Gain a clearer understanding of the risk associated with individual IPs and domains with Spamhaus’ context-rich metadata.

These actionable signals support a range of use cases: equipping security teams and researchers with robust validation data, aiding email service providers with customer vetting, and enabling brand protection teams to pivot quickly to potential areas of concern.

Consume this dynamic threat intelligence via the Spamhaus Intelligence API (a REST API in JSON format), and utilize Passive DNS data via an API or continuous datafeed.

URLhaus dataset

This dataset, from abuse.ch, provides metadata on URLs used for malware distribution. Sourced from an expansive community of expert researchers, it highlights and provides details on various internet entities—URLs, domains, IPv4 addresses, DNS names, and hashes.

It supports the identification and exploration of malicious URLs and domains, helping you understand the connections between them and the underlying malware. Find the technical documentation here.

Some of the values you’ll gain visibility of are the following:

Tags: typically associated with every entry, tags return details such as activity type, associated malware family, payload file type, etc.

Online/offline: with URLs frequently re-evaluated, understand whether the malicious endpoint is still reachable.

Payload details: pivot from payloads to other entities such as MD5 and SHA256 hashes, host, signature, URLs, tags, and reporter details.

Reporter: as you analyze, you can uncover whether there are trends in which reporters share the intelligence, so you can pay particular attention to their insight.

Passive DNS (PDNS)

Passive DNS data is collected with special probes activated on a DNS resolver. The probes record anonymized data every time a DNS resolver is unable to return a domain name from its caches and sends a recursive request to another name server (cache miss). Find out more in our beginner’s guide to Passive DNS.

Spamhaus data is collected through numerous recursive DNS servers from around the globe. A broad network of service providers and a community of security researchers who are dedicated to combatting DNS abuse share this data for the good of the internet.

Researchers at The Spamhaus Project utilize Passive DNS data daily in their research and threat hunting.

The following records can be queried in Spamhaus’ Passive DNS data: IP, HOSTDOM, HOST, NS, DOMAIN, DOMSEARCH, MXD, MX, CNAME & HOST. The “last seen” UNIX timestamp is included with each record.

You can access this data via an API, or via a continuous data feed for inclusion in third-party security products. Sign up for a free trial here.

eXploits Dataset (XBL)

This dataset lists IP addresses belonging to devices that are showing signs of compromise. This can include traffic from Internet of Things (IoT) devices alongside more traditional email spam. Potential reasons for our research team to list IPs on the XBL include:

  • Malware infections
  • Trojan infections
  • Worm infections
  • Devices controlled by botnet command and control servers (C&Cs)
  • Third-party exploits, such as open proxies.

Metadata in the eXBL includes: the timestamp of the last connection, the name of the botnet controlling the infected nodes, the IP address and port number of the command and control server for some connections, the countries where compromised devices are located, and the type of malware used to exploit the devices.

This data is available via the Spamhaus Intelligence API (SIA) to enable easy integration with SIEMs and SOCs, along with other security and reporting applications.

Developers can get limited free access via our Developer License, or access an unlimited free 30 day trial here.


Botnet Controller List (BCL)

This dataset only contains single IPv4 addresses* used to host botnet command and control servers (C&Cs). These botnet C&Cs are used by cybercriminals to control infected computers (bots).

No inbound or outbound network connections should be made to these IP addresses under any circumstances.

Metadata in the BCL includes: the bot name associated with the detected activity, the destination port of the traffic that triggered the detection or on which the identified C&C service has been observed running, and an array providing information about the binary files observed referring to the specific C&C instance.
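As an added illustration of how the BCL guidance above (no connections in either direction) and its metadata could be applied in a SOC, the example below matches constructed connection-log records against a BCL-style list. This is not Spamhaus code, and the entry fields (`ip`, `botname`, `port`) are assumptions, not the SIA response schema; the feed entries and log lines are constructed.

```python
# Added example, not Spamhaus code and not the SIA schema: match connection
# logs against a BCL-style list of botnet C&C IPs. Field names are assumed.
import ipaddress

# Constructed BCL-style entries: listed C&C IPv4, bot name, observed C&C port.
BCL_FEED = [
    {"ip": "192.0.2.10", "botname": "ExampleBot", "port": 443},
    {"ip": "198.51.100.7", "botname": "OtherBot", "port": 8080},
]

# Constructed connection log lines (src,dst,dst_port) as a SIEM might export.
CONN_LOG = [
    "10.0.0.5,192.0.2.10,443",      # outbound to a listed C&C on its known port
    "10.0.0.9,203.0.113.4,443",     # outbound to an unlisted host
    "198.51.100.7,10.0.0.12,5555",  # inbound from a listed C&C, different port
]


def load_bcl(feed):
    """Index feed entries by IP, checking each is a single IPv4 address."""
    index = {}
    for entry in feed:
        addr = ipaddress.ip_address(entry["ip"])
        if addr.version != 4:
            raise ValueError(f"BCL lists only IPv4 addresses: {entry['ip']}")
        index[str(addr)] = entry
    return index


def match_connections(log_lines, bcl_index):
    """Flag any connection, inbound or outbound, involving a listed C&C IP.

    The listing alone warrants an alert; port_matches_feed only records
    whether the observed port equals the C&C port noted in the feed.
    """
    alerts = []
    for line in log_lines:
        src, dst, dport = line.split(",")
        for direction, ip in (("outbound", dst), ("inbound", src)):
            hit = bcl_index.get(ip)
            if hit:
                alerts.append({
                    "direction": direction, "cc_ip": ip,
                    "botname": hit["botname"],
                    "port_matches_feed": int(dport) == hit["port"],
                    "line": line,
                })
    return alerts


if __name__ == "__main__":
    for alert in match_connections(CONN_LOG, load_bcl(BCL_FEED)):
        print(alert)
```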

This data is available via the Spamhaus Intelligence API (SIA) to enable easy integration with SIEMs and SOCs, along with other security and reporting applications.

Developers can get limited free access via our Developer License, or access an unlimited free 30 day trial here.

Domain Reputation Dataset (Domain Rep Data)

This dataset provides valuable signals relating to every domain Spamhaus researchers observe. Enhance existing data sources or consume this data directly for customer vetting, vulnerability management, investigation, reporting and detection.

Actionable metadata relating to each domain is provided via various API calls through the Spamhaus Intelligence API, including: General domain information; Reputation dimensions; Domain Contexts; Domain listing data; Domain senders data; Nameserver reputation; A Records reputation; Clusters; Hostnames listed; Malware.

For more information on each API call, read our technical documentation here.

Developers can get limited free access via our Developer License, or access an unlimited free 30 day trial here.

Combined Spam Sources Dataset (CSS)

This dataset focuses only on SMTP traffic, i.e., port 25-based detections. The IPs listed are low-reputation sources, including spam senders. Triggers for listing on the CSS include:

  • Sending bulk unsolicited email
  • Having poor email marketing list hygiene
  • Sending out malicious emails due to compromised accounts, webforms or content management systems (CMS).

Metadata in the CSS dataset includes: timestamps of the first sighting and the last connection, the HELO string used in the SMTP session that triggered the detection, and the geolocation of the IP address.

This data is available via the Spamhaus Intelligence API (SIA) to enable easy integration with SIEMs and SOCs, along with other security and reporting applications.

Developers can get limited free access via our Developer License, or access an unlimited free 30 day trial here.