ThreatSTOP tracks Indicators of Compromise (IOCs) and groups them as objects we call targets. Targets contain:
- DNS domains
- DNS server names and IP addresses
- IP addresses or IP subnets
Targets are the atomic building block for Policies.
The API service allows the retrieval of the list of targets and the attributes of each target. This is a read-only service. Each target has the following attributes:
- Name : a handle name - up to 8 characters
- Short Description : Purpose of the target (summary)
- Description : Long description
- Content type (is_ip, is_domain): the target contains either IP addresses/subnets, or domains and DNS server identifiers, respectively. A target contains only one of the two.
- Severity score: danger level of the IOCs contained in this target, on a scale of 0 (no danger) to 5 (very high)
- Confidence level: our confidence that the IOC is currently associated with the threat identified by the target, on a scale of 1 (low confidence) to 5 (very high confidence).
- Risk level: the likelihood that traffic from/to the IP addresses in the target (or resolving the domains/IPs) is malicious. For example: a connection to a CDN that is currently hosting malware has a low risk of being caused by an HTTP request tied to the malware download.
- Type: the type of Threat identified by the target
- Traffic Type: the type of network traffic associated with the IOCs (inbound vs outbound, or traffic associated with specific devices such as VOIP or Point of sale devices)
- Industry: identifies industries specifically targeted by the IOCs
While most targets identify threats, some targets can also be used for explicit whitelisting, i.e. adding firewall rules or DNS filtering rules that will allow traffic from the IPs/domains in the target, regardless of whether they are present in other targets. For example, this can be used to whitelist cloud providers such as Amazon AWS or Microsoft Azure.
The list of targets differs from account to account, for example based on device types and on targets acquired via ThreatSTOP’s marketplace.
The available flag indicates whether the target can be added to a policy on the account that the API key belongs to.
Target bundles are groups of targets. They allow quicker configuration of policies by adding all targets that match a set of filters. For example, a bundle can group all targets that track botnets regardless of the specific botnet type or instance, or all targets of a given severity and confidence level.
Bundles also provide the convenience of tracking changes made by ThreatSTOP to the list of targets and their configuration. For example, if a new botnet target is added, a policy that contains the botnet bundle will reflect the change automatically.
The bundle service returns the definition of the bundle (a list of filter criteria that match target attributes), along with bundle properties such as name, handle, description, and optionally, the current list of targets contained in the bundle(s).
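As an added illustration (not ThreatSTOP's own code or API schema), the following models targets with the attributes described above and resolves a bundle's filter criteria into the targets it currently contains, honouring the available flag. Attribute names, the `_min` threshold convention for the filter criteria, and all target records are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    """One target record; field names are assumed, not the real API schema."""
    name: str            # handle, up to 8 characters
    is_ip: bool          # contains IPs/subnets ...
    is_domain: bool      # ... or domains and DNS server identifiers (never both)
    severity: int        # 0 (no danger) .. 5 (very high)
    confidence: int      # 1 (low) .. 5 (very high)
    threat_type: str     # e.g. "botnet", "phishing"
    traffic_type: str    # "inbound" or "outbound"
    available: bool      # may this account add the target to a policy?

    def __post_init__(self):
        # Enforce the ranges and the one-content-type rule stated in the docs.
        if (len(self.name) > 8 or not 0 <= self.severity <= 5
                or not 1 <= self.confidence <= 5 or self.is_ip == self.is_domain):
            raise ValueError(f"invalid target record: {self.name}")


# Constructed sample targets (not real ThreatSTOP data).
TARGETS = [
    Target("botnet01", True, False, 5, 5, "botnet", "outbound", True),
    Target("botdom01", False, True, 4, 4, "botnet", "outbound", True),
    Target("phish01", False, True, 3, 5, "phishing", "outbound", True),
    Target("scan01", True, False, 2, 3, "scanner", "inbound", True),
    Target("mkt01", True, False, 5, 5, "botnet", "outbound", False),  # marketplace, not licensed
]


def bundle_targets(criteria: dict, targets=TARGETS, only_available=True):
    """Return the sorted handles of targets matching every bundle criterion.

    A key ending in "_min" is a minimum threshold on a numeric attribute
    (e.g. {"severity_min": 4}); any other key must match the attribute exactly.
    Targets the account cannot use are skipped unless only_available is False.
    """
    def matches(t: Target) -> bool:
        for key, wanted in criteria.items():
            if key.endswith("_min"):
                if getattr(t, key[:-4]) < wanted:
                    return False
            elif getattr(t, key) != wanted:
                return False
        return True

    return sorted(t.name for t in targets
                  if matches(t) and (t.available or not only_available))
```

A "botnet" bundle resolves to every botnet target the account can use, so a newly added botnet target appears in policies that reference the bundle without any policy change.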