
Get actionable insights for swift decision-making

RST IoC Lookup offers access to comprehensive enrichment data for individual IoCs through a single API, providing relevant environment and historical information from our aggregated database of more than 80 million IoCs.

Key Benefits


Enriched contextual information for each IoC, featuring attribution to threats and APT groups, TTPs, related indicators, CVEs and much more.


Comprehensive individual Risk Score for each IoC, calculated using multiple criteria and harmonised with historical score metrics.


Enhanced filtering engine to decrease IoC False Positive rate.

  • 260+ TI sources
  • 80+ mln aggregated indicators
  • 7k+ unique threats tracked
  • 35+ malware categories
  • 0-100 scoring model
  • more than 9 mln unique IoCs each year

RST IoC Lookup covers multiple IoC types to detect and prevent all sorts of cyber attacks

| Description | Benefits |
|---|---|
| List of IP addresses known to be used by cyber criminals (for example, C2 servers) | Shows whether your networks are already compromised, detects participation of your assets in botnets, etc. |
| List of malicious domains known to be used by cyber criminals (for example, phishing domains) | Used to detect or prevent phishing, malware, data exfiltration, ransomware |
| List of malicious URLs known to be used by cyber criminals (for example, phishing URLs, URLs with malicious downloads) | Detect or prevent downloading malicious content or visiting phishing resources |
| List of malware file hashes (MD5, SHA1, SHA256) | Detect and prevent ransomware, Trojans, spyware, keyloggers, RATs, etc. |

RST IoC Lookup is a comprehensive and reliable source of information about cyber threats. Our threat intelligence platform collects data from a variety of sources, normalises it, filters out irrelevant information, enriches it with additional context, and assigns a threat score to each piece of data. This allows our customers to quickly and easily access the most relevant and accurate information about potential cyber threats.

The RST IoC Lookup API grants you access to comprehensive information on individual IoCs (IP, Domain, URL, Hash). Whether the IoC is a part of the current threat feed or already in a historical status, our API ensures you retrieve details swiftly from the historical database aggregated by the powerful RST Cloud engine with relevant enrichment details. Gain insights beyond the limitations, empowering your threat intelligence with a wealth of data.

What makes us different

More than 80 million indicators in the aggregated database
  • IoC and threat name normalisation, filtering of "known-good" and false positives
  • IoCs are normalised and stored in a unified format (cleared masking, etc.).
  • all threat and APT group names are standardised, regardless of different aliases used by different researchers
  • noise is filtered (MS Updates, CDPs, well-known IPs, etc.)
Full content enrichment
  • each IoC is enriched with full context information, and all context data fields are parsed and normalised
  • numerous additional enrichment mechanisms, including current network status, related IoCs, CVEs, etc.
  • dedicated RST Whois API used for domain data enrichment
Categorisation and scoring
  • more than 20 malware categories, including ransomware, phishing, RAT, fraud, scam, botnet, etc.
  • industry, software, GEO tagging and more
  • related indicators, TTPs, and CVEs
  • attribution to threats and APT groups
  • ASN (Org, Number of domains registered) and URL verification
  • individual daily risk score for each IoC
  • references to the sources and related indicators
Easy to deploy and use
  • ready-to-use API for integration with popular TIP/SOAR solutions
  • get real-time response through the RST IoC Lookup API

Install RST browser extension for Google Chrome to quickly search for Indicators of Compromise (IoCs) using RST IoC Lookup and retrieve WHOIS information for domains using RST Whois API.

Simply select any text on a webpage that represents a URL, domain, IP, or Hash, right-click, and choose the "RST IoC Lookup" option from the context menu to perform a lookup. It helps you identify potential threats and provides valuable information about IoCs, including attribution to malware family, threat actors, descriptions, tags, risk score, WHOIS, and references.

The IoC database is also accessible for free using our website. However, to use the data in an automated way we recommend integrating your SOAR, TIP, and other solutions with the APIs. Please keep in mind that the Online IoC Lookup tool has limitations:

  • The number of requests is limited
  • Not all context is shown: limited enrichment fields in comparison with the RST IoC Lookup commercial API (no TTPs, environment data, etc.)

Integration

We provide quick and easy out-of-the-box integration with many SIEM, SOAR, TIP, EDR, XDR, NGFW, and WAF solutions. The knowledge we produce is actionable to the extent that machines can facilitate end-to-end detection, prevention, and response.

FortiGate

FortiGate firewalls can be integrated directly with RST Threat Feed via API. This gives the option to block or alert on access to malicious websites or IP addresses. The integration is seamless and requires no extra software to configure the firewalls.

Palo Alto NGFW

Palo Alto NGFW can be integrated directly with RST Threat Feed via API. This gives the option to block or alert on access to malicious websites or IP addresses. The integration is seamless and requires no extra software to configure the firewalls.

IBM QRadar SIEM solution

RST Threat Feed is integrated with IBM QRadar SIEM via the RST Downloader agent. This agent automatically downloads all the required data and pushes it to the SIEM via API. Indicators can be filtered by score, type, malware, tags, etc.

Palo Alto Cortex XSOAR

Palo Alto Cortex XSOAR can directly be integrated with RST Threat Feed via API. It gives an ability to query RST Cloud API directly from any playbook or using the war room commands.

Splunk Enterprise

RST Threat Feed is integrated with Splunk. The app is published on the official Splunk marketplace and automates downloading and maintenance of the feeds in Splunk.

Microsoft Sentinel

RST Threat Feed is integrated with Microsoft Sentinel SIEM via a standard STIX/TAXII integration. Indicators can be filtered by score, type, malware, tags, etc.

Elastic SIEM

RST Threat Feed is integrated with Elastic SIEM via a custom Elastic Filebeat/Agent configuration. Indicators can be filtered by score, type, malware, tags, etc.

MISP

RST Threat Feed is integrated with MISP via a Python script. Indicators can be filtered by score, type, malware, tags, etc.

ArcSight ESM/Logger SIEM solution

RST Threat Feed is integrated with ArcSight ESM/Logger solutions via the RST Downloader agent. Indicators can be filtered by score, type, malware, tags, etc.

OpenCTI

RST Threat Feed is natively integrated with OpenCTI via API.

Cisco Firepower

Cisco Firepower can be integrated directly with RST Threat Feed via API. This gives the option to block or alert on access to malicious websites or IP addresses. The integration is seamless and requires no extra software to configure the firewalls.

SAF Systems

SAF Systems is a versatile platform for collecting and analysing machine data. It works in the fields of information security, IT infrastructure monitoring, and business process analysis. The integration of RST Threat Feed and RST Report Hub within the SAF platform empowers analysts to make informed decisions.

Need more details?

Download the datasheet or follow the link below.

RST IoC Lookup Data Structure

IP Addresses

```
{
  "ip": {
    "v4": "14.33.133.188",       - type | value
    "num": "237077948"           - value as an integer (comparison can be faster)
  },
  "fseen": 1569715200,           - first seen timestamp
  "lseen": 1569801600,           - last seen timestamp
  "collect": 1571184000,         - indicator collection timestamp
  "tags": {                      - tags used to categorise indicators
    "str": [
      "shellprobe",
      "generic",
      "botnet"
    ],
    "codes": [0, 11, 4]          - IDs of the tags
                                   (used to minimise memory usage in a SIEM)
  },
  "asn": {
    "num": 4766,                 - autonomous system number related to the indicator
    "firstip": {
      "netv4": "14.32.0.0",      - the first address in that ASN
      "num": "236978176"         - the first address as an integer
    },
    "lastip": {
      "netv4": "14.33.166.39",   - the last address in that ASN
      "num": "237086247"         - the last address as an integer
    },
    "cloud": "",                 - whether this ASN belongs to a well-known cloud provider
    "domains": 480010,           - number of domain names registered in that ASN
    "org": "Korea Telecom",      - organisation
    "isp": "KIXSASKR"            - provider
  },
  "geo": {                       - geo data
    "city": "Suwon",
    "country": "South Korea",
    "region": "Gyeonggido"
  },
  "related": {
    "domains": ["8d60f888.ngrok.io"]  - related domains from our threat lists that use that IP
  },
  "score": {                     - scoring
    "total": 66,                 - total score (high risk: score 55 or higher)
    "src": 81.94,                - weight by source: how important the sources were
                                   according to our algorithm
    "tags": 0.83,                - coefficient of tags: how important the categories
                                   of the indicator are (malware, spam, etc.)
    "frequency": 0.98            - coefficient of frequency: how often we have seen
                                   that indicator before
  },
  "fp": {                        - false positive suggestions
    "alarm": "false",            - is it a false positive alarm: false/true
    "descr": ""                  - if alarm == true, descr explains why it was
                                   assumed to be a false positive
  },
  "threat": ["malware_name1",    - related threat names
             "malware_name2"]
}
```
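As an added example (not RST Cloud's code), the following Python shows how a SIEM or SOAR integration might consume a record in the layout above: it checks that the integer and dotted forms of the IP agree, that the IP falls inside the ASN range, maps tag codes back to names, and triages on the page's stated high-risk threshold of 55. The sample record is constructed from this page's values, and the verdict labels "suppress", "high" and "low" are this example's own choice.

```python
import ipaddress
import json

# Constructed sample record in the layout documented above (values taken from this
# page's IP address example; "threat" given as a JSON array).
SAMPLE_RECORD = json.loads("""{
  "ip": {"v4": "14.33.133.188", "num": "237077948"},
  "fseen": 1569715200, "lseen": 1569801600, "collect": 1571184000,
  "tags": {"str": ["shellprobe", "generic", "botnet"], "codes": [0, 11, 4]},
  "asn": {"num": 4766,
          "firstip": {"netv4": "14.32.0.0", "num": "236978176"},
          "lastip": {"netv4": "14.33.166.39", "num": "237086247"},
          "cloud": "", "domains": 480010, "org": "Korea Telecom", "isp": "KIXSASKR"},
  "score": {"total": 66, "src": 81.94, "tags": 0.83, "frequency": 0.98},
  "fp": {"alarm": "false", "descr": ""},
  "threat": ["malware_name1", "malware_name2"]
}""")

HIGH_RISK = 55  # threshold stated on this page: a total score of 55 or higher is high risk

def ip_to_int(v4: str) -> int:
    """Integer form of a dotted-quad IPv4 address, as used in the record's "num" fields."""
    return int(ipaddress.IPv4Address(v4))

def is_fp(record: dict) -> bool:
    """fp.alarm appears as the string "false" in the sample; accept both str and bool."""
    alarm = record.get("fp", {}).get("alarm", False)
    return alarm is True or str(alarm).lower() == "true"

def tag_map(record: dict) -> dict:
    """Map numeric tag codes to tag names, so a SIEM can store only the compact codes."""
    return dict(zip(record["tags"]["codes"], record["tags"]["str"]))

def ip_in_asn_range(record: dict) -> bool:
    """Consistency check: ip.num lies between the ASN's first and last address."""
    asn = record["asn"]
    return int(asn["firstip"]["num"]) <= int(record["ip"]["num"]) <= int(asn["lastip"]["num"])

def triage(record: dict) -> str:
    """'suppress' a flagged false positive, 'high' at or above the documented threshold,
    otherwise 'low' (the verdict labels are this example's own, not RST's)."""
    if is_fp(record):
        return "suppress"
    if ip_to_int(record["ip"]["v4"]) != int(record["ip"]["num"]):
        raise ValueError("ip.v4 and ip.num disagree: record is inconsistent")
    return "high" if record["score"]["total"] >= HIGH_RISK else "low"
```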