Release Notes: New Consolidated Intel API Endpoint
New Endpoint: GET /api/v1/intel/<IPv4>
A dedicated API endpoint has been introduced to consolidate IPv4 intelligence data into a single response. This endpoint retrieves comprehensive information for analysis, visualization, and metrics generation without replacing existing APIs.
Endpoint URL: GET /api/v1/intel/<IPv4>
Purpose: Provides aggregated data from IPv4 feeds, geolocation, historical scores, reporting sectors, and threat intelligence observables. Optimized for third-party integrations within the OneFirewall ecosystem.
Response Structure
The API returns a JSON object with the following fields:

| Field | Type | Description |
|---|---|---|
| type | string | Input type: "ip", "domain", "url", or "sha". Returns undefined on request mismatch. |
| request | string | Original IPv4 input provided by the user. |
| timestamp | number | Unix timestamp when the data was generated. |
| timestamp_readable | string | Human-readable ISO 8601 timestamp (e.g., "2026-02-16T00:32:00Z"). |
| request_id | string | Unique identifier for this request. |
| body | object | JSON object mirroring data from IPv4 Feeds, including core threat indicators. |
| ip_info | object | Geolocation (country, city, lat/lon) and ASN details (owner, network range). |
| history | array<object> | Array of historical Crime Score entries, each with timestamp and score value. |
| sectors | array<string> | Sectors and industries (e.g., "finance", "healthcare") reporting the IPv4 as malicious. |
| countries | array<string> | ISO country codes where OneFirewall Alliance members reported attacks originating from this IPv4. |
| reports | array<string> | Reasons for reports (e.g., "phishing", "DDoS", "malware C2"). |
| members | array<string> | Subset of OneFirewall Alliance members who publicly reported this IPv4 (anonymized non-public members excluded). |
| mitre_id | array<string> | MITRE ATT&CK external IDs associated with observed tactics (e.g., "T1071.001"). |
| stix | array<object> | STIX 2.0/2.1 observables and indicators linked to this IPv4 (includes IDs, patterns, created_by_ref). |
| intel | array<object> | MITRE ATT&CK intelligence objects cross-referenced with mitre_id (tactics, techniques, descriptions). |
| agents | array<object> | All agents belonging to reporting alliance members (includes agent ID, version, last_seen). |
Sample Response
{
"type": "ip",
"request": "101.36.***.***",
"timestamp": 1771461453,
"timestamp_readable": "2026-02-16T00:37:33.702Z",
"request_id": "kaRQEhJOiusY",
"body": {
"gid": "OFA-RULE-GID-0Rd9qGMjk0lxrwjR",
"ip": "101.36.***.***",
"ts": 1771461076,
"blocked_by": [],
"unblocked_by": [],
"start": 1696884978,
"end": 1696884978,
"entry_ts": 1729044462,
"is_network": false,
"score": 581,
"ttl_by": [],
"info": {
"members": 26,
"events": 61,
"sources": [
"router"
],
"stix_bundles": [],
"attack_infos": [],
"notes": [
"luna3"
]
},
"reports": 2735,
"elk_ts": "2026-02-16T00:31:16.000Z",
"elk_entry_ts": "2024-10-16T02:07:42.000Z",
"delay": 0,
"dec": 8.3e-7
},
"ip_info": {
"as_domain": "ucloud.cn",
"as_name": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"asn": "AS135377",
"continent": "Asia",
"continent_code": "AS",
"country": "Japan",
"country_code": "JP"
},
"history": [
{
"ip": "101.36.***.***",
"members": 19,
"events": 24,
"elk_ts": "2025-11-22T00:17:15.000Z",
"ts": 1763770635,
"elk_entry_ts": "2024-10-16T02:07:42.000Z",
"current_ts": "2025-11-22T00:25:18.000Z",
"score": 415
},
{
"ip": "101.36.***.***",
"members": 19,
"events": 24,
"elk_ts": "2025-11-22T07:22:41.000Z",
"ts": 1763796161,
"elk_entry_ts": "2024-10-16T02:07:42.000Z",
"current_ts": "2025-11-22T08:10:00.000Z",
"score": 412
}
],
"sectors": [
"Cloud Provider IT",
"Threat Intel DE",
"Honeynet GB",
"Automotive NL",
"Cyber Threat Alliance USA",
"Security Provider US",
"Transportation IT",
"Financial Service IT",
"Software House GB",
"Tech Hub IT"
],
"countries": [
"IT",
"DE",
"GB",
"NL",
"US"
],
"reports": [
"Service Brute Force",
"indicator--9db300d4",
"DDOS Source attempts",
"Brute Force",
"Brute Force: Password Guessing",
"Remote Services: SSH",
"Valid Accounts",
"101.36.***.***",
"Scanning for Vulnerable Software",
"indicator--77a74faa",
"indicator--69420ee6",
"reconnaissance",
"initial-access",
"credential-access",
"defense-evasion",
"persistence",
"privilege-escalation",
"discovery"
],
"members": [
"Blocklist.de - fail2ban Reporting Service",
"OneFirewall DeceptionGrid",
"Huijbregts ict & cybersafety",
"Cyber Threat Alliance",
"AquilaX Security",
"TEC4I FVG: Human Technology Hub"
],
"mitre_ids": [
"T1046",
"T1595",
"T1595.002",
"T1110",
"T1566",
"T1078"
],
"stix": [
{
"id": "indicator--1a7c8688-5c0f-491e-948f-bc48ab20e509",
"type": "indicator",
"spec_version": "2.1",
"pattern": "[ipv4-addr:value = '101.36.***.***']",
"pattern_type": "stix",
"created": "2025-12-18T23:00:00.000Z",
"modified": "2025-12-18T23:00:00.000Z",
"valid_from": "2025-12-18T23:00:00.000Z",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"indicator_types": [
"malicious-activity"
],
"confidence": 70,
"object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
"created_by_ref": "identity--7b501448-4025-4783-bbf8-950e05e5c376",
"x_cta_received": "2025-12-19T16:10:19.000Z",
"x_cta_submission_id": "e0863061-b29f-40e7-b38a-3ff5e8b7f4e0",
"x_cta_submitted_by": "identity--7b501448-4025-4783-bbf8-950e05e5c376",
"x_cta_patn_obs_exprs": [
{
"observation_expression": "[ipv4-addr:value='101.36.***.***']",
"comparison_expressions": [
{
"path": "ipv4-addr:value",
"op": "=",
"value": "101.36.***.***"
}
],
"observation_expression_hash": "b52b88e6353b21d0f6950b2fec3543be714d257af38635a86249ee0762a42ce7"
}
],
"x_cta_hash_pattern_obs_exprs": [
"b52b88e6353b21d0f6950b2fec3543be714d257af38635a86249ee0762a42ce7"
],
"x_cta_hash_pattern": "e1d4a16b8df1e24c3f6a1474c3d8cd2496f1de8e0e4e637c5365b7e8b41d382e",
"x_cta_hash_identity": "72a6ccef68cfdf1dce69277e1b91246891d2d6fb95e46974e009717f2308422f",
"x_cta_hash_context": "1213f2e1fd7d6df4547021b17c3bec91245f2b7050f0faae391c2e1bc249c62a"
},
{
"id": "indicator--b86dbe41-4934-43ae-a830-f98d6ff8bd00",
"type": "indicator",
"spec_version": "2.1",
"pattern": "[ipv4-addr:value = '101.36.***.***']",
"pattern_type": "stix",
"modified": "2025-12-20T10:21:54.808Z",
"created": "2025-12-20T10:21:43.860Z",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"indicator_types": [
"malicious-activity"
],
"confidence": 90,
"object_marking_refs": [
"marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"
],
"created_by_ref": "identity--7b501448-4025-4783-bbf8-950e05e5c376",
"x_cta_received": "2025-12-21T14:52:08.000Z",
"x_cta_submission_id": "475ef319-33bf-436d-9420-e86533ea6199",
"x_cta_submitted_by": "identity--7b501448-4025-4783-bbf8-950e05e5c376",
"valid_from": "2025-12-20T10:21:43.860Z",
"x_cta_patn_obs_exprs": [
{
"observation_expression": "[ipv4-addr:value='101.36.***.***']",
"comparison_expressions": [
{
"path": "ipv4-addr:value",
"op": "=",
"value": "101.36.***.***"
}
],
"observation_expression_hash": "b52b88e6353b21d0f6950b2fec3543be714d257af38635a86249ee0762a42ce7"
}
],
"x_cta_hash_pattern_obs_exprs": [
"b52b88e6353b21d0f6950b2fec3543be714d257af38635a86249ee0762a42ce7"
],
"x_cta_hash_pattern": "e1d4a16b8df1e24c3f6a1474c3d8cd2496f1de8e0e4e637c5365b7e8b41d382e",
"x_cta_hash_identity": "72a6ccef68cfdf1dce69277e1b91246891d2d6fb95e46974e009717f2308422f",
"x_cta_hash_context": "2a2372f0a95fea8ad250879a5fdc62a0cb388e35af7c0614c9183569fd789270"
},
{
"name": "Scanning for Vulnerable Software",
"labels": [
"malicious-activity"
],
"pattern": "[ipv4-addr:value = '101.36.***.***']",
"created_by_ref": "identity--4d755f87-141e-4b71-9a1e-8e1ec9bba882",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed-martin-cyber-kill-chain",
"phase_name": "exploitation"
}
],
"type": "indicator",
"id": "indicator--31f339e6-5506-488b-a0f1-f0b9a537f98f",
"created": "2025-12-23T08:12:11.416Z",
"modified": "2025-12-23T08:12:11.416Z",
"valid_from": "2025-12-23T08:12:11.416Z",
"x_cta_received": "2025-12-23T08:12:12.000Z",
"x_cta_submission_id": "42f13bf6-9c80-4aee-ae2f-ce16c4d0d6a0",
"x_cta_submitted_by": "identity--4d755f87-141e-4b71-9a1e-8e1ec9bba882",
"x_cta_patn_obs_exprs": [
{
"observation_expression": "[ipv4-addr:value='101.36.***.***']",
"comparison_expressions": [
{
"path": "ipv4-addr:value",
"op": "=",
"value": "101.36.***.***"
}
],
"observation_expression_hash": "b52b88e6353b21d0f6950b2fec3543be714d257af38635a86249ee0762a42ce7"
}
],
"x_cta_hash_pattern_obs_exprs": [
"b52b88e6353b21d0f6950b2fec3543be714d257af38635a86249ee0762a42ce7"
],
"x_cta_hash_pattern": "e1d4a16b8df1e24c3f6a1474c3d8cd2496f1de8e0e4e637c5365b7e8b41d382e",
"x_cta_hash_identity": "9a9f2614b58ee6bcff385f25ef400c0fa3a0e4445a1a9d0353a7a601f90c7355",
"x_cta_hash_context": "9a9f2614b58ee6bcff385f25ef400c0fa3a0e4445a1a9d0353a7a601f90c7355"
},
{
"type": "indicator",
"id": "indicator--cef9bd32-6eed-4eb9-a4b1-a6f9377f985c",
"created_by_ref": "identity--269557e7-b2ac-42e5-8059-6e2f66bfe29d",
"created": "2025-11-30T18:01:20.650Z",
"modified": "2025-11-30T18:01:20.650Z",
"pattern": "[ipv4-addr:value = '101.36.***.***']",
"valid_from": "2025-11-30T18:01:20.650Z",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed-martin-cyber-kill-chain",
"phase_name": "reconnaissance"
}
],
"labels": [
"anomalous-activity"
],
"x_cta_received": "2025-11-30T18:01:24.000Z",
"x_cta_submission_id": "dc6f772a-f406-4869-bdb3-c6abd2ea1292",
"x_cta_submitted_by": "identity--269557e7-b2ac-42e5-8059-6e2f66bfe29d",
"x_cta_patn_obs_exprs": [
{
"observation_expression": "[ipv4-addr:value='101.36.***.***']",
"comparison_expressions": [
{
"path": "ipv4-addr:value",
"op": "=",
"value": "101.36.***.***"
}
],
"observation_expression_hash": "b52b88e6353b21d0f6950b2fec3543be714d257af38635a86249ee0762a42ce7"
}
],
"x_cta_hash_pattern_obs_exprs": [
"b52b88e6353b21d0f6950b2fec3543be714d257af38635a86249ee0762a42ce7"
],
"x_cta_hash_pattern": "e1d4a16b8df1e24c3f6a1474c3d8cd2496f1de8e0e4e637c5365b7e8b41d382e",
"x_cta_hash_identity": "3f55e1b7e5d0f654c661901fdc19e776e2659ebdaae121b0a914050605e96c08",
"x_cta_hash_context": "3f55e1b7e5d0f654c661901fdc19e776e2659ebdaae121b0a914050605e96c08"
},
{
"type": "indicator",
"id": "indicator--27d6880c-b1b4-49d1-af58-5458a53e4f72",
"created_by_ref": "identity--269557e7-b2ac-42e5-8059-6e2f66bfe29d",
"created": "2025-11-29T23:01:34.242Z",
"modified": "2025-11-29T23:01:34.242Z",
"pattern": "[ipv4-addr:value = '101.36.***.***']",
"valid_from": "2025-11-29T23:01:34.242Z",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed-martin-cyber-kill-chain",
"phase_name": "reconnaissance"
}
],
"labels": [
"anomalous-activity"
],
"x_cta_received": "2025-11-29T23:01:38.000Z",
"x_cta_submission_id": "484cc6b0-f829-40b0-a888-6fa6b28db9c1",
"x_cta_submitted_by": "identity--269557e7-b2ac-42e5-8059-6e2f66bfe29d",
"x_cta_patn_obs_exprs": [
{
"observation_expression": "[ipv4-addr:value='101.36.***.***']",
"comparison_expressions": [
{
"path": "ipv4-addr:value",
"op": "=",
"value": "101.36.***.***"
}
],
"observation_expression_hash": "b52b88e6353b21d0f6950b2fec3543be714d257af38635a86249ee0762a42ce7"
}
],
"x_cta_hash_pattern_obs_exprs": [
"b52b88e6353b21d0f6950b2fec3543be714d257af38635a86249ee0762a42ce7"
],
"x_cta_hash_pattern": "e1d4a16b8df1e24c3f6a1474c3d8cd2496f1de8e0e4e637c5365b7e8b41d382e",
"x_cta_hash_identity": "3f55e1b7e5d0f654c661901fdc19e776e2659ebdaae121b0a914050605e96c08",
"x_cta_hash_context": "3f55e1b7e5d0f654c661901fdc19e776e2659ebdaae121b0a914050605e96c08"
},
{
"id": "indicator--77a74faa-827f-4dbe-8992-7ea47646d7b5",
"spec_version": "2.1",
"name": "indicator--77a74faa",
"created_by_ref": "identity--d881d918-e772-4246-931d-23a0f1b739bb",
"type": "indicator",
"pattern_type": "stix",
"created": "2025-11-15T07:40:22.000Z",
"modified": "2025-12-01T06:20:05.000Z",
"indicator_types": [
"malicious-activity"
],
"pattern": "[ipv4-addr:value = '101.36.***.***']",
"valid_from": "2025-12-01T06:20:05.000Z",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "reconnaissance"
}
],
"x_cta_received": "2025-12-01T11:43:14.000Z",
"x_cta_submission_id": "50c41256-c3aa-4797-9d32-50441d95897b",
"x_cta_submitted_by": "identity--d881d918-e772-4246-931d-23a0f1b739bb",
"x_cta_patn_obs_exprs": [
{
"observation_expression": "[ipv4-addr:value='101.36.***.***']",
"comparison_expressions": [
{
"path": "ipv4-addr:value",
"op": "=",
"value": "101.36.***.***"
}
],
"observation_expression_hash": "b52b88e6353b21d0f6950b2fec3543be714d257af38635a86249ee0762a42ce7"
}
],
"x_cta_hash_pattern_obs_exprs": [
"b52b88e6353b21d0f6950b2fec3543be714d257af38635a86249ee0762a42ce7"
],
"x_cta_hash_pattern": "e1d4a16b8df1e24c3f6a1474c3d8cd2496f1de8e0e4e637c5365b7e8b41d382e",
"x_cta_hash_identity": "c5ccbe410803ed8e967234ca07a121c73d331cd496ec656fc3ffba2e7ae52d28",
"x_cta_hash_context": "c5ccbe410803ed8e967234ca07a121c73d331cd496ec656fc3ffba2e7ae52d28"
},
{
"type": "indicator",
"id": "indicator--84dde0ca-63da-4d3c-8028-750040943631",
"created_by_ref": "identity--269557e7-b2ac-42e5-8059-6e2f66bfe29d",
"created": "2025-12-14T23:01:19.789Z",
"modified": "2025-12-14T23:01:19.789Z",
"pattern": "[ipv4-addr:value = '101.36.***.***']",
"valid_from": "2025-12-14T23:01:19.789Z",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed-martin-cyber-kill-chain",
"phase_name": "reconnaissance"
}
],
"labels": [
"anomalous-activity"
],
"x_cta_received": "2025-12-14T23:01:22.000Z",
"x_cta_submission_id": "671f7f44-c4ea-4169-a145-1f90558fdace",
"x_cta_submitted_by": "identity--269557e7-b2ac-42e5-8059-6e2f66bfe29d",
"x_cta_patn_obs_exprs": [
{
"observation_expression": "[ipv4-addr:value='101.36.***.***']",
"comparison_expressions": [
{
"path": "ipv4-addr:value",
"op": "=",
"value": "101.36.***.***"
}
],
"observation_expression_hash": "b52b88e6353b21d0f6950b2fec3543be714d257af38635a86249ee0762a42ce7"
}
],
"x_cta_hash_pattern_obs_exprs": [
"b52b88e6353b21d0f6950b2fec3543be714d257af38635a86249ee0762a42ce7"
],
"x_cta_hash_pattern": "e1d4a16b8df1e24c3f6a1474c3d8cd2496f1de8e0e4e637c5365b7e8b41d382e",
"x_cta_hash_identity": "3f55e1b7e5d0f654c661901fdc19e776e2659ebdaae121b0a914050605e96c08",
"x_cta_hash_context": "3f55e1b7e5d0f654c661901fdc19e776e2659ebdaae121b0a914050605e96c08"
},
{
"id": "indicator--ac335e09-eaed-41ed-bab3-9b83984012d4",
"type": "indicator",
"spec_version": "2.1",
"pattern": "[ipv4-addr:value = '101.36.***.***']",
"pattern_type": "stix",
"created": "2025-12-12T23:00:00.000Z",
"modified": "2025-12-12T23:00:00.000Z",
"valid_from": "2025-12-12T23:00:00.000Z",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"indicator_types": [
"malicious-activity"
],
"confidence": 70,
"object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
"created_by_ref": "identity--7b501448-4025-4783-bbf8-950e05e5c376",
"x_cta_received": "2025-12-13T16:42:18.000Z",
"x_cta_submission_id": "a08c0945-9f14-4e17-96a4-b531d5c73eae",
"x_cta_submitted_by": "identity--7b501448-4025-4783-bbf8-950e05e5c376",
"x_cta_patn_obs_exprs": [
{
"observation_expression": "[ipv4-addr:value='101.36.***.***']",
"comparison_expressions": [
{
"path": "ipv4-addr:value",
"op": "=",
"value": "101.36.***.***"
}
],
"observation_expression_hash": "b52b88e6353b21d0f6950b2fec3543be714d257af38635a86249ee0762a42ce7"
}
],
"x_cta_hash_pattern_obs_exprs": [
"b52b88e6353b21d0f6950b2fec3543be714d257af38635a86249ee0762a42ce7"
],
"x_cta_hash_pattern": "e1d4a16b8df1e24c3f6a1474c3d8cd2496f1de8e0e4e637c5365b7e8b41d382e",
"x_cta_hash_identity": "72a6ccef68cfdf1dce69277e1b91246891d2d6fb95e46974e009717f2308422f",
"x_cta_hash_context": "1213f2e1fd7d6df4547021b17c3bec91245f2b7050f0faae391c2e1bc249c62a"
},
{
"id": "indicator--c67f6839-ec10-4594-af41-39c1d06cef05",
"type": "indicator",
"spec_version": "2.1",
"pattern": "[ipv4-addr:value = '101.36.***.***']",
"pattern_type": "stix",
"modified": "2025-12-12T18:54:35.584Z",
"created": "2025-12-12T18:54:18.519Z",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"indicator_types": [
"malicious-activity"
],
"confidence": 90,
"object_marking_refs": [
"marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"
],
"created_by_ref": "identity--7b501448-4025-4783-bbf8-950e05e5c376",
"x_cta_received": "2025-12-13T16:50:32.000Z",
"x_cta_submission_id": "84fa9794-20d9-44ee-a20e-70a548e9c542",
"x_cta_submitted_by": "identity--7b501448-4025-4783-bbf8-950e05e5c376",
"valid_from": "2025-12-12T18:54:18.519Z",
"x_cta_patn_obs_exprs": [
{
"observation_expression": "[ipv4-addr:value='101.36.***.***']",
"comparison_expressions": [
{
"path": "ipv4-addr:value",
"op": "=",
"value": "101.36.***.***"
}
],
"observation_expression_hash": "b52b88e6353b21d0f6950b2fec3543be714d257af38635a86249ee0762a42ce7"
}
],
"x_cta_hash_pattern_obs_exprs": [
"b52b88e6353b21d0f6950b2fec3543be714d257af38635a86249ee0762a42ce7"
],
"x_cta_hash_pattern": "e1d4a16b8df1e24c3f6a1474c3d8cd2496f1de8e0e4e637c5365b7e8b41d382e",
"x_cta_hash_identity": "72a6ccef68cfdf1dce69277e1b91246891d2d6fb95e46974e009717f2308422f",
"x_cta_hash_context": "2a2372f0a95fea8ad250879a5fdc62a0cb388e35af7c0614c9183569fd789270"
},
{
"type": "indicator",
"id": "indicator--148586ef-a02f-4f3f-b639-b907884db7ef",
"created_by_ref": "identity--269557e7-b2ac-42e5-8059-6e2f66bfe29d",
"created": "2025-12-16T13:01:22.120Z",
"modified": "2025-12-16T13:01:22.120Z",
"pattern": "[ipv4-addr:value = '101.36.***.***']",
"valid_from": "2025-12-16T13:01:22.120Z",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed-martin-cyber-kill-chain",
"phase_name": "reconnaissance"
}
],
"labels": [
"anomalous-activity"
],
"x_cta_received": "2025-12-16T13:01:25.000Z",
"x_cta_submission_id": "3e86d95e-8ec0-4e3e-abff-36bfc3070597",
"x_cta_submitted_by": "identity--269557e7-b2ac-42e5-8059-6e2f66bfe29d",
"x_cta_patn_obs_exprs": [
{
"observation_expression": "[ipv4-addr:value='101.36.***.***']",
"comparison_expressions": [
{
"path": "ipv4-addr:value",
"op": "=",
"value": "101.36.***.***"
}
],
"observation_expression_hash": "b52b88e6353b21d0f6950b2fec3543be714d257af38635a86249ee0762a42ce7"
}
],
"x_cta_hash_pattern_obs_exprs": [
"b52b88e6353b21d0f6950b2fec3543be714d257af38635a86249ee0762a42ce7"
],
"x_cta_hash_pattern": "e1d4a16b8df1e24c3f6a1474c3d8cd2496f1de8e0e4e637c5365b7e8b41d382e",
"x_cta_hash_identity": "3f55e1b7e5d0f654c661901fdc19e776e2659ebdaae121b0a914050605e96c08",
"x_cta_hash_context": "3f55e1b7e5d0f654c661901fdc19e776e2659ebdaae121b0a914050605e96c08"
}
],
"intel": [
{
"type": "course-of-action",
"name": "Brute Force Mitigation",
"description": "Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. \nToo strict a policy can create a denial of service condition and render environments un-usable, with all accounts being locked-out permanently. Use multifactor authentication. Follow best practices for mitigating access to [Valid Accounts](https://attack.mitre.org/techniques/T1078)\n\nRefer to NIST guidelines when creating passwords.(Citation: NIST 800-63-3)\n\nWhere possible, also enable multi factor authentication on external facing services.",
"phases": [],
"external_id": "T1110"
},
{
"type": "course-of-action",
"name": "Network Service Scanning Mitigation",
"description": "Use network intrusion detection/prevention systems to detect and prevent remote service scans. Ensure that unnecessary ports and services are closed and proper network segmentation is followed to protect critical servers and devices.\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to acquire information about services running on remote systems, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"phases": [],
"external_id": "T1046"
},
{
"type": "course-of-action",
"name": "Valid Accounts Mitigation",
"description": "Take measures to detect or prevent techniques such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or installation of keyloggers to acquire credentials through [Input Capture](https://attack.mitre.org/techniques/T1056). Limit credential overlap across systems to prevent access if account credentials are obtained. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled and use of accounts is segmented, as this is often equivalent to having a local administrator account with the same password on all systems. \n\nFollow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft Securing Privileged Access) \n\nAudit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. (Citation: TechNet Credential Theft) (Citation: TechNet Least Privilege) These audits should also include if default accounts have been enabled, or if new local accounts are created that have not be authorized. \n\nApplications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment. (Citation: US-CERT Alert TA13-175A Risks of Default Passwords on the Internet) When possible, applications that use SSH keys should be updated periodically and properly secured. ",
"phases": [],
"external_id": "T1078"
},
{
"type": "attack-pattern",
"name": "Vulnerability Scanning",
"description": "Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.\n\nThese scans may also include more broad attempts to [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592) that can be used to identify more commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts.(Citation: OWASP Vuln Scanning) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).",
"phases": [
"reconnaissance"
],
"external_id": "T1595.002"
},
{
"type": "attack-pattern",
"name": "Active Scanning",
"description": "Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.\n\nAdversaries may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols such as ICMP.(Citation: Botnet Scan)(Citation: OWASP Fingerprinting) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).",
"phases": [
"reconnaissance"
],
"external_id": "T1595"
},
{
"type": "attack-pattern",
"name": "Phishing",
"description": "Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.\n\nAdversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by [Email Spoofing](https://attack.mitre.org/techniques/T1672)(Citation: Proofpoint-spoof) the identity of the sender, which can be used to fool both the human recipient as well as automated security tools,(Citation: cyberproof-double-bounce) or by including the intended target as a party to an existing email thread that includes malicious files or links (i.e., \"thread hijacking\").(Citation: phishing-krebs)\n\nVictims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth)",
"phases": [
"initial-access"
],
"external_id": "T1566"
},
{
"type": "attack-pattern",
"name": "Brute Force",
"description": "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.(Citation: TrendMicro Pawn Storm Dec 2020) Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.(Citation: Dragos Crashoverride 2018) Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.\n\nBrute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), [Account Discovery](https://attack.mitre.org/techniques/T1087), or [Password Policy Discovery](https://attack.mitre.org/techniques/T1201). Adversaries may also combine brute forcing activity with behaviors such as [External Remote Services](https://attack.mitre.org/techniques/T1133) as part of Initial Access. \n\nIf an adversary guesses the correct password but fails to login to a compromised account due to location-based conditional access policies, they may change their infrastructure until they match the victim’s location and therefore bypass those policies.(Citation: ReliaQuest Health Care Social Engineering Campaign 2024)",
"phases": [
"credential-access"
],
"external_id": "T1110"
},
{
"type": "attack-pattern",
"name": "Valid Accounts",
"description": "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.\n\nIn some cases, adversaries may abuse inactive accounts: for example, those belonging to individuals who are no longer part of an organization. Using these accounts may allow the adversary to evade detection, as the original account user will not be present to identify any anomalous activity taking place on their account.(Citation: CISA MFA PrintNightmare)\n\nThe overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.(Citation: TechNet Credential Theft)",
"phases": [
"defense-evasion",
"persistence",
"privilege-escalation",
"initial-access"
],
"external_id": "T1078"
},
{
"type": "attack-pattern",
"name": "Network Service Discovery",
"description": "Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port, vulnerability, and/or wordlist scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021) \n\nWithin cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.\n\nWithin macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host’s registered services on the network. For example, adversaries can use a mDNS query (such as <code>dns-sd -B _ssh._tcp .</code>) to find other systems broadcasting the ssh service.(Citation: apple doco bonjour description)(Citation: macOS APT Activity Bradley)",
"phases": [
"discovery"
],
"external_id": "T1046"
}
],
"agents": [
{
"_id": "",
"agid": "OFA-AGENT-ID-********",
"plugin": "CloudArmor",
"active": true,
"hostname": "n/a",
"blacklist": [
],
"blacklist_size": 10082,
"ts": 1771460426,
"mgid": "OFA-GID-******",
"score_threshold": "190",
"code": 0,
"version": 10,
"config": {
"gaid": "OFA-AGENT-ID-*******",
"score_threshold": 150,
"start_from": 0,
"version": "v4.60.4",
"proxy": "CLOUD",
"installation_name": "gcp",
"sync_time": 200,
"maximum_rules": 99999998,
"running": "yes"
}
}
]
}
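A consumer of this endpoint should check the response shape before acting on it, tolerate the `mitre_id`/`mitre_ids` naming difference between the field table and the sample above, and join `mitre_ids` with the `intel` objects. The following is an added example, not OneFirewall's own client code; `SAMPLE` is a constructed, trimmed response in the page's shape, and 203.0.113.10 is a TEST-NET placeholder rather than a real indicator.

```python
"""Parse and validate a consolidated intel response (GET /api/v1/intel/<IPv4>).
Added example, not OneFirewall's client code. SAMPLE is a constructed, trimmed
response in the page's shape; 203.0.113.10 is a TEST-NET placeholder, not an IoC."""
import json
from collections import Counter

# Top-level fields the release notes document (mitre_id is checked separately).
EXPECTED_FIELDS = {"type", "request", "timestamp", "timestamp_readable",
                   "request_id", "body", "ip_info", "history", "sectors",
                   "countries", "reports", "members", "stix", "intel", "agents"}

SAMPLE = json.loads("""{
  "type": "ip", "request": "203.0.113.10", "timestamp": 1771461453,
  "timestamp_readable": "2026-02-16T00:37:33.702Z", "request_id": "req-0001",
  "body": {"ip": "203.0.113.10", "score": 581, "reports": 2735},
  "ip_info": {"asn": "AS64496", "country_code": "JP"},
  "history": [{"ts": 1763796161, "score": 412}, {"ts": 1763770635, "score": 415}],
  "sectors": ["Cloud Provider IT", "Honeynet GB"], "countries": ["IT", "DE", "GB"],
  "reports": ["Brute Force", "Remote Services: SSH"], "members": ["Honeynet GB"],
  "mitre_ids": ["T1046", "T1110", "T1078"],
  "stix": [
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
     "pattern": "[ipv4-addr:value = '203.0.113.10']", "confidence": 90,
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "command-and-control"}]},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
     "pattern": "[ipv4-addr:value = '203.0.113.10']",
     "kill_chain_phases": [{"kill_chain_name": "lockheed-martin-cyber-kill-chain", "phase_name": "reconnaissance"}]}],
  "intel": [
    {"type": "course-of-action", "name": "Brute Force Mitigation", "phases": [], "external_id": "T1110"},
    {"type": "attack-pattern", "name": "Brute Force", "phases": ["credential-access"], "external_id": "T1110"},
    {"type": "attack-pattern", "name": "Network Service Discovery", "phases": ["discovery"], "external_id": "T1046"}],
  "agents": []
}""")


def validate(resp: dict) -> list[str]:
    """Problems with the response shape; an empty list means it is safe to consume."""
    problems = []
    if resp.get("type") != "ip":
        # The docs return an undefined type on a request mismatch, so anything
        # other than "ip" is a failed lookup, not intel to act on.
        problems.append(f"unexpected type: {resp.get('type')!r}")
    problems += [f"missing field: {f}" for f in sorted(EXPECTED_FIELDS - set(resp))]
    if not {"mitre_id", "mitre_ids"} & set(resp):
        # The field table says mitre_id, the sample response says mitre_ids.
        problems.append("missing field: mitre_id/mitre_ids")
    if resp.get("request") != resp.get("body", {}).get("ip"):
        problems.append("request does not match body.ip")
    return problems

def score_change(resp: dict) -> int:
    """Current Crime Score minus the oldest history score (positive = worsening)."""
    oldest = min(resp["history"], key=lambda h: h["ts"], default=None)
    return resp["body"]["score"] - oldest["score"] if oldest else 0

def stix_phase_counts(resp: dict) -> Counter:
    """Number of STIX indicators placing the IP in each kill-chain phase."""
    counts = Counter()
    for ind in resp["stix"]:
        for ph in ind.get("kill_chain_phases", []):
            counts[f"{ph['kill_chain_name']}/{ph['phase_name']}"] += 1
    return counts

def cross_reference(resp: dict) -> dict[str, dict]:
    """Join mitre_ids with the intel objects: technique names, tactics and mitigations
    per ID. An ID with no intel object keeps empty entries, which is worth flagging."""
    ids = resp.get("mitre_ids") or resp.get("mitre_id") or []  # accept both spellings
    table = {tid: {"techniques": [], "tactics": set(), "mitigations": []} for tid in ids}
    for obj in resp["intel"]:
        entry = table.setdefault(obj["external_id"],
                                 {"techniques": [], "tactics": set(), "mitigations": []})
        if obj["type"] == "attack-pattern":
            entry["techniques"].append(obj["name"])
            entry["tactics"].update(obj.get("phases", []))
        elif obj["type"] == "course-of-action":
            entry["mitigations"].append(obj["name"])
    return table

def summarize(resp: dict) -> dict:
    """Compact view for a dashboard or ticket; refuses malformed responses."""
    problems = validate(resp)
    if problems:
        raise ValueError("; ".join(problems))
    return {"ip": resp["request"], "score": resp["body"]["score"],
            "score_change": score_change(resp),
            "reporting_countries": sorted(resp["countries"]),
            "kill_chain": dict(stix_phase_counts(resp)),
            "attack": cross_reference(resp)}

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE), indent=2, default=sorted))
```

`cross_reference` leaves T1078 with empty entries in the constructed sample, which is the case a dashboard should surface rather than silently drop.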

