Threat Indicator Database

Use Oracle Cloud Infrastructure Threat Intelligence to search for information about known threat indicators, including suspicious IP addresses, domain names, and other digital fingerprints.

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be granted the required type of access in a policy written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool.

If you try to perform an action and get a message that you don’t have permission or are unauthorized, confirm with your administrator the type of access you were granted and which compartment you are supposed to work in.

For example, to allow users in the group SecurityAdmins to search for and view threat indicators in Threat Intelligence:

Allow group SecurityAdmins to read threat-intel-family in tenancy

See Threat Intelligence IAM Policies.

Indicator Types Across Database Graph

The Indicator types across database graph shows the number of threats of each indicator type in the database expressed as an absolute number and a percentage.

Mouse over each section of the graph for information about each specific threat type.

Searching for Threat Indicators

Search the Threat Intelligence database to learn more about specific threat indicators, such as an IP address or domain name. Learn about the indicator's history and its confidence score.

Use Threat Intelligence to facilitate forensic investigation into possible threats. Search results are limited to the most recent 1,000 results for any combination of search parameters.

To learn about the information found in the Threat Intelligence database, see Concepts.

You can search the Threat Intelligence database even if Cloud Guard hasn't detected any threats in your tenancy.

  1. Open the navigation menu and click Identity & Security. Under Threat Intelligence, click Threat Indicator Database.
  2. Choose what value you want to Search for.
    Search for | Entity
    IP address | Enter the source IP address of the threat indicator.
    URL | Enter the source URL of the threat indicator.
    Domain name | Enter the source domain name of the threat indicator.
    File name | Enter the filename of the malicious program.
    MD5 hash | Enter the MD5 hash generated from the request header of the threat indicator.
    SHA1 hash | Enter the SHA1 hash generated from the request header of the threat indicator.
    SHA256 hash | Enter the SHA256 hash generated from the request header of the threat indicator.
    Threat type | Select the type of threat. See Threat Types.
    Threat actor | Enter the name of the entity associated with the threat indicator.
    Malware | Enter the name of the malware program associated with the threat indicator.
  3. (Optional) Select the Date last reported.

    By default, the results only include threats detected in the last 30 days.

  4. (Optional) Select the minimum Confidence score of the threat indicator for which to search.

    A value from 0 to 100 that represents how confident Threat Intelligence is that the indicator is associated with malicious activity.

    By default, the results only include threat indicators with a score higher than 50.

  5. Click Search.
  6. To view more details about a threat indicator, click the indicator in the table of search results.
    The Indicator history shows the following items:
    • Dates that this threat indicator was first and last detected.
    • Threat type
    • Associated malware
    • Associated threat actors
    • Who detected the indicator (Oracle or another threat intelligence source)

To reset the search criteria, click Reset.

Because of agreements with our source partners, Threat Intelligence displays a maximum of 1,000 search results. If there are more than 1,000 results, then refine your search criteria.

Reporting a False Positive

If you suspect that a threat indicator is a false positive, create a support request and explain your reasoning.

Threat Intelligence investigates your request. If the findings are conclusive, Threat Intelligence adjusts the confidence level or removes the threat indicator from the result set.

  1. From the Console header, click the Help icon.
  2. Click Create Support Request.

    Include the following information in the request:

    • Tenancy OCID
    • Indicator OCID
    • Brief summary of your data quality concern

Using the CLI

For information about using the CLI, see Command Line Interface (CLI). For a complete list of flags and options available for CLI commands, see the CLI Command Reference.

Note

All Threat Intelligence resources are scoped to your entire tenancy. Specify the ID of the tenancy (root compartment) for all CLI commands.

List all indicators with a specific IP address

oci threat-intelligence indicator-summaries list-indicators --compartment-id <root_compartment_OCID> --type IP_ADDRESS --value <indicator_IP_address>

The supported indicator types are IP_ADDRESS, DOMAIN_NAME, URL, MD5_HASH, SHA1_HASH, SHA256_HASH, and FILE_NAME.

List all indicators with a specific threat type and minimum confidence score

oci threat-intelligence indicator-summaries list-indicators --compartment-id <root_compartment_OCID> --threat-type-name phishing --confidence-above 50

See Threat Types or use the threat-types-collection list-threat-types command.

Using the API

For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.

Use the following operations to search for threat indicators:

  • ListIndicators - Get a list of all indicators that match your search parameters
  • GetIndicator - Get details about a specific indicator
  • ListThreatTypes - Get a list of threat types that you can use as parameters when listing indicators

Note

All Threat Intelligence resources are scoped to your entire tenancy. Specify the ID of the tenancy (root compartment) for all API operations.

List all indicators with a specific IP address

GET /20220901/indicators?compartmentId=<root_compartment_OCID>&indicatorType=IP_ADDRESS&value=<indicator_IP_address>
Host: thi-control-plane-api-threatintelservice.us-ashburn-1.oci.oraclecloud.com
<authorization and other headers>

Response:

{
   "items": [
      {
        "confidence": 24,
        "id": "<indicator_OCID>",
        "labels": [
          "botnet"
        ],
        "timeCreated": "2021-08-10T11:04:53.680Z",
        "timeLastUpdated": "2021-09-01T13:22:41.000Z",
        "type": "IP_ADDRESS",
        "value": "<indicator_IP_address>"
      }
   ]
}

The supported indicator types are IP_ADDRESS, DOMAIN_NAME, URL, MD5_HASH, SHA1_HASH, SHA256_HASH, and FILE_NAME.

List all indicators with a specific threat type and minimum confidence score

GET /20220901/indicators?compartmentId=<root_compartment_OCID>&label=bruteforce&confidenceGreaterThanOrEqualTo=50
Host: thi-control-plane-api-threatintelservice.us-ashburn-1.oci.oraclecloud.com
<authorization and other headers>

Response:

{
   "items": [
      {
        "confidence": 65,
        "id": "<indicator_OCID>",
        "labels": [
          "bruteforce"
        ],
        "timeCreated": "2021-08-10T11:04:53.680Z",
        "timeLastUpdated": "2021-09-01T13:22:41.000Z",
        "type": "IP_ADDRESS",
        "value": "<indicator_IP_address>"
      },
      {
        "confidence": 85,
        "id": "<indicator_OCID>",
        "labels": [
          "bruteforce"
        ],
        "timeCreated": "2021-08-10T11:04:53.680Z",
        "timeLastUpdated": "2021-09-01T13:22:41.000Z",
        "type": "IP_ADDRESS",
        "value": "<indicator_IP_address>"
      }
   ]
}

See Threat Types.
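As an added example (not part of Oracle's documentation, CLI or SDK), the following Python script takes a ListIndicators response in the shape shown above and joins it against local log lines, applying the same cut-offs the Console uses by default (a score higher than 50, activity within the last 30 days) before flagging matches. The response, OCIDs, IP addresses and log lines are constructed sample data, and using timeLastUpdated as the recency field is an assumption of the example.

```python
"""Join Threat Intelligence search results against local log events.

Added example, not Oracle's code. It assumes the ListIndicators response
shape shown above: an object with an "items" list whose entries carry
"type", "value", "confidence", "labels" and "timeLastUpdated". All data
below (response, OCIDs, IP addresses, log lines) is constructed.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed response modeled on the ListIndicators examples above.
SAMPLE_RESPONSE = json.dumps({
    "items": [
        {"confidence": 24, "id": "ocid1.threatindicator.oc1..example1",
         "labels": ["botnet"], "timeCreated": "2021-08-10T11:04:53.680Z",
         "timeLastUpdated": "2021-09-01T13:22:41.000Z",
         "type": "IP_ADDRESS", "value": "203.0.113.10"},
        {"confidence": 85, "id": "ocid1.threatindicator.oc1..example2",
         "labels": ["bruteforce"], "timeCreated": "2021-08-10T11:04:53.680Z",
         "timeLastUpdated": "2021-09-20T08:00:00.000Z",
         "type": "IP_ADDRESS", "value": "198.51.100.7"},
        {"confidence": 70, "id": "ocid1.threatindicator.oc1..example3",
         "labels": ["phishing"], "timeCreated": "2021-01-01T00:00:00.000Z",
         "timeLastUpdated": "2021-03-01T00:00:00.000Z",
         "type": "DOMAIN_NAME", "value": "login-example.invalid"},
    ]
})

# Constructed sshd-style log lines (TEST-NET addresses only).
SAMPLE_LOG = """\
Sep 21 10:01:02 host1 sshd[1201]: Failed password for root from 198.51.100.7 port 51022 ssh2
Sep 21 10:01:05 host1 sshd[1202]: Accepted publickey for deploy from 192.0.2.44 port 40110 ssh2
Sep 21 10:02:11 host1 sshd[1203]: Failed password for admin from 203.0.113.10 port 51030 ssh2
"""

# Fixed "now" so the 30-day window is reproducible for the constructed data.
REFERENCE_NOW = datetime(2021, 9, 22, tzinfo=timezone.utc)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def load_items(response_json):
    """Return the "items" list from a ListIndicators response body."""
    return json.loads(response_json)["items"]


def parse_iso(ts):
    """Parse the YYYY-MM-DDTHH:MM:SS.mmmZ timestamps the API returns."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def filter_indicators(items, min_confidence=50, max_age_days=30, now=None):
    """Apply the Console's default cut-offs: a score higher than 50 and
    activity within the last 30 days. Using timeLastUpdated as the recency
    field is an assumption of this example."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    return [it for it in items
            if it["confidence"] > min_confidence
            and parse_iso(it["timeLastUpdated"]) >= cutoff]


def enrich_log(log_text, items):
    """Return one hit per log line whose IPv4 address is a kept indicator."""
    by_value = {it["value"]: it for it in items if it["type"] == "IP_ADDRESS"}
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for ip in IPV4_RE.findall(line):
            if ip in by_value:
                ind = by_value[ip]
                hits.append({"line": line_no, "ip": ip,
                             "confidence": ind["confidence"],
                             "labels": list(ind["labels"]),
                             "indicator_id": ind["id"]})
    return hits


def investigate(response_json, log_text, now=None):
    """Filter the search results, then flag log lines that reference them."""
    return enrich_log(log_text, filter_indicators(load_items(response_json), now=now))


if __name__ == "__main__":
    for hit in investigate(SAMPLE_RESPONSE, SAMPLE_LOG, now=REFERENCE_NOW):
        print(hit)
```

With the constructed data only the bruteforce indicator survives the default cut-offs (the botnet entry scores 24 and the phishing domain was last updated months earlier), so a single log line is flagged; lowering min_confidence to 0 keeps the botnet entry as well, which is the trade-off the Confidence score control in the Console exposes.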

List all IP indicators with a specific threat type and minimum confidence score

POST /20220901/indicators/actions/summarize?compartmentId=<root_compartment_OCID>
Host: api-threatintel.us-ashburn-1.oci.oraclecloud.com
<authorization and other headers>
{
    "indicatorType": "IP_ADDRESS",
    "confidenceGreaterThanOrEqualTo": 50,
    "threatTypes": ["Criminal"]
}

Response:

{
  "data": {
    "items": [
      {
        "attributes": [
          {
            "name": "MaliciousConfidence",
            "value": "low"
          },
          {
            "name": "CSD",
            "value": "csa-220906"
          },
          {
            "name": "ThreatActor",
            "value": "solarspider"
          },
          {
            "name": "Malware",
            "value": "jsoutprox"
          }
        ],
        "compartmentId": "<indicator_compartment_id>",
        "confidence": 55,
        "geodata": {
          "adminDiv": "on",
          "city": "kennebrook",
          "countryCode": "ca",
          "geoId": "",
          "label": "abchost corp.",
          "latitude": "51.06",
          "longitude": "-114.09",
          "origin": "62563",
          "routedPrefix": ""
        },
        "id": "<indicator_OCID>",
        "lifecycleState": "ACTIVE",
        "threatTypes": [
          "Criminal",
          "RAT"
        ],
        "timeCreated": "2022-08-30T19:15:09.237Z",
        "timeLastSeen": "2022-08-30T19:07:13.000Z",
        "timeUpdated": "2022-09-06T07:11:23.503Z",
        "type": "IP_ADDRESS",
        "value": "<indicator_IP_address>"
      }
    ]
  },
  "headers": {
    "Content-Length": "1091",
    "Content-Type": "application/json",
    "Date": "Fri, 09 Sep 2022 14:46:07 GMT",
    "X-Content-Type-Options": "nosniff",
    "opc-next-page": "MTY2MjA3ODU5NTAwMHx8b2NpZDEudGhyZWF0ZW50aXR5Lm9jMS4uYWFhYWFhYWF1MnFjeDU2bGdxamxscnVxNHdtZG1xdXp0ZmpqeGsyd3V3dmliNWd3cWZtc3V5dHJzYmxh",
    "opc-previous-page": "",
    "opc-request-id": "EFBD59D5E9AC4072A06750EB5AEBEA7A/EAF6F605F3CABF83C6BB7ABD9F3398A4/FD04F21730E00B8074A422238071544B"
  },
  "status": "200 OK"
}

See Threat Types.
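The summarize response above carries an opc-next-page header, so a result set larger than one page has to be walked page by page. As an added example that is not Oracle's code, the Python below follows that header until it comes back empty and flattens each indicator's attributes list (ThreatActor, Malware, MaliciousConfidence) into one record. It assumes the token is resent as the page query parameter, as other OCI list operations do; the transport, tokens, OCIDs, actor and malware names are constructed stand-ins for a signed HTTPS client and real data.

```python
"""Walk every page of a summarize response and flatten the attributes.

Added example, not Oracle's code. It assumes the response shape shown above
(a "data"/"items" body plus "headers" with "opc-next-page") and that the
token is resent as the "page" query parameter. The transport, tokens, OCIDs,
actor and malware names below are all constructed.
"""
from urllib.parse import urlencode

SUMMARIZE_PATH = "/20220901/indicators/actions/summarize"


def build_url(root_compartment_ocid, page=None,
              host="api-threatintel.us-ashburn-1.oci.oraclecloud.com"):
    """Build the summarize URL; "page" is the assumed token parameter."""
    params = {"compartmentId": root_compartment_ocid}
    if page:
        params["page"] = page
    return f"https://{host}{SUMMARIZE_PATH}?{urlencode(params)}"


def flatten_attributes(item):
    """Turn the name/value "attributes" list into plain fields."""
    attrs = {a["name"]: a["value"] for a in item.get("attributes", [])}
    return {"id": item["id"], "value": item["value"], "type": item["type"],
            "confidence": item["confidence"],
            "threatTypes": list(item.get("threatTypes", [])),
            "threatActor": attrs.get("ThreatActor"),
            "malware": attrs.get("Malware"),
            "maliciousConfidence": attrs.get("MaliciousConfidence")}


def fetch_all(send, body, max_pages=100):
    """Call send(body, page_token) until opc-next-page comes back empty.

    max_pages guards against a transport that keeps returning a token."""
    page, results = None, []
    for _ in range(max_pages):
        resp = send(body, page)
        if resp["status"] != "200 OK":
            raise RuntimeError(f"summarize failed: {resp['status']}")
        results.extend(flatten_attributes(i) for i in resp["data"]["items"])
        page = resp["headers"].get("opc-next-page") or None
        if page is None:
            return results
    raise RuntimeError(f"gave up after {max_pages} pages")


def make_item(ocid, ip, confidence, actor, malware, threat_types):
    """Constructed indicator in the shape of the summarize response."""
    return {"attributes": [{"name": "MaliciousConfidence", "value": "low"},
                           {"name": "ThreatActor", "value": actor},
                           {"name": "Malware", "value": malware}],
            "confidence": confidence, "id": ocid, "lifecycleState": "ACTIVE",
            "threatTypes": threat_types, "type": "IP_ADDRESS", "value": ip}


# Two constructed pages keyed by the token the client must send to get them.
SAMPLE_PAGES = {
    None: {"data": {"items": [make_item("ocid1.threatindicator.oc1..example1",
                                        "203.0.113.10", 55, "actor-a",
                                        "family-a", ["Criminal", "RAT"])]},
           "headers": {"opc-next-page": "constructed-token-2",
                       "opc-previous-page": ""},
           "status": "200 OK"},
    "constructed-token-2": {
        "data": {"items": [make_item("ocid1.threatindicator.oc1..example2",
                                     "198.51.100.7", 61, "actor-b",
                                     "family-b", ["Criminal"])]},
        "headers": {"opc-next-page": "", "opc-previous-page": "constructed-token-1"},
        "status": "200 OK"},
}

SUMMARIZE_BODY = {"indicatorType": "IP_ADDRESS",
                  "confidenceGreaterThanOrEqualTo": 50,
                  "threatTypes": ["Criminal"]}


class FakeTransport:
    """Stands in for a signed HTTPS client and records each page requested."""

    def __init__(self, pages):
        self.pages = pages
        self.calls = []

    def __call__(self, body, page):
        self.calls.append((body["indicatorType"], page))
        return self.pages[page]


def demo():
    """Run the paginator over the constructed pages; returns (records, calls)."""
    transport = FakeTransport(SAMPLE_PAGES)
    return fetch_all(transport, SUMMARIZE_BODY), transport.calls


if __name__ == "__main__":
    records, calls = demo()
    print(calls)
    for rec in records:
        print(rec)
```

To run this against the real service, replace FakeTransport with a function that signs the POST for build_url(root_compartment_ocid, page) with your OCI credentials and returns the parsed body, headers and status in the same shape; the max_pages cap is worth keeping so a stale or repeating token cannot turn the walk into an endless loop.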

Get details about a specific indicator

GET /20220901/indicators/<indicator_OCID>?compartmentId=<root_compartment_OCID>
Host: thi-control-plane-api-threatintelservice.us-ashburn-1.oci.oraclecloud.com
<authorization and other headers>

Response:

{
   "confidence": 80,
   "id": "<indicator_OCID>",
   "labels": [
      {
         "attribution": [
            {
               "score": 80,
               "source": {
                  "name": "Oracle"
               },
               "timeFirstSeen": "2021-07-15T16:56:42.212Z",
               "timeLastSeen": "2021-07-22T11:26:05.000Z"
            }
         ],
         "label": {
            "id": "bruteforce",
            "label": "bruteforce"
         }
      }
   ],
   "malwareFamilies": [],
   "targets": [],
   "threatTypes": [],
   "timeCreated": "2021-04-30T19:56:40.514Z",
   "timeLastUpdated": "2021-07-22T11:49:27.000Z",
   "type": "IP_ADDRESS",
   "value": "<indicator_IP_address>"
}

Threat Types

Threat Intelligence categorizes threats by different characteristics, including the methods used by the threat actor to compromise the target system's security, and the threat's symptoms.

Type Description
Adware Presents unwanted advertisements to users
Anomalous Is associated with unusual activity but might not be a threat
Atm_malware Uses automated teller machine (ATM) terminals to obtain bank card information and credentials
Backdoor Provides access to systems or data without normal authentication or encryption
Banking Targets financial institutions and banks
Botnets Uses a network of compromised, Internet-connected computers
Bruteforce Systematically tries many combinations of usernames and passwords
Clickfraud Simulates a user clicking an advertisement to generate revenue for the ad publisher
Commandcontrol Takes control of a computer that issues commands to other infected computers
Commandinjection Exploits a vulnerable application to run malicious commands on the host operating system
Commodity Uses readily available tools with little or no customization to perform security attacks
Credentialharvesting Identifies valid credentials for a system, often to sell or distribute to other actors
Criminal Uses tools that are typically sold and distributed by criminal organizations
Cryptocurrencytheft Infects blockchain or financial software to perform unauthorized transfers of cryptocurrency
Denialofservice Floods a target computer with requests so that it can't fulfill legitimate requests
DeploymentFramework Uses commercial or open source orchestration tools to deploy malware
Downloader Downloads and runs malware by pretending to be legitimate software
Dropper Installs a malicious program by pretending to be legitimate software
Emailattack Floods a target system with email messages, or sends emails containing malicious links or attachments
Exploit Takes advantage of a known hardware, software, network, or other vulnerability
Extortion Attacks or threatens to attack systems if target does not pay by the deadline
FileInfector Injects malicious code into executable files
Formjacking Uses an existing website to extract and copy data that users submit from an HTML form
Informationstealer Attempts to identify and copy sensitive or private information
Injection Exploits a vulnerable application by embedding malicious commands into request data
Keylogger Secretly monitors keystrokes and reports them back for collection
Loader Overrides the operating system's mechanism for loading and running programs and libraries
Maliciousscript Injects code fragments into a trusted website to compromise its security
Maninthebrowser Modifies a web browser to intercept and manipulate messages between the client and the server, typically to perform online transactions without the user's knowledge
Mineware Steals a system's resources (CPUs) to mine cryptocurrency
Mobilemalware Targets mobile devices, such as phones and tablets
Modular Targets a specific type of attack on a host after gathering system information and identifying vulnerabilities
Opensource Uses open source tools, such as penetration testing tools, to perform security attacks
Pathtraversal Exploits a vulnerable file system to access files and directories stored outside the web root folder
Phishing Sends an email that appears to be from a legitimate source but attempts to trick users into either providing sensitive information or running malicious programs
Pointofsale Uses point of sale (POS) and payment terminals to obtain credit card information and credentials
Proxy Uses an intermediary server between a user and the internet to help obfuscate the origin of requests
Ransomware Holds systems or data for ransom (typically through encryption) until a fee is paid
Rat A remote access trojan (RAT) program enables a remote actor to run commands on a target host by pretending to be legitimate software
Repurposedlegitimatesoftware Uses commercial or open source security tools that are normally used to detect or prevent threats
Rootkit Hides its files or processes from normal methods of monitoring to conceal its presence and activities
Solarwinds Attempts to exploit vulnerabilities in SolarWinds supply chain software
Spambot Sends large numbers of unsolicited emails, often as a vector for other types of attacks
Sqlinjectionattack Gains unauthorized access to a database by inserting malicious commands into legitimate SQL statements
Sshattack Attempts to modify login credentials for secure shell (SSH) access
Suspicious Is associated with unusual activity
Targeted Targets the resources or data of a specific organization or industry
Targetedcrimeware Steals the identities of users in a specific organization or industry to commit crimes like performing unauthorized financial transactions
Tor-exit-relay Uses The Onion Router (TOR) relays to conceal the source's identity
Vulnerabilityattack Exploits a hardware or software weakness to gain unauthorized access
Webattack Attacks web servers and their configurations
Webshell Enables persistent, unauthorized access to files on a web server through a command line interface
Xss Cross-site scripting (XSS) circumvents web server or client security by inserting malicious commands into web pages