InfoSec investigation and hunting in Jupyter Notebooks. \n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/paulpc/nyx\" target=\"_blank\"\u003enyx\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The goal of this project is to facilitate distribution of Threat Intelligence artifacts to defensive systems and to enhance the value derived from both open source and commercial tools.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/fhightower/onemillion\" target=\"_blank\"\u003eOneMillion\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Python library to determine if a domain is in the Alexa or Cisco top, one million domain lists.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/STIXProject/openioc-to-stix\" target=\"_blank\"\u003eopenioc-to-stix\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Generate STIX XML from OpenIOC XML.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/InQuest/omnibus\" target=\"_blank\"\u003eOmnibus\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Omnibus is an interactive command line application for collecting and managing IOCs/artifacts (IPs, Domains, Email Addresses, Usernames, and Bitcoin Addresses), enriching these artifacts with OSINT data from public sources, and providing the means to store and access these artifacts in a simple way.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/kx499/ostip/wiki\" target=\"_blank\"\u003eOSTIP\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n A homebrew threat data platform.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/mgeide/poortego\" target=\"_blank\"\u003epoortego\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Open-source project to handle the storage and linking of open-source intelligence (ala Maltego, but free as in beer and not tied to a specific / proprietary database). Originally developed in ruby, but new codebase completely rewritten in python.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/yahoo/PyIOCe\" target=\"_blank\"\u003ePyIOCe\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n PyIOCe is an IOC editor written in Python.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/QTek/QRadio\" target=\"_blank\"\u003eQRadio\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n QRadio is a tool/framework designed to consolidate cyber threats intelligence sources.\n The goal of the project is to establish a robust modular framework for extraction of intelligence data from vetted sources.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/aboutsecurity/rastrea2r\" target=\"_blank\"\u003erastrea2r\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Collecting \u0026 Hunting for Indicators of Compromise (IOC) with gusto and style!\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.fireeye.com/services/freeware/redline.html\" target=\"_blank\"\u003eRedline\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n A host investigations tool that can be used for, amongst others, IOC analysis.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/ocmdev/rita\" target=\"_blank\"\u003eRITA\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Real Intelligence Threat Analytics (RITA) is intended to help in the search for indicators of compromise in enterprise networks of varying size.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/spacepatcher/softrace\" target=\"_blank\"\u003eSoftrace\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Lightweight National Software Reference Library RDS storage.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/0x4d31/sqhunter\" target=\"_blank\"\u003esqhunter\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Threat hunter based on osquery, Salt Open and Cymon API. It can query open network sockets and check them against threat intelligence sources\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/SecurityRiskAdvisors/sra-taxii2-server\" target=\"_blank\"\u003eSRA TAXII2 Server\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Full TAXII 2.0 specification server implemented in Node JS with MongoDB backend.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://stixvalidator.com\" target=\"_blank\"\u003eStixvalidator.com\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Stixvalidator.com is an online free STIX and STIX2 validator service.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/traut/stixview\" target=\"_blank\"\u003eStixview\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Stixview is a JS library for embeddable interactive STIX2 graphs.\n \u003c/td\u003e\n \u003c/tr\u003e\n\t\u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/STIXProject/stix-viz\" target=\"_blank\"\u003estix-viz\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n STIX Visualization Tool.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://test.taxiistand.com/\" target=\"_blank\"\u003eTAXII Test Server\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Allows you to test your TAXII environment by connecting to the provided services and performing the different functions as written in the TAXII specifications.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/jpsenior/threataggregator\" target=\"_blank\"\u003ethreataggregator\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n ThreatAggregrator aggregates security threats from a number of online sources, and outputs to various formats, including CEF, Snort and IPTables rules.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/jheise/threatcrowd_api\" target=\"_blank\"\u003ethreatcrowd_api\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Python Library for ThreatCrowd's API.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/jheise/threatcmd\" target=\"_blank\"\u003ethreatcmd\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Cli interface to ThreatCrowd.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/syphon1c/Threatelligence\" target=\"_blank\"\u003eThreatelligence\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Threatelligence is a simple cyber threat intelligence feed collector, using Elasticsearch, Kibana and Python to automatically collect intelligence from custom or public sources. Automatically updates feeds and tries to further enhance data for dashboards. Projects seem to be no longer maintained, however.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/InQuest/ThreatIngestor\" target=\"_blank\"\u003eThreatIngestor\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Flexible, configuration-driven, extensible framework for consuming threat intelligence. ThreatIngestor can watch Twitter, RSS feeds, and other sources, extract meaningful information like C2 IPs/domains and YARA signatures, and send that information to other systems for analysis.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://chrome.google.com/webstore/detail/threatpinch-lookup/ljdgplocfnmnofbhpkjclbefmjoikgke\" target=\"_blank\"\u003eThreatPinch Lookup\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n An extension for Chrome that creates hover popups on every page for IPv4, MD5, SHA2, and CVEs. It can be used for lookups during threat investigations.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/michael-yip/ThreatTracker\" target=\"_blank\"\u003eThreatTracker\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n A Python script designed to monitor and generate alerts on given sets of IOCs indexed by a set of Google Custom Search Engines.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/Yelp/threat_intel\" target=\"_blank\"\u003ethreat_intel\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Several APIs for Threat Intelligence integrated in a single package. Included are: OpenDNS Investigate, VirusTotal and ShadowServer.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/abhinavbom/Threat-Intelligence-Hunter\" target=\"_blank\"\u003eThreat-Intelligence-Hunter\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n TIH is an intelligence tool that helps you in searching for IOCs across multiple openly available security feeds and some well known APIs. The idea behind the tool is to facilitate searching and storing of frequently added IOCs for creating your own local database of indicators.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/mlsecproject/tiq-test\" target=\"_blank\"\u003etiq-test\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The Threat Intelligence Quotient (TIQ) Test tool provides visualization and statistical analysis of TI feeds.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/TAXIIProject/yeti\" target=\"_blank\"\u003eYETI\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n YETI is a proof-of-concept implementation of TAXII that supports the Inbox, Poll and Discovery services defined by the TAXII Services Specification.\n \u003c/td\u003e\n \u003c/tr\u003e\n\u003c/table\u003e\n\n\n\n## \u003ca name=\"research\"\u003e\u003c/a\u003eResearch, Standards \u0026 Books\n\nAll kinds of reading material about Threat Intelligence. Includes (scientific) research and whitepapers.\n\n\u003ctable\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections\" target=\"_blank\"\u003eAPT \u0026 Cyber Criminal Campaign Collection\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Extensive collection of (historic) campaigns. Entries come from various sources.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/kbandla/APTnotes\" target=\"_blank\"\u003eAPTnotes\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n A great collection of sources regarding \u003ci\u003eAdvanced Persistent Threats\u003c/i\u003e (APTs). These reports usually include strategic and tactical knowledge or advice.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://attack.mitre.org/\" target=\"_blank\"\u003eATT\u0026CK\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Adversarial Tactics, Techniques, and Common Knowledge (ATT\u0026CK™) is a model and framework for describing the actions an adversary may take while operating within an enterprise network. ATT\u0026CK is a constantly growing common reference for post-access techniques that brings greater awareness of what actions may be seen during a network intrusion. MITRE is actively working on integrating with related construct, such as CAPEC, STIX and MAEC.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"http://www.activeresponse.org/building-threat-hunting-strategy-with-the-diamond-model/\" target=\"_blank\"\u003eBuilding Threat Hunting Strategies with the Diamond Model\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Blogpost by Sergio Caltagirone on how to develop intelligent threat hunting strategies by using the Diamond Model.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://car.mitre.org/wiki/Main_Page\" target=\"_blank\"\u003eCyber Analytics Repository by MITRE\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE based on the Adversary Tactics, Techniques, and Common Knowledge (ATT\u0026CK™) threat model.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://cti-cmm.org/\" target=\"_blank\"\u003eCyber Threat Intelligence Capability Maturity Model (CTI-CMM)\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n A new \u003ca href=\"https://cti-cmm.org/\" target=\"_blank\"\u003eCyber Threat Intelligence Capability Maturity Model (CTI-CMM)\u003c/a\u003e using a stakeholder-first approach and aligned with the \u003ca href=\"https://www.energy.gov/ceser/cybersecurity-capability-maturity-model-c2m2\" target=\"_blank\"\u003eCybersecurity Capability Maturity Model (C2M2)\u003c/a\u003e to empower your team and create lasting value.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://github.com/mitre/cti\" target=\"_blank\"\u003eCyber Threat Intelligence Repository by MITRE\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The Cyber Threat Intelligence Repository of ATT\u0026CK and CAPEC catalogs expressed in STIX 2.0 JSON.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.tandfonline.com/doi/full/10.1080/08850607.2020.1780062\" target=\"_blank\"\u003eCyber Threat Intelligence: A Product Without a Process?\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n A research paper describing how current cyber threat intelligence products fall short and how they can be improved by introducing and evaluating sound methodologies and processes.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://cryptome.org/2015/09/cti-guide.pdf\" target=\"_blank\"\u003eDefinitive Guide to Cyber Threat Intelligence\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n Describes the elements of cyber threat intelligence and discusses how it is collected, analyzed, and used by a variety of human and technology consumers. Further examines how intelligence can improve cybersecurity at tactical, operational, and strategic levels, and how it can help you stop attacks sooner, improve your defenses, and talk more productively about cybersecurity issues with executive management in typical \u003ci\u003efor Dummies\u003c/i\u003e style.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://ryanstillions.blogspot.nl/2014/04/the-dml-model_21.html\" target=\"_blank\"\u003eThe Detection Maturity Level (DML)\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The DML model is a capability maturity model for referencing ones maturity in detecting cyber attacks.\n It's designed for organizations who perform intel-driven detection and response and who put an emphasis on having a mature detection program.\n The maturity of an organization is not measured by it's ability to merely obtain relevant intelligence, but rather it's capacity to apply that intelligence effectively to detection and response functions.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"docs/diamond.pdf\" target=\"_blank\"\u003eThe Diamond Model of Intrusion Analysis\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n This paper presents the Diamond Model, a cognitive framework and analytic instrument to support and improve intrusion analysis. Supporting increased measurability, testability and repeatability in intrusion analysis in order to attain higher effectivity, efficiency and accuracy in defeating adversaries is one of its main contributions.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"docs/a547092.pdf\" target=\"_blank\"\u003eThe Targeting Process: D3A and F3EAD\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n F3EAD is a military methodology for combining operations and intelligence.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"docs/NIST.SP.800-150.pdf\" target=\"_blank\"\u003eGuide to Cyber Threat Information Sharing by NIST\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The Guide to Cyber Threat Information Sharing (NIST Special Publication 800-150) assists organizations in establishing computer security incident response capabilities that leverage the collective knowledge, experience, and abilities of their partners by actively sharing threat intelligence and ongoing coordination. The guide provides guidelines for coordinated incident handling, including producing and consuming data, participating in information sharing communities, and protecting incident-related data.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"docs/Intelligence Preparation for the Battlefield-Battlespace.pdf\" target=\"_blank\"\u003eIntelligence Preparation of the Battlefield/Battlespace\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n This publication discusses intelligence preparation of the battlespace (IPB) as a critical component of the military decision making and planning process and how IPB supports decision making, as well as integrating processes and continuing activities.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf\" target=\"_blank\"\u003eIntelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The intrusion kill chain as presented in this paper provides one with a structured approach to intrusion analysis, indicator extraction and performing defensive actions.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.isao.org\" target=\"_blank\"\u003eISAO Standards Organization\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The ISAO Standards Organization is a non-governmental organization established on October 1, 2015. Its mission is to improve the Nation’s cybersecurity posture by identifying standards and guidelines for robust and effective information sharing related to cybersecurity risks, incidents, and best practices.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"docs/jp2_0.pdf\" target=\"_blank\"\u003eJoint Publication 2-0: Joint Intelligence\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n This publication by the U.S army forms the core of joint intelligence doctrine and lays the foundation to fully integrate operations, plans and intelligence into a cohesive team. The concepts presented are applicable to (Cyber) Threat Intelligence too.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"http://download.microsoft.com/download/8/0/1/801358EC-2A0A-4675-A2E7-96C2E7B93E73/Framework_for_Cybersecurity_Info_Sharing.pdf\" target=\"_blank\"\u003eMicrosoft Research Paper\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n A framework for cybersecurity information sharing and risk reduction. A high level overview paper by Microsoft.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://tools.ietf.org/html/draft-dulaunoy-misp-core-format-00\" target=\"_blank\"\u003eMISP Core Format (draft)\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n This document describes the MISP core format used to exchange indicators and threat information between MISP (Malware Information and threat Sharing Platform) instances.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"http://www.necoma-project.eu/\" target=\"_blank\"\u003eNECOMA Project\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The Nippon-European Cyberdefense-Oriented Multilayer threat Analysis (NECOMA) research project is aimed at improving threat data collection and analysis to develop and demonstratie new cyberdefense mechanisms.\n As part of the project several publications and software projects have been published.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"docs/pyramidofpain.pdf\" target=\"_blank\"\u003ePyramid of Pain\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The Pyramid of Pain is a graphical way to express the difficulty of obtaining different levels of indicators and the amount of resources adversaries have to expend when obtained by defenders.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.amazon.com/Structured-Analytic-Techniques-Intelligence-Analysis/dp/1452241511\" target=\"_blank\"\u003eStructured Analytic Techniques For Intelligence Analysis\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n This book contains methods that represent the most current best practices in intelligence, law enforcement, homeland security, and business analysis.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"./docs/mwr-threat-intelligence-whitepaper.pdf\" target=\"_blank\"\u003eThreat Intelligence: Collecting, Analysing, Evaluating\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n This report by MWR InfoSecurity clearly describes several different types of threat intelligence, including strategic, tactical and operational variations. It also discusses the processes of requirements elicitation, collection, analysis, production and evaluation of threat intelligence. Also included are some quick wins and a maturity model for each of the types of threat intelligence defined by MWR InfoSecurity.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://aisel.aisnet.org/wi2017/track08/paper/3/\" target=\"_blank\"\u003eThreat Intelligence Sharing Platforms: An Exploratory Study of Software Vendors and Research Perspectives\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n A systematic study of 22 Threat Intelligence Sharing Platforms (TISP) surfacing eight key findings about the current state of threat intelligence usage, its definition and TISPs.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://www.us-cert.gov/tlp\" target=\"_blank\"\u003eTraffic Light Protocol\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The Traffic Light Protocol (TLP) is a set of designations used to ensure that sensitive information is shared with the correct audience. It employs four colors to indicate different degrees of sensitivity and the corresponding sharing considerations to be applied by the recipient(s).\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"https://pan-unit42.github.io/playbook_viewer/\" target=\"_blank\"\u003eUnit42 Playbook Viewer\u003c/a\u003e\n \u003c/td\u003e \n \u003ctd\u003e\n The goal of the Playbook is to organize the tools, techniques, and procedures that an adversary uses into a structured format, which can be shared with others, and built upon. The frameworks used to structure and share the adversary playbooks are MITRE's ATT\u0026CK Framework and STIX 2.0\n \u003c/td\u003e \n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"docs/sans-whos-using-cyberthreat-intelligence-and-how.pdf\" target=\"_blank\"\u003eWho's Using Cyberthreat Intelligence and How?\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n A whitepaper by the SANS Institute describing the usage of Threat Intelligence including a survey that was performed.\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd\u003e\n \u003ca href=\"http://www.wombat-project.eu/\" target=\"_blank\"\u003eWOMBAT Project\u003c/a\u003e\n \u003c/td\u003e\n \u003ctd\u003e\n The WOMBAT project aims at providing new means to understand the existing and emerging threats that are targeting the Internet economy and the net citizens. To reach this goal, the proposal includes three key workpackages: (i) real time gathering of a diverse set of security related raw data, (ii) enrichment of this input by means of various analysis techniques, and (iii) root cause identification and understanding of the phenomena under scrutiny.\n \u003c/td\u003e\n \u003c/tr\u003e\n\u003c/table\u003e\n\n\n\n## License\n\nLicensed under [Apache License 2.0](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhslatman%2Fawesome-threat-intelligence","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhslatman%2Fawesome-threat-intelligence","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhslatman%2Fawesome-threat-intelligence/lists"}