RST Threat Feed

All knowledge about current threats in one place

The RST Threat Feed service collects current threat knowledge from all the available open TI sources, then normalises, filters, enriches and scores it and delivers it to your security team or security solutions in a ready-to-use format.

Key Benefits

  • Collects IoCs from lots of available TI resources, social networks and dozens of TI reports
  • Rich contextual information for every IoC
  • Improves your TP/FP rate and allows real-time detection and prevention at scale

  • 230+ TI sources
  • 250k/day unique indicators
  • 30k+ entries in the threat database
  • 20+ malware categories
  • 0-100 scoring model
  • 7-8 million unique IoCs each year

RST Threat Feed provides the main IoC types, which help you detect and prevent numerous cyber attacks.

Data Description | Threat Prevention Value
List of IP addresses known to be used by cyber criminals (for example, C2 servers) | Prevents your network assets from participating in botnets; protects users from spam, fingerprinting, probing, etc.
A reputation list of malicious domains | Prevents phishing, data leakage and ransomware download
A reputation list of URLs used by cyber criminals | Prevents users from downloading malicious content and visiting phishing resources
List of malware file hashes (MD5, SHA1, SHA256) | Protects against ransomware, malware, spyware, keyloggers, RATs, etc.

What makes us different

IoC normalisation, filtering and uniformity when collecting indicators
  • All malware names are brought to a uniform naming scheme
  • Filtering of noise data (MS Updates, CDPs, well-known IPs, etc.)
Content enrichment
  • All context data is parsed
  • Lots of additional enrichment mechanisms
  • Dedicated whois API for domain data
Content and categorisation
  • More than 20 malware categories
  • Dedicated Industry tag
  • 250k+ unique indicators per day
  • Related indicators and CVEs field
  • ASN (organisation, number of domains registered) and URL verification
  • Reference field
Easy to apply
  • Different usage options: full feed download, API access, dedicated WHOIS API, dedicated NGFW API
  • Ready-to-use integration with popular SIEM/TIP/SOAR solutions
  • Dedicated download agent for feed utilisation
  • Ready-to-use API for popular NGFW solutions

Integrations

RST Threat Feed has out-of-the-box integration with many SIEM and TIP solutions. Additionally, you can immediately integrate RST Threat Feed with NGFW solutions to provide your network perimeter with accurate information on current cyber threats.

FortiGate

FortiGate firewalls can be integrated directly with RST Threat Feed via API. This gives options to block or alert on access to malicious websites or IP addresses. The integration is seamless and requires no extra software to configure the firewalls.

Palo Alto NGFW

Palo Alto NGFW can be integrated directly with RST Threat Feed via API. This gives options to block or alert on access to malicious websites or IP addresses. The integration is seamless and requires no extra software to configure the firewalls.

IBM QRadar SIEM solution

RST Threat Feed is integrated with IBM QRadar SIEM via the RST Downloader agent. This agent automatically downloads all the required data and pushes it to the SIEM via API. Indicators can be filtered by score, type, malware, tags, etc.

Palo Alto Cortex XSOAR

Palo Alto Cortex XSOAR can be integrated directly with RST Threat Feed via API. This makes it possible to query the RST Cloud API directly from any playbook or by using the war room commands.

Cisco Firepower

Cisco Firepower can be integrated directly with RST Threat Feed via API. This gives options to block or alert on access to malicious websites or IP addresses. The integration is seamless and requires no extra software to configure the firewalls.

Splunk Enterprise

RST Threat Feed is integrated with Splunk. The app is published on the official Splunk marketplace and automates the downloading and maintenance of the feeds in Splunk.

Elastic SIEM

RST Threat Feed is integrated with the Elastic SIEM solution via a custom Elastic Filebeat/Agent configuration. Indicators can be filtered by score, type, malware, tags, etc.

MISP

RST Threat Feed is integrated with MISP via a Python script. Indicators can be filtered by score, type, malware, tags, etc.

ArcSight ESM/Logger SIEM solution

RST Threat Feed is integrated with ArcSight ESM/Logger solutions via the RST Downloader agent. Indicators can be filtered by score, type, malware, tags, etc.

R-Vision TIP

RST Threat Feed is natively integrated with R-Vision TIP via API.


RST Threat Feed Data Structure

IP Addresses

{
  "ip": {
    "v4": "14.33.133.188",  - type | value
    "num": "237077948"      - value as an integer (comparisons can be faster)
  },
  "fseen": 1569715200,      - first seen timestamp
  "lseen": 1569801600,      - last seen timestamp
  "collect": 1571184000,    - indicator collection timestamp
  "tags": {                 - tags used to categorise indicators
    "str": [
      "shellprobe",
      "generic",
      "botnet"
    ],
    "codes": [0,11,4]       - IDs of the tags
                              (to be used to minimise memory usage in a SIEM)
  },
  "asn": {
    "num": 4766,            - the autonomous system number related to the indicator
    "firstip": {
      "netv4": "14.32.0.0", - the first address in that ASN
      "num": "236978176"    - the first address as an integer
    },
    "lastip": {
      "netv4": "14.33.166.39", - the last address in that ASN
      "num": "237086247"       - the last address as an integer
    },
    "cloud": "",               - whether this ASN belongs to a well-known cloud provider
    "domains": 480010,         - the number of domain names registered in that ASN
    "org": "Korea Telecom",    - organisation
    "isp": "KIXSASKR"          - provider
  },
  "geo": {                     - geo data
    "city": "Suwon",
    "country": "South Korea",
    "region": "Gyeonggido"
  },
  "related": {
    "domains": ["8d60f888.ngrok.io"]  - any related domains from our threat lists that use this IP
  },
  "score": {                   - scoring
    "total": 66,               - total score (high risk: score 55 or higher)
    "src": 81.94,              - weight by source:
                                 how important the sources were according to our algorithm
    "tags": 0.83,              - coefficient of tags:
                                 how important the categories of the indicator are (malware, spam, etc.)
    "frequency": 0.98          - coefficient of frequency:
                                 how often we have seen this indicator before
  },
  "fp": {                      - false positive suggestions
    "alarm": "false",          - is it a false positive alarm: false/true
    "descr": ""                - if alarm == true, descr contains a description
                                 of why it was assumed to be an FP
  },
  "threat": ["malware_name1",  - contains related threat names
             "malware_name2"]
}
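As an added example (not part of the RST Threat Feed page or its own tooling), the following Python applies the kind of score/tag filtering the integrations above describe to an IP record in this structure: it checks that the record is internally consistent (ip.num is the integer form of ip.v4 and the IP lies inside the ASN range), honours the fp.alarm suggestion, and accepts only records at or above the page's high-risk threshold of 55. The sample record is constructed from the values shown above; the cloud-ASN hold rule is a hypothetical policy, not something the feed prescribes.

```python
import ipaddress
import json

# Constructed sample record, built from the values shown in the IP indicator description above.
SAMPLE_RECORD = json.loads("""{
  "ip": {"v4": "14.33.133.188", "num": "237077948"},
  "fseen": 1569715200, "lseen": 1569801600, "collect": 1571184000,
  "tags": {"str": ["shellprobe", "generic", "botnet"], "codes": [0, 11, 4]},
  "asn": {"num": 4766, "firstip": {"netv4": "14.32.0.0", "num": "236978176"},
          "lastip": {"netv4": "14.33.166.39", "num": "237086247"},
          "cloud": "", "domains": 480010, "org": "Korea Telecom", "isp": "KIXSASKR"},
  "geo": {"city": "Suwon", "country": "South Korea", "region": "Gyeonggido"},
  "related": {"domains": ["8d60f888.ngrok.io"]},
  "score": {"total": 66, "src": 81.94, "tags": 0.83, "frequency": 0.98},
  "fp": {"alarm": "false", "descr": ""},
  "threat": ["malware_name1", "malware_name2"]
}""")

HIGH_RISK = 55  # the page's threshold: a total score of 55 or higher is high risk


def is_fp(record):
    """fp.alarm is the string "false"/"true" in the sample; a real bool is accepted too."""
    alarm = record.get("fp", {}).get("alarm", False)
    return alarm is True or str(alarm).lower() == "true"


def consistent(record):
    """ip.num must be the integer form of ip.v4, and the IP must fall inside the ASN range."""
    ip = int(ipaddress.IPv4Address(record["ip"]["v4"]))
    if ip != int(record["ip"]["num"]):
        return False
    asn = record["asn"]
    return int(asn["firstip"]["num"]) <= ip <= int(asn["lastip"]["num"])


def select_for_blocking(record, min_score=HIGH_RISK, exclude_tags=()):
    """Return (accepted, reason); only consistent, non-FP, high-risk records are accepted."""
    if not consistent(record):
        return False, "inconsistent record"
    if is_fp(record):
        return False, "fp: " + record["fp"].get("descr", "")
    if record["asn"].get("cloud"):  # hypothetical policy: shared cloud ranges go to review
        return False, "cloud provider ASN"
    if record["score"]["total"] < min_score:
        return False, "score below threshold"
    if set(record["tags"]["str"]) & set(exclude_tags):
        return False, "excluded tag"
    return True, "high risk"
```

Raising min_score or passing exclude_tags (for example "generic") is how the per-integration "filter by score, type, malware, tags" options would be expressed against this structure.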
Domains
URLs
Hashes