Intro

The core value of OneFirewall Alliance lies in its capacity to extract IoC (Indicators of Compromise) information from alliance members. This involves anonymizing, weighting, and ultimately aggregating the IoCs into a common object shared among alliance members for actionable prevention. As a token of appreciation, OneFirewall rewards active alliance members who contribute by providing information about new IoCs (such as IPv4 addresses, domains, files, and URLs) or by reinforcing the assertion that existing IoCs are indeed malicious. This reciprocal exchange reinforces the collaborative strength of the alliance in enhancing proactive threat prevention. At the time of writing, OneFirewall gathers data not only from its alliance but also from various security partners, open-source repositories, internal security teams, and more. The breakdown of this data is outlined below.

Threat Intel Source Contribution

Source                       Contribution   Notes
Security Partners            ~27%           Security partners specialized in cyber-attack hunting
Alliance Members             ~43%           Customers of OneFirewall contributing to the Threat Intel data lake
Open-Source Data             ~21%           Crafted and collected by the Security Engineering team of OneFirewall
Internal Security Research   ~6%            OneFirewall’s research team, monitoring and reporting
Machine Learning             ~0.1%          Pattern extraction for forecasting threat actors
OneFirewall Honey-net        ~2%            Honeypot network collecting attack threat intel

Member Participation

An alliance member of OneFirewall can choose between two modes:
  • Consumer-only
    Regardless of on-prem or cloud installation, the member only consumes (reads) the latest threat intelligence.
  • Consumer-and-contributor
    The member can also report threat intelligence information back to the alliance, enhancing other members’ awareness of the latest threats.

Contributor

Active contribution within the alliance, termed “Contributor”, is characterized by members communicating IoCs such as IPv4 addresses, domains, URLs, or file digests back to the OneFirewall SaaS service. This sharing is based on the organization’s internal intelligence, derived from events indicative of malicious intent that were recorded and identified through automated or manual processes.

Outbound Data Sharing

Outbound data sharing refers to the information that an organization communicates back to the OneFirewall SaaS Cloud service in Contributor mode. Contributing members share at least the following information (in JSON format):
  • Actor: IPv4, URL, FileDigest, or domain name
  • Timestamp: Date and time of the report
  • Confidence: A numeric value (0.0 to 1.0) representing confidence in the actor’s maliciousness
  • Source (Optional): Appliance/Process used (e.g., manual, Appliance-X)
  • Event ID (Optional): Internal unique event ID
  • STIX (Optional): STIX v2.0 format bundle of the cyber attack
  • Tags (Optional): Tags separated by ","; example: report-00000
In addition, contributors must authenticate against the OneFirewall SaaS service, which identifies the member organization via a random ID. This ID is used in subsequent calculations to either add a new feed or update an existing feed with enhanced confidence. The information is submitted via the OneFirewall public HTTPS/API endpoint, which updates the Cyber Crime Score based on combined intelligence from other sources.

Example of Data

[
  {
    "ip": "8.8.8.8",
    "timestamp": 1759158848,
    "confidence": 0.5,
    "tags": "report_00000"
  }
]

Current Data Collection Plugins

  1. Manual replication of submitted events (UI on-prem instance)
  2. SIEM connector with ELK (Logstash config, case by case)
  3. Apache and NGINX ModSecurity
  4. SSH Logs
Being a contributing member implies only that OneFirewall can acknowledge the customer as an active contributor; no other information is shared or disclosed beyond a reference to this status.
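As an added example (not code from OneFirewall or from this page), the following Python builds a contribution object in the shape described under Outbound Data Sharing, enforces the 0.0 to 1.0 confidence range, and derives one report from a constructed sshd log line the way the SSH Logs plugin above would. Only the keys "ip", "timestamp", "confidence" and "tags" come from the page's example; "url", "file_digest", "domain", "source" and "event_id" are assumed key names, and nothing is sent to the OneFirewall API endpoint.

```python
import ipaddress
import json
import re

# Actor kinds named on the page: IPv4, URL, FileDigest, domain name.
_DIGEST_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
_SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")
# Constructed sshd line, as the "SSH Logs" plugin would see it (documentation address, not a real host).
SAMPLE_SSH_LINE = ("Sep 29 14:34:08 bastion sshd[2231]: Failed password for "
                   "invalid user admin from 203.0.113.5 port 51812 ssh2")

def classify_actor(actor: str) -> str:
    """JSON key for the actor: "ip" is from the page; "url", "file_digest", "domain" are assumed."""
    try:
        ipaddress.IPv4Address(actor)
        return "ip"
    except ValueError:
        pass
    if actor.lower().startswith(("http://", "https://")):
        return "url"
    if _DIGEST_RE.match(actor):
        return "file_digest"
    if _DOMAIN_RE.match(actor):
        return "domain"
    raise ValueError(f"unrecognised actor: {actor!r}")

def build_report(actor, confidence, timestamp, source=None, event_id=None, tags=None):
    """Build one contribution object; "source" and "event_id" are assumed key names."""
    confidence = float(confidence)
    if not 0.0 <= confidence <= 1.0:
        raise ValueError("confidence must be between 0.0 and 1.0")
    report = {classify_actor(actor): actor, "timestamp": int(timestamp), "confidence": confidence}
    if source:
        report["source"] = source
    if event_id:
        report["event_id"] = event_id
    if tags:
        report["tags"] = ",".join(tags)  # page: tags separated by ","
    return report

def report_from_ssh_line(line, reported_at, confidence=0.3):
    """Turn one failed-login sshd line into a report, or None if the line is not one."""
    m = _SSH_FAIL_RE.search(line)
    if not m:
        return None
    return build_report(m.group(1), confidence, reported_at, source="sshd", tags=["ssh-bruteforce"])

if __name__ == "__main__":
    print(json.dumps([report_from_ssh_line(SAMPLE_SSH_LINE, 1759158848)], indent=2))
```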

FAQs

Q: How is this information stored in the OneFirewall Data Lake?
A: The JSON information is stored with a randomly generated ID linked to the member, used only to generate anonymous data for updating the Cyber Crime Score.
Q: Do other OneFirewall members have access to what I submitted?
A: No. Other members only see the updated Crime Score.
Q: If I share information, can I later delete it?
A: Yes. At any point, a member can permanently delete (hard delete) their contributions.
Q: Is the handling of this information GDPR compliant?
A: Yes. The shared information contains no PII.
Q: Can I stop or pause my contributions?
A: Yes. Data collection/sharing is managed entirely on-premises, so you can pause or stop anytime.
Q: Can I choose which cyber events to contribute?
A: Currently, event-level selection is not supported, but a custom pattern can be applied upon request.
Q: How often is information contributed to the community?
A: Every 60 seconds (configurable).