This notebook covers analysis of publicly exposed AWS S3 honeybucket logs using various features of msticpy. We start with how to acquire the data/logs by registering with a free third-party community service. Once we have acquired the logs, we cover how to parse them and convert them into a structured format for further analysis. After the data is prepared, we perform data exploration using pandas to extract some key insights, followed by data analysis and visualization using various built-in msticpy features.
The dataset is retrieved using the third-party service BreachInsider, which lets you create an AWS S3 honeybucket for free and alerts you whenever someone accesses it.
You can read more about the service in the blog post Honey Buckets — Find out who is snooping through your Amazon S3 buckets.
Whenever someone discovers and accesses this honeybucket, you get an email notification with a link to the dashboard.
When you click on an alert received in an email, it shows you all the historical logs on a single page. We registered a honeybucket named microsoft-devtest on 2020-02-07 23:02 UTC to collect some telemetry.
All of the logs from the dashboard are stored in a text file, AWSHoneyBucketLogs.txt.
Even though the logs are available in a central location, unfortunately they are not in a structured JSON file, so we have to clean and prepare the data in order to do the analysis. We can use the powerful data analysis features of Python to format and prepare the data.
A sample alert from the central link is shown below.
AWS Request Details
Event Type
AwsApiCall
Event Name
ListObjects
Request ID
CD5DFA0584AAC93D
Request User Agent
Ruby
User ID
{'type': 'AWSAccount', 'principalId': '', 'accountId': 'ANONYMOUS_PRINCIPAL'}
Request Parameters
{'bucketName': 'microsoft-devtest', 'Host': 'microsoft-devtest.s3.amazonaws.com'}
Alert #3 – 2020-02-11T03:33:15Z
Event ID: ccfe0554-89cf-42c8-931a-ac1e5ee6b30c
Event DateTime
2020-02-11T03:33:15Z
Alarm DateTime
2020-02-11T03:35:42.025640+00:00
Source IP
34.68.153.199
Request User Agent
python-requests/2.22.0
Repeated Attempts
1
As you can see, the data is not structured and cannot be used for analysis as-is. Below is a summary of the data cleaning steps performed.
import json
import re
import pprint
import pandas as pd
from IPython.display import display, HTML
import matplotlib
import squarify
import matplotlib.pyplot as plt
%matplotlib inline
REQ_PYTHON_VER=(3, 6)
REQ_MSTICPY_VER=(1, 4, 4)
display(HTML("<h3>Starting Notebook setup...</h3>"))
# If not using Azure Notebooks, install msticpy with
# !pip install msticpy
from msticpy import init_notebook
extra_imports = [
    "msticpy.sectools.ip_utils, convert_to_ip_entities",
    "msticpy.nbtools, entityschema",
    "msticpy.nbtools.ti_browser, browse_results",
    "msticpy.sectools.ip_utils, get_whois_info",
    "msticpy.sectools.geoip, GeoLiteLookup",
    "msticpy.nbtools.foliummap, FoliumMap",
    "msticpy.nbtools.foliummap, get_map_center",
]
init_notebook(
    namespace=globals(),
    additional_packages=["squarify"],
    extra_imports=extra_imports,
);
All packages are already installed
# Specify the input log filename
logfile_name = './data/AWS_Honeybucket_Logs.txt'
with open(logfile_name, 'r') as f:
    input_logs = f.read()
# Count lines, not characters, so the message matches what it claims
print(f"Total no of lines in the log file: {len(input_logs.splitlines())}")
# Display first 20 lines from the log file
display(HTML("<h4>Displaying preview of logfile...</h4>"))
logs_preview = "\n".join(input_logs.splitlines()[:20])
print(logs_preview)
Total no of lines in the log file: 163686
Breach Insider can help detect your business's next data breach. We know when your most critical asset – your customers' information – has made it into the wrong hands. Find Out How 🍯 microsoft-devtest Created: 2020-02-07 23:02 UTC Alert #264 – 2022-01-31T18:21:55Z Event ID: eb33cdca-78ea-42c1-a008-0176b61d2ddf Event DateTime 2022-01-31T18:21:55Z Alarm DateTime 2022-01-31T18:26:33.633682+00:00 Source IP 212.83.184.13 Request User Agent Boto3/1.17.40 Python/3.6.12 Linux/3.10.0-1160.6.1.el7.x86_64 Botocore/1.20.112 Repeated Attempts 1
def clean_logfile(logfile_name):
    "Function to split each alert and find and replace to create dictionary-like key-value pairs"
    # Read the file named by the parameter rather than relying on a global
    with open(logfile_name, "r") as f:
        input_logs = f.read()
    print("Splitting individual alerts...")
    s3log_records = re.split("AWS Request Details", input_logs)
    s3clean_logs = []
    print("Find and replace the data into clean unified format...")
    # Excluding first and last chunk, which are dashboard header/footer text rather than access alerts
    for logs in s3log_records[1:-1]:
        # Join each label with the value on the following line into a "Key:Value" line
        logs = re.sub("Event Type\n", "Event Type:", logs)
        logs = re.sub("Event Name\n", "Event Name:", logs)
        logs = re.sub("Request ID\n", "Request ID:", logs)
        logs = re.sub("Request User Agent\n", "Request User Agent:", logs)
        logs = re.sub("User ID\n", "User ID:", logs)
        logs = re.sub("Request Parameters\n", "Request Parameters:", logs)
        logs = re.sub("Alert #", "Alert: ", logs)
        logs = re.sub("Event ID: ", "Event ID:", logs)
        logs = re.sub("Event DateTime\n", "Event DateTime:", logs)
        logs = re.sub("Alarm DateTime\n", "Alarm DateTime:", logs)
        logs = re.sub("Source IP\n", "Source IP:", logs)
        logs = re.sub("Repeated Attempts\n", "Repeated Attempts:", logs)
        # Each chunk carries two "Request User Agent" lines; drop the first and keep the second
        logs = re.sub("Request User Agent:.*", "", logs, 1)
        # Drop the AccessDenied error lines so every remaining line is a key:value pair
        logs = re.sub("Error Code", "", logs, 1)
        logs = re.sub("AccessDenied", "", logs, 1)
        logs = re.sub("Error Message", "", logs, 1)
        logs = re.sub("Access Denied", "", logs, 1)
        s3clean_logs.append(logs)
    return s3clean_logs


def create_dicts(clean_logs):
    "Function to create key value pairs and return list of json records"
    list_of_json_records = []
    print("\nCreating dictionary pairs from clean dataset...")
    for event in clean_logs:
        # remove empty strings
        lines = [i for i in event.split("\n") if i]
        parsed_dict = {}
        for line in lines:
            # Skip any stray line that has no key:value separator
            if ":" not in line:
                continue
            # Creating key value pairs and adding to dictionary
            key, value = line.split(":", 1)
            parsed_dict[key.strip()] = value.strip()
        list_of_json_records.append(parsed_dict)
    return list_of_json_records
display(HTML("<h4>Cleaning log file and creating structured json file...</h4>"))
s3clean_logs = clean_logfile(logfile_name)
list_of_json_records = create_dicts(s3clean_logs)
print(f"\nTotal no of Alerts from original logs: {len(list_of_json_records)}")
display(HTML("<h4>Displaying sample alert post cleaning...</h4>"))
pprint.pprint(list_of_json_records[0])
Splitting individiual alerts... Find and replace the data into clean unified format... Creating dictionary pairs from clean dataset... Total no of Alerts from original logs: 262
{'Alarm DateTime': '2022-01-31T14:39:09.605190+00:00',
 'Alert': ' 263 – 2022-01-31T14:38:27Z',
 'Event DateTime': '2022-01-31T14:38:27Z',
 'Event ID': '7e75ac66-2d6f-4a2c-8921-489be88c65b1',
 'Event Name': 'ListObjects',
 'Event Type': 'AwsApiCall',
 'Repeated Attempts': '1',
 'Request ID': 'DBHD1NBK6P65FE8B',
 'Request Parameters': "{'list-type': '2', 'bucketName': 'microsoft-devtest', 'Host': 'microsoft-devtest.s3.amazonaws.com', 'encoding-type': 'url'}",
 'Request User Agent': 'Boto3/1.17.40 Python/3.6.12 Linux/3.10.0-1160.6.1.el7.x86_64 Botocore/1.20.112',
 'Source IP': '212.83.184.14',
 'User ID': "{'type': 'AWSAccount', 'principalId': '', 'accountId': 'ANONYMOUS_PRINCIPAL'}"}
# Load the list of JSON records into a dataframe
df = pd.DataFrame(list_of_json_records)
df.head()
| | Event Type | Event Name | Request ID | User ID | Request Parameters | Alert | Event ID | Event DateTime | Alarm DateTime | Source IP | Request User Agent | Repeated Attempts |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | AwsApiCall | ListObjects | DBHD1NBK6P65FE8B | {'type': 'AWSAccount', 'principalId': '', 'accountId': 'ANONYMOUS_PRINCIPAL'} | {'list-type': '2', 'bucketName': 'microsoft-devtest', 'Host': 'microsoft-devtest.s3.amazonaws.co... | 263 – 2022-01-31T14:38:27Z | 7e75ac66-2d6f-4a2c-8921-489be88c65b1 | 2022-01-31T14:38:27Z | 2022-01-31T14:39:09.605190+00:00 | 212.83.184.14 | Boto3/1.17.40 Python/3.6.12 Linux/3.10.0-1160.6.1.el7.x86_64 Botocore/1.20.112 | 1 |
| 1 | AwsApiCall | ListObjects | YRJ65RPXZNGK7VQH | {'type': 'AWSAccount', 'principalId': '', 'accountId': 'ANONYMOUS_PRINCIPAL'} | {'list-type': '2', 'bucketName': 'microsoft-devtest', 'Host': 'microsoft-devtest.s3.amazonaws.co... | 262 – 2022-01-31T03:54:25Z | 155a578b-56df-4159-84de-df7d57ddf26c | 2022-01-31T03:54:25Z | 2022-01-31T03:58:26.275480+00:00 | 88.218.82.128 | Java/1.8.0_201 | 1 |
| 2 | AwsApiCall | HeadBucket | JYSHBKCE4J9DS8K5 | {'type': 'AWSAccount', 'principalId': '', 'accountId': 'ANONYMOUS_PRINCIPAL'} | {'bucketName': 'microsoft-devtest', 'Host': 'microsoft-devtest.s3.amazonaws.com'} | 261 – 2022-01-30T18:28:31Z | 42dd41f1-93cb-4085-8342-c7b4ec499a79 | 2022-01-30T18:28:31Z | 2022-01-30T18:29:57.302040+00:00 | 212.83.184.16 | Boto3/1.17.40 Python/3.6.12 Linux/3.10.0-1160.6.1.el7.x86_64 Botocore/1.20.112 | 1 |
| 3 | AwsApiCall | ListObjects | 66PHY3JF14ANGJH8 | {'type': 'AWSAccount', 'principalId': '', 'accountId': 'ANONYMOUS_PRINCIPAL'} | {'list-type': '2', 'bucketName': 'microsoft-devtest', 'Host': 'microsoft-devtest.s3.amazonaws.co... | 260 – 2022-01-30T14:28:44Z | 33143f5e-4d85-4827-b1c8-1900763febba | 2022-01-30T14:28:44Z | 2022-01-30T14:32:14.020955+00:00 | 212.83.184.15 | Boto3/1.17.40 Python/3.6.12 Linux/3.10.0-1160.6.1.el7.x86_64 Botocore/1.20.112 | 1 |
| 4 | AwsApiCall | ListObjects | PCM2P7FSY5DFW99M | {'type': 'AWSAccount', 'principalId': '', 'accountId': 'ANONYMOUS_PRINCIPAL'} | {'list-type': '2', 'bucketName': 'microsoft-devtest', 'Host': 'microsoft-devtest.s3.amazonaws.co... | 259 – 2022-01-29T18:03:13Z | dff8e5ab-baa3-43ff-8023-596064565ef4 | 2022-01-29T18:03:13Z | 2022-01-29T18:07:30.430153+00:00 | 212.83.184.15 | Boto3/1.17.40 Python/3.6.12 Linux/3.10.0-1160.6.1.el7.x86_64 Botocore/1.20.112 | 1 |
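As an added example (not code from the notebook), the following is a stand-alone, stdlib-only parser for the same alert export that the notebook cleans with regex substitutions above. It splits on the "AWS Request Details" banner as the notebook does, but also turns the User ID and Request Parameters fields into real dicts with ast.literal_eval, converts the timestamps, computes the alarm latency per alert, keeps the AccessDenied error fields instead of stripping them, and produces a small triage summary. The embedded sample log is constructed from the page's sample alert plus a second, made-up AccessDenied alert with placeholder IDs and an RFC 5737 documentation address.

```python
"""Stand-alone parser for the BreachInsider honeybucket alert export (stdlib only)."""
import ast
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional

# Labels the export prints on their own line, with the value on the following line.
FIELD_LABELS = {
    "Event Type", "Event Name", "Request ID", "Request User Agent", "User ID",
    "Request Parameters", "Event DateTime", "Alarm DateTime", "Source IP",
    "Repeated Attempts", "Error Code", "Error Message",
}
DICT_FIELDS = ("User ID", "Request Parameters")  # printed as Python dict literals
TIME_FIELDS = ("Event DateTime", "Alarm DateTime")
ALERT_RE = re.compile(r"^Alert #(\d+)\s+[\u2013-]\s+\S+$")  # "Alert #3 – 2020-02-11T03:33:15Z"


def parse_alert(block: str) -> Optional[Dict[str, object]]:
    """Parse one chunk between 'AWS Request Details' banners; None if it is not an alert."""
    lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
    record: Dict[str, object] = {}
    i = 0
    while i < len(lines):
        line = lines[i]
        match = ALERT_RE.match(line)
        if match:
            record["Alert"] = int(match.group(1))
        elif line.startswith("Event ID:"):
            record["Event ID"] = line.split(":", 1)[1].strip()
        elif line in FIELD_LABELS and i + 1 < len(lines):
            # "Request User Agent" occurs twice per chunk; as in the notebook the later
            # (alert-side) value wins, since a repeated label simply overwrites here.
            record[line] = lines[i + 1]
            i += 1  # skip the value line
        i += 1
    if "Event ID" not in record:
        return None  # dashboard header/footer text, not an access alert
    for field in DICT_FIELDS:
        if field in record:
            try:  # literal_eval, never eval(): this is attacker-influenced honeypot data
                record[field] = ast.literal_eval(record[field])
            except (ValueError, SyntaxError):
                pass  # keep the raw string when it is not a clean literal
    for field in TIME_FIELDS:
        if field in record:  # fromisoformat() wants '+00:00', not a trailing 'Z'
            record[field] = datetime.fromisoformat(record[field].replace("Z", "+00:00"))
    if all(field in record for field in TIME_FIELDS):
        delta = record["Alarm DateTime"] - record["Event DateTime"]
        record["Alarm Latency Sec"] = delta.total_seconds()  # detection delay per alert
    if "Repeated Attempts" in record:
        record["Repeated Attempts"] = int(record["Repeated Attempts"])
    return record


def parse_honeybucket_log(text: str) -> List[Dict[str, object]]:
    """Split the export on the per-alert banner, as the notebook does, and parse each chunk."""
    parsed = (parse_alert(block) for block in re.split(r"AWS Request Details", text))
    return [record for record in parsed if record is not None]


def summarize(records: List[Dict[str, object]]) -> Dict[str, object]:
    """First-pass triage counts: who touched the bucket, which calls, anonymous vs denied."""
    anonymous = [r for r in records if isinstance(r.get("User ID"), dict)
                 and r["User ID"].get("accountId") == "ANONYMOUS_PRINCIPAL"]
    return {
        "by_source_ip": dict(Counter(r.get("Source IP") for r in records)),
        "by_event_name": dict(Counter(r.get("Event Name") for r in records)),
        "anonymous": len(anonymous),
        "access_denied": sum(1 for r in records if r.get("Error Code") == "AccessDenied"),
    }


# Constructed sample: the page's alert #3, then a made-up AccessDenied alert (placeholder
# request/event IDs, RFC 5737 documentation address), laid out like the dashboard export.
SAMPLE_LOG = "\n".join([
    "microsoft-devtest Created: 2020-02-07 23:02 UTC",  # dashboard header, not an alert
    "AWS Request Details", "Event Type", "AwsApiCall", "Event Name", "ListObjects",
    "Request ID", "CD5DFA0584AAC93D", "Request User Agent", "Ruby",
    "User ID", "{'type': 'AWSAccount', 'principalId': '', 'accountId': 'ANONYMOUS_PRINCIPAL'}",
    "Request Parameters", "{'bucketName': 'microsoft-devtest', 'Host': 'microsoft-devtest.s3.amazonaws.com'}",
    "Alert #3 – 2020-02-11T03:33:15Z", "Event ID: ccfe0554-89cf-42c8-931a-ac1e5ee6b30c",
    "Event DateTime", "2020-02-11T03:33:15Z", "Alarm DateTime", "2020-02-11T03:35:42.025640+00:00",
    "Source IP", "34.68.153.199", "Request User Agent", "python-requests/2.22.0",
    "Repeated Attempts", "1",
    "AWS Request Details", "Event Type", "AwsApiCall", "Event Name", "GetObject",
    "Request ID", "CONSTRUCTED-REQUEST-ID", "Request User Agent", "aws-cli/2.0.0",
    "User ID", "{'type': 'AWSAccount', 'principalId': '', 'accountId': 'ANONYMOUS_PRINCIPAL'}",
    "Request Parameters", "{'bucketName': 'microsoft-devtest', 'key': 'readme.txt'}",
    "Error Code", "AccessDenied", "Error Message", "Access Denied",
    "Alert #4 – 2020-02-12T10:00:00Z", "Event ID: 00000000-0000-4000-8000-000000000004",
    "Event DateTime", "2020-02-12T10:00:00Z", "Alarm DateTime", "2020-02-12T10:01:30+00:00",
    "Source IP", "203.0.113.7", "Request User Agent", "curl/7.68.0",
    "Repeated Attempts", "3",
])

if __name__ == "__main__":
    records = parse_honeybucket_log(SAMPLE_LOG)
    for rec in records:
        print(rec["Alert"], rec["Source IP"], rec["Event Name"], f"{rec['Alarm Latency Sec']:.1f}s")
    print(summarize(records))
```

The records it returns drop straight into `pd.DataFrame(...)` like the notebook's own list, with the dict-valued columns already usable for filtering on `accountId` or `bucketName`.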
In this step, we perform data enrichment on the IP addresses to populate additional details such as GeoIP, Whois registrar, ASN and Threat Intel lookups using open-source TI providers (IBM X-Force, AlienVault OTX). Both providers have generous API limits, which is why they were selected for lookups on over 200 IPs.
In this step, we use the msticpy geolocation capabilities backed by the MaxMind GeoLite database. You will need a MaxMind API key to download the database.
iplocation = GeoLiteLookup()
df_enriched = iplocation.df_lookup_ip(df, column="Source IP")
display_columns = [
"Alert",
"Alarm DateTime",
"Source IP",
"CountryCode",
"CountryName",
"State",
"City",
]
# Display preview with new enriched fields
df_enriched[display_columns].head()
| | Alert | Alarm DateTime | Source IP | CountryCode | CountryName | State | City |
|---|---|---|---|---|---|---|---|
| 0 | 263 – 2022-01-31T14:38:27Z | 2022-01-31T14:39:09.605190+00:00 | 212.83.184.14 | FR | France | Île-de-France | Nogent-sur-Marne |
| 1 | 263 – 2022-01-31T14:38:27Z | 2022-01-31T14:39:09.605190+00:00 | 212.83.184.14 | FR | France | Île-de-France | Nogent-sur-Marne |
| 2 | 263 – 2022-01-31T14:38:27Z | 2022-01-31T14:39:09.605190+00:00 | 212.83.184.14 | FR | France | Île-de-France | Nogent-sur-Marne |
| 3 | 263 – 2022-01-31T14:38:27Z | 2022-01-31T14:39:09.605190+00:00 | 212.83.184.14 | FR | France | Île-de-France | Nogent-sur-Marne |
| 4 | 262 – 2022-01-31T03:54:25Z | 2022-01-31T03:58:26.275480+00:00 | 88.218.82.128 | LA | Laos | Vientiane Prefecture | Vientiane |
In this step, we perform a whois lookup on all public source IPs and populate additional information such as the ASN. This step can take 12-15 minutes, as it will process 213 IPs. You can use this output to further filter known ASNs from the results.
num_ips = len(df_enriched["Source IP"].unique())
print(f"Performing WhoIs lookups for {num_ips} IPs ", end="")
df_enriched["SourceASN"] = df_enriched.apply(
lambda x: get_whois_info(x["Source IP"], True), axis=1
)
df_enriched["SourceASNFull"] = df_enriched.apply(lambda x: x.SourceASN[1], axis=1)
df_enriched["SourceASN"] = df_enriched.apply(lambda x: x.SourceASN[0], axis=1)
display_columns = [
"Alert",
"Alarm DateTime",
"Source IP",
"SourceASN",
"CountryCode",
"CountryName",
"State",
"City",
]
# Display results
df_enriched[display_columns].head()
Performing WhoIs lookups for 212 IPs ....................................................................................................................................................................................................................
| | Alert | Alarm DateTime | Source IP | SourceASN | CountryCode | CountryName | State | City |
|---|---|---|---|---|---|---|---|---|
| 0 | 263 – 2022-01-31T14:38:27Z | 2022-01-31T14:39:09.605190+00:00 | 212.83.184.14 | Online SAS, FR | FR | France | Île-de-France | Nogent-sur-Marne |
| 1 | 263 – 2022-01-31T14:38:27Z | 2022-01-31T14:39:09.605190+00:00 | 212.83.184.14 | Online SAS, FR | FR | France | Île-de-France | Nogent-sur-Marne |
| 2 | 263 – 2022-01-31T14:38:27Z | 2022-01-31T14:39:09.605190+00:00 | 212.83.184.14 | Online SAS, FR | FR | France | Île-de-France | Nogent-sur-Marne |
| 3 | 263 – 2022-01-31T14:38:27Z | 2022-01-31T14:39:09.605190+00:00 | 212.83.184.14 | Online SAS, FR | FR | France | Île-de-France | Nogent-sur-Marne |
| 4 | 262 – 2022-01-31T03:54:25Z | 2022-01-31T03:58:26.275480+00:00 | 88.218.82.128 | M247, GB | LA | Laos | Vientiane Prefecture | Vientiane |
In this step, we perform threat intelligence lookups using msticpy and open-source TI providers such as IBM X-Force, VirusTotal, GreyNoise, etc.
The example below shows a lookup on a single IP as well as a bulk lookup on all IPs using the IBM X-Force TI provider.
You will need to register with IBM X-Force and enter the API keys into msticpyconfig.yaml.
ti_lookup = TILookup()
# Perform lookup on single IOC
result = ti_lookup.lookup_ioc(observable="212.83.184.14", providers=["XForce"])
ti_lookup.result_to_df(result)
| | Ioc | IocType | QuerySubtype | Provider | Result | Severity | Details | RawResult | Reference | Status |
|---|---|---|---|---|---|---|---|---|---|---|
| XForce | 212.83.184.14 | ipv4 | None | XForce | True | information | {'score': 1, 'cats': {}, 'categoryDescriptions': {}, 'reason': 'Regional Internet Registry', 're... | {'ip': '212.83.184.14', 'history': [{'created': '2012-03-22T07:26:00.000Z', 'reason': 'Regional ... | https://api.xforce.ibmcloud.com/ipr/212.83.184.14 | 0 |
# Flatten all the source IPs into a plain list for the bulk lookup
ip_list = df_enriched["Source IP"].astype(str).values.flatten().tolist()
# Perform bulk lookup on all IPs with the specified providers
ti_resp = ti_lookup.lookup_iocs(data=ip_list, providers=["OTX", "XForce"])
# Browse only the results rated high severity
select_ti = browse_results(ti_resp, severities=['high'])
select_ti
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-02-02T22:53:26.381000',
'modified_text': '1 day ago ',
'name': 'Honeypot Hits (2022-02-02)',
'public': 1,
'pulse_source': 'api',
'references': [],
'related_indicator_is_active': 1,
'related_indicator_type': 'IPv4',
'subscriber_count': 10,
'tags': [],
'targeted_countries': ['United States of America'],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': True,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': '/otxapi/users/avatar_image/media/avatars/user_91912/resized/80/avatar_2b1b2b88b6.png',
'id': '91912',
'is_following': False,
'is_subscribed': False,
'username': 'AlessandroFiori'},
'cloned_from': None,
'comment_count': 0,
'created': '2022-01-01T21:51:03.951000',
'description': 'For complete list please visit '
'https://apd.altervista.org/',
'downvotes_count': 0,
'export_count': 1,
'follower_count': 0,
'groups': [],
'id': '61d0ccc7b49862d4b2032223',
'in_group': False,
'indicator_count': 24876,
'indicator_type_counts': {'FileHash-SHA1': 4600,
'FileHash-SHA256': 799,
'FilePath': 1866,
'Mutex': 1866,
'URI': 1866,
'URL': 11598,
'YARA': 1866,
'domain': 144,
'hostname': 271},
'industries': [],
'is_author': False,
'is_modified': True,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-31T21:02:01.450000',
'modified_text': '3 days ago ',
'name': 'IOCs - 2022111350',
'public': 1,
'pulse_source': 'api',
'references': [],
'related_indicator_is_active': 0,
'related_indicator_type': 'IPv4',
'subscriber_count': 283,
'tags': [],
'targeted_countries': [],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': True,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': '/otxapi/users/avatar_image/media/avatars/user_91912/resized/80/avatar_2b1b2b88b6.png',
'id': '91912',
'is_following': False,
'is_subscribed': False,
'username': 'AlessandroFiori'},
'cloned_from': None,
'comment_count': 0,
'created': '2022-01-01T21:52:37.014000',
'description': 'ANIA Collector - Advanced Network '
'Interactive Analysis Collector - '
'Collected from Internet Storm '
'Center IOCs List',
'downvotes_count': 0,
'export_count': 0,
'follower_count': 0,
'groups': [],
'id': '61d0cd25889a9d71fa9e2d8f',
'in_group': False,
'indicator_count': 0,
'indicator_type_counts': {},
'industries': [],
'is_author': False,
'is_modified': True,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-31T21:02:01.450000',
'modified_text': '3 days ago ',
'name': 'IOCs - 2022111344 - ANIA Threat Feeds - '
'IP Segment 0',
'public': 1,
'pulse_source': 'api',
'references': [],
'related_indicator_is_active': 0,
'related_indicator_type': 'IPv4',
'subscriber_count': 281,
'tags': [],
'targeted_countries': [],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': False,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': '/otxapi/users/avatar_image/media/avatars/user_83487/resized/80/avatar_3b9c358f36.png',
'id': '83487',
'is_following': False,
'is_subscribed': False,
'username': 'jamesbrine'},
'cloned_from': None,
'comment_count': 0,
'created': '2022-01-01T08:05:04.050000',
'description': 'IPV4 hosts detected attempting to '
'brute force MySQL on private '
'honeypot',
'downvotes_count': 0,
'export_count': 1,
'follower_count': 0,
'groups': [],
'id': '61d00b30a2ff64106748e6ee',
'in_group': False,
'indicator_count': 0,
'indicator_type_counts': {},
'industries': [],
'is_author': False,
'is_modified': True,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-31T08:02:48.505000',
'modified_text': '4 days ago ',
'name': 'AWS (BA-Bahrain) MySQL Bruteforce Hosts '
'for 2021-12-31',
'public': 1,
'pulse_source': 'api',
'references': ['https://jamesbrine.com.au/awsbah-mysql-bruteforce-ip-list-2021-12-31/',
'https://jamesbrine.com.au'],
'related_indicator_is_active': 0,
'related_indicator_type': 'IPv4',
'subscriber_count': 325,
'tags': ['awsbah',
'mysql',
'bruteforce',
'honeypot'],
'targeted_countries': ['Bahrain'],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': False,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': 'https://otx.alienvault.com/assets/images/default-avatar.png',
'id': '111524',
'is_following': False,
'is_subscribed': False,
'username': 'ladarrellmiller'},
'cloned_from': None,
'comment_count': 0,
'created': '2021-03-30T19:42:12.253000',
'description': 'Louisiana Cyber Investigators '
'Alliance (LCIA): HoneyPot Suricata '
'Log: 2021 A unified coordinated '
'group of federal, state, local law '
'enforcement, as well as LA ESF-17 '
'members, focused onsafeguarding '
"Louisiana's networks through "
'collaborative vigilance and '
'thorough investigations '
'http://www.la-safe.org',
'downvotes_count': 0,
'export_count': 417,
'follower_count': 0,
'groups': [],
'id': '60637f141cda4877a64d0872',
'in_group': False,
'indicator_count': 0,
'indicator_type_counts': {},
'industries': [],
'is_author': False,
'is_modified': True,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-31T05:03:01.372000',
'modified_text': '4 days ago ',
'name': 'LCIA:HoneyNet:2021',
'public': 1,
'pulse_source': 'api',
'references': [],
'related_indicator_is_active': 0,
'related_indicator_type': 'IPv4',
'subscriber_count': 194,
'tags': ['tsec',
'tpot19',
'honeypot',
'la-safe.org'],
'targeted_countries': [],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': False,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': 'https://otx.alienvault.com/assets/images/default-avatar.png',
'id': '132921',
'is_following': False,
'is_subscribed': False,
'username': 'dm_lacia'},
'cloned_from': None,
'comment_count': 0,
'created': '2021-09-19T07:04:08.836000',
'description': 'Louisiana Cyber Investigators '
'Alliance (LCIA): HoneyPot Suricata '
'Log: 2021 A unified coordinated '
'group of federal, state, local law '
'enforcement, as well as LA ESF-17 '
'members, focused onsafeguarding '
"Louisiana's networks through "
'collaborative vigilance and '
'thorough investigations '
'http://www.la-safe.org',
'downvotes_count': 0,
'export_count': 12,
'follower_count': 0,
'groups': [],
'id': '6146e0e8a6289a9c1b4cfcf7',
'in_group': False,
'indicator_count': 0,
'indicator_type_counts': {},
'industries': [],
'is_author': False,
'is_modified': True,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-31T05:03:01.372000',
'modified_text': '4 days ago ',
'name': 'LCIA:HoneyNet:2021',
'public': 1,
'pulse_source': 'api',
'references': [],
'related_indicator_is_active': 0,
'related_indicator_type': 'IPv4',
'subscriber_count': 126,
'tags': ['tsec',
'tpot19',
'honeypot',
'la-safe.org'],
'targeted_countries': [],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': False,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': 'https://otx.alienvault.com/assets/images/default-avatar.png',
'id': '111524',
'is_following': False,
'is_subscribed': False,
'username': 'ladarrellmiller'},
'cloned_from': None,
'comment_count': 0,
'created': '2021-12-01T06:00:33.090000',
'description': 'Louisiana Cyber Investigators '
'Alliance (LCIA): HoneyPot Suricata '
'Log: 2021 A unified coordinated '
'group of federal, state, local law '
'enforcement, as well as LA ESF-17 '
'members, focused onsafeguarding '
"Louisiana's networks through "
'collaborative vigilance and '
'thorough investigations '
'http://www.la-safe.org',
'downvotes_count': 0,
'export_count': 3,
'follower_count': 0,
'groups': [],
'id': '61a70f813eceb582be551305',
'in_group': False,
'indicator_count': 0,
'indicator_type_counts': {},
'industries': [],
'is_author': False,
'is_modified': True,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-31T05:03:01.372000',
'modified_text': '4 days ago ',
'name': 'LCIA:HoneyNet:December 2021',
'public': 1,
'pulse_source': 'api',
'references': [],
'related_indicator_is_active': 0,
'related_indicator_type': 'IPv4',
'subscriber_count': 131,
'tags': ['tsec',
'tpot19',
'honeypot',
'la-safe.org'],
'targeted_countries': [],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': False,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': 'https://otx.alienvault.com/assets/images/default-avatar.png',
'id': '132921',
'is_following': False,
'is_subscribed': False,
'username': 'dm_lacia'},
'cloned_from': None,
'comment_count': 0,
'created': '2021-12-01T06:00:41.128000',
'description': 'Louisiana Cyber Investigators '
'Alliance (LCIA): HoneyPot Suricata '
'Log: 2021 A unified coordinated '
'group of federal, state, local law '
'enforcement, as well as LA ESF-17 '
'members, focused onsafeguarding '
"Louisiana's networks through "
'collaborative vigilance and '
'thorough investigations '
'http://www.la-safe.org',
'downvotes_count': 0,
'export_count': 6,
'follower_count': 0,
'groups': [],
'id': '61a70f8903f0b07629aa8abc',
'in_group': False,
'indicator_count': 0,
'indicator_type_counts': {},
'industries': [],
'is_author': False,
'is_modified': True,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-31T05:03:01.372000',
'modified_text': '4 days ago ',
'name': 'LCIA:HoneyNet:December 2021',
'public': 1,
'pulse_source': 'api',
'references': [],
'related_indicator_is_active': 0,
'related_indicator_type': 'IPv4',
'subscriber_count': 108,
'tags': ['tsec',
'tpot19',
'honeypot',
'la-safe.org'],
'targeted_countries': [],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': False,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': '/otxapi/users/avatar_image/media/avatars/user_91912/resized/80/avatar_2b1b2b88b6.png',
'id': '91912',
'is_following': False,
'is_subscribed': False,
'username': 'AlessandroFiori'},
'cloned_from': None,
'comment_count': 0,
'created': '2021-12-31T13:38:40.637000',
'description': 'For complete list please visit '
'https://apd.altervista.org/',
'downvotes_count': 0,
'export_count': 0,
'follower_count': 0,
'groups': [],
'id': '61cf07e0cbed41eee43c1ca0',
'in_group': False,
'indicator_count': 25182,
'indicator_type_counts': {'FileHash-SHA1': 4600,
'FileHash-SHA256': 799,
'FilePath': 1909,
'Mutex': 1909,
'URI': 1909,
'URL': 11689,
'YARA': 1909,
'domain': 168,
'hostname': 290},
'industries': [],
'is_author': False,
'is_modified': True,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-30T13:00:17.588000',
'modified_text': '5 days ago ',
'name': 'IOCs - 20211231536',
'public': 1,
'pulse_source': 'api',
'references': [],
'related_indicator_is_active': 0,
'related_indicator_type': 'IPv4',
'subscriber_count': 282,
'tags': [],
'targeted_countries': [],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': True,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': '/otxapi/users/avatar_image/media/avatars/user_91912/resized/80/avatar_2b1b2b88b6.png',
'id': '91912',
'is_following': False,
'is_subscribed': False,
'username': 'AlessandroFiori'},
'cloned_from': None,
'comment_count': 0,
'created': '2021-12-31T13:40:41.324000',
'description': 'ANIA Collector - Advanced Network '
'Interactive Analysis Collector - '
'Collected from Internet Storm '
'Center IOCs List',
'downvotes_count': 0,
'export_count': 0,
'follower_count': 0,
'groups': [],
'id': '61cf0859fdb90e9d8c9f0499',
'in_group': False,
'indicator_count': 0,
'indicator_type_counts': {},
'industries': [],
'is_author': False,
'is_modified': True,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-30T13:00:17.588000',
'modified_text': '5 days ago ',
'name': 'IOCs - 20211231531 - ANIA Threat Feeds - '
'IP Segment 0',
'public': 1,
'pulse_source': 'api',
'references': [],
'related_indicator_is_active': 0,
'related_indicator_type': 'IPv4',
'subscriber_count': 281,
'tags': [],
'targeted_countries': [],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': False,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': '/otxapi/users/avatar_image/media/avatars/user_91912/resized/80/avatar_2b1b2b88b6.png',
'id': '91912',
'is_following': False,
'is_subscribed': False,
'username': 'AlessandroFiori'},
'cloned_from': None,
'comment_count': 0,
'created': '2022-01-29T22:01:52.364000',
'description': 'ANIA Collector - Advanced Network '
'Interactive Analysis Collector - '
'Collected from Internet Storm '
'Center IOCs List',
'downvotes_count': 0,
'export_count': 0,
'follower_count': 0,
'groups': [],
'id': '61f5b950074eb942434abcb0',
'in_group': False,
'indicator_count': 44728,
'indicator_type_counts': {'IPv4': 44728},
'industries': [],
'is_author': False,
'is_modified': False,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-29T22:01:52.364000',
'modified_text': '5 days ago ',
'name': 'IOCs - 20221291346 - ANIA Threat Feeds - '
'IP Segment 5',
'public': 1,
'pulse_source': 'api',
'references': [],
'related_indicator_is_active': 1,
'related_indicator_type': 'IPv4',
'subscriber_count': 281,
'tags': [],
'targeted_countries': [],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': True,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': '/otxapi/users/avatar_image/media/avatars/user_91912/resized/80/avatar_2b1b2b88b6.png',
'id': '91912',
'is_following': False,
'is_subscribed': False,
'username': 'AlessandroFiori'},
'cloned_from': None,
'comment_count': 0,
'created': '2022-01-29T22:00:29.967000',
'description': 'ANIA Collector - Advanced Network '
'Interactive Analysis Collector - '
'Collected from Internet Storm '
'Center IOCs List',
'downvotes_count': 0,
'export_count': 0,
'follower_count': 0,
'groups': [],
'id': '61f5b8fd4c36a01642d12427',
'in_group': False,
'indicator_count': 24164,
'indicator_type_counts': {'IPv4': 24164},
'industries': [],
'is_author': False,
'is_modified': False,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-29T22:00:29.967000',
'modified_text': '5 days ago ',
'name': 'IOCs - 20221291346 - ANIA Threat Feeds - '
'IP Segment 4',
'public': 1,
'pulse_source': 'api',
'references': [],
'related_indicator_is_active': 1,
'related_indicator_type': 'IPv4',
'subscriber_count': 281,
'tags': [],
'targeted_countries': [],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': True,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': '/otxapi/users/avatar_image/media/avatars/user_91912/resized/80/avatar_2b1b2b88b6.png',
'id': '91912',
'is_following': False,
'is_subscribed': False,
'username': 'AlessandroFiori'},
'cloned_from': None,
'comment_count': 0,
'created': '2022-01-29T21:59:10.696000',
'description': 'ANIA Collector - Advanced Network '
'Interactive Analysis Collector - '
'Collected from Internet Storm '
'Center IOCs List',
'downvotes_count': 0,
'export_count': 0,
'follower_count': 0,
'groups': [],
'id': '61f5b8ae499e425c10eea05c',
'in_group': False,
'indicator_count': 11382,
'indicator_type_counts': {'IPv4': 11382},
'industries': [],
'is_author': False,
'is_modified': False,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-29T21:59:10.696000',
'modified_text': '5 days ago ',
'name': 'IOCs - 20221291345 - ANIA Threat Feeds - '
'IP Segment 3',
'public': 1,
'pulse_source': 'api',
'references': [],
'related_indicator_is_active': 1,
'related_indicator_type': 'IPv4',
'subscriber_count': 281,
'tags': [],
'targeted_countries': [],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': True,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': '/otxapi/users/avatar_image/media/avatars/user_91912/resized/80/avatar_2b1b2b88b6.png',
'id': '91912',
'is_following': False,
'is_subscribed': False,
'username': 'AlessandroFiori'},
'cloned_from': None,
'comment_count': 0,
'created': '2022-01-29T21:56:38.118000',
'description': 'ANIA Collector - Advanced Network '
'Interactive Analysis Collector - '
'Collected from Internet Storm '
'Center IOCs List',
'downvotes_count': 0,
'export_count': 0,
'follower_count': 0,
'groups': [],
'id': '61f5b816ab1ca63a3f67712b',
'in_group': False,
'indicator_count': 20153,
'indicator_type_counts': {'IPv4': 20153},
'industries': [],
'is_author': False,
'is_modified': False,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-29T21:56:38.118000',
'modified_text': '5 days ago ',
'name': 'IOCs - 20221291345 - ANIA Threat Feeds - '
'IP Segment 1',
'public': 1,
'pulse_source': 'api',
'references': [],
'related_indicator_is_active': 1,
'related_indicator_type': 'IPv4',
'subscriber_count': 281,
'tags': [],
'targeted_countries': [],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': True,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': '/otxapi/users/avatar_image/media/avatars/user_91912/resized/80/avatar_2b1b2b88b6.png',
'id': '91912',
'is_following': False,
'is_subscribed': False,
'username': 'AlessandroFiori'},
'cloned_from': None,
'comment_count': 0,
'created': '2022-01-29T21:53:13.277000',
'description': 'For complete list please visit '
'https://apd.altervista.org/',
'downvotes_count': 0,
'export_count': 1,
'follower_count': 0,
'groups': [],
'id': '61f5b749e6036d825b4f9edc',
'in_group': False,
'indicator_count': 36147,
'indicator_type_counts': {'FileHash-SHA1': 4642,
'FileHash-SHA256': 798,
'FilePath': 1874,
'IPv4': 10811,
'Mutex': 1874,
'URI': 1874,
'URL': 11949,
'YARA': 1874,
'domain': 183,
'hostname': 268},
'industries': [],
'is_author': False,
'is_modified': False,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-29T21:53:13.277000',
'modified_text': '5 days ago ',
'name': 'IOCs - 20221291350',
'public': 1,
'pulse_source': 'api',
'references': [],
'related_indicator_is_active': 1,
'related_indicator_type': 'IPv4',
'subscriber_count': 281,
'tags': [],
'targeted_countries': [],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': True,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': '/otxapi/users/avatar_image/media/avatars/jnazario/resized/80/Screen '
'Shot 2016-07-24 at '
'12.24.30 PM.png',
'id': '14926',
'is_following': False,
'is_subscribed': False,
'username': 'jnazario'},
'cloned_from': None,
'comment_count': 0,
'created': '2022-01-29T15:23:09.965000',
'description': 'PostgresQL honeypot authentication '
'attempts from a US /32',
'downvotes_count': 0,
'export_count': 0,
'follower_count': 0,
'groups': [],
'id': '61f55bddec75279b229bc2ac',
'in_group': False,
'indicator_count': 2,
'indicator_type_counts': {'IPv4': 2},
'industries': [],
'is_author': False,
'is_modified': False,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-29T15:23:09.965000',
'modified_text': '6 days ago ',
'name': 'PostgresQL honeypot logs for 2022-01-29',
'public': 1,
'pulse_source': 'api',
'references': [],
'related_indicator_is_active': 1,
'related_indicator_type': 'IPv4',
'subscriber_count': 1589,
'tags': ['postgres', 'honeypot'],
'targeted_countries': [],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': True,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': '/otxapi/users/avatar_image/media/avatars/user_83487/resized/80/avatar_3b9c358f36.png',
'id': '83487',
'is_following': False,
'is_subscribed': False,
'username': 'jamesbrine'},
'cloned_from': None,
'comment_count': 0,
'created': '2022-01-29T08:05:04.127000',
'description': 'IPV4 hosts detected attempting to '
'brute force MySQL on private '
'honeypot',
'downvotes_count': 0,
'export_count': 0,
'follower_count': 0,
'groups': [],
'id': '61f4f53016d337651b5394dd',
'in_group': False,
'indicator_count': 1,
'indicator_type_counts': {'IPv4': 1},
'industries': [],
'is_author': False,
'is_modified': False,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-29T08:05:04.127000',
'modified_text': '6 days ago ',
'name': 'AWS (BA-Bahrain) MySQL Bruteforce Hosts '
'for 2022-01-28',
'public': 1,
'pulse_source': 'api',
'references': ['https://jamesbrine.com.au/awsbah-mysql-bruteforce-ip-list-2022-01-28/',
'https://jamesbrine.com.au'],
'related_indicator_is_active': 1,
'related_indicator_type': 'IPv4',
'subscriber_count': 325,
'tags': ['awsbah',
'mysql',
'bruteforce',
'honeypot'],
'targeted_countries': ['Bahrain'],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': True,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': '/otxapi/users/avatar_image/media/avatars/user_83487/resized/80/avatar_3b9c358f36.png',
'id': '83487',
'is_following': False,
'is_subscribed': False,
'username': 'jamesbrine'},
'cloned_from': None,
'comment_count': 0,
'created': '2022-01-28T08:25:04.193000',
'description': 'IPV4 hosts detected attempting to '
'brute force MySQL on private '
'honeypot',
'downvotes_count': 0,
'export_count': 0,
'follower_count': 0,
'groups': [],
'id': '61f3a860ef11e9ebf1a1050f',
'in_group': False,
'indicator_count': 1,
'indicator_type_counts': {'IPv4': 1},
'industries': [],
'is_author': False,
'is_modified': False,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-28T08:25:04.193000',
'modified_text': '7 days ago ',
'name': 'AWS (India-Mumbai) MySQL Bruteforce Hosts '
'for 2022-01-27',
'public': 1,
'pulse_source': 'api',
'references': ['https://jamesbrine.com.au/awsindia-mysql-bruteforce-ip-list-2022-01-27/',
'https://jamesbrine.com.au'],
'related_indicator_is_active': 1,
'related_indicator_type': 'IPv4',
'subscriber_count': 325,
'tags': ['awsindia',
'mysql',
'bruteforce',
'honeypot'],
'targeted_countries': ['India'],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': True,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': '/otxapi/users/avatar_image/media/avatars/user_83487/resized/80/avatar_3b9c358f36.png',
'id': '83487',
'is_following': False,
'is_subscribed': False,
'username': 'jamesbrine'},
'cloned_from': None,
'comment_count': 0,
'created': '2022-01-27T08:05:04',
'description': 'IPV4 hosts detected attempting to '
'brute force MySQL on private '
'honeypot',
'downvotes_count': 0,
'export_count': 0,
'follower_count': 0,
'groups': [],
'id': '61f252304548dc8064a4f986',
'in_group': False,
'indicator_count': 1,
'indicator_type_counts': {'IPv4': 1},
'industries': [],
'is_author': False,
'is_modified': False,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-27T08:05:04',
'modified_text': '8 days ago ',
'name': 'AWS (BA-Bahrain) MySQL Bruteforce Hosts '
'for 2022-01-26',
'public': 1,
'pulse_source': 'api',
'references': ['https://jamesbrine.com.au/awsbah-mysql-bruteforce-ip-list-2022-01-26/',
'https://jamesbrine.com.au'],
'related_indicator_is_active': 1,
'related_indicator_type': 'IPv4',
'subscriber_count': 325,
'tags': ['awsbah',
'mysql',
'bruteforce',
'honeypot'],
'targeted_countries': ['Bahrain'],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': True,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': '/otxapi/users/avatar_image/media/avatars/user_83487/resized/80/avatar_3b9c358f36.png',
'id': '83487',
'is_following': False,
'is_subscribed': False,
'username': 'jamesbrine'},
'cloned_from': None,
'comment_count': 0,
'created': '2022-01-26T08:30:03.508000',
'description': 'IPV4 hosts detected attempting to '
'brute force MySQL on private '
'honeypot',
'downvotes_count': 0,
'export_count': 0,
'follower_count': 0,
'groups': [],
'id': '61f1068baee4a4355bbde6ce',
'in_group': False,
'indicator_count': 3,
'indicator_type_counts': {'IPv4': 3},
'industries': [],
'is_author': False,
'is_modified': False,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-26T08:30:03.508000',
'modified_text': '9 days ago ',
'name': 'AWS (JAP-Tokyo) MySQL Bruteforce Hosts '
'for 2022-01-25',
'public': 1,
'pulse_source': 'api',
'references': ['https://jamesbrine.com.au/awssafrica-mysql-bruteforce-ip-list-2022-01-25/',
'https://jamesbrine.com.au'],
'related_indicator_is_active': 1,
'related_indicator_type': 'IPv4',
'subscriber_count': 325,
'tags': ['awssafrica',
'mysql',
'bruteforce',
'honeypot'],
'targeted_countries': ['South Africa'],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': True,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': '/otxapi/users/avatar_image/media/avatars/user_83487/resized/80/avatar_3b9c358f36.png',
'id': '83487',
'is_following': False,
'is_subscribed': False,
'username': 'jamesbrine'},
'cloned_from': None,
'comment_count': 0,
'created': '2022-01-26T08:25:04.416000',
'description': 'IPV4 hosts detected attempting to '
'brute force MySQL on private '
'honeypot',
'downvotes_count': 0,
'export_count': 0,
'follower_count': 0,
'groups': [],
'id': '61f105608cc32b3345012340',
'in_group': False,
'indicator_count': 2,
'indicator_type_counts': {'IPv4': 2},
'industries': [],
'is_author': False,
'is_modified': False,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-26T08:25:04.416000',
'modified_text': '9 days ago ',
'name': 'AWS (India-Mumbai) MySQL Bruteforce Hosts '
'for 2022-01-25',
'public': 1,
'pulse_source': 'api',
'references': ['https://jamesbrine.com.au/awsindia-mysql-bruteforce-ip-list-2022-01-25/',
'https://jamesbrine.com.au'],
'related_indicator_is_active': 1,
'related_indicator_type': 'IPv4',
'subscriber_count': 325,
'tags': ['awsindia',
'mysql',
'bruteforce',
'honeypot'],
'targeted_countries': ['India'],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': True,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': '/otxapi/users/avatar_image/media/avatars/user_83487/resized/80/avatar_3b9c358f36.png',
'id': '83487',
'is_following': False,
'is_subscribed': False,
'username': 'jamesbrine'},
'cloned_from': None,
'comment_count': 0,
'created': '2022-01-26T08:05:03.090000',
'description': 'IPV4 hosts detected attempting to '
'brute force MySQL on private '
'honeypot',
'downvotes_count': 0,
'export_count': 0,
'follower_count': 0,
'groups': [],
'id': '61f100afffd677be91942dd8',
'in_group': False,
'indicator_count': 4,
'indicator_type_counts': {'IPv4': 4},
'industries': [],
'is_author': False,
'is_modified': False,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-26T08:05:03.090000',
'modified_text': '9 days ago ',
'name': 'AWS (BA-Bahrain) MySQL Bruteforce Hosts '
'for 2022-01-25',
'public': 1,
'pulse_source': 'api',
'references': ['https://jamesbrine.com.au/awsbah-mysql-bruteforce-ip-list-2022-01-25/',
'https://jamesbrine.com.au'],
'related_indicator_is_active': 1,
'related_indicator_type': 'IPv4',
'subscriber_count': 325,
'tags': ['awsbah',
'mysql',
'bruteforce',
'honeypot'],
'targeted_countries': ['Bahrain'],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': True,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': '/otxapi/users/avatar_image/media/avatars/user_83487/resized/80/avatar_3b9c358f36.png',
'id': '83487',
'is_following': False,
'is_subscribed': False,
'username': 'jamesbrine'},
'cloned_from': None,
'comment_count': 0,
'created': '2021-12-27T08:00:04.235000',
'description': 'IPV4 hosts detected attempting to '
'brute force MySQL on private '
'honeypot',
'downvotes_count': 0,
'export_count': 1,
'follower_count': 0,
'groups': [],
'id': '61c972848947b7dbfcb208cf',
'in_group': False,
'indicator_count': 0,
'indicator_type_counts': {},
'industries': [],
'is_author': False,
'is_modified': True,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-26T08:01:32.111000',
'modified_text': '9 days ago ',
'name': 'AWS (AU-Sydney) MySQL Bruteforce Hosts '
'for 2021-12-26',
'public': 1,
'pulse_source': 'api',
'references': ['https://jamesbrine.com.au/awsau-mysql-bruteforce-ip-list-2021-12-26/',
'https://jamesbrine.com.au'],
'related_indicator_is_active': 0,
'related_indicator_type': 'IPv4',
'subscriber_count': 325,
'tags': ['awsau',
'mysql',
'bruteforce',
'honeypot'],
'targeted_countries': ['Australia'],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': False,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'white',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': 'https://otx.alienvault.com/assets/images/default-avatar.png',
'id': '45974',
'is_following': False,
'is_subscribed': False,
'username': 'Ozark046'},
'cloned_from': None,
'comment_count': 0,
'created': '2022-01-25T22:18:42.125000',
'description': '',
'downvotes_count': 0,
'export_count': 0,
'follower_count': 0,
'groups': [],
'id': '61f07742109a343981a1b0a2',
'in_group': False,
'indicator_count': 377,
'indicator_type_counts': {'IPv4': 377},
'industries': [],
'is_author': False,
'is_modified': False,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-25T22:18:42.125000',
'modified_text': '9 days ago ',
'name': 'Honeypot Hits (2022-01-25)',
'public': 1,
'pulse_source': 'api',
'references': [],
'related_indicator_is_active': 1,
'related_indicator_type': 'IPv4',
'subscriber_count': 10,
'tags': [],
'targeted_countries': ['United States of America'],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': True,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': '/otxapi/users/avatar_image/media/avatars/jnazario/resized/80/Screen '
'Shot 2016-07-24 at '
'12.24.30 PM.png',
'id': '14926',
'is_following': False,
'is_subscribed': False,
'username': 'jnazario'},
'cloned_from': None,
'comment_count': 0,
'created': '2022-01-24T15:27:47.967000',
'description': 'PostgresQL honeypot authentication '
'attempts from a US /32',
'downvotes_count': 0,
'export_count': 0,
'follower_count': 0,
'groups': [],
'id': '61eec573b5accbe9e60eec0c',
'in_group': False,
'indicator_count': 2,
'indicator_type_counts': {'IPv4': 2},
'industries': [],
'is_author': False,
'is_modified': False,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-24T15:27:47.967000',
'modified_text': '11 days ago ',
'name': 'PostgresQL honeypot logs for 2022-01-24',
'public': 1,
'pulse_source': 'api',
'references': [],
'related_indicator_is_active': 1,
'related_indicator_type': 'IPv4',
'subscriber_count': 1589,
'tags': ['postgres', 'honeypot'],
'targeted_countries': [],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': True,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': '/otxapi/users/avatar_image/media/avatars/user_83487/resized/80/avatar_3b9c358f36.png',
'id': '83487',
'is_following': False,
'is_subscribed': False,
'username': 'jamesbrine'},
'cloned_from': None,
'comment_count': 0,
'created': '2022-01-24T08:30:03.233000',
'description': 'IPV4 hosts detected attempting to '
'brute force MySQL on private '
'honeypot',
'downvotes_count': 0,
'export_count': 0,
'follower_count': 0,
'groups': [],
'id': '61ee638b110ea437afb2d346',
'in_group': False,
'indicator_count': 2,
'indicator_type_counts': {'IPv4': 2},
'industries': [],
'is_author': False,
'is_modified': False,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-24T08:30:03.233000',
'modified_text': '11 days ago ',
'name': 'AWS (JAP-Tokyo) MySQL Bruteforce Hosts '
'for 2022-01-23',
'public': 1,
'pulse_source': 'api',
'references': ['https://jamesbrine.com.au/awssafrica-mysql-bruteforce-ip-list-2022-01-23/',
'https://jamesbrine.com.au'],
'related_indicator_is_active': 1,
'related_indicator_type': 'IPv4',
'subscriber_count': 325,
'tags': ['awssafrica',
'mysql',
'bruteforce',
'honeypot'],
'targeted_countries': ['South Africa'],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': True,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': '/otxapi/users/avatar_image/media/avatars/user_83487/resized/80/avatar_3b9c358f36.png',
'id': '83487',
'is_following': False,
'is_subscribed': False,
'username': 'jamesbrine'},
'cloned_from': None,
'comment_count': 0,
'created': '2021-12-25T08:18:03.788000',
'description': 'IPV4 hosts detected attempting to '
'brute force MySQL on private '
'honeypot',
'downvotes_count': 0,
'export_count': 1,
'follower_count': 0,
'groups': [],
'id': '61c6d3bb5c6d6c0d303900b3',
'in_group': False,
'indicator_count': 0,
'indicator_type_counts': {},
'industries': [],
'is_author': False,
'is_modified': True,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-24T08:03:43.362000',
'modified_text': '11 days ago ',
'name': 'AWS (JAP-Tokyo) MySQL Bruteforce Hosts '
'for 2021-12-24',
'public': 1,
'pulse_source': 'api',
'references': ['https://jamesbrine.com.au/awsjap-mysql-bruteforce-ip-list-2021-12-24/',
'https://jamesbrine.com.au'],
'related_indicator_is_active': 0,
'related_indicator_type': 'IPv4',
'subscriber_count': 325,
'tags': ['awsjap',
'mysql',
'bruteforce',
'honeypot'],
'targeted_countries': ['Japan'],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': False,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': '/otxapi/users/avatar_image/media/avatars/user_83487/resized/80/avatar_3b9c358f36.png',
'id': '83487',
'is_following': False,
'is_subscribed': False,
'username': 'jamesbrine'},
'cloned_from': None,
'comment_count': 0,
'created': '2022-01-24T08:00:03.763000',
'description': 'IPV4 hosts detected attempting to '
'brute force MySQL on private '
'honeypot',
'downvotes_count': 0,
'export_count': 0,
'follower_count': 0,
'groups': [],
'id': '61ee5c83666f5325de820492',
'in_group': False,
'indicator_count': 3,
'indicator_type_counts': {'IPv4': 3},
'industries': [],
'is_author': False,
'is_modified': False,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-24T08:00:03.763000',
'modified_text': '11 days ago ',
'name': 'AWS (AU-Sydney) MySQL Bruteforce Hosts '
'for 2022-01-23',
'public': 1,
'pulse_source': 'api',
'references': ['https://jamesbrine.com.au/awsau-mysql-bruteforce-ip-list-2022-01-23/',
'https://jamesbrine.com.au'],
'related_indicator_is_active': 1,
'related_indicator_type': 'IPv4',
'subscriber_count': 325,
'tags': ['awsau',
'mysql',
'bruteforce',
'honeypot'],
'targeted_countries': ['Australia'],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': True,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': '/otxapi/users/avatar_image/media/avatars/user_83487/resized/80/avatar_3b9c358f36.png',
'id': '83487',
'is_following': False,
'is_subscribed': False,
'username': 'jamesbrine'},
'cloned_from': None,
'comment_count': 0,
'created': '2022-01-23T08:30:03.344000',
'description': 'IPV4 hosts detected attempting to '
'brute force MySQL on private '
'honeypot',
'downvotes_count': 0,
'export_count': 0,
'follower_count': 0,
'groups': [],
'id': '61ed120b42e71540c51cea4c',
'in_group': False,
'indicator_count': 2,
'indicator_type_counts': {'IPv4': 2},
'industries': [],
'is_author': False,
'is_modified': False,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-23T08:30:03.344000',
'modified_text': '12 days ago ',
'name': 'AWS (JAP-Tokyo) MySQL Bruteforce Hosts '
'for 2022-01-22',
'public': 1,
'pulse_source': 'api',
'references': ['https://jamesbrine.com.au/awssafrica-mysql-bruteforce-ip-list-2022-01-22/',
'https://jamesbrine.com.au'],
'related_indicator_is_active': 1,
'related_indicator_type': 'IPv4',
'subscriber_count': 325,
'tags': ['awssafrica',
'mysql',
'bruteforce',
'honeypot'],
'targeted_countries': ['South Africa'],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': True,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': '/otxapi/users/avatar_image/media/avatars/user_83487/resized/80/avatar_3b9c358f36.png',
'id': '83487',
'is_following': False,
'is_subscribed': False,
'username': 'jamesbrine'},
'cloned_from': None,
'comment_count': 0,
'created': '2022-01-23T08:05:04.665000',
'description': 'IPV4 hosts detected attempting to '
'brute force MySQL on private '
'honeypot',
'downvotes_count': 0,
'export_count': 0,
'follower_count': 0,
'groups': [],
'id': '61ed0c30c456b6ea442e1b36',
'in_group': False,
'indicator_count': 3,
'indicator_type_counts': {'IPv4': 3},
'industries': [],
'is_author': False,
'is_modified': False,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-23T08:05:04.665000',
'modified_text': '12 days ago ',
'name': 'AWS (BA-Bahrain) MySQL Bruteforce Hosts '
'for 2022-01-22',
'public': 1,
'pulse_source': 'api',
'references': ['https://jamesbrine.com.au/awsbah-mysql-bruteforce-ip-list-2022-01-22/',
'https://jamesbrine.com.au'],
'related_indicator_is_active': 1,
'related_indicator_type': 'IPv4',
'subscriber_count': 325,
'tags': ['awsbah',
'mysql',
'bruteforce',
'honeypot'],
'targeted_countries': ['Bahrain'],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': True,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': '/otxapi/users/avatar_image/media/avatars/user_57320/resized/80/avatar_4894047112.png',
'id': '57320',
'is_following': False,
'is_subscribed': False,
'username': 'soothsayer'},
'cloned_from': None,
'comment_count': 0,
'created': '2021-12-23T04:30:03.238000',
'description': 'Daily FTP honeypot logs from a '
'honeypot in the US on a /32',
'downvotes_count': 0,
'export_count': 2,
'follower_count': 0,
'groups': [],
'id': '61c3fb4b5b4bab294d29a270',
'in_group': False,
'indicator_count': 0,
'indicator_type_counts': {},
'industries': [],
'is_author': False,
'is_modified': True,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-22T04:02:39.300000',
'modified_text': '13 days ago ',
'name': 'FTP - US Honeypot IoCs 2021-12-22',
'public': 1,
'pulse_source': 'api',
'references': [],
'related_indicator_is_active': 0,
'related_indicator_type': 'IPv4',
'subscriber_count': 325,
'tags': ['honeypot', 'ftp', 'dionaea'],
'targeted_countries': [],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': False,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': '/otxapi/users/avatar_image/media/avatars/jnazario/resized/80/Screen '
'Shot 2016-07-24 at '
'12.24.30 PM.png',
'id': '14926',
'is_following': False,
'is_subscribed': False,
'username': 'jnazario'},
'cloned_from': None,
'comment_count': 0,
'created': '2022-01-20T15:20:48.487000',
'description': 'PostgresQL honeypot authentication '
'attempts from a US /32',
'downvotes_count': 0,
'export_count': 0,
'follower_count': 0,
'groups': [],
'id': '61e97dd0cbdd6e55c2a5e055',
'in_group': False,
'indicator_count': 2,
'indicator_type_counts': {'IPv4': 2},
'industries': [],
'is_author': False,
'is_modified': False,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-20T15:20:48.487000',
'modified_text': '15 days ago ',
'name': 'PostgresQL honeypot logs for 2022-01-20',
'public': 1,
'pulse_source': 'api',
'references': [],
'related_indicator_is_active': 1,
'related_indicator_type': 'IPv4',
'subscriber_count': 1589,
'tags': ['postgres', 'honeypot'],
'targeted_countries': [],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': True,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': '/otxapi/users/avatar_image/media/avatars/user_83487/resized/80/avatar_3b9c358f36.png',
'id': '83487',
'is_following': False,
'is_subscribed': False,
'username': 'jamesbrine'},
'cloned_from': None,
'comment_count': 0,
'created': '2021-12-21T08:18:04.137000',
'description': 'IPV4 hosts detected attempting to '
'brute force MySQL on private '
'honeypot',
'downvotes_count': 0,
'export_count': 1,
'follower_count': 0,
'groups': [],
'id': '61c18dbca80aeab6ce03fa0a',
'in_group': False,
'indicator_count': 0,
'indicator_type_counts': {},
'industries': [],
'is_author': False,
'is_modified': True,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-20T08:01:38.562000',
'modified_text': '15 days ago ',
'name': 'AWS (JAP-Tokyo) MySQL Bruteforce Hosts '
'for 2021-12-20',
'public': 1,
'pulse_source': 'api',
'references': ['https://jamesbrine.com.au/awsjap-mysql-bruteforce-ip-list-2021-12-20/',
'https://jamesbrine.com.au'],
'related_indicator_is_active': 0,
'related_indicator_type': 'IPv4',
'subscriber_count': 325,
'tags': ['awsjap',
'mysql',
'bruteforce',
'honeypot'],
'targeted_countries': ['Japan'],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': False,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': '/otxapi/users/avatar_image/media/avatars/user_83487/resized/80/avatar_3b9c358f36.png',
'id': '83487',
'is_following': False,
'is_subscribed': False,
'username': 'jamesbrine'},
'cloned_from': None,
'comment_count': 0,
'created': '2022-01-19T08:25:02.424000',
'description': 'IPV4 hosts detected attempting to '
'brute force MySQL on private '
'honeypot',
'downvotes_count': 0,
'export_count': 0,
'follower_count': 0,
'groups': [],
'id': '61e7cade1866c9786492ad1c',
'in_group': False,
'indicator_count': 1,
'indicator_type_counts': {'IPv4': 1},
'industries': [],
'is_author': False,
'is_modified': False,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-19T08:25:02.424000',
'modified_text': '16 days ago ',
'name': 'AWS (India-Mumbai) MySQL Bruteforce Hosts '
'for 2022-01-18',
'public': 1,
'pulse_source': 'api',
'references': ['https://jamesbrine.com.au/awsindia-mysql-bruteforce-ip-list-2022-01-18/',
'https://jamesbrine.com.au'],
'related_indicator_is_active': 1,
'related_indicator_type': 'IPv4',
'subscriber_count': 325,
'tags': ['awsindia',
'mysql',
'bruteforce',
'honeypot'],
'targeted_countries': ['India'],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': True,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': '/otxapi/users/avatar_image/media/avatars/user_83487/resized/80/avatar_3b9c358f36.png',
'id': '83487',
'is_following': False,
'is_subscribed': False,
'username': 'jamesbrine'},
'cloned_from': None,
'comment_count': 0,
'created': '2021-12-20T08:18:03.636000',
'description': 'IPV4 hosts detected attempting to '
'brute force MySQL on private '
'honeypot',
'downvotes_count': 0,
'export_count': 1,
'follower_count': 0,
'groups': [],
'id': '61c03c3b4187f3fd4bbd3de1',
'in_group': False,
'indicator_count': 0,
'indicator_type_counts': {},
'industries': [],
'is_author': False,
'is_modified': True,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-19T08:00:41.410000',
'modified_text': '16 days ago ',
'name': 'AWS (JAP-Tokyo) MySQL Bruteforce Hosts '
'for 2021-12-19',
'public': 1,
'pulse_source': 'api',
'references': ['https://jamesbrine.com.au/awsjap-mysql-bruteforce-ip-list-2021-12-19/',
'https://jamesbrine.com.au'],
'related_indicator_is_active': 0,
'related_indicator_type': 'IPv4',
'subscriber_count': 325,
'tags': ['awsjap',
'mysql',
'bruteforce',
'honeypot'],
'targeted_countries': ['Japan'],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': False,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': '/otxapi/users/avatar_image/media/avatars/user_83487/resized/80/avatar_3b9c358f36.png',
'id': '83487',
'is_following': False,
'is_subscribed': False,
'username': 'jamesbrine'},
'cloned_from': None,
'comment_count': 0,
'created': '2022-01-18T08:05:03.548000',
'description': 'IPV4 hosts detected attempting to '
'brute force MySQL on private '
'honeypot',
'downvotes_count': 0,
'export_count': 0,
'follower_count': 0,
'groups': [],
'id': '61e674afe3af42912e6870d5',
'in_group': False,
'indicator_count': 3,
'indicator_type_counts': {'IPv4': 3},
'industries': [],
'is_author': False,
'is_modified': False,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-18T08:05:03.548000',
'modified_text': '17 days ago ',
'name': 'AWS (BA-Bahrain) MySQL Bruteforce Hosts '
'for 2022-01-17',
'public': 1,
'pulse_source': 'api',
'references': ['https://jamesbrine.com.au/awsbah-mysql-bruteforce-ip-list-2022-01-17/',
'https://jamesbrine.com.au'],
'related_indicator_is_active': 1,
'related_indicator_type': 'IPv4',
'subscriber_count': 325,
'tags': ['awsbah',
'mysql',
'bruteforce',
'honeypot'],
'targeted_countries': ['Bahrain'],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': True,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'white',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': 'https://otx.alienvault.com/assets/images/default-avatar.png',
'id': '45974',
'is_following': False,
'is_subscribed': False,
'username': 'Ozark046'},
'cloned_from': None,
'comment_count': 0,
'created': '2021-12-17T17:18:30.059000',
'description': '',
'downvotes_count': 0,
'export_count': 0,
'follower_count': 0,
'groups': [],
'id': '61bcc6663863a6e361427735',
'in_group': False,
'indicator_count': 0,
'indicator_type_counts': {},
'industries': [],
'is_author': False,
'is_modified': True,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-16T17:02:36.654000',
'modified_text': '18 days ago ',
'name': 'Honeypot Hits (2021-12-17)',
'public': 1,
'pulse_source': 'api',
'references': [],
'related_indicator_is_active': 0,
'related_indicator_type': 'IPv4',
'subscriber_count': 10,
'tags': [],
'targeted_countries': ['United States of America'],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': False,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': '/otxapi/users/avatar_image/media/avatars/jnazario/resized/80/Screen '
'Shot 2016-07-24 at '
'12.24.30 PM.png',
'id': '14926',
'is_following': False,
'is_subscribed': False,
'username': 'jnazario'},
'cloned_from': None,
'comment_count': 0,
'created': '2022-01-16T15:25:04.817000',
'description': 'PostgresQL honeypot authentication '
'attempts from a US /32',
'downvotes_count': 0,
'export_count': 0,
'follower_count': 0,
'groups': [],
'id': '61e438d03fce4c26a836a998',
'in_group': False,
'indicator_count': 1,
'indicator_type_counts': {'IPv4': 1},
'industries': [],
'is_author': False,
'is_modified': False,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-16T15:25:04.817000',
'modified_text': '19 days ago ',
'name': 'PostgresQL honeypot logs for 2022-01-16',
'public': 1,
'pulse_source': 'api',
'references': [],
'related_indicator_is_active': 1,
'related_indicator_type': 'IPv4',
'subscriber_count': 1590,
'tags': ['postgres', 'honeypot'],
'targeted_countries': [],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': True,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': '/otxapi/users/avatar_image/media/avatars/user_83487/resized/80/avatar_3b9c358f36.png',
'id': '83487',
'is_following': False,
'is_subscribed': False,
'username': 'jamesbrine'},
'cloned_from': None,
'comment_count': 0,
'created': '2022-01-16T08:00:04.033000',
'description': 'IPV4 hosts detected attempting to '
'brute force MySQL on private '
'honeypot',
'downvotes_count': 0,
'export_count': 0,
'follower_count': 0,
'groups': [],
'id': '61e3d08414aff53714bb0319',
'in_group': False,
'indicator_count': 2,
'indicator_type_counts': {'IPv4': 2},
'industries': [],
'is_author': False,
'is_modified': False,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-16T08:00:04.033000',
'modified_text': '19 days ago ',
'name': 'AWS (AU-Sydney) MySQL Bruteforce Hosts '
'for 2022-01-15',
'public': 1,
'pulse_source': 'api',
'references': ['https://jamesbrine.com.au/awsau-mysql-bruteforce-ip-list-2022-01-15/',
'https://jamesbrine.com.au'],
'related_indicator_is_active': 1,
'related_indicator_type': 'IPv4',
'subscriber_count': 325,
'tags': ['awsau',
'mysql',
'bruteforce',
'honeypot'],
'targeted_countries': ['Australia'],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': True,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': 'https://otx.alienvault.com/assets/images/default-avatar.png',
'id': '83377',
'is_following': False,
'is_subscribed': False,
'username': 'projectopsec'},
'cloned_from': None,
'comment_count': 0,
'created': '2021-12-17T00:05:06.286000',
'description': 'previous 24 hours activity from a '
'dionaea honeypot',
'downvotes_count': 0,
'export_count': 0,
'follower_count': 0,
'groups': [],
'id': '61bbd432c6d7af7d45cd570a',
'in_group': False,
'indicator_count': 0,
'indicator_type_counts': {},
'industries': [],
'is_author': False,
'is_modified': True,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-16T00:03:19.160000',
'modified_text': '19 days ago ',
'name': '2021-12-16 dionaea honeypot '
'353563f7-2182-4a0a-926f-8b2fd4403246',
'public': 1,
'pulse_source': 'api',
'references': [],
'related_indicator_is_active': 0,
'related_indicator_type': 'IPv4',
'subscriber_count': 201,
'tags': ['honeypot', 'dionaea'],
'targeted_countries': [],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': False,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'green',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': '/otxapi/users/avatar_image/media/avatars/user_83487/resized/80/avatar_3b9c358f36.png',
'id': '83487',
'is_following': False,
'is_subscribed': False,
'username': 'jamesbrine'},
'cloned_from': None,
'comment_count': 0,
'created': '2021-12-16T08:20:03.164000',
'description': 'IPV4 Addresses of attackers port '
'scanning private honeypot',
'downvotes_count': 0,
'export_count': 1,
'follower_count': 0,
'groups': [],
'id': '61baf6b3f5f07bbc0a039c2e',
'in_group': False,
'indicator_count': 0,
'indicator_type_counts': {},
'industries': [],
'is_author': False,
'is_modified': True,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2022-01-15T08:05:31.677000',
'modified_text': '20 days ago ',
'name': 'nmap Scanning Hosts for 2021-12-15',
'public': 1,
'pulse_source': 'api',
'references': ['https://jamesbrine.com.au/bruteforce-files-list-2021-12-15/',
'https://jamesbrine.com.au'],
'related_indicator_is_active': 0,
'related_indicator_type': 'IPv4',
'subscriber_count': 325,
'tags': ['nmap', 'port-scan', 'honeypot'],
'targeted_countries': ['Australia'],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': False,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0}],
'references': ['https://jamesbrine.com.au/awsbah-mysql-bruteforce-ip-list-2022-01-25/',
'https://jamesbrine.com.au/awssafrica-mysql-bruteforce-ip-list-2022-01-22/',
'https://jamesbrine.com.au/awssafrica-mysql-bruteforce-ip-list-2022-01-25/',
'https://jamesbrine.com.au/awsjap-mysql-bruteforce-ip-list-2021-12-20/',
'https://jamesbrine.com.au/awsbah-mysql-bruteforce-ip-list-2021-12-31/',
'https://jamesbrine.com.au/awsbah-mysql-bruteforce-ip-list-2022-01-22/',
'https://jamesbrine.com.au/bruteforce-files-list-2021-12-15/',
'https://jamesbrine.com.au/awsindia-mysql-bruteforce-ip-list-2022-01-18/',
'https://jamesbrine.com.au/awsau-mysql-bruteforce-ip-list-2021-12-26/',
'https://jamesbrine.com.au/awsbah-mysql-bruteforce-ip-list-2022-01-17/',
'https://jamesbrine.com.au/awsau-mysql-bruteforce-ip-list-2022-01-15/',
'https://jamesbrine.com.au/awsindia-mysql-bruteforce-ip-list-2022-01-27/',
'https://jamesbrine.com.au/awsjap-mysql-bruteforce-ip-list-2021-12-19/',
'https://jamesbrine.com.au/awsau-mysql-bruteforce-ip-list-2022-01-03/',
'https://jamesbrine.com.au/awsbah-mysql-bruteforce-ip-list-2022-01-03/',
'https://jamesbrine.com.au/awsindia-mysql-bruteforce-ip-list-2022-01-25/',
'https://jamesbrine.com.au/awsau-mysql-bruteforce-ip-list-2022-01-23/',
'https://jamesbrine.com.au/awsbah-mysql-bruteforce-ip-list-2022-01-26/',
'https://jamesbrine.com.au/awsjap-mysql-bruteforce-ip-list-2021-12-24/',
'https://jamesbrine.com.au/awssafrica-mysql-bruteforce-ip-list-2022-01-23/',
'https://jamesbrine.com.au/awsbah-mysql-bruteforce-ip-list-2022-01-28/',
'https://jamesbrine.com.au'],
'related': {'alienvault': {'adversary': [],
'industries': [],
'malware_families': []},
'other': {'adversary': [],
'industries': [],
'malware_families': []}}},
'region': 'BRU',
'reputation': 0,
'sections': ['general',
'geo',
'reputation',
'url_list',
'passive_dns',
'malware',
'nids_list',
'http_scans'],
'subdivision': 'BRU',
'type': 'IPv4',
'type_title': 'IPv4',
'validation': [{'message': 'In cloud provider range: provider=google',
'name': 'Cloud Provider IP range',
'source': 'cloud'}],
'whois': 'http://whois.domaintools.com/35.233.62.116'}
XForce | |
score | 10 |
cats | |
Bots | 100 |
categoryDescriptions | |
Bots | IPs known for botnet-member activity. Devices using these IPs are obviously infected and take part in DDoS-attacks, port-scanning, spam-sending etc. |
reason | X-Force Botnet Trap Analysis |
reasonDescription | Unauthorized access attempts originating from this IP address were detected. |
tags | [] |
{'categoryDescriptions': {'Bots': 'IPs known for botnet-member activity. '
'Devices using these IPs are obviously '
'infected and take part in DDoS-attacks, '
'port-scanning, spam-sending etc.'},
'cats': {'Bots': 100},
'geo': {'country': 'United States', 'countrycode': 'US'},
'history': [{'categoryDescriptions': {},
'cats': {},
'created': '2012-03-22T07:26:00.000Z',
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.0.0.0/8',
'reason': 'Regional Internet Registry',
'reasonDescription': 'One of the five RIRs announced a (new) '
'location mapping of the IP.',
'score': 1},
{'asns': {'15169': {'Company': 'GOOGLE - Google Inc., US',
'cidr': 12}},
'categoryDescriptions': {},
'cats': {},
'created': '2017-11-10T07:23:00.000Z',
'deleted': True,
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.224.0.0/12',
'reason': 'Regional Internet Registry',
'reasonDescription': 'One of the five RIRs announced a (new) '
'location mapping of the IP.',
'score': 1},
{'categoryDescriptions': {},
'cats': {},
'created': '2017-11-13T07:22:00.000Z',
'deleted': True,
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.224.0.0/12',
'reason': 'Regional Internet Registry',
'reasonDescription': 'One of the five RIRs announced a (new) '
'location mapping of the IP.',
'score': 1},
{'categoryDescriptions': {},
'cats': {},
'created': '2019-05-19T06:52:00.000Z',
'deleted': True,
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.224.0.0/12',
'reason': 'Regional Internet Registry',
'reasonDescription': 'One of the five RIRs announced a (new) '
'location mapping of the IP.',
'score': 1},
{'categoryDescriptions': {},
'cats': {},
'created': '2019-05-21T14:39:00.000Z',
'deleted': True,
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.224.0.0/12',
'reason': 'Regional Internet Registry',
'reasonDescription': 'One of the five RIRs announced a (new) '
'location mapping of the IP.',
'score': 1},
{'categoryDescriptions': {},
'cats': {},
'created': '2020-01-17T09:09:00.000Z',
'deleted': True,
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.224.0.0/12',
'reason': 'Regional Internet Registry',
'reasonDescription': 'One of the five RIRs announced a (new) '
'location mapping of the IP.',
'score': 1},
{'categoryDescriptions': {},
'cats': {},
'created': '2020-03-21T07:52:00.000Z',
'deleted': True,
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.224.0.0/12',
'reason': 'Regional Internet Registry',
'reasonDescription': 'One of the five RIRs announced a (new) '
'location mapping of the IP.',
'score': 1},
{'categoryDescriptions': {},
'cats': {},
'created': '2020-03-22T07:54:00.000Z',
'deleted': True,
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.224.0.0/12',
'reason': 'Regional Internet Registry',
'reasonDescription': 'One of the five RIRs announced a (new) '
'location mapping of the IP.',
'score': 1},
{'asns': {'15169': {'cidr': 12, 'removed': True}},
'categoryDescriptions': {'Scanning IPs': 'These IPs have been '
'identified as '
'illegally scanning '
'networks for '
'vulnerabilities.'},
'cats': {'Scanning IPs': 57},
'created': '2021-10-12T09:31:00.000Z',
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.233.62.116/32',
'reason': 'X-Force Botnet Trap Analysis',
'reasonDescription': 'Unauthorized access attempts originating '
'from this IP address were detected.',
'score': 5.7},
{'categoryDescriptions': {'Scanning IPs': 'These IPs have been '
'identified as '
'illegally scanning '
'networks for '
'vulnerabilities.'},
'cats': {'Scanning IPs': 43},
'created': '2021-10-21T09:10:00.000Z',
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.233.62.116/32',
'reason': 'X-Force Botnet Trap Analysis',
'reasonDescription': 'Unauthorized access attempts originating '
'from this IP address were detected.',
'score': 4.3},
{'categoryDescriptions': {'Scanning IPs': 'These IPs have been '
'identified as '
'illegally scanning '
'networks for '
'vulnerabilities.'},
'cats': {'Scanning IPs': 29},
'created': '2021-10-24T09:10:00.000Z',
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.233.62.116/32',
'reason': 'X-Force Botnet Trap Analysis',
'reasonDescription': 'Unauthorized access attempts originating '
'from this IP address were detected.',
'score': 2.9},
{'categoryDescriptions': {},
'cats': {},
'created': '2021-10-25T09:10:00.000Z',
'deleted': True,
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.233.62.116/32',
'reason': 'X-Force Botnet Trap Analysis',
'reasonDescription': 'Unauthorized access attempts originating '
'from this IP address were detected.',
'score': 1},
{'categoryDescriptions': {'Scanning IPs': 'These IPs have been '
'identified as '
'illegally scanning '
'networks for '
'vulnerabilities.'},
'cats': {'Scanning IPs': 57},
'created': '2021-10-30T20:46:00.000Z',
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.233.62.116/32',
'reason': 'X-Force Botnet Trap Analysis',
'reasonDescription': 'Unauthorized access attempts originating '
'from this IP address were detected.',
'score': 5.7},
{'categoryDescriptions': {'Scanning IPs': 'These IPs have been '
'identified as '
'illegally scanning '
'networks for '
'vulnerabilities.'},
'cats': {'Scanning IPs': 71},
'created': '2021-11-11T00:16:00.000Z',
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.233.62.116/32',
'reason': 'X-Force Botnet Trap Analysis',
'reasonDescription': 'Unauthorized access attempts originating '
'from this IP address were detected.',
'score': 7.1},
{'categoryDescriptions': {'Scanning IPs': 'These IPs have been '
'identified as '
'illegally scanning '
'networks for '
'vulnerabilities.'},
'cats': {'Scanning IPs': 86},
'created': '2021-11-21T21:15:00.000Z',
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.233.62.116/32',
'reason': 'X-Force Botnet Trap Analysis',
'reasonDescription': 'Unauthorized access attempts originating '
'from this IP address were detected.',
'score': 8.6},
{'categoryDescriptions': {'Scanning IPs': 'These IPs have been '
'identified as '
'illegally scanning '
'networks for '
'vulnerabilities.'},
'cats': {'Scanning IPs': 71},
'created': '2021-11-23T10:10:00.000Z',
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.233.62.116/32',
'reason': 'X-Force Botnet Trap Analysis',
'reasonDescription': 'Unauthorized access attempts originating '
'from this IP address were detected.',
'score': 7.1},
{'categoryDescriptions': {'Scanning IPs': 'These IPs have been '
'identified as '
'illegally scanning '
'networks for '
'vulnerabilities.'},
'cats': {'Scanning IPs': 86},
'created': '2021-11-23T18:30:00.000Z',
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.233.62.116/32',
'reason': 'X-Force Botnet Trap Analysis',
'reasonDescription': 'Unauthorized access attempts originating '
'from this IP address were detected.',
'score': 8.6},
{'categoryDescriptions': {'Scanning IPs': 'These IPs have been '
'identified as '
'illegally scanning '
'networks for '
'vulnerabilities.'},
'cats': {'Scanning IPs': 71},
'created': '2021-11-26T10:10:00.000Z',
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.233.62.116/32',
'reason': 'X-Force Botnet Trap Analysis',
'reasonDescription': 'Unauthorized access attempts originating '
'from this IP address were detected.',
'score': 7.1},
{'categoryDescriptions': {'Scanning IPs': 'These IPs have been '
'identified as '
'illegally scanning '
'networks for '
'vulnerabilities.'},
'cats': {'Scanning IPs': 86},
'created': '2021-11-26T19:30:00.000Z',
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.233.62.116/32',
'reason': 'X-Force Botnet Trap Analysis',
'reasonDescription': 'Unauthorized access attempts originating '
'from this IP address were detected.',
'score': 8.6},
{'categoryDescriptions': {'Scanning IPs': 'These IPs have been '
'identified as '
'illegally scanning '
'networks for '
'vulnerabilities.'},
'cats': {'Scanning IPs': 71},
'created': '2021-11-28T10:10:00.000Z',
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.233.62.116/32',
'reason': 'X-Force Botnet Trap Analysis',
'reasonDescription': 'Unauthorized access attempts originating '
'from this IP address were detected.',
'score': 7.1},
{'categoryDescriptions': {'Scanning IPs': 'These IPs have been '
'identified as '
'illegally scanning '
'networks for '
'vulnerabilities.'},
'cats': {'Scanning IPs': 100},
'created': '2021-11-28T18:46:00.000Z',
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.233.62.116/32',
'reason': 'X-Force Botnet Trap Analysis',
'reasonDescription': 'Unauthorized access attempts originating '
'from this IP address were detected.',
'score': 10},
{'categoryDescriptions': {'Scanning IPs': 'These IPs have been '
'identified as '
'illegally scanning '
'networks for '
'vulnerabilities.'},
'cats': {'Scanning IPs': 86},
'created': '2021-12-01T10:10:00.000Z',
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.233.62.116/32',
'reason': 'X-Force Botnet Trap Analysis',
'reasonDescription': 'Unauthorized access attempts originating '
'from this IP address were detected.',
'score': 8.6},
{'categoryDescriptions': {'Scanning IPs': 'These IPs have been '
'identified as '
'illegally scanning '
'networks for '
'vulnerabilities.'},
'cats': {'Scanning IPs': 100},
'created': '2021-12-01T17:30:00.000Z',
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.233.62.116/32',
'reason': 'X-Force Botnet Trap Analysis',
'reasonDescription': 'Unauthorized access attempts originating '
'from this IP address were detected.',
'score': 10},
{'categoryDescriptions': {'Scanning IPs': 'These IPs have been '
'identified as '
'illegally scanning '
'networks for '
'vulnerabilities.'},
'cats': {'Scanning IPs': 86},
'created': '2021-12-03T10:10:00.000Z',
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.233.62.116/32',
'reason': 'X-Force Botnet Trap Analysis',
'reasonDescription': 'Unauthorized access attempts originating '
'from this IP address were detected.',
'score': 8.6},
{'categoryDescriptions': {'Scanning IPs': 'These IPs have been '
'identified as '
'illegally scanning '
'networks for '
'vulnerabilities.'},
'cats': {'Scanning IPs': 71},
'created': '2021-12-04T10:10:00.000Z',
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.233.62.116/32',
'reason': 'X-Force Botnet Trap Analysis',
'reasonDescription': 'Unauthorized access attempts originating '
'from this IP address were detected.',
'score': 7.1},
{'categoryDescriptions': {'Scanning IPs': 'These IPs have been '
'identified as '
'illegally scanning '
'networks for '
'vulnerabilities.'},
'cats': {'Scanning IPs': 57},
'created': '2021-12-05T10:10:00.000Z',
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.233.62.116/32',
'reason': 'X-Force Botnet Trap Analysis',
'reasonDescription': 'Unauthorized access attempts originating '
'from this IP address were detected.',
'score': 5.7},
{'categoryDescriptions': {'Scanning IPs': 'These IPs have been '
'identified as '
'illegally scanning '
'networks for '
'vulnerabilities.'},
'cats': {'Scanning IPs': 43},
'created': '2021-12-06T10:10:00.000Z',
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.233.62.116/32',
'reason': 'X-Force Botnet Trap Analysis',
'reasonDescription': 'Unauthorized access attempts originating '
'from this IP address were detected.',
'score': 4.3},
{'categoryDescriptions': {'Scanning IPs': 'These IPs have been '
'identified as '
'illegally scanning '
'networks for '
'vulnerabilities.'},
'cats': {'Scanning IPs': 100},
'created': '2021-12-07T16:00:00.000Z',
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.233.62.116/32',
'reason': 'X-Force Botnet Trap Analysis',
'reasonDescription': 'Unauthorized access attempts originating '
'from this IP address were detected.',
'score': 10},
{'categoryDescriptions': {'Bots': 'IPs known for botnet-member '
'activity. Devices using these '
'IPs are obviously infected and '
'take part in DDoS-attacks, '
'port-scanning, spam-sending '
'etc.',
'Scanning IPs': 'These IPs have been '
'identified as '
'illegally scanning '
'networks for '
'vulnerabilities.'},
'cats': {'Bots': 100, 'Scanning IPs': 100},
'created': '2021-12-09T10:15:00.000Z',
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.233.62.116/32',
'malware_extended': {'BotNet': 'volatile_cedar',
'CC': 'US',
'country': 218,
'isnew': True},
'reason': 'X-Force Botnet Trap Analysis',
'reasonDescription': 'Unauthorized access attempts originating '
'from this IP address were detected.',
'score': 10},
{'categoryDescriptions': {'Bots': 'IPs known for botnet-member '
'activity. Devices using these '
'IPs are obviously infected and '
'take part in DDoS-attacks, '
'port-scanning, spam-sending '
'etc.',
'Scanning IPs': 'These IPs have been '
'identified as '
'illegally scanning '
'networks for '
'vulnerabilities.'},
'cats': {'Bots': 100, 'Scanning IPs': 86},
'created': '2021-12-10T10:10:00.000Z',
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.233.62.116/32',
'malware_extended': {'BotNet': 'volatile_cedar',
'CC': 'US',
'country': 218},
'reason': 'X-Force Botnet Trap Analysis',
'reasonDescription': 'Unauthorized access attempts originating '
'from this IP address were detected.',
'score': 10},
{'categoryDescriptions': {'Bots': 'IPs known for botnet-member '
'activity. Devices using these '
'IPs are obviously infected and '
'take part in DDoS-attacks, '
'port-scanning, spam-sending '
'etc.',
'Scanning IPs': 'These IPs have been '
'identified as '
'illegally scanning '
'networks for '
'vulnerabilities.'},
'cats': {'Bots': 100, 'Scanning IPs': 71},
'created': '2021-12-11T10:10:00.000Z',
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.233.62.116/32',
'malware_extended': {'BotNet': 'volatile_cedar',
'CC': 'US',
'country': 218},
'reason': 'X-Force Botnet Trap Analysis',
'reasonDescription': 'Unauthorized access attempts originating '
'from this IP address were detected.',
'score': 10},
{'categoryDescriptions': {'Bots': 'IPs known for botnet-member '
'activity. Devices using these '
'IPs are obviously infected and '
'take part in DDoS-attacks, '
'port-scanning, spam-sending '
'etc.',
'Scanning IPs': 'These IPs have been '
'identified as '
'illegally scanning '
'networks for '
'vulnerabilities.'},
'cats': {'Bots': 100, 'Scanning IPs': 57},
'created': '2021-12-12T10:10:00.000Z',
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.233.62.116/32',
'malware_extended': {'BotNet': 'volatile_cedar',
'CC': 'US',
'country': 218},
'reason': 'X-Force Botnet Trap Analysis',
'reasonDescription': 'Unauthorized access attempts originating '
'from this IP address were detected.',
'score': 10},
{'categoryDescriptions': {'Bots': 'IPs known for botnet-member '
'activity. Devices using these '
'IPs are obviously infected and '
'take part in DDoS-attacks, '
'port-scanning, spam-sending '
'etc.',
'Scanning IPs': 'These IPs have been '
'identified as '
'illegally scanning '
'networks for '
'vulnerabilities.'},
'cats': {'Bots': 100, 'Scanning IPs': 43},
'created': '2021-12-13T10:10:00.000Z',
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.233.62.116/32',
'malware_extended': {'BotNet': 'volatile_cedar',
'CC': 'US',
'country': 218},
'reason': 'X-Force Botnet Trap Analysis',
'reasonDescription': 'Unauthorized access attempts originating '
'from this IP address were detected.',
'score': 10},
{'categoryDescriptions': {'Bots': 'IPs known for botnet-member '
'activity. Devices using these '
'IPs are obviously infected and '
'take part in DDoS-attacks, '
'port-scanning, spam-sending '
'etc.',
'Scanning IPs': 'These IPs have been '
'identified as '
'illegally scanning '
'networks for '
'vulnerabilities.'},
'cats': {'Bots': 100, 'Scanning IPs': 29},
'created': '2021-12-15T10:10:00.000Z',
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.233.62.116/32',
'malware_extended': {'BotNet': 'volatile_cedar',
'CC': 'US',
'country': 218},
'reason': 'X-Force Botnet Trap Analysis',
'reasonDescription': 'Unauthorized access attempts originating '
'from this IP address were detected.',
'score': 10},
{'categoryDescriptions': {'Bots': 'IPs known for botnet-member '
'activity. Devices using these '
'IPs are obviously infected and '
'take part in DDoS-attacks, '
'port-scanning, spam-sending '
'etc.'},
'cats': {'Bots': 100},
'created': '2021-12-16T10:10:00.000Z',
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.233.62.116/32',
'malware_extended': {'BotNet': 'volatile_cedar',
'CC': 'US',
'country': 218},
'reason': 'X-Force Botnet Trap Analysis',
'reasonDescription': 'Unauthorized access attempts originating '
'from this IP address were detected.',
'score': 10}],
'ip': '35.233.62.116',
'reason': 'X-Force Botnet Trap Analysis',
'reasonDescription': 'Unauthorized access attempts originating from this IP '
'address were detected.',
'score': 10,
'subnets': [{'asns': {'15169': {'cidr': 12, 'removed': True}},
'categoryDescriptions': {},
'cats': {},
'created': '2020-03-22T07:54:00.000Z',
'geo': {'country': 'United States', 'countrycode': 'US'},
'ip': '35.224.0.0',
'reason': 'Regional Internet Registry',
'reasonDescription': 'One of the five RIRs announced a (new) '
'location mapping of the IP.',
'reason_removed': True,
'score': 1,
'subnet': '35.224.0.0/12'}],
'tags': []}
# Change both timestamp columns to datetime dtype (the .dt accessor below needs it)
datetime_format = "%Y-%m-%d %H:%M:%S %Z"
df_enriched["Event DateTime"] = pd.to_datetime(df_enriched["Event DateTime"])
df_enriched["Alarm DateTime"] = pd.to_datetime(df_enriched["Alarm DateTime"])
# Sort by alarm time and keep the earliest alert; copy() avoids a SettingWithCopyWarning
first_alert = df_enriched.sort_values(by="Alarm DateTime").head(1).copy()
first_alert["Alarm DateTime"] = first_alert["Alarm DateTime"].dt.strftime(datetime_format)
# Filter columns to display
display_columns = [
    "Alarm DateTime",
    "Source IP",
    "CountryName",
    "SourceASN",
    "Request User Agent",
]
# Display the first alert
first_alert[display_columns]
 | Alarm DateTime | Source IP | CountryName | SourceASN | Request User Agent
---|---|---|---|---|---
513 | 2020-02-11 03:35:40 UTC | 34.68.153.199 | United States | GOOGLE, US | python-requests/2.22.0
# Create new columns derived from the event timestamp
df_enriched["Year"] = df_enriched["Event DateTime"].dt.year
df_enriched["Month"] = df_enriched["Event DateTime"].dt.month
df_enriched["MonthofYear"] = df_enriched["Event DateTime"].dt.strftime("%Y-%m")
# Count alerts per month (a list rather than a set is passed to agg so the output columns are deterministic)
monthly_df = (
    df_enriched.groupby(["MonthofYear"])["MonthofYear"].agg(["count"]).reset_index()
)
# Display data
monthly_df
 | MonthofYear | count
---|---|---
0 | 2020-02 | 4 |
1 | 2020-05 | 1 |
2 | 2020-06 | 4 |
3 | 2020-07 | 22 |
4 | 2020-08 | 8 |
5 | 2020-09 | 6 |
6 | 2020-10 | 5 |
7 | 2020-11 | 3 |
8 | 2020-12 | 6 |
9 | 2021-01 | 6 |
10 | 2021-02 | 11 |
11 | 2021-03 | 23 |
12 | 2021-04 | 21 |
13 | 2021-05 | 16 |
14 | 2021-06 | 15 |
15 | 2021-07 | 23 |
16 | 2021-08 | 13 |
17 | 2021-09 | 29 |
18 | 2021-10 | 27 |
19 | 2021-11 | 15 |
20 | 2021-12 | 24 |
21 | 2022-01 | 232 |
print(f"No of Unique IP addresses seen: {len(df_enriched['Source IP'].unique())}")
No of Unique IP addresses seen: 212
print(
f'''No of Unique Countries seen: {len(df_enriched['CountryName'].unique())}
No of unique ASN : {len(df_enriched['SourceASN'].unique())}'''
)
No of Unique Countries seen: 62
No of unique ASN : 35
df_enriched['Event Name'].value_counts()
ListObjects    311
HeadBucket     192
PutObject       11
Name: Event Name, dtype: int64
df_enriched['User ID'].value_counts().reset_index()
 | index | User ID
---|---|---
0 | {'type': 'AWSAccount', 'principalId': '', 'accountId': 'ANONYMOUS_PRINCIPAL'} | 477 |
1 | {'type': 'AWSAccount', 'principalId': '451083579297', 'accountId': '451083579297'} | 12 |
2 | {'type': 'AWSAccount', 'principalId': '960312529846', 'accountId': '960312529846'} | 7 |
3 | {'type': 'AWSAccount', 'principalId': '541646178081', 'accountId': '541646178081'} | 5 |
4 | {'type': 'AWSAccount', 'principalId': 'AIDAZTADS5TQBDY2MAAOH', 'accountId': '659285011680'} | 4 |
5 | {'type': 'AWSAccount', 'principalId': '725677763773', 'accountId': '725677763773'} | 3 |
6 | {'type': 'AWSAccount', 'principalId': 'AIDAIYBE736TYLBM3THMU', 'accountId': '385485039111'} | 2 |
7 | {'type': 'AWSAccount', 'principalId': 'AIDAJNSTHWDY27F2QAMTM', 'accountId': '271169583898'} | 2 |
# Widen the column display so the full Request Parameters dict is visible
pd.set_option('max_colwidth', 200)
df_enriched.groupby(['Event Name', 'Request Parameters'])['Alert'].agg(['count'])
Event Name | Request Parameters | count
---|---|---
HeadBucket | {'bucketName': 'microsoft-devtest', 'Host': 'microsoft-devtest.s3.amazonaws.com'} | 187
HeadBucket | {'bucketName': 'microsoft-devtest', 'Host': 'microsoft-devtest.s3.eu-west-1.amazonaws.com'} | 3
HeadBucket | {'bucketName': 'microsoft-devtest', 'Host': 's3.eu-west-1.amazonaws.com'} | 2
ListObjects | {'bucketName': 'microsoft-devtest', 'Host': 'Microsoft-devtest.s3.amazonaws.com'} | 2
ListObjects | {'bucketName': 'microsoft-devtest', 'Host': 'microsoft-devtest.s3.amazonaws.com', 'encoding-type': 'url'} | 36
ListObjects | {'bucketName': 'microsoft-devtest', 'Host': 'microsoft-devtest.s3.amazonaws.com', 'max-keys': '1000', 'prefix': 'a'} | 1
ListObjects | {'bucketName': 'microsoft-devtest', 'Host': 'microsoft-devtest.s3.amazonaws.com', 'max-keys': '1000', 'prefix': 'd'} | 1
ListObjects | {'bucketName': 'microsoft-devtest', 'Host': 'microsoft-devtest.s3.amazonaws.com'} | 48
ListObjects | {'bucketName': 'microsoft-devtest', 'Host': 'microsoft-devtest.s3.eu-west-1.amazonaws.com', 'encoding-type': 'url', 'prefix': '*'} | 3
ListObjects | {'bucketName': 'microsoft-devtest', 'Host': 'microsoft-devtest.s3.eu-west-1.amazonaws.com', 'encoding-type': 'url'} | 2
ListObjects | {'list-type': '2', 'bucketName': 'microsoft-devtest', 'Host': 'microsoft-devtest.s3.amazonaws.com', 'encoding-type': 'url'} | 185
ListObjects | {'list-type': '2', 'bucketName': 'microsoft-devtest', 'Host': 'microsoft-devtest.s3.amazonaws.com'} | 1
ListObjects | {'list-type': '2', 'bucketName': 'microsoft-devtest', 'Host': 'microsoft-devtest.s3.eu-west-1.amazonaws.com'} | 20
ListObjects | {'list-type': '2', 'bucketName': 'microsoft-devtest', 'encoding-type': 'url', 'prefix': '', 'delimiter': '/', 'Host': 'microsoft-devtest.s3.eu-west-1.amazonaws.com'} | 8
ListObjects | {'list-type': '2', 'bucketName': 'microsoft-devtest', 'max-keys': '0', 'encoding-type': 'url', 'x-amz-request-payer': 'requester', 'Host': 'microsoft-devtest.s3.eu-west-1.amazonaws.com'} | 3
ListObjects | {'list-type': '2', 'bucketName': 'microsoft-devtest', 'max-keys': '500', 'encoding-type': 'url', 'x-amz-request-payer': 'requester', 'Host': 'microsoft-devtest.s3.eu-west-1.amazonaws.com'} | 1
PutObject | {'bucketName': 'microsoft-devtest', 'Host': 'microsoft-devtest.s3.eu-west-1.amazonaws.com', 'key': 'hello.txt'} | 4
PutObject | {'bucketName': 'microsoft-devtest', 'Host': 'microsoft-devtest.s3.eu-west-1.amazonaws.com', 'key': 'writeable_bucket.txt'} | 7
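The table above separates read-only enumeration (HeadBucket, ListObjects) from write attempts (PutObject with a key) and from requester-pays probing. The following added example (not code from the original notebook) does that classification with the standard library only: it parses the Python-literal dict strings that the flattened log carries in 'Request Parameters' and 'User ID' with ast.literal_eval and tags each alert. The records, IP addresses and account id are constructed, and the set of write event names is an assumption (PutObject is the only one seen on this page).

```python
"""Classify honeybucket alerts by what the request tried to do.

Added example; stdlib only. Field names follow the notebook's DataFrame
('Event Name', 'Request Parameters', 'User ID', 'Source IP'). Dict-valued
fields are the Python-literal strings seen in the notebook output.
"""
import ast
from collections import Counter

# Constructed sample alerts in the notebook's flattened schema (not real log lines).
ANON = "{'type': 'AWSAccount', 'principalId': '', 'accountId': 'ANONYMOUS_PRINCIPAL'}"
ACCT = "{'type': 'AWSAccount', 'principalId': '111122223333', 'accountId': '111122223333'}"
HOST = "microsoft-devtest.s3.eu-west-1.amazonaws.com"
SAMPLE_ALERTS = [
    {"Event Name": "ListObjects", "User ID": ANON, "Source IP": "203.0.113.10",
     "Request Parameters": "{'list-type': '2', 'bucketName': 'microsoft-devtest', "
                           "'Host': 'microsoft-devtest.s3.amazonaws.com', 'encoding-type': 'url'}"},
    {"Event Name": "HeadBucket", "User ID": ANON, "Source IP": "203.0.113.10",
     "Request Parameters": "{'bucketName': 'microsoft-devtest', 'Host': 'microsoft-devtest.s3.amazonaws.com'}"},
    {"Event Name": "PutObject", "User ID": ACCT, "Source IP": "198.51.100.7",
     "Request Parameters": "{'bucketName': 'microsoft-devtest', 'Host': '" + HOST + "', "
                           "'key': 'writeable_bucket.txt'}"},
    {"Event Name": "ListObjects", "User ID": ACCT, "Source IP": "198.51.100.7",
     "Request Parameters": "{'list-type': '2', 'bucketName': 'microsoft-devtest', 'max-keys': '0', "
                           "'encoding-type': 'url', 'x-amz-request-payer': 'requester', 'Host': '" + HOST + "'}"},
]

# Assumed set of S3 API names that modify bucket contents (the page only shows PutObject).
WRITE_EVENTS = {"PutObject", "DeleteObject"}
RECON_EVENTS = {"ListObjects", "HeadBucket"}


def parse_field(value):
    """Parse a Python-literal dict string into a dict; malformed input yields {}."""
    if isinstance(value, dict):
        return value
    try:
        parsed = ast.literal_eval(value)
    except (ValueError, SyntaxError):
        return {}
    return parsed if isinstance(parsed, dict) else {}


def classify_alert(alert):
    """Return the set of tags describing one alert."""
    params = parse_field(alert["Request Parameters"])
    user = parse_field(alert["User ID"])
    tags = set()
    if alert["Event Name"] in WRITE_EVENTS:
        tags.add("write-attempt")
    elif alert["Event Name"] in RECON_EVENTS:
        tags.add("recon")
    if params.get("x-amz-request-payer") == "requester":
        tags.add("requester-pays")  # caller offered to pay, typical of Requester Pays probing
    tags.add("anonymous" if user.get("accountId") == "ANONYMOUS_PRINCIPAL" else "authenticated")
    if "key" in params:
        tags.add("key:" + params["key"])  # object key named in the request
    return tags


def summarize(alerts):
    """Aggregate tag counts, keys targeted by writes, and source IPs seen more than once."""
    tag_counts, per_ip, keys_written = Counter(), Counter(), []
    for alert in alerts:
        tags = classify_alert(alert)
        for tag in tags:
            if tag.startswith("key:"):
                if "write-attempt" in tags:
                    keys_written.append(tag[len("key:"):])
            else:
                tag_counts[tag] += 1
        per_ip[alert["Source IP"]] += 1
    return {
        "tags": dict(tag_counts),
        "keys_written": keys_written,
        "repeat_ips": {ip: n for ip, n in per_ip.items() if n > 1},
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_ALERTS))
```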
df_enriched['Request User Agent'].value_counts().tail(5)
Boto3/1.14.52 Python/3.8.3 Windows/10 Botocore/1.17.52                          1
Java/11.0.9.1                                                                   1
Java/11.0.8                                                                     1
aws-sdk-go/1.35.1 (go1.15.3; linux; amd64)                                      1
Boto3/1.17.76 Python/3.7.3 Linux/4.19.0-16-amd64 Botocore/1.20.105 Resource     1
Name: Request User Agent, dtype: int64
df_enriched['CountryName'].value_counts().head(5)
France           217
Belgium           61
United States     31
Finland           23
India             20
Name: CountryName, dtype: int64
# Repeat IP addresses: source IPs that triggered more than one alert
df_grouped = df_enriched.groupby(['Source IP'])['Source IP'].agg(['count'])
df_grouped[df_grouped['count'] > 1].sort_values(by='count', ascending=False)
Source IP | count
---|---
212.83.184.15 | 121 |
212.83.184.17 | 64 |
212.83.184.14 | 16 |
43.251.92.37 | 16 |
188.40.66.118 | 9 |
212.83.184.16 | 9 |
35.205.104.93 | 9 |
34.77.163.42 | 9 |
104.155.101.3 | 4 |
35.187.190.226 | 4 |
95.217.207.120 | 4 |
95.217.154.203 | 4 |
95.216.202.243 | 4 |
95.216.151.196 | 4 |
35.233.62.116 | 4 |
35.195.57.216 | 4 |
34.76.78.209 | 4 |
34.79.107.251 | 4 |
34.78.120.99 | 4 |
130.211.54.158 | 4 |
34.71.42.209 | 4 |
34.68.153.199 | 4 |
34.140.248.32 | 4 |
212.83.184.13 | 4 |
192.175.111.231 | 4 |
192.175.111.228 | 4 |
95.217.6.207 | 4 |
# Alerts per ASN: ASNs that account for more than one alert
df_asngrouped = df_enriched.groupby(['SourceASN'])['Source IP'].agg(['count'])
df_asngrouped[df_asngrouped['count'] > 1].sort_values(by='count', ascending=False)
SourceASN | count
---|---
Online SAS, FR | 214 |
M247, GB | 93 |
GOOGLE, US | 69 |
HETZNER-AS, DE | 34 |
ANINETWORK-IN Ani Network Pvt Ltd, IN | 16 |
IWEB-AS, CA | 15 |
HOSTROYALE, IN | 10 |
ASDETUK www.heficed.com, GB | 8 |
AMAZON-AES, US | 6 |
NA | 5 |
HQSERV_COMMUNICATION_SOLUTIONS, IL | 5 |
FASTRACK Fastrack Technology, AU | 4 |
QUICKPACKET, US | 4 |
KVBPL-AS-IN Kerala Vision Broad Band Private Limited, IN | 3 |
DIGITALOCEAN-ASN, US | 3 |
INETLTD, TR | 2 |
IONOS-AS This is the joint network for IONOS, Fasthosts, Arsys, 1&1 Mail and Media and 1&1 Telecom. Formerly known as 1&1 Internet SE., DE | 2 |
HOST-AS-AP Host Universal Pty Ltd, AU | 2 |
COMCAST-7922, US | 2 |
SERVER-MANIA, CA | 2 |
# Count of IoCs per severity and threat intel provider
ti_resp.groupby(['Severity', 'Provider'])['Ioc'].agg(['count'])
Severity | Provider | count
---|---|---
high | OTX | 79
high | XForce | 13
information | OTX | 420
information | XForce | 496
warning | OTX | 15
warning | XForce | 5
plt.rcParams["figure.figsize"] = (12,6)
plt.style.use('seaborn-darkgrid')
fig, ax = plt.subplots()
ax.plot(monthly_df["MonthofYear"], monthly_df["count"])
ax.set(xlabel='Per Month', ylabel='Count per each month',
title='Monthly distribution of alerts')
plt.xticks(rotation=60)
plt.show()
With this visualization, you can see the distribution of alerts across countries of origin. The size and colour shade of each tile indicate the number of alerts observed. Many countries triggered just one alert, whereas countries such as France, Belgium, Germany and India were among the top sources of alerts.
# Create dataset with count per country
country_df = (
    df_enriched.groupby(["CountryName"])["CountryName"].agg(["count"]).reset_index()
)
# Normalize the count range to populate the colour palette
norm = matplotlib.colors.Normalize(
    vmin=min(country_df["count"]), vmax=max(country_df["count"])
)
colors = [matplotlib.cm.Blues(norm(value)) for value in country_df["count"]]
fig = plt.gcf()
ax = fig.add_subplot()
fig.set_size_inches(16, 12)
squarify.plot(
sizes=country_df["count"],
label=country_df["CountryName"],
color=colors,
alpha=0.6,
pad=True,
)
plt.axis("off")
plt.show()
With this visualization, you can discover source IPs that belong to a single ASN but are associated with multiple countries.
# Alerts per ASN and country
df_asngrouped = df_enriched.groupby(["SourceASN", "CountryName"])["Alert"].agg(
    ["count"]
)
# Keep only ASN/country pairs with more than 4 alerts
df2 = (
    df_asngrouped[df_asngrouped["count"] > 4]
    .sort_values(by="count", ascending=False)
    .reset_index()
)
# Drop the outlier (Online SAS, FR dominates the counts) so the heatmap scale stays readable
df2 = df2[df2["SourceASN"] != "Online SAS, FR"]
# Create a pivot table: one row per ASN, one column per country
df2_pivot = df2.pivot_table(
    index="SourceASN", columns="CountryName", values="count", fill_value=0
)
# Plot a heatmap with annotations
sns.heatmap(df2_pivot, annot=True, annot_kws={"size": 10})
MSTICpy also includes a feature that lets you map locations; this can be particularly useful when looking at the distribution of remote network connections or other events. Below we plot the locations of the source IPs observed in our logs that accessed the AWS S3 honeybucket.
# Create an IP geolocation lookup class (GeoLite2 database)
iplocation = GeoLiteLookup()
def format_ip_entity(row, ip_col):
    """Build an IpAddress entity from a row, geolocate it and attach the TI severity."""
    ip_entity = entities.IpAddress(Address=row[ip_col])
    iplocation.lookup_ip(ip_entity=ip_entity)
    # ti_resp names the column "Severity" (capitalised), so check for that label
    if "Severity" in row:
        ip_entity.AdditionalData["threat severity"] = row["Severity"]
    return ip_entity
# Filter to high and warning severity IPs to display on the geomap
ti_resp_threats = ti_resp[ti_resp.Severity.isin(["high", "warning"])]
ips_threats = list(ti_resp_threats.apply(lambda x: format_ip_entity(x, "Ioc"), axis=1))
# Convert the IP address strings into IP entities to compute the map centre
ip_list = [convert_to_ip_entities(i)[0] for i in ti_resp_threats["Ioc"]]
# Get the centre location of all IP locations to centre the map on
location = get_map_center(ip_list)
s3bucket_map = FoliumMap(location=location, zoom_start=2)
# Add location markers to our map and display it
if len(ip_list) > 0:
    icon_props = {"color": "red"}
    s3bucket_map.add_ip_cluster(ip_entities=ips_threats, **icon_props)
    display(s3bucket_map.folium_map)
Key observations from the analysis:

- The first alert arrived 3 days 4 hours 30 mins since the bucket was created.
- Belgium of ASN Google, US.
- Most alerts came from France, the country of ASN Online SAS, FR.
- A huge spike of alerts was observed in Jan-2022.
- 212 IP addresses, 62 countries and 35 ASNs were seen in total.
- M247, GB, which is a cloud hosting provider, was observed with multiple countries.
- 28 IPs were tagged as high severity by the XForce and OTX threat intel providers, and 3 IPs by both providers.
- Threat intel results showed historical botnet, spam, dynamic and honeypot visitor activity.
- 11 alerts were observed attempting to write to the bucket.
- 'x-amz-request-payer': 'requester' was seen in request parameters; it is used for signed-URL downloading of objects in Requester Pays buckets.

We used the third party service BreachInsider to set up an AWS S3 honeybucket for free. The service offers a central text file with the logging telemetry, but it is not in a structured format, so we used a Jupyter notebook and Python to convert that text file into a structured JSON file for further analysis.
Once the data is prepared, we can start analyzing various access patterns such as frequent user agents, source IPs, etc. We also used msticpy data enrichment modules on the IPs to populate additional data such as geolocation, IP ASN and registrar information. We also processed all the public IPs against open source threat intel providers such as IBM XForce and AlienVault OTX and found the majority of the IP addresses categorized as bad and known to visit honeypots or act as scanners. This notebook, along with the real world dataset, can be used as a demonstration of how to analyze reconnaissance activity against a publicly exposed storage bucket. It also showcases how you can use the various built-in data enrichment and visualization modules of msticpy to analyze and visualize the data.