Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
---|---|---|---|---|---|---|---|
rhisac-threat-indicators | ✅ | ✅ | rhisac_threat_indicators | NDJSON | API, S3 |
Overview
RH-ISAC is a threat intelligence sharing organization focused on the retail and hospitality sectors. They provide vetted indicators of compromise (IOCs) through their MISP platform at misp.rhisac.org. The integration pulls threat intelligence data tagged with "rhisac:vetted". These are safe-to-action indicators that have been validated and are already present on reputation block lists or identified as known malicious. RH-ISAC uses a collaborative approach to threat intelligence, allowing member organizations to share and access high-quality security indicators. The data includes various IOC types such as IP addresses, domains, file hashes, and URLs that can be directly used for blocking or alerting in security tools.
Supported data types
Rhisac Threat Indicators
Table name: rhisac_threat_indicators
rhisac-threat-indicators are curated, high-confidence threat intelligence data sourced from RH-ISAC’s MISP platform. These vetted indicators, such as malicious IP addresses, domains, file hashes, and URLs, are collaboratively validated by retail and hospitality sector members. Tagged with rhisac:vetted, they are safe for automated blocking or alerting, as they have already been confirmed malicious and appear on established reputation block lists.
Learn more here.
Send data to Hunters
Hunters supports the ingestion of Rhisac logs via API integration.
To connect Rhisac logs:
Generate an auth key in MISP
Visit https://misp.rhisac.org/users/view/me
Select Auth Keys
Then select Add authentication key
Add a comment to the comment field to easily identify the key in the future. If you don't plan to write any data back to the RH-ISAC MISP instance, we also recommend using the read-only flag to limit unnecessary permissions on the key.
Finally, choose Submit
Once you have the credentials, go to the data sources page in the Hunters platform and add a new integration of type “Rhisac”.
Follow the steps in this section.
Expected format
Logs are expected in JSON format.
{
  "id": "REDACTED",
  "event_id": "REDACTED",
  "object_id": "REDACTED",
  "object_relation": null,
  "category": "Payload delivery",
  "type": "sha256",
  "to_ids": true,
  "uuid": "REDACTED",
  "timestamp": "1754100061",
  "distribution": "5",
  "sharing_group_id": "0",
  "comment": "",
  "deleted": false,
  "disable_correlation": false,
  "first_seen": null,
  "last_seen": null,
  "value": "[REDACTED_HASH]",
  "Event": {
    "org_id": "REDACTED",
    "distribution": "1",
    "publish_timestamp": "1754326818",
    "id": "REDACTED",
    "info": "O365 CH- Calendar Invite",
    "orgc_id": "REDACTED",
    "uuid": "REDACTED"
  },
  "Tag": [
    {
      "id": "113",
      "name": "rhisac: vetted",
      "colour": "#bb64d4",
      "numerical_value": null,
      "is_galaxy": false,
      "local": false
    }
  ]
}
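
A consumer-side check for records in the format above, added here as an example and not taken from the Hunters or RH-ISAC documentation: it reads NDJSON, keeps only records that carry the rhisac:vetted tag, have to_ids set and are not deleted, and groups them by type. The sample lines, the helper names and the choice to also require to_ids and a non-deleted record are assumptions made for this example.

```python
import json
from datetime import datetime, timezone

VETTED_TAG = "rhisac:vetted"  # tag named in the page's overview

def _rec(type_, value, tag, to_ids=True, deleted=False):
    # Builds a constructed record with only the fields used below (placeholder values).
    return json.dumps({"type": type_, "value": value, "to_ids": to_ids, "deleted": deleted,
                       "timestamp": "1754100061", "Event": {"info": "constructed event"},
                       "Tag": [{"name": tag}]})

# Constructed NDJSON sample: two actionable records, four that must be skipped.
SAMPLE_NDJSON = "\n".join([
    _rec("sha256", "0" * 64, "rhisac: vetted"),
    _rec("domain", "bad.example", "rhisac:vetted"),
    _rec("ip-dst", "192.0.2.10", "rhisac:vetted", to_ids=False),
    _rec("domain", "other.example", "tlp:green"),
    _rec("url", "http://old.example/x", "rhisac:vetted", deleted=True),
    "{truncated line",
])

def _tag_names(record):
    # The page's sample record shows "rhisac: vetted" (with a space) while the prose
    # says "rhisac:vetted"; removing whitespace lets both spellings match.
    return {"".join(str(t.get("name", "")).split()).lower() for t in record.get("Tag") or []}

def actionable_indicators(ndjson_text):
    """Return ({type: [indicator, ...]}, skipped_count) for vetted, live, to_ids records."""
    by_type, skipped = {}, 0
    for line in filter(str.strip, ndjson_text.splitlines()):
        try:
            rec = json.loads(line)
            keep = (rec["to_ids"] is True and not rec.get("deleted")
                    and VETTED_TAG in _tag_names(rec))
            kind = rec["type"]
            updated = datetime.fromtimestamp(int(rec["timestamp"]), tz=timezone.utc)
            item = {"value": rec["value"], "event": rec["Event"]["info"],
                    "updated": updated.isoformat()}
        except (ValueError, KeyError, TypeError, AttributeError, OverflowError, OSError):
            skipped += 1  # malformed JSON or missing/odd fields: never block on a guess
            continue
        if keep:
            by_type.setdefault(kind, []).append(item)
        else:
            skipped += 1
    return by_type, skipped

if __name__ == "__main__":
    print(actionable_indicators(SAMPLE_NDJSON))
```

Tracking the skipped count alongside the kept indicators makes a feed that suddenly stops matching the tag visible instead of silently producing an empty block list.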