Guardicore Cyber Threat Intelligence Service

If you would like to use the Guardicore Cyber Threat Intelligence service as a feed, feel free!

All of the data served in the Guardicore Cyber Threat Intelligence dashboard can be downloaded for free.

Each week's data is available as a single JSON file here:
https://threatintelligence.guardicore.com/downloads/latest.json

In this file, you can find all the data we expose in the dashboard along with additional details.

In addition, data from previous weeks can be downloaded from URLs of the following form, where DDMMYYYY is a zero-padded day, month and four-digit year with no separators:

https://threatintelligence.guardicore.com/downloads/LABS_FEED_cti_data_DDMMYYYY.json
To download a specific week, use the date of the Sunday that marks the start of that week.

For example, for the time period between 06/01/2019 and 13/01/2019 the resource link is
https://threatintelligence.guardicore.com/downloads/LABS_FEED_cti_data_06012019.json

We suggest consuming this data by downloading latest.json once a week, on Mondays.
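The naming scheme above, worked through in code. This is an added example and not Guardicore's own client code. It assumes that a week runs from its Sunday through the following Saturday, so any date maps to the file named for the Sunday on or before it, and that archive files are named with the zero-padded day and month shown in the example above (06012019). fetch_feed needs network access and is the only function here that does.

```python
import json
import re
import urllib.request
from datetime import date, timedelta
from typing import List, Optional

BASE_URL = "https://threatintelligence.guardicore.com/downloads/"
LATEST_URL = BASE_URL + "latest.json"


def week_start_sunday(day: date) -> date:
    """Sunday on or before `day`: the feed names each weekly file by its starting Sunday."""
    # Python weekday(): Monday == 0 ... Sunday == 6
    return day - timedelta(days=(day.weekday() + 1) % 7)


def weekly_feed_url(day: date) -> str:
    """Archive URL for the week containing `day`, in the LABS_FEED_cti_data_DDMMYYYY.json form."""
    return f"{BASE_URL}LABS_FEED_cti_data_{week_start_sunday(day):%d%m%Y}.json"


def week_from_filename(name: str) -> Optional[date]:
    """Inverse mapping; None for names that are malformed or do not point at a Sunday."""
    m = re.fullmatch(r"LABS_FEED_cti_data_(\d{2})(\d{2})(\d{4})\.json", name)
    if not m:
        return None
    dd, mm, yyyy = (int(g) for g in m.groups())
    try:
        day = date(yyyy, mm, dd)
    except ValueError:  # e.g. 31022019
        return None
    return day if day.weekday() == 6 else None


def urls_for_range(first: date, last: date) -> List[str]:
    """One archive URL per week touching the interval [first, last], oldest first."""
    sunday, out = week_start_sunday(first), []
    while sunday <= last:
        out.append(weekly_feed_url(sunday))
        sunday += timedelta(days=7)
    return out


def fetch_feed(url: str = LATEST_URL, timeout: float = 30.0) -> dict:
    """Download and parse one feed file over HTTPS (network access; urlopen raises on HTTP errors)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for u in urls_for_range(date(2019, 1, 6), date(2019, 1, 20)):
        print(u)
```

week_from_filename rejects names whose date is not a Sunday, which is a cheap sanity check before backfilling an archive: a wrong weekday means the URL was built from the wrong date, not that the file is missing.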

If you have any questions or want access to additional data, please contact us at labs@guardicore.com.

Technical Format

What follows is the format of the JSON files: which top-level keys they contain and what each field means.

Attackers

Key name top_attackers.

This field contains the top attacking IP addresses observed by Guardicore sensors around the world in a specific time period.

Field name   Description
ip           The IP address of the attacker
amount       Number of times we've seen this attacker in our sensors over the time period
service      A list of protocols we've seen this attacker communicate with
country      Source country of the IP

Malicious Domains

Key name malicious_domains.

This field contains the top malicious domains we've seen attackers use in this time period. Attackers use domains rather than hard-coded IP addresses so that they can constantly shift infrastructure. These domains usually serve as file servers for downloading post-breach tools, as C&C servers controlling the different attack tools, and as logging servers receiving data from the victim machines.

Field name   Description
domain       The domain name we've seen attackers communicate with
amount       Number of times we've seen this domain in our sensors over the time period

C2 Servers

Key name connect_back_ips.

This field contains the top IP addresses attackers connect to after breaching a server. These machines usually serve as file servers for downloading post-breach tools (e.g. Remote Administration Tools (RATs), network and vulnerability scanners, exploit and cryptocurrency tools), as C&C servers controlling the different attack tools, and as logging servers receiving data from the victim machines.

Field name   Description
ip           The IP address of the server
amount       Number of times we've seen this server in our sensors over the time period
isp          ISP hosting this IP
country      Source country of the IP

Scanning Servers

Key name scanners.

This field contains the most active scanners in this time period. Scanners are machines that access one or more services across one or more subnets monitored by Guardicore sensors without performing attacks. Attackers run scanners to locate vulnerable services that fit their exploitation methods (e.g. misconfiguration, out-of-date software).

Field name   Description
ip           The IP address of the server
amount       Number of times we've seen this server in our sensors over the time period
ports        A list of ports scanned by this IP

Scanned Ports

Key name ports.

This field presents the services that are most often attacked over the internet.

Field name   Description
amount       The number of connection attempts to this port over the time period
ports        The port scanned
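A consumer for the format described in the Attackers, Malicious Domains, C2 Servers, Scanning Servers and Scanned Ports sections above. This is an added example and not Guardicore's code. The sample feed is constructed (documentation IP ranges, plus one malformed entry and one RFC 1918 entry included on purpose), and the exact value types, such as service being a list of strings and the scanner ports a list of integers, are assumptions, since the page only describes the fields in prose. The code validates every indicator before indexing it, then ranks constructed connection records against the index: outbound traffic to a connect-back server or a malicious domain is treated as the most serious hit, inbound traffic from listed attackers or scanners as lower-priority noise.

```python
import ipaddress
import json
from dataclasses import dataclass, field
from typing import Dict, List, NamedTuple, Optional

# Constructed sample in the shape the page documents; values are made up (documentation
# ranges, plus one invalid IP and one RFC 1918 address on purpose). Value types are assumed.
SAMPLE_FEED = json.dumps({
    "top_attackers": [
        {"ip": "198.51.100.7", "amount": 412, "service": ["ssh", "telnet"], "country": "ZZ"},
        {"ip": "not-an-ip", "amount": 3, "service": ["smb"], "country": "ZZ"}],
    "malicious_domains": [{"domain": "Payload.Example.NET.", "amount": 120}],
    "connect_back_ips": [
        {"ip": "203.0.113.9", "amount": 88, "isp": "Example ISP", "country": "ZZ"},
        {"ip": "10.0.0.5", "amount": 5, "isp": "n/a", "country": "ZZ"}],
    "scanners": [{"ip": "192.0.2.44", "amount": 900, "ports": [22, 445, 3389]}],
    "ports": [{"amount": 5000, "ports": 445}, {"amount": 3000, "ports": 22}],
})

# Explicit list rather than ip.is_global, which would also reject the documentation ranges above.
_NON_ROUTABLE_V4 = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

@dataclass
class FeedIndex:
    attackers: Dict[str, dict] = field(default_factory=dict)   # top_attackers by IP
    c2: Dict[str, dict] = field(default_factory=dict)          # connect_back_ips by IP
    scanners: Dict[str, dict] = field(default_factory=dict)    # scanners by IP
    domains: Dict[str, int] = field(default_factory=dict)      # malicious_domains -> amount
    top_ports: Dict[int, int] = field(default_factory=dict)    # ports -> amount
    rejected: List[str] = field(default_factory=list)          # entries dropped by validation

def routable_ip(raw) -> Optional[str]:  # canonical form of a valid, publicly routable IP, else None
    try:
        ip = ipaddress.ip_address(str(raw).strip())
    except ValueError:
        return None
    if (ip.version == 4 and any(ip in net for net in _NON_ROUTABLE_V4)) or (ip.version == 6 and not ip.is_global):
        return None
    return str(ip)

def normalise_domain(raw) -> str:
    return str(raw).strip().rstrip(".").lower()  # drop trailing dot, case-fold

def load_feed(text: str) -> FeedIndex:
    data = json.loads(text)
    idx = FeedIndex()
    for key, table in (("top_attackers", idx.attackers), ("connect_back_ips", idx.c2),
                       ("scanners", idx.scanners)):
        for entry in data.get(key, []):
            ip = routable_ip(entry.get("ip"))
            if ip is None:  # never let junk or internal addresses into a blocklist
                idx.rejected.append(f"{key}: {entry.get('ip')!r}")
                continue
            table[ip] = entry
    for entry in data.get("malicious_domains", []):
        idx.domains[normalise_domain(entry.get("domain", ""))] = int(entry.get("amount", 0))
    idx.top_ports = {int(e["ports"]): int(e["amount"]) for e in data.get("ports", [])}
    return idx

def matching_domain(idx: FeedIndex, name: str) -> Optional[str]:
    """Match the name itself or any listed parent domain (cdn.evil.example -> evil.example)."""
    labels = normalise_domain(name).split(".")
    for i in range(len(labels) - 1):  # never match on a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in idx.domains:
            return candidate
    return None

Hit = NamedTuple("Hit", [("severity", str), ("reason", str), ("indicator", str)])

def check_flow(idx: FeedIndex, flow: dict) -> Optional[Hit]:
    """flow: {"direction": "in"|"out", "remote_ip": str, "port": int (server side), "domain": str|None}.
    Outbound matches rank highest: a host reaching a C2 server or malicious domain is probably compromised."""
    ip = routable_ip(flow["remote_ip"])
    if flow["direction"] == "out":
        if ip in idx.c2:
            return Hit("high", "outbound to connect-back/C2 server", ip)
        dom = matching_domain(idx, flow["domain"]) if flow.get("domain") else None
        return Hit("high", "outbound to malicious domain", dom) if dom else None
    if ip in idx.attackers:
        seen_on = ",".join(idx.attackers[ip].get("service", []))
        return Hit("medium", f"inbound from top attacker (seen on {seen_on})", ip)
    if ip in idx.scanners:
        probed = flow["port"] in idx.scanners[ip].get("ports", [])
        return Hit("low", "inbound from scanner" + (" on a port it scans" if probed else ""), ip)
    return None

def triage(idx: FeedIndex, flows: List[dict]) -> List[Hit]:
    return [hit for hit in (check_flow(idx, f) for f in flows) if hit]

SAMPLE_FLOWS = [  # constructed connection records, as a firewall or flow log would yield them
    {"direction": "out", "remote_ip": "203.0.113.9", "port": 4444, "domain": None},
    {"direction": "out", "remote_ip": "203.0.113.50", "port": 443, "domain": "cdn.payload.example.net"},
    {"direction": "in", "remote_ip": "198.51.100.7", "port": 22, "domain": None},
    {"direction": "in", "remote_ip": "192.0.2.44", "port": 445, "domain": None},
    {"direction": "in", "remote_ip": "192.0.2.200", "port": 443, "domain": None},
]
```

Before pushing the IP lists into a firewall, check them against your own allowlists and against shared infrastructure (cloud providers, CDNs, mail relays): a top attacker address may be a compromised host that also serves legitimate traffic. The rejected list catches malformed and non-routable entries, but not that.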

Interested in accessing our full database? Have questions? Please email us to labs@guardicore.com.