Threat Feed Announcement

8 June 2015

I've been analyzing honeypot data for a while now, and with the addition of the honeypots from everyone over at @threat_inc, there was a lot of data to go through.

It seemed like such a waste to just have it sitting on our Splunk server and not doing anyone any good. With that, I decided to make a publicly accessible threat feed for anyone to use. The data is a deduplicated list of indicators from about 50 honeypots around the globe, producing about 15k unique indicators so far.

I've come up with some great ideas for this, such as adding in the last date seen, priority (some type of scoring methodology based on what type of activity was seen), more types of indicators if possible, etc. I'm also planning on making this feed consumable in other ways, such as CSV, JSON, XML, STIX, TAXII, etc. so everyone can integrate this into their own tools.

One thing to note about this feed is that it hasn't had any review of the data, so there will be some domains or file hashes in there of legitimate websites or files. I'll need to think of a way to whitelist certain stuff.

So, please enjoy the threat feed hosted here and let me know what you think. Thanks!