Searching for Threat Indicators
Search the Threat Intelligence database to learn more about specific threat indicators, such as an IP address or domain name. Learn about the indicator's history and its confidence score.
Search results are limited to the most recent 1,000 results for any combination of search parameters. Refine the search criteria if the search returns more than 1,000 results.
To learn about the information found in the Threat Intelligence database, see Concepts.
You can search the Threat Intelligence database even if Cloud Guard hasn't detected any threats in the tenancy.
Tip
To reset the search criteria in the Console, click Reset.

Use the following CLI commands to search for threat indicators:
- oci threat-intelligence indicator-summaries list-indicators - Get a list of threat indicator summaries that match the search parameters
- oci threat-intelligence indicator get - Get details about a specific indicator
- oci threat-intelligence threat-types-collection list-threat-types - Get a list of threat types that you can use as parameters when listing indicators
Note
All Threat Intelligence resources are scoped to the entire tenancy. Specify the ID of the tenancy (root compartment) for all CLI commands. For a complete list of flags and variable options for CLI commands, see the CLI Command Reference.
List all indicators with a specific IP address
oci threat-intelligence indicator-summaries list-indicators --compartment-id <root_compartment_OCID> --type IP_ADDRESS --value <indicator_IP_address>
The supported indicator types are IP_ADDRESS, URL, DOMAIN_NAME, FILE_NAME, MD5_HASH, SHA1_HASH, SHA256_HASH, THREAT_ACTOR, and MALWARE.

List all indicators with a specific threat type and minimum confidence score
oci threat-intelligence indicator-summaries list-indicators --compartment-id <root_compartment_OCID> --threat-type-name phishing --confidence-above 50
For the valid threat type names, see Threat Indicator Database Threat Types or use the threat-types-collection list-threat-types command.

Use the following API operations to search for threat indicators:
- ListIndicators - Get a list of all indicators that match the search parameters
- GetIndicator - Get details about a specific indicator
- ListThreatTypes - Get a list of threat types that you can use as parameters when listing indicators
Note
All Threat Intelligence resources are scoped to the entire tenancy. Specify the ID of the tenancy (root compartment) for all API operations.

List all indicators with a specific IP address
GET /20220901/indicators?compartmentId=<root_compartment_OCID>&indicatorType=IP_ADDRESS&value=<indicator_IP_address>
Host: thi-control-plane-api-threatintelservice.us-ashburn-1.oci.oraclecloud.com
<authorization and other headers>
Response:
{
  "items": [
    {
      "confidence": 24,
      "id": "<indicator_OCID>",
      "labels": [ "botnet" ],
      "timeCreated": "2021-08-10T11:04:53.680Z",
      "timeLastUpdated": "2021-09-01T13:22:41.000Z",
      "type": "IP_ADDRESS",
      "value": "<indicator_IP_address>"
    }
  ]
}
The supported indicator types are IP_ADDRESS, URL, DOMAIN_NAME, FILE_NAME, MD5_HASH, SHA1_HASH, SHA256_HASH, THREAT_ACTOR, and MALWARE.

List all indicators with a specific threat type and minimum confidence score
GET /20220901/indicators?compartmentId=<root_compartment_OCID>&label=bruteforce&confidenceGreaterThanOrEqualTo=50
Host: thi-control-plane-api-threatintelservice.us-ashburn-1.oci.oraclecloud.com
<authorization and other headers>
Response:
{
  "items": [
    {
      "confidence": 65,
      "id": "<indicator_OCID>",
      "labels": [ "bruteforce" ],
      "timeCreated": "2021-08-10T11:04:53.680Z",
      "timeLastUpdated": "2021-09-01T13:22:41.000Z",
      "type": "IP_ADDRESS",
      "value": "<indicator_IP_address>"
    },
    {
      "confidence": 85,
      "id": "<indicator_OCID>",
      "labels": [ "bruteforce" ],
      "timeCreated": "2021-08-10T11:04:53.680Z",
      "timeLastUpdated": "2021-09-01T13:22:41.000Z",
      "type": "IP_ADDRESS",
      "value": "<indicator_IP_address>"
    }
  ]
}
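The same ListIndicators searches driven from Python, as an added example that is not part of this page or of the OCI SDK documentation. It assumes the OCI Python SDK's oci.threat_intelligence.ThreatintelClient, the keyword arguments of its list_indicators() call and Response.next_page (assumptions about the SDK, none of which appear on this page), and it uses constructed sample pages so that the paging logic runs offline. classify_indicator picks the indicator type for a raw observable before the search; collect_indicators follows opc-next-page tokens and reports when the 1,000-result cap was reached, which is the signal to refine the search rather than page further.

```python
"""Added example (not from the page or the OCI SDK docs): search the Threat
Intelligence database from Python.

Assumptions: oci.threat_intelligence.ThreatintelClient, its list_indicators()
keyword arguments (type, value, threat_type_name,
confidence_greater_than_or_equal_to, page, limit) and Response.next_page.
SAMPLE_PAGES is constructed data standing in for the service.
"""
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple

# Hex digest lengths map onto the hash indicator types the page lists.
HASH_TYPES = {32: "MD5_HASH", 40: "SHA1_HASH", 64: "SHA256_HASH"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def classify_indicator(value: str) -> str:
    """Choose the indicator type for a raw observable before searching.

    Returns IP_ADDRESS, MD5_HASH, SHA1_HASH, SHA256_HASH, URL or DOMAIN_NAME,
    falling back to FILE_NAME.  THREAT_ACTOR and MALWARE names cannot be told
    apart from a string, and a file name such as report.pdf looks like a
    domain, so pass the type explicitly when you already know it.
    """
    v = value.strip()
    try:
        ipaddress.ip_address(v)
        return "IP_ADDRESS"
    except ValueError:
        pass
    if HEX_RE.match(v) and len(v) in HASH_TYPES:
        return HASH_TYPES[len(v)]
    if "://" in v:
        return "URL"
    if DOMAIN_RE.match(v):
        return "DOMAIN_NAME"
    return "FILE_NAME"


# A page fetcher takes the opc-next-page token (None for the first page) and
# returns (items_on_this_page, next_token); next_token is None on the last page.
PageFetcher = Callable[[Optional[str]], Tuple[List[dict], Optional[str]]]


def collect_indicators(fetch_page: PageFetcher, cap: int = 1000) -> Tuple[List[dict], bool]:
    """Follow next-page tokens until the result set is exhausted or `cap` is hit.

    Returns (items, truncated).  truncated is True when the cap was reached with
    a next-page token still outstanding: the service returns at most the most
    recent 1,000 results per parameter combination, so narrow the search
    (type + value, a higher confidence floor, a time window) instead of paging on.
    """
    items: List[dict] = []
    token: Optional[str] = None
    while True:
        page, token = fetch_page(token)
        items.extend(page)
        if token is None:
            return items, False
        if len(items) >= cap:
            return items[:cap], True


def sdk_fetcher(client, compartment_id: str, **filters) -> PageFetcher:
    """Adapt ThreatintelClient.list_indicators to a PageFetcher (assumed SDK surface).

    compartment_id must be the tenancy (root compartment) OCID, as the Note says;
    items come back as SDK model objects rather than the dicts used in the sample.
    """
    def fetch(token: Optional[str]):
        resp = client.list_indicators(compartment_id, page=token, limit=100, **filters)
        return list(resp.data.items), resp.next_page
    return fetch


# Constructed sample: three pages of summaries, five items in total.
SAMPLE_PAGES: Dict[Optional[str], Tuple[List[dict], Optional[str]]] = {
    None: ([{"value": "198.51.100.7", "confidence": 65, "labels": ["bruteforce"]},
            {"value": "198.51.100.8", "confidence": 85, "labels": ["bruteforce"]}], "p2"),
    "p2": ([{"value": "203.0.113.9", "confidence": 55, "labels": ["bruteforce"]},
            {"value": "203.0.113.10", "confidence": 70, "labels": ["bruteforce"]}], "p3"),
    "p3": ([{"value": "192.0.2.11", "confidence": 90, "labels": ["bruteforce"]}], None),
}


def sample_fetcher(token: Optional[str]):
    """PageFetcher over the constructed SAMPLE_PAGES (no network)."""
    return SAMPLE_PAGES[token]


if __name__ == "__main__":
    # Real call (needs the oci package and ~/.oci/config); the OCID is a placeholder:
    # import oci
    # client = oci.threat_intelligence.ThreatintelClient(oci.config.from_file())
    # fetch = sdk_fetcher(client, "<root_compartment_OCID>",
    #                     threat_type_name="bruteforce", confidence_greater_than_or_equal_to=50)
    found, truncated = collect_indicators(sample_fetcher)
    print(len(found), "indicators; truncated:", truncated)
    print(classify_indicator("198.51.100.7"), classify_indicator("mail.example.com"))
```

Swap sample_fetcher for the sdk_fetcher result to run against the service; the cap check stays the same because it keys off the next-page token, not off which fetcher produced the items.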
List all IP indicators with a specific threat type and minimum confidence score
POST /20220901/indicators/actions/summarize?compartmentId=<root_compartment_OCID>
Host: api-threatintel.us-ashburn-1.oci.oraclecloud.com
<authorization and other headers>

{
  "indicatorType": "IP_ADDRESS",
  "confidenceGreaterThanOrEqualTo": 50,
  "threatTypes": ["Criminal"]
}
Response:
{
  "data": {
    "items": [
      {
        "attributes": [
          { "name": "MaliciousConfidence", "value": "low" },
          { "name": "CSD", "value": "csa-220906" },
          { "name": "ThreatActor", "value": "solarspider" },
          { "name": "Malware", "value": "jsoutprox" }
        ],
        "compartmentId": "<indicator_compartment_id>",
        "confidence": 55,
        "geodata": {
          "adminDiv": "on",
          "city": "kennebrook",
          "countryCode": "ca",
          "geoId": "",
          "label": "abchost corp.",
          "latitude": "51.06",
          "longitude": "-114.09",
          "origin": "62563",
          "routedPrefix": ""
        },
        "id": "<indicator_OCID>",
        "lifecycleState": "ACTIVE",
        "threatTypes": [ "Criminal", "RAT" ],
        "timeCreated": "2022-08-30T19:15:09.237Z",
        "timeLastSeen": "2022-08-30T19:07:13.000Z",
        "timeUpdated": "2022-09-06T07:11:23.503Z",
        "type": "IP_ADDRESS",
        "value": "<indicator_IP_address>"
      }
    ]
  },
  "headers": {
    "Content-Length": "1091",
    "Content-Type": "application/json",
    "Date": "Fri, 09 Sep 2022 14:46:07 GMT",
    "X-Content-Type-Options": "nosniff",
    "opc-next-page": "MTY2MjA3ODU5NTAwMHx8b2NpZDEudGhyZWF0ZW50aXR5Lm9jMS4uYWFhYWFhYWF1MnFjeDU2bGdxamxscnVxNHdtZG1xdXp0ZmpqeGsyd3V3dmliNWd3cWZtc3V5dHJzYmxh",
    "opc-previous-page": "",
    "opc-request-id": "EFBD59D5E9AC4072A06750EB5AEBEA7A/EAF6F605F3CABF83C6BB7ABD9F3398A4/FD04F21730E00B8074A422238071544B"
  },
  "status": "200 OK"
}
Get details about a specific indicator
GET /20220901/indicators/<indicator_OCID>?compartmentId=<root_compartment_OCID>
Host: thi-control-plane-api-threatintelservice.us-ashburn-1.oci.oraclecloud.com
<authorization and other headers>
Response:
{
  "confidence": 80,
  "id": "<indicator_OCID>",
  "labels": [
    {
      "attribution": [
        {
          "score": 80,
          "source": { "name": "Oracle" },
          "timeFirstSeen": "2021-07-15T16:56:42.212Z",
          "timeLastSeen": "2021-07-22T11:26:05.000Z"
        }
      ],
      "label": { "id": "bruteforce", "label": "bruteforce" }
    }
  ],
  "malwareFamilies": [],
  "targets": [],
  "threatTypes": [],
  "timeCreated": "2021-04-30T19:56:40.514Z",
  "timeLastUpdated": "2021-07-22T11:49:27.000Z",
  "type": "IP_ADDRESS",
  "value": "<indicator_IP_address>"
}
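Turning a GetIndicator response into a triage decision, as an added example that is not part of this page. The overall confidence is the service's aggregate score, while each label carries its own per-source attribution scores and sighting times; the code below reads both and applies constructed rules (confidence floor, minimum label score, staleness window) that you would tune to your own environment. SAMPLE_DETAIL copies the shape of the response above with a constructed second label added; the thresholds, verdict names and the constructed-feed source are assumptions, not values from the page.

```python
"""Added example (not from the page): turn a GetIndicator response into a
triage verdict.  The thresholds, the verdict rules and SAMPLE_DETAIL are
constructed here; SAMPLE_DETAIL mirrors the response shape shown above."""
from datetime import datetime, timezone
from typing import Dict, Optional

# Constructed sample with the GetIndicator response shape; the second label
# and its "constructed-feed" source are invented for illustration.
SAMPLE_DETAIL = {
    "confidence": 80,
    "id": "<indicator_OCID>",
    "labels": [
        {
            "attribution": [
                {"score": 80, "source": {"name": "Oracle"},
                 "timeFirstSeen": "2021-07-15T16:56:42.212Z",
                 "timeLastSeen": "2021-07-22T11:26:05.000Z"},
            ],
            "label": {"id": "bruteforce", "label": "bruteforce"},
        },
        {
            "attribution": [
                {"score": 35, "source": {"name": "constructed-feed"},
                 "timeFirstSeen": "2021-05-02T08:00:00.000Z",
                 "timeLastSeen": "2021-06-30T09:15:00.000Z"},
            ],
            "label": {"id": "scanner", "label": "scanner"},
        },
    ],
    "malwareFamilies": [],
    "targets": [],
    "threatTypes": [],
    "timeCreated": "2021-04-30T19:56:40.514Z",
    "timeLastUpdated": "2021-07-22T11:49:27.000Z",
    "type": "IP_ADDRESS",
    "value": "<indicator_IP_address>",
}


def utc(year: int, month: int, day: int) -> datetime:
    """Aware UTC midnight for a calendar date (the 'now' used by triage)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_ts(value: str) -> datetime:
    """Parse the service's ISO-8601 'Z' timestamps into aware UTC datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def summarize_labels(detail: dict) -> Dict[str, dict]:
    """Per label: best attribution score, contributing sources, latest sighting."""
    out: Dict[str, dict] = {}
    for entry in detail.get("labels", []):
        attrs = entry.get("attribution", [])
        out[entry["label"]["id"]] = {
            "score": max((a["score"] for a in attrs), default=0),
            "sources": sorted({a["source"]["name"] for a in attrs}),
            "last_seen": max((parse_ts(a["timeLastSeen"]) for a in attrs), default=None),
        }
    return out


def triage(detail: dict, now: datetime, min_confidence: int = 50,
           max_age_days: int = 90, min_label_score: int = 50) -> dict:
    """Decide block / review / no_action for one indicator.

    Constructed rules, in order:
      overall confidence below min_confidence   -> no_action
      no label attributed with a strong score   -> review (weak attribution)
      latest sighting older than max_age_days   -> review (stale)
      otherwise                                 -> block
    """
    labels = summarize_labels(detail)
    strong = sorted(n for n, s in labels.items() if s["score"] >= min_label_score)
    sightings = [s["last_seen"] for s in labels.values() if s["last_seen"]]
    age_days: Optional[int] = (now - max(sightings)).days if sightings else None
    confidence = detail.get("confidence", 0)

    if confidence < min_confidence:
        verdict, reason = "no_action", f"confidence {confidence} < {min_confidence}"
    elif not strong:
        verdict, reason = "review", f"no label with attribution score >= {min_label_score}"
    elif age_days is None or age_days > max_age_days:
        verdict, reason = "review", f"last seen {age_days} days ago (limit {max_age_days})"
    else:
        verdict, reason = "block", f"confidence {confidence}, labels {strong}, seen {age_days} days ago"
    return {"value": detail.get("value"), "type": detail.get("type"),
            "verdict": verdict, "reason": reason, "age_days": age_days,
            "strong_labels": strong, "all_labels": sorted(labels)}


if __name__ == "__main__":
    print(triage(SAMPLE_DETAIL, now=utc(2021, 8, 1)))
```

Feed the JSON body of a real GetIndicator response (or the CLI's data field) to triage in place of SAMPLE_DETAIL; the staleness check is what keeps an old, once-confident indicator from being blocked automatically months after its last sighting.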