
Viewing Active Threat Feeds and Threat Insight

BloxOne Threat Defense provides predefined threat intelligence feeds based on your subscription. The Infoblox Threat Defense Business On-Premises and Infoblox Threat Defense Business Cloud subscriptions offer a few more feeds than the Infoblox Threat Defense Essentials subscription. The Infoblox Threat Defense Advanced subscription offers a few more feeds than the Infoblox Threat Defense Business On-Premises and Infoblox Threat Defense Business Cloud subscriptions.

To view threat feeds and Threat Insight information associated with a security policy, see Viewing Feeds and Threat Insight Associated with a Security Policy.

For information on what feeds are included with each licensing and subscription level, see Licensing and Subscriptions.

For information on RPZ feeds, and which RPZ feeds are included at each subscription level, see RPZ Feeds.

Note

Reporting Incorrect Data: To report incorrect data, submit the Dossier Threat Research Feedback form. For information, see Dossier Threat Research Feedback.

Supported Threat Intelligence Feeds

The following is a list of all supported threat intelligence feeds and their descriptions. The Threat Feeds page displays only the supported feeds that your subscription offers.

AntiMalware
Enables protection against known malicious hostname threats that can take action on or control of your system, such as Malware Command & Control, Malware Download, and active Phishing sites.

AntiMalware IP (AntiMalware_IP)
Enables protection against known malicious or compromised IP addresses. These are known to host threats that can take action on or control of your system, such as Malware Command & Control, Malware Download, and active Phishing sites.

Base
Enables protection against known hostnames that are dangerous as destinations, such as APT, Bot, Compromised Host/Domains, Exploit Kits, Malicious Name Servers, and Sinkholes.

Infoblox Cloud Hits
Infoblox Cloud Hits is a custom RPZ feed that contains the domains blocked or redirected by Infoblox's threat intelligence feeds in the cloud.

Bogon
Bogons are commonly found as the source addresses of DDoS attacks. “Bogon” is an informal name for an IP packet on the public Internet that claims to be from an area of the IP address space reserved, but not yet allocated or delegated by the Internet Assigned Numbers Authority (IANA) or a delegated Regional Internet Registry (RIR). The areas of unallocated address space are called “bogon space”. Many ISPs and end-user firewalls filter and block bogons, because they have no legitimate use, and usually are the result of accidental or malicious misconfiguration.

Cryptocurrency
The use and mining of cryptocurrency is not inherently benign or malicious, and it is not used exclusively by threat actors or by general users. However, over the last several years it has been increasingly used for illegal and/or fraudulent activities such as human trafficking, black market sales and purchases, ransomware payments, and others. Cryptocurrency mining can impair system performance and expose end users and businesses to information theft, hijacking, and a plethora of other malware. This feed features indicators of activity that may indicate malicious or unauthorized use of resources, including: coinhive, which site owners can embed into their web pages to mine cryptocurrency with the visitor's permission as an alternative to web banner advertising; cryptojacking, where malicious actors use in-browser mining without the victim's consent; and cryptocurrency mining pools working together to mine cryptocurrency.

Custom
A custom, user-defined threat feed.

DHS AIS Domains (DHS_AIS_Domain)
Suspicious/malicious as destinations: The Department of Homeland Security's (DHS) Automated Indicator Sharing (AIS) program enables the exchange of cyber threat indicators between the Federal Government and the private sector. AIS is a part of the Department of Homeland Security's effort to create an ecosystem where as soon as a company or federal agency observes an attempted compromise, the indicator is shared with AIS program partners, including Infoblox. Hostname Indicators contained in this feed are not validated by DHS as the emphasis is on velocity and volume. Infoblox does not modify or verify the indicators. However, indicators from the AIS program are classified and normalized by Infoblox to ease consumption. Data included in this feed includes AIS data subject to the U.S. Department of Homeland Security Automated Indicator Sharing Terms of Use available at https://www.us-cert.gov/ais and must be handled in accordance with the Terms of Use. Prior to further distributing the AIS data, you may be required to sign and submit the Terms of Use. Please email ncciccustomerservice@hq.dhs.gov for additional information.

DHS AIS IPs (DHS_AIS_IP)
Suspicious/malicious as destinations: The Department of Homeland Security's (DHS) Automated Indicator Sharing (AIS) program enables the exchange of cyber threat indicators between the Federal Government and the private sector. AIS is a part of the Department of Homeland Security's effort to create an ecosystem where as soon as a company or federal agency observes an attempted compromise, the indicator is shared with AIS program partners, including Infoblox. IP indicators contained in this feed are not validated by DHS as the emphasis is on velocity and volume. Infoblox does not modify or verify the indicators. However, indicators from the AIS program are classified and normalized by Infoblox to ease consumption. Data included in this feed includes AIS data subject to the U.S. Department of Homeland Security Automated Indicator Sharing Terms of Use available at https://www.us-cert.gov/ais and must be handled in accordance with the Terms of Use. Prior to further distributing the AIS data, you may be required to sign and submit the Terms of Use. Please email ncciccustomerservice@hq.dhs.gov for additional information.

DOH Public Hostnames (Public_DOH)
The Public DOH feed provides a list of known public DNS services that tunnel their traffic over HTTP. The traffic may come from a browser (such as Mozilla Firefox), a piece of malware, or a user attempting to bypass your organization's DNS policies. This feed contains "canary" domains. When you protect your network at the DNS level, it is very important to block communications to any third-party DNS server your applications or devices may use. We recommend all organizations enable this blocking rule.

DOH Public IPs (Public_DOH_IP)
The Public DOH IP feed provides a list of known public DNS services that tunnel their traffic over HTTP. This may be from a browser (such as Mozilla Firefox), a piece of malware, or a user attempting to bypass your organization's DNS policies. This feed contains “canary” addresses. We recommend all organizations enable this blocking rule.

EECN IP (EECN_IP)
Organizations may choose to block this feed based on company policy. It contains IPs assigned to China and to Eastern European countries that are not part of the European Union. These countries are often found in cyber-attacks seeking intellectual property or other sensitive or classified data and stealing credit card or financial information. Countries include Belarus, China, Moldova, Russian Federation, and Turkey.

Extended Base and Anti-Malware Hostnames (Ext_Base_AntiMalware)
Suspicious/malicious as destinations: An extension of the Base and AntiMalware feeds that contains recently expired hostname indicators with an extended time-to-live (TTL) applied. The extended TTL provides a longer reach of protection for the DNS FW, but may also increase the risk of false positives, as some of these Base and AntiMalware related domains and hosts may no longer be active.

Extended Ransomware IPs (Ext_Ransomware)
Suspicious/malicious as destinations: An extension of the Ransomware feed that contains recently expired ransomware indicators with an extended time-to-live (TTL) applied. The extended TTL provides a longer reach of protection for the DNS FW, but may also increase the risk of false positives, as some of the ransomware related domains and hosts may no longer be active.

Extreme Block (IB_Extreme_Block)
This feed is designed to block the most malicious behaviors. This feed is not appropriate for most users, and is not recommended unless your specific environment has a unique need. Use at your own risk. It is a companion to the Extreme Log feed.

Extreme Log (IB_Extreme_Log)
This feed is designed to log potentially malicious indicators whose confidence is too low to include in the Extreme Block list. This feed is not appropriate for most users, and is not recommended unless your specific environment has a unique need. Use at your own risk. It is a companion to the Extreme Block feed.

High Block (IB_High_Block)
This is a best practice feed to block possibly risky sites, and is for environments where it is more important to block potentially malicious behavior than it is to avoid blocking the occasional non-malicious site. It is primarily used in environments where behavior is predictable, such as server farms and point-of-sale terminals. It is a companion to the High Log feed.

High Log (IB_Extreme_Log)
This is a best practice feed to log potentially malicious behavior. While these feeds are the most sensitive to malicious behavior, their indicators still have a confidence level that runs the risk of occasionally blocking benign sites. It is a companion to the High Block feed.

Low Block (IB_Low_Block)
This is a best practice feed to block malicious sites for organizations that are more concerned about accidental blocks than about allowing the occasional threat. Examples: service providers, universities, and public WiFi access points. It is a companion to the Low Log feed.

Low Log (IB_Low_Log)
This is a best practice feed to log potentially malicious sites for organizations that are more concerned about accidental blocks than about allowing the occasional threat. It is a companion to the Low Block feed.

Malware DGA Hostnames (Malware_DGA)
Domain generation algorithms (DGAs) are algorithms seen in various malware families that periodically generate a large number of domain names to serve as rendezvous points with the malware's command and control servers. Examples include Ramnit, Conficker, and Banjori.

Med Block (IB_Med_Block)
This is a best practice feed to block malicious sites that is balanced in its approach regarding threat enforcement. It is appropriate for most organizations. It is a companion feed to the Medium Log feed.

Med Log (IB_Med_Log)
This is a best practice feed to log potentially malicious sites. It logs malicious behavior that is suspicious, but does not have a confidence score high enough to warrant blocking. It is a companion to the Medium Block feed.

NOED (New_Observed_Emergent_Domains)
The NOED feed includes recently created and newly active domain names. These are not necessarily suspicious but some organizations may wish to log traffic going to these domains as there is a low likelihood that these domains would be visited normally.

Ransomware
Enables protection against ransomware taking over your system. Ransomware encrypts files on your system and requires you to pay in order to get them decrypted. This feed prevents ransomware from contacting the servers it needs in order to encrypt your files.

Suspicious Domains (Suspicious_Domains)
The Suspicious Domains feed enables protection against hostnames that have not been directly linked to malicious behavior but behave in a manner suggesting that malicious behavior may be imminent.

Suspicious Emergent Domains (Suspicious_NOED)
The Suspicious Emergent Domains feed includes high-risk new domains. These domains have only recently become active, and share one or more characteristics with known malicious domains, enough to warrant concern.

Suspicious Lookalike Domains (Suspicious_Lookalikes)
The Suspicious Lookalikes feed includes domains that appear to impersonate other trusted domains, but have demonstrated enough abnormal behavior to warrant concern.

TOR Exit Node IPs (TOR_Exit_Node_IP)
Tor exit nodes are the gateways where encrypted Tor traffic reaches the Internet. This means an exit node can be used to monitor Tor traffic after it leaves the onion network. The Tor network is designed so that locating the source of that traffic through the network is difficult.

US OFAC Sanctions IP Embargoed IPs (US_OFAC_Sanctions_IP_Embargoed)
The US OFAC Sanctions IP feed can be blocked based on company policy. The feed blocks nations that are embargoed (Cuba, Iran, Myanmar, North Korea, Syria, and Venezuela). More information can be found on the "Sanctions Programs and Country Information" page: https://www.treasury.gov/resource-center/sanctions/Programs/Pages/Programs.aspx

US OFAC Sanctions High IPs (US_OFAC_Sanctions_High)
The US OFAC Sanctions High IP feed can be blocked based on company policy. This feed blocks all of the nations in the embargoed list, plus the following: Belarus, Cambodia, Central African Republic, China, Democratic Republic of Congo, Iraq, Libya, Macao, Russia, and Yemen. It contains IPs assigned to the high-risk sanctioned countries listed by the US Treasury Office of Foreign Assets Control (OFAC). OFAC administers and enforces economic sanctions imposed by the United States against foreign countries. More information can be found on the "Sanctions Programs and Country Information" page: https://www.treasury.gov/resource-center/sanctions/Programs/Pages/Programs.aspx

US OFAC Sanctions Med IPs (US_OFAC_Sanctions_IP_Med)
The US OFAC Sanctions Med IP feed contains IPs assigned to the sanctioned countries listed by the US Treasury Office of Foreign Assets Control (OFAC). The Sanctions Med IP feed is dynamic and is determined by which countries currently comprise OFAC's list of sanctioned countries. Organizations may choose to block it based on company policy. OFAC administers and enforces economic sanctions imposed by the United States against foreign countries. More information can be found on the "Sanctions Programs and Country Information" page: https://www.treasury.gov/resource-center/sanctions/Programs/Pages/Programs.aspx

Infoblox Base
The Infoblox Base feed enables protection against known malicious or compromised domains. This includes known malware, ransomware, APTs, exploit kits, malicious name servers, sinkholes, etc. Infoblox recommends blocking these threats for all users.

Infoblox Base IP
The Infoblox Base IP feed enables protection against known malicious or compromised IP addresses. These IPs are known infrastructure hosting threats that can act on or control a system, such as C&C, malware downloads, and active phishing sites. We recommend blocking these threats for all users.

Infoblox High Risk
The Infoblox High Risk feed includes domains that are not yet confirmed but are highly suspicious and very likely to be used in a malicious act at some point. Although unconfirmed, these domains carry high threat and high confidence scores, so we recommend blocking them for most users. The feed includes Suspicious Domains, Suspicious Lookalikes, and Suspicious NOED (Newly Observed Emergent Domains) with a high combined score of threat and confidence levels.

Infoblox Medium Risk
The Infoblox Medium Risk feed includes domains that are not yet confirmed but still pose a medium risk. They are suspicious domains with a lower combined threat and confidence score than the High Risk feed but a higher one than the Low Risk feed. They could still be used in a malicious act, so we recommend blocking them for most users. The feed includes Suspicious Domains, Suspicious Lookalikes, and Suspicious NOED (Newly Observed Emergent Domains) with a medium combined score of threat and confidence levels.

Infoblox Low Risk
The Infoblox Low Risk feed includes domains that are not yet confirmed but are still suspicious and could be used in a malicious act. These domains carry a lower combined score of threat and confidence levels. It is recommended to monitor them with the Allow-WithLog option for most users and to use block mode in sensitive environments. The feed includes Suspicious Domains, Suspicious Lookalikes, and Suspicious NOED (Newly Observed Emergent Domains) with a lower combined score of threat and confidence levels.

Infoblox Informational
The Infoblox Informational feed includes domains with low threat and confidence levels. These are for informational use per the policy and sensitivity of the environment. This feed carries Newly Observed Emergent Domains (NOED). It is recommended to monitor them with the Allow-WithLog option for most users and to use block mode in sensitive environments, since new domains are for the most part not mission critical and are best allowed once they have been established for a longer time.
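The Infoblox Base through Informational descriptions above recommend Block for the confirmed and higher-risk feeds and Allow-WithLog for the lower-risk ones. The following added example (not Infoblox code) shows how a policy that consults feeds in precedence order resolves a query name that appears in more than one feed, and which hits a SOC would see as log-only events. The feed contents, the precedence order, and the assumption that a feed entry covers its subdomains (as an RPZ wildcard entry would) are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Feed:
    """One threat feed and the action the security policy applies to a hit."""
    name: str
    action: str               # "Block" or "Allow-WithLog"
    domains: set = field(default_factory=set)


# Constructed sample feed contents (illustrative names, not real indicators).
# List order is policy precedence: confirmed threats first, informational last.
# c2.example-malware.test is deliberately listed in both Base and Informational
# to show that the higher-precedence Block wins over the Allow-WithLog entry.
FEEDS = [
    Feed("Infoblox Base", "Block", {"c2.example-malware.test"}),
    Feed("Infoblox High Risk", "Block", {"paypa1-login.test"}),
    Feed("Infoblox Medium Risk", "Block", {"update-service.test"}),
    Feed("Infoblox Low Risk", "Allow-WithLog", {"cdn-new.test"}),
    Feed("Infoblox Informational", "Allow-WithLog",
         {"freshly-registered.test", "c2.example-malware.test"}),
]


def candidate_names(qname):
    """Return the query name followed by each parent domain, so a feed entry
    also covers its subdomains (assumed here, like an RPZ wildcard entry)."""
    labels = qname.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def evaluate(qname, feeds=FEEDS):
    """Return (action, feed_name) for the first matching feed in precedence
    order, or ("Allow", None) when no feed lists the name or a parent of it."""
    for feed in feeds:
        for name in candidate_names(qname):
            if name in feed.domains:
                return feed.action, feed.name
    return "Allow", None


def apply_policy(queries, feeds=FEEDS):
    """Evaluate a batch of query names. Returns the per-query action and the
    events an analyst would review: every feed hit, including the
    Allow-WithLog hits that were permitted but recorded."""
    decisions, events = {}, []
    for qname in queries:
        action, feed = evaluate(qname, feeds)
        decisions[qname] = action
        if feed is not None:
            events.append({"qname": qname, "feed": feed, "action": action})
    return decisions, events


if __name__ == "__main__":
    sample = ["www.c2.example-malware.test", "cdn-new.test", "example.com"]
    for qname, action in apply_policy(sample)[0].items():
        print(f"{qname:32} -> {action}")
```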
