ThreatFox (IOC Feed)
ThreatFox is a free threat intelligence platform from abuse.ch that provides indicators of compromise (IOCs) including malicious IPs, domains, URLs, and file hashes associated with malware and botnets.
Features
- Malware IOCs: IP addresses and domains associated with malware families
- Botnet C2: Command and control infrastructure indicators
- Hash Indicators: MD5 and SHA256 hashes of malicious files
- Confidence Scoring: Each IOC includes a confidence level (0-100)
- Updated Frequently: New indicators added continuously
- Free with Optional API Key: Higher rate limits with registration
Data Fields Added
When ThreatFox is enabled, logs matching IOCs will have these fields populated:
| Field | Description |
|---|---|
| ioc_src_ip_threat_type / ioc_dest_ip_threat_type | Threat category (e.g., "botnet_cc", "payload_delivery") |
| ioc_src_ip_malware / ioc_dest_ip_malware | Malware family name (e.g., "Cobalt Strike", "Emotet") |
| ioc_src_ip_confidence / ioc_dest_ip_confidence | Confidence level (0-100) |
| ioc_domain_threat_type | Threat type for matched domains |
| ioc_domain_malware | Malware family for matched domains |
| ioc_hash_threat_type | Threat type for matched file hashes |
| ioc_hash_malware | Malware family for matched hashes |
See Field Reference for the complete IOC field list.
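To make the enrichment concrete, the following added example (not part of this documentation or the product's code) populates the ioc_* fields above from a constructed IOC table, expires indicators past the configured TTL, and applies the same confidence threshold the queries later on this page use. The IOC table, the sample events and the assumption that TTL counts from local ingestion time are all constructed for illustration.

```python
from datetime import datetime, timedelta

TTL = timedelta(days=7)  # the page's default; assumed to count from local ingestion time

# Constructed IOC table keyed by indicator. The attributes mirror what the page
# says ThreatFox supplies: threat type, malware family and a 0-100 confidence.
IOC_TABLE = {
    "198.51.100.23": {"threat_type": "botnet_cc", "malware": "Cobalt Strike",
                      "confidence": 90, "ingested": "2024-03-01T00:00:00+00:00"},
    "203.0.113.7": {"threat_type": "payload_delivery", "malware": "Emotet",
                    "confidence": 60, "ingested": "2024-03-05T12:00:00+00:00"},
    "bad.example.net": {"threat_type": "botnet_cc", "malware": "Emotet",
                        "confidence": 100, "ingested": "2024-02-01T00:00:00+00:00"},
}

def active_iocs(table, now_iso, ttl=TTL):
    """Drop indicators older than the TTL, as the enrichment's TTL setting would."""
    now = datetime.fromisoformat(now_iso)
    return {k: v for k, v in table.items()
            if now - datetime.fromisoformat(v["ingested"]) <= ttl}

def enrich(event, iocs):
    """Populate the ioc_* fields from the Data Fields table for one log event."""
    out = dict(event)
    for side in ("src_ip", "dest_ip"):          # IP indicators: both directions
        hit = iocs.get(event.get(side))
        if hit:
            out[f"ioc_{side}_threat_type"] = hit["threat_type"]
            out[f"ioc_{side}_malware"] = hit["malware"]
            out[f"ioc_{side}_confidence"] = hit["confidence"]
    hit = iocs.get(event.get("domain"))         # domain indicators (no confidence field)
    if hit:
        out["ioc_domain_threat_type"] = hit["threat_type"]
        out["ioc_domain_malware"] = hit["malware"]
    return out

def high_confidence_match(event, threshold=80):
    """Same test as the query ioc_src_ip_confidence > 80 OR ioc_dest_ip_confidence > 80."""
    return any(event.get(f"ioc_{s}_confidence", 0) > threshold for s in ("src_ip", "dest_ip"))

if __name__ == "__main__":
    iocs = active_iocs(IOC_TABLE, "2024-03-06T00:00:00+00:00")  # bad.example.net has expired
    for e in [{"src_ip": "10.0.0.5", "dest_ip": "198.51.100.23"},   # constructed records
              {"src_ip": "10.0.0.9", "dest_ip": "192.0.2.1", "domain": "bad.example.net"}]:
        e = enrich(e, iocs)
        print(e, "<- high confidence" if high_confidence_match(e) else "")
```

Note that the expired domain indicator produces no ioc_domain_* fields at all, so a query such as `ioc_domain_threat_type != ""` stops matching once an IOC ages out, exactly the behaviour the TTL setting is meant to produce.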
Setting Up ThreatFox
- Navigate to Marketplace in the left sidebar
- Search for ThreatFox or find it in the Data tab
- Optional: Enter an API key for higher rate limits
- Register at threatfox.abuse.ch to get a free API key
- Configure TTL (time-to-live) for IOCs (default: 7 days)
- Set Sync Interval (default: every 6 hours)
- Click Save, then Sync Now
- Toggle Enabled to activate
Using ThreatFox Data in Queries
Find traffic to known malware infrastructure:
ioc_dest_ip_threat_type != "" OR ioc_domain_threat_type != ""
Filter by malware family:
ioc_src_ip_malware = "Cobalt Strike" OR ioc_dest_ip_malware = "Cobalt Strike"
High confidence IOC matches:
ioc_src_ip_confidence > 80 OR ioc_dest_ip_confidence > 80
Botnet C2 communication:
ioc_dest_ip_threat_type = "botnet_cc"
Any IOC match (source or destination):
ioc_src_ip_threat_type != "" OR ioc_dest_ip_threat_type != ""
Specific threat types:
ioc_dest_ip_threat_type IN ("botnet_cc", "payload_delivery")
Detection Rule Examples
Malware C2 Communication:
name: "ThreatFox IOC Match"
description: "Detects traffic to known malware infrastructure"
query: |
  ioc_dest_ip_threat_type != ""
  OR ioc_domain_threat_type != ""
severity: high
High Confidence Threat:
name: "High Confidence IOC Match"
description: "Detects high-confidence IOC matches from ThreatFox"
query: |
  ioc_src_ip_confidence > 80
  OR ioc_dest_ip_confidence > 80
severity: critical
Next Steps
- TOR Exit Nodes — Detect anonymized traffic
- Field Reference — Complete IOC field reference
- Troubleshooting — Fix ThreatFox issues