Key Benefits
Easy operationalisation and integration with security tools!
Rich contextual information. Lots of data from various sources, including social networks, TI reports, online sandboxes, honeypot networks.
Designed for SOC and SecOps: improved TP/FP rate for optimal real-time detection and prevention at scale.
260+
TI Sources
250K/day
unique indicators
7K+
unique threats tracked
35+
threat categories
0-100
scoring model
STIX 2.1
and other formats
RST Threat Feed covers multiple use cases to detect and prevent all sorts of cyber attacks
Description | Benefits | |
---|---|---|
IP Address Reputation | List of IP Addresses that are known to be used by cyber criminals (for example, C2 servers) | Find malicious connections, exfiltration attemps, get an undestanding if your networks are hacked already or not, detect participations of your assets in botnets, etc. Block threats on a firewall or WAF |
Malicious Domains | A list of malicious Domains | Used to detect or prevent phishing, malware, data exfiltration, ransomware |
Malicious URL | A list of malicious URLs | Detect or prevent actions to download malicious content or visit phishing resources |
Malware File Hashes | List of malware files hashes (MD5, SHA1, SHA256) | Detect and prevent Ransomware, Trojans, Spyware, Keyloggers, RAT etc. |
RST Threat Feed is a comprehensive and reliable source of information about cyber threats. Our threat intelligence platform collects data from a variety of sources (incl. RST C2 Tracker, RST Honeypot Network), normalises it, filters out irrelevant information, enriches it with additional context, and assigns a threat score to each piece of data. This allows our customers to quickly and easily access the most relevant and accurate information about potential cyber threats.
It is actionable threat intelligence that enables security operations. Our threat intelligence data is available through an API and has many pre-built integrations with popular security information and event management (SIEM), security orchestration, automation, and response (SOAR), next-generation firewall (NGFW), and threat intelligence platform (TIP) systems. This makes it easy for our customers to incorporate our threat intelligence data into their existing security infrastructure and workflows.
What makes us different
IoC normalisation, filtering and standardisation when collecting indicators
- data is normalised and is stored in one format
- all malware names are unified
- noise is filtered (MS Updates, CDPs, Well-known IPs, etc.)
Content enrichment
- all context data is parsed and normalised
- lots of additional enrichment mechanisms
- dedicated Whois API for domain data
Content and categorisation
- more than 35 threat categories
- Industry Tagging
- 250k+ unique indictors per day
- Related indicators and CVEs
- ASN (Org, Number of domains registered) and URL verification
- References to the sources and related indicators
Easy to use
- different integration options: Full database dump, STIX 2.1/ TAXII, API Lookup access, WHOIS API, special NGFW APIs
- Ready-to-use integration with popular SIEM/TIP/SOAR solutions
- a specialised download agent for smoothness integration
- out-of-the-box API for popular NGFW solutions
Free Trial | Lookup API | RST NGFW | RST Threat Feed | |
---|---|---|---|---|
IP/Domain/URL IoCs | ||||
HASH MD5/SHA1/SHA256 | ||||
Full dump every 24 hours | ||||
Lookup via API | ||||
IoC filtering and normalisation | ||||
IoC scoring | ||||
IoC categorisation | ||||
IoC enrichment | ||||
SIEM/SOAR/TIP Integration | ||||
NGFW Integration | ||||
Get Trial | Contact us | Contact us | Contact us |
* For sample data (only test IoCs) from RST Threat Feed, please refer to the GitHub.
Integration
We provide quick and easy out-of-the-box integration with many SIEM, SOAR, TIP, EDR, XDR, NGFW, and WAF solutions. The knowledge we produce is actionable to the extent that machines can facilitate end-to-end detection, prevention, and response.
Fortigate firewalls can directly be integrated with RST Threat Feed via API. It gives options to block or alert on access to malicious websites or IP addresses. The integration is seamless and requires no extra software to be used to configure the firewalls.
Palo Alto NGFW can directly be integrated with RST Threat Feed via API. It gives options to block or alert on access to malicious websites or IP addresses. The integration is seamless and requires no extra software to be used to configure the firewalls.
RST Thread Feed integrated with IBM Qradar SIEM via RST Downloder agent. This agent automatically downloads all the required data and pushes it to the SIEM via API. There are options to filter indicators through its score and types, malware, tags etc
Palo Alto Cortex XSOAR can directly be integrated with RST Threat Feed via API. It gives an ability to query RST Cloud API directly from any playbook or using the war room commands.
RST Thread Feed integrated with Splunk. The app is published on the official Splunk marketplace and allows to automate downloading and maintenance of the feeds into Splunk.
RST Thread Feed is integrated with Microsoft Sentinel SIEM via a standard STIX/TAXII integration. There are options to filter indicators through its score and types, malware, tags etc
RST Thread Feed is integrated with Elastic SIEM solution via a custom elastic filebeat/agent configuration. There are options to filter indicators through its score and types, malware, tags etc
RST Thread Feed is integrated with MISP via a python script. There are options to filter indicators through its score and types, malware, tags etc
Cisco Firepower can directly be integrated with RST Threat Feed via API. It gives options to block or alert on access to malicious websites or IP addresses. The integration is seamless and requires no extra software to be used to configure the firewalls.
SAF Systems is a versatile platform for collecting and analysing machine data. It works in the fields of information security, IT infrastructure monitoring, and business process analysis. The integration of RST Threat Feed and RST Report Hub within the SAF platform empowers analysts to make informed decisions.
RST Threat Feed Data Structure
RST Threat Feed is available in three different machine-readable formats: CSV, JSON, and STIX 2.1. CSV and JSON are custom formats that offer more detailed information than can be accommodated in STIX 2.1. Integration of the threat intelligence feed is smooth and straightforward regardless of the chosen format. The indicators are provided along with relationships to emerging threats, malware, CVEs, TTPs, and threat actors.
{
"ip": {
"v4": "14.33.133.188", - type | value
"num": "237077948" - value as Integer (comparison can be faster)
},
"fseen": 1569715200, - first seen timestamp
"lseen": 1569801600, - last seen timestamp
"collect": 1571184000, - indicator collection timestamp
"tags": { - tags in order to categorize indicators
"str": [
"shellprobe",
"generic",
"botnet"
],
"codes": [0,11,4] - IDs of the tags
(to be used to minimize memory usage in SIEM)
},
"asn": {
"num": 4766, - An autonomous system number related to the indicator
"firstip": {
"netv4": "14.32.0.0", - The first address in that ASN
"num": "236978176" - The first address as an Integer
},
"lastip": {
"netv4": "14.33.166.39", - The last address in that ASN
"num": "237086247" - The last address as an Integer
},
"cloud": "", - is this ASN related to a well-known cloud provider
"domains": 480010, - a number of domain names registered in that ASN
"org": "Korea Telecom", - organization
"isp": "KIXSASKR" - provider
},
"geo": { - geo data
"city": "Suwon",
"country": "South Korea",
"region": "Gyeonggido"
},
"related": {
"domains": ["8d60f888.ngrok.io"] - any related domains from our threat lists that use that IP
},
"score": { - scoring
"total": 66, - total score (High risk - score 55 or higher)
"src": 81.94, - weight by source:
how important that sources were according to our algorithm
"tags": 0.83, - coefficient of tags:
how important the categories of the indicator (malware or spam, etc)
"frequency": 0.98 - coefficient of frequency:
how often we have seen that indicator before
},
"fp": { - false positive suggestions
"alarm": "false", - is it a false positive alarm: false/true
"descr": "" - if alarm == true, the descr contains description
why it was assumed as FP
},
"threat": {"malware_name1", - contains related threat names
"malware_name2"}
}