Searching for Threat Indicators

Search the Threat Intelligence database to learn more about specific threat indicators, such as an IP address or domain name. Learn about the indicator's history and its confidence score.

Search results are limited to the most recent 1,000 results for any combination of search parameters. Refine the search criteria if the search returns more than 1,000 results.

To learn about the information found in the Threat Intelligence database, see Concepts.

You can search the Threat Intelligence database even if Cloud Guard hasn't detected any threats in the tenancy.

    1. Open the navigation menu and click Identity & Security. Under Threat Intelligence, click Threat Indicator Database.
    2. From the Search for list, select the type of threat indicator that you want to search for, and then enter the specific value.
      • Domain name: Enter the source domain name of the threat indicator.
      • File name: Enter the file name of the malicious program.
      • IP address: Enter the source IP address of the threat indicator.
      • Malware: Enter the name of the malware program associated with the threat indicator.
      • MD5 hash: Enter the MD5 hash generated from the request header of the threat indicator.
      • SHA1 hash: Enter the SHA1 hash generated from the request header of the threat indicator.
      • SHA256 hash: Enter the SHA256 hash generated from the request header of the threat indicator.
      • Threat actor: Enter the name of the entity associated with the threat indicator.
      • Threat type: Select the type of threat. See Threat Indicator Database Threat Types.
      • URL: Enter the source URL of the threat indicator.
    3. (Optional) Select a value for Date last reported.

      By default, the results include threats detected only in the last 30 days.

    4. (Optional) For Confidence score, select the minimum score of the threat indicator to search for.

      The confidence score is a value from 0 to 100 that represents how confident Threat Intelligence is that the indicator might be associated with malicious activity.

      By default, the results include only threat indicators with a score greater than 50.

    5. Click Search.
    6. (Optional) To limit the results to a specific indicator type, select a value in Type.
    7. To view more details about a threat indicator, click the indicator in the table of search results.

      The Indicator history area of the indicator details page shows the dates that this threat indicator was detected and who detected it (Oracle or another threat intelligence source).

    Tip

    To reset the search criteria, click Reset.
  • Use the following commands to search for threat indicators:

    Note

    All Threat Intelligence resources are scoped to the entire tenancy. Specify the ID of the tenancy (root compartment) for all CLI commands.

    For a complete list of flags and variable options for CLI commands, see the CLI Command Reference.

    List all indicators with a specific IP address
    oci threat-intelligence indicator-summaries list-indicators --compartment-id <root_compartment_OCID> --type IP_ADDRESS --value <indicator_IP_address>

    The supported indicator types are IP_ADDRESS, URL, DOMAIN_NAME, FILE_NAME, MD5_HASH, SHA1_HASH, SHA256_HASH, THREAT_ACTOR, and MALWARE.

    List all indicators with a specific threat type and minimum confidence score
    oci threat-intelligence indicator-summaries list-indicators --compartment-id <root_compartment_OCID> --threat-type-name phishing --confidence-above 50

    See Threat Indicator Database Threat Types or use the threat-types-collection list-threat-types command.
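Choosing the right type for an indicator is the step that both the Console's Search for list and the CLI's --type flag depend on. The Python helper below is an added example, not part of this documentation or of the OCI CLI: it classifies a raw indicator value as an IP address, hash, URL or domain name, lower-cases hash digests before searching (an assumption about how the database stores them), and builds the argv list for the list-indicators command shown above so it can be passed to subprocess without shell quoting. The tenancy OCID and indicator values used are placeholders.

```python
import ipaddress
import re
import shlex
from typing import List, Optional
from urllib.parse import urlparse

# Indicator types accepted by `oci threat-intelligence indicator-summaries
# list-indicators --type ...`, as listed on this page.
INDICATOR_TYPES = {
    "IP_ADDRESS", "URL", "DOMAIN_NAME", "FILE_NAME",
    "MD5_HASH", "SHA1_HASH", "SHA256_HASH", "THREAT_ACTOR", "MALWARE",
}
# Hex digest length -> indicator type.
HASH_TYPES = {32: "MD5_HASH", 40: "SHA1_HASH", 64: "SHA256_HASH"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def classify_indicator(value: str) -> Optional[str]:
    """Infer the indicator type of a raw IoC string.

    Returns one of the --type values or None when the value does not look
    like an IP, hash, URL or domain. THREAT_ACTOR, MALWARE and FILE_NAME
    cannot be inferred from the value alone (a file name such as
    'invoice.exe' is indistinguishable from a domain), so pass those
    types explicitly.
    """
    v = value.strip()
    if not v:
        return None
    if HEX_RE.match(v) and len(v) in HASH_TYPES:   # hash digests first
        return HASH_TYPES[len(v)]
    try:
        ipaddress.ip_address(v)                      # IPv4 or IPv6
        return "IP_ADDRESS"
    except ValueError:
        pass
    parsed = urlparse(v)                             # URL needs scheme + host
    if parsed.scheme in ("http", "https", "ftp") and parsed.netloc:
        return "URL"
    if DOMAIN_RE.match(v):                           # bare domain name
        return "DOMAIN_NAME"
    return None


def build_list_indicators_cmd(compartment_id: str, value: Optional[str] = None,
                              indicator_type: Optional[str] = None,
                              threat_type_name: Optional[str] = None,
                              confidence_above: Optional[int] = None) -> List[str]:
    """Build argv for the list-indicators command shown on this page."""
    if value is not None and indicator_type is None:
        indicator_type = classify_indicator(value)
        if indicator_type is None:
            raise ValueError(f"cannot infer indicator type for {value!r}; pass indicator_type")
    if indicator_type is not None and indicator_type not in INDICATOR_TYPES:
        raise ValueError(f"unsupported indicator type {indicator_type!r}")
    if confidence_above is not None and not 0 <= confidence_above <= 100:
        raise ValueError("confidence score must be between 0 and 100")
    cmd = ["oci", "threat-intelligence", "indicator-summaries", "list-indicators",
           "--compartment-id", compartment_id]   # root compartment = tenancy OCID
    if indicator_type:
        cmd += ["--type", indicator_type]
    if value is not None:
        # Assumption: digests are stored lower-case; other values pass through.
        v = value.strip()
        cmd += ["--value", v.lower() if indicator_type.endswith("_HASH") else v]
    if threat_type_name:
        cmd += ["--threat-type-name", threat_type_name]
    if confidence_above is not None:
        cmd += ["--confidence-above", str(confidence_above)]
    return cmd


if __name__ == "__main__":
    # Placeholder tenancy OCID and a constructed hash; run the printed line
    # (or pass the list to subprocess.run) where the OCI CLI is configured.
    cmd = build_list_indicators_cmd("ocid1.tenancy.oc1..placeholder",
                                    value="D41D8CD98F00B204E9800998ECF8427E")
    print(shlex.join(cmd))
```

Because the function returns a list rather than a string, the indicator value is never interpolated into a shell line, which matters when the value is an attacker-supplied URL or file name pasted from an alert.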

  • Use the following operations to search for threat indicators:

    • ListIndicators - Get a list of all indicators that match the search parameters
    • GetIndicator - Get details about a specific indicator
    • ListThreatTypes - Get a list of threat types that you can use as parameters when listing indicators

    Note

    All Threat Intelligence resources are scoped to the entire tenancy. Specify the ID of the tenancy (root compartment) for all API operations.

    List all indicators with a specific IP address
    GET /20220901/indicators?compartmentId=<root_compartment_OCID>&indicatorType=IP_ADDRESS&value=<indicator_IP_address>
    Host: thi-control-plane-api-threatintelservice.us-ashburn-1.oci.oraclecloud.com
    <authorization and other headers>

    Response:

    {
       "items": [
          {
            "confidence": 24,
            "id": "<indicator_OCID>",
            "labels": [
              "botnet"
            ],
            "timeCreated": "2021-08-10T11:04:53.680Z",
            "timeLastUpdated": "2021-09-01T13:22:41.000Z",
            "type": "IP_ADDRESS",
            "value": "<indicator_IP_address>"
          }
       ]
    }

    The supported indicator types are IP_ADDRESS, URL, DOMAIN_NAME, FILE_NAME, MD5_HASH, SHA1_HASH, SHA256_HASH, THREAT_ACTOR, and MALWARE.

    List all indicators with a specific threat type and minimum confidence score
    GET /20220901/indicators?compartmentId=<root_compartment_OCID>&label=bruteforce&confidenceGreaterThanOrEqualTo=50
    Host: thi-control-plane-api-threatintelservice.us-ashburn-1.oci.oraclecloud.com
    <authorization and other headers>

    Response:

    {
       "items": [
          {
            "confidence": 65,
            "id": "<indicator_OCID>",
            "labels": [
              "bruteforce"
            ],
            "timeCreated": "2021-08-10T11:04:53.680Z",
            "timeLastUpdated": "2021-09-01T13:22:41.000Z",
            "type": "IP_ADDRESS",
            "value": "<indicator_IP_address>"
          },
          {
            "confidence": 85,
            "id": "<indicator_OCID>",
            "labels": [
              "bruteforce"
            ],
            "timeCreated": "2021-08-10T11:04:53.680Z",
            "timeLastUpdated": "2021-09-01T13:22:41.000Z",
            "type": "IP_ADDRESS",
            "value": "<indicator_IP_address>"
          }
       ]
    }

    See Threat Indicator Database Threat Types.

    List all IP indicators with a specific threat type and minimum confidence score
    POST /20220901/indicators/actions/summarize?compartmentId=<root_compartment_OCID>
    Host: api-threatintel.us-ashburn-1.oci.oraclecloud.com
    <authorization and other headers>
    {
        "indicatorType": "IP_ADDRESS",
        "confidenceGreaterThanOrEqualTo": 50,
        "threatTypes": ["Criminal"]
    }

    Response:

    {
      "data": {
        "items": [
          {
            "attributes": [
              {
                "name": "MaliciousConfidence",
                "value": "low"
              },
              {
                "name": "CSD",
                "value": "csa-220906"
              },
              {
                "name": "ThreatActor",
                "value": "solarspider"
              },
              {
                "name": "Malware",
                "value": "jsoutprox"
              }
            ],
            "compartmentId": "<indicator_compartment_id>",
            "confidence": 55,
            "geodata": {
              "adminDiv": "on",
              "city": "kennebrook",
              "countryCode": "ca",
              "geoId": "",
              "label": "abchost corp.",
              "latitude": "51.06",
              "longitude": "-114.09",
              "origin": "62563",
              "routedPrefix": ""
            },
            "id": "<indicator_OCID>",
            "lifecycleState": "ACTIVE",
            "threatTypes": [
              "Criminal",
              "RAT"
            ],
            "timeCreated": "2022-08-30T19:15:09.237Z",
            "timeLastSeen": "2022-08-30T19:07:13.000Z",
            "timeUpdated": "2022-09-06T07:11:23.503Z",
            "type": "IP_ADDRESS",
            "value": "<indicator_IP_address>"
          }
        ]
      },
      "headers": {
        "Content-Length": "1091",
        "Content-Type": "application/json",
        "Date": "Fri, 09 Sep 2022 14:46:07 GMT",
        "X-Content-Type-Options": "nosniff",
        "opc-next-page": "MTY2MjA3ODU5NTAwMHx8b2NpZDEudGhyZWF0ZW50aXR5Lm9jMS4uYWFhYWFhYWF1MnFjeDU2bGdxamxscnVxNHdtZG1xdXp0ZmpqeGsyd3V3dmliNWd3cWZtc3V5dHJzYmxh",
        "opc-previous-page": "",
        "opc-request-id": "EFBD59D5E9AC4072A06750EB5AEBEA7A/EAF6F605F3CABF83C6BB7ABD9F3398A4/FD04F21730E00B8074A422238071544B"
      },
      "status": "200 OK"
    }

    See Threat Indicator Database Threat Types.

    Get details about a specific indicator
    GET /20220901/indicators/<indicator_OCID>?compartmentId=<root_compartment_OCID>
    Host: thi-control-plane-api-threatintelservice.us-ashburn-1.oci.oraclecloud.com
    <authorization and other headers>

    Response:

    {
       "confidence": 80,
       "id": "<indicator_OCID>",
       "labels": [
          {
             "attribution": [
                {
                   "score": 80,
                   "source": {
                      "name": "Oracle"
                   },
                   "timeFirstSeen": "2021-07-15T16:56:42.212Z",
                   "timeLastSeen": "2021-07-22T11:26:05.000Z"
                }
             ],
             "label": {
                "id": "bruteforce",
                "label": "bruteforce"
             }
          }
       ],
       "malwareFamilies": [],
       "targets": [],
       "threatTypes": [],
       "timeCreated": "2021-04-30T19:56:40.514Z",
       "timeLastUpdated": "2021-07-22T11:49:27.000Z",
       "type": "IP_ADDRESS",
       "value": "<indicator_IP_address>"
    }
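The paging and filtering that a practitioner ends up writing around these operations, as an added Python example that is not Oracle's SDK or documentation code: it follows the opc-next-page header shown in the summarize response (using the page and limit query parameters that OCI list operations take, assumed here because the page does not show them), stops if the service ever returns a token it has already seen, applies the confidence and label filters client-side over ListIndicators items, and flattens the attribution block of a GetIndicator body into the who-saw-it-when history that the Console's Indicator history area shows. The transport is a fake that replays constructed pages modelled on the responses above, with placeholder OCIDs and documentation-range addresses; a signed HTTP client with the same signature goes in its place.

```python
import json
from typing import Callable, Dict, Iterator, List, Optional, Tuple

API_VERSION = "20220901"

# Transport signature assumed here: get(path, query) -> (body_text, response_headers).
Transport = Callable[[str, Dict[str, str]], Tuple[str, Dict[str, str]]]

# Constructed pages modelled on the ListIndicators response on this page.
_PAGE_1 = {"items": [
    {"confidence": 24, "id": "<indicator_OCID_1>", "labels": ["botnet"],
     "type": "IP_ADDRESS", "value": "192.0.2.10"},
    {"confidence": 65, "id": "<indicator_OCID_2>", "labels": ["bruteforce"],
     "type": "IP_ADDRESS", "value": "192.0.2.11"},
]}
_PAGE_2 = {"items": [
    {"confidence": 85, "id": "<indicator_OCID_3>", "labels": ["bruteforce", "scanner"],
     "type": "IP_ADDRESS", "value": "192.0.2.12"},
    {"confidence": 90, "id": "<indicator_OCID_4>", "labels": ["phishing"],
     "type": "URL", "value": "https://phish.example/login"},
]}
# page token -> (body, headers); the first page carries an opc-next-page token.
_FAKE_PAGES = {None: (_PAGE_1, {"opc-next-page": "PAGE2TOKEN"}),
               "PAGE2TOKEN": (_PAGE_2, {})}

# Constructed GetIndicator body modelled on the one shown above.
SAMPLE_DETAIL = {
    "confidence": 80, "id": "<indicator_OCID>", "type": "IP_ADDRESS", "value": "192.0.2.11",
    "labels": [{
        "attribution": [{"score": 80, "source": {"name": "Oracle"},
                         "timeFirstSeen": "2021-07-15T16:56:42.212Z",
                         "timeLastSeen": "2021-07-22T11:26:05.000Z"}],
        "label": {"id": "bruteforce", "label": "bruteforce"},
    }],
}


def fake_transport(path: str, query: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Offline stand-in for a signed OCI client; replays the constructed pages."""
    assert path == f"/{API_VERSION}/indicators", path
    body, headers = _FAKE_PAGES[query.get("page")]
    return json.dumps(body), headers


def iter_indicators(get: Transport, compartment_id: str,
                    indicator_type: Optional[str] = None, value: Optional[str] = None,
                    limit: int = 100) -> Iterator[dict]:
    """Yield every indicator for the query, following opc-next-page to the end."""
    query = {"compartmentId": compartment_id, "limit": str(limit)}
    if indicator_type:
        query["indicatorType"] = indicator_type
    if value:
        query["value"] = value
    seen_tokens = set()
    while True:
        body, headers = get(f"/{API_VERSION}/indicators", query)
        yield from json.loads(body).get("items", [])
        token = headers.get("opc-next-page")
        if not token or token in seen_tokens:   # last page, or a looping token
            return
        seen_tokens.add(token)
        query = {**query, "page": token}


def filter_indicators(items: List[dict], min_confidence: int = 50,
                      label: Optional[str] = None) -> List[dict]:
    """Keep indicators at or above the confidence threshold, optionally with a label."""
    return [i for i in items
            if i.get("confidence", 0) >= min_confidence
            and (label is None or label in i.get("labels", []))]


def attribution_sources(detail: dict) -> List[dict]:
    """Flatten a GetIndicator body into (label, source, score, first/last seen) rows."""
    rows = []
    for entry in detail.get("labels", []):
        name = entry.get("label", {}).get("label")
        for a in entry.get("attribution", []):
            rows.append({"label": name, "source": a.get("source", {}).get("name"),
                         "score": a.get("score"), "first_seen": a.get("timeFirstSeen"),
                         "last_seen": a.get("timeLastSeen")})
    return rows


if __name__ == "__main__":
    found = list(iter_indicators(fake_transport, "<root_compartment_OCID>", "IP_ADDRESS"))
    for hit in filter_indicators(found, min_confidence=50, label="bruteforce"):
        print(hit["value"], hit["confidence"], hit["labels"])
    for row in attribution_sources(SAMPLE_DETAIL):
        print(row)
```

Collecting every page before acting on results is what keeps the 1,000-result cap visible: if the iterator returns exactly the cap, the query needs narrowing rather than the tail of the list being trusted as complete.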