MISP Feed Implementation Status

MISP FEEDS

| Feed Name | Provider | Feed Format | Sentinel | Defender For Endpoint | Notes |
| --- | --- | --- | --- | --- | --- |
| abuse.ch SSL IPBL | abuse.ch | csv | ✔️ | ✔️ | |
| blocklist.de/lists/all.txt | blocklist.de | freetext | ✔️ | ✔️ | |
| blockrules of rules.emergingthreats.net | rules.emergingthreats.net | csv | ✔️ | ✔️ | |
| ci-badguys.txt | cinsscore.com | freetext | ✔️ | ✔️ | |
| diamondfox_panels | pan-unit42 | freetext | ✔️ | ✔️ | |
| DigitalSide Threat-Intel OSINT Feed | osint.digitalside.it | misp | | | |
| DNS CH TXT version.bind | dataplane.org | csv | | | |
| DNS recursion desired IN ANY | dataplane.org | csv | | | |
| DNS recursion desired | dataplane.org | csv | | | |
| Feodo IP Blocklist | abuse.ch | csv | ✔️ | ✔️ | |
| firehol_level1 | iplists.firehol.org | freetext | | | |
| IP protocol 41 | dataplane.org | csv | | | |
| ipspamlist | ipspamlist | csv | | | |
| IPsum (aggregation of all feeds) - level 1 - lot of false positives | IPsum | freetext | ✔️ | ✔️ | |
| IPsum (aggregation of all feeds) - level 2 - medium false positives | IPsum | freetext | ✔️ | ✔️ | |
| IPsum (aggregation of all feeds) - level 3 - low false positives | IPsum | freetext | ✔️ | ✔️ | |
| IPsum (aggregation of all feeds) - level 4 - very low false positives | IPsum | freetext | ✔️ | ✔️ | |
| IPsum (aggregation of all feeds) - level 5 - ultra false positives | IPsum | freetext | ✔️ | ✔️ | |
| IPsum (aggregation of all feeds) - level 6 - no false positives | IPsum | freetext | ✔️ | ✔️ | |
| IPsum (aggregation of all feeds) - level 7 - no false positives | IPsum | freetext | ✔️ | ✔️ | |
| IPsum (aggregation of all feeds) - level 8 - no false positives | IPsum | freetext | ✔️ | ✔️ | |
| malshare.com - current all | malshare.com | freetext | | | |
| malsilo.domain | MalSilo | csv | | | |
| malsilo.ipv4 | MalSilo | csv | | | |
| malsilo.url | MalSilo | csv | | | |
| Malware Bazaar | abuse.ch | csv | ✔️ | ✔️ | |
| MalwareBazaar | abuse.ch | misp | | | |
| Metasploit exploits with CVE assigned | eCrimeLabs | csv | ✔️ | ✔️ | |
| PhishScore | PhishStats | csv | | | |
| Phishtank online valid phishing | Phishtank | csv | | | |
| pop3gropers | home.nuug.no | csv | | | |
| sipinvitation | dataplane.org | csv | | | |
| sipquery | dataplane.org | csv | | | |
| sipregistration | dataplane.org | csv | | | |
| SMTP data | dataplane.org | csv | | | |
| SMTP greet | dataplane.org | csv | | | |
| SSH Bruteforce IPs | APNIC Community Honeynet Project | csv | | | |
| Telnet Bruteforce IPs | APNIC Community Honeynet Project | csv | | | |
| TELNET login | dataplane.org | csv | | | |
| The Botvrij.eu Data | Botvrij.eu | misp | | | |
| threatfox indicators of compromise | abuse.ch | csv | | | |
| Threatfox | abuse.ch | misp | | | |
| Tor ALL nodes | TOR Node List from dan.me.uk | csv | | | |
| URL Seen in honeypots | APNIC Community Honeynet Project | freetext | | | |
| URLHaus Malware URLs | abuse.ch | csv | | | |
| URLhaus | abuse.ch | misp | | | |
| VNC RFB | dataplane.org | csv | | | |

Unsupported Feeds:

Some feeds listed on MISP's feed page cannot be implemented in KQL, for the reasons given below.

| Feed Name | Provider | Reason |
| --- | --- | --- |
| alienvault reputation generic | .alienvault.com | Externaldata(), does not support this datatype. |
| All current domains belonging to known malicious DGAs | osint.bambenekconsulting.com | Commercial licence required for the feed |
| blocklist.greensnow.co | greensnow.co | Externaldata(), does not support this datatype. |
| cybercrime-tracker.net - all | cybercrime-tracker.net | Externaldata(), does not support this datatype. |
| CyberCure - Blocked URL Feed | www.cybercure.ai | The remote server returned an error: (405) Method Not Allowed. |
| CyberCure - Hash Feed | www.cybercure.ai | The remote server returned an error: (405) Method Not Allowed. |
| CyberCure - IP Feed | www.cybercure.ai | The remote server returned an error: (405) Method Not Allowed. |
| CIRCL OSINT Feed | CIRCL | Results exceed the allowed query limits |
| Domains from High-Confidence DGA-based C&C Domains Actively Resolving | osint.bambenekconsulting.com | Commercial licence required for the feed |
| http://cybercrime-tracker.net gatelist | http://cybercrime-tracker.net | Externaldata(), does not support this datatype. |
| http://cybercrime-tracker.net hashlist | http://cybercrime-tracker.net | Externaldata(), does not support this datatype. |
| ip-block-list - snort.org | https://snort.org | Access to persistent storage path 'https://snort.org/downloads/ip-block-list' was denied |
| IPs from High-Confidence DGA-Based C&Cs Actively Resolving - requires a valid license | osint.bambenekconsulting.com | Commercial licence required for the feed |
| mirai.security.gives | security.gives | Externaldata() timeout. |
| Panels Tracker | Benkow.cc | Externaldata(), does not support this datatype. |
| sshpwauth.txt | dataplane.org | csv |
| This list contains all browser mining domains - A list to prevent browser mining only | ZeroDot1 - CoinBlockerLists | Read from IStreamSource failed |
| This list contains all domains - A list for administrators to prevent mining in networks | ZeroDot1 - CoinBlockerLists | Read from IStreamSource failed |
| This list contains all optional domains - An additional list for administrators | ZeroDot1 - CoinBlockerLists | Read from IStreamSource failed |
| Tor exit nodes | dan.me.uk | Data is shared in the ALL Nodes feed, otherwise double data is used |
| VXvault - URL List | VXvault | Externaldata(), does not support this datatype. |
| OpenPhish url list | openphish.com | Partial query failure: Unable to perform requested operation. (message: 'Error with persistent storage path 'https://openphish.com/feed.txt' (operation 'CreateFileRef'). |