10.6. External Enrichment Services

The External enrichment services library item represents the resources used to collect additional threat information. These sources provide feeds: structured, processed data such as IP addresses and domains from which malicious files are distributed, together with the corresponding file samples and hashes; lists of phishing websites and the email addresses of phishing message senders; addresses from which networks are scanned for vulnerabilities; IP addresses from which brute-force attacks are launched; and malware detection signatures.

Enrichment services must be enabled before they can be used. Some of them also require the user to register with the provider and supply an access key.

The following table lists each service by name, followed by its description, the address where detailed information is available, the types of observables it handles, and whether access credentials are required.

dnsgoogle

A web service by Google that provides public DNS servers.

Detailed information: https://dns.google.

Types of observables: IP.

urlhaus

An abuse.ch project whose aim is collecting, tracking, and sharing malware URLs.

Detailed information: https://urlhaus.abuse.ch/.

Types of observables: Domain, Hash, Host name, IP, URL.

dshield

A system for correlating firewall logs collaboratively. The system collects firewall logs from volunteers all over the world and uses them to analyze attack trends.

Detailed information: https://www.dshield.org/xml.html.

Types of observables: Domain, FQDN, IP.

cybercrime

The service provides information on the threat level posed by various objects.

Detailed information: http://cybercrime-tracker.net.

Types of observables: Domain, FQDN, IP, URL, Other.

cyberprotect

The service provides information on the threat level posed by various objects.

Detailed information: https://console.threatscore.cyberprotect.cloud/.

Types of observables: Domain, Hash, IP, URL, Useragent.

unshorten

This service resolves a shortened URL to its target URL so that the target can be previewed and checked for malicious links. It does not query an external resource; instead, it analyzes the response returned for the requested URL.

Types of observables: URL.

ipwhois

The service provides information on IP addresses.

Detailed information: https://ipwhois.io/.

Types of observables: IP.

ipinfo

A tool for identifying the owner, ISP, and location of a website, domain, or IP address.

Detailed information: https://ipinfo.io/.

Types of observables: IP.

The service requires access credentials to be entered.

hashdd

The service provides a database of malicious file hashes and offers various checks that give a thorough understanding of the threat.

Detailed information: https://hashdd.com/.

Types of observables: Hash.

The service requires access credentials to be entered.

urlscan

A service providing information on suspicious, malicious, and phishing URLs.

Detailed information: https://urlscan.io/.

Types of observables: Domain, FQDN, Hash, IP, URL.

The service requires access credentials to be entered.

emailrep

A system collecting data on email addresses, domains, and users.

Detailed information: https://emailrep.io/.

Types of observables: Mail.

The service requires access credentials to be entered.

greynoise

The company focuses on analyzing the Internet's background noise (packets sent to IP addresses or ports where no network device is configured to receive them). Filtering out this noise helps reduce falsely triggered events.

Detailed information: https://www.greynoise.io/.

Types of observables: IP.

The service requires access credentials to be entered.

abuseip

A project that fights malicious activity on the Internet.

Detailed information: https://www.abuseipdb.com/.

Types of observables: IP.

The service requires access credentials to be entered.

hybridanalysis

A service for checking files for malicious content.

Detailed information: https://www.hybrid-analysis.com/.

Types of observables: Hash.

The service requires access credentials to be entered.