Hunters continuously enhances its threat detection and investigation capabilities by integrating high-quality external data sources. These sources provide context and enrichment that help the platform, and security analysts using it, to validate alerts, correlate events, and accelerate threat hunting.
Hunters data sources are connected to the platform out of the box and are updated and managed by Hunters. They fall into two groups: detection sources, and investigation and enrichment sources.
This article outlines what these data sources are and how Hunters leverages them on the Hunters platform.
Detection sources
Hunters uses the following threat intelligence feeds to improve detection of suspicious entities, reduce false positives, and adjust lead scoring:
IOC feeds
Hunters ingests the following IOC feeds:
AlienVault OTX (Open Threat Exchange) is an open platform designed for the exchange of Indicators of Compromise (IOCs). The foundation of OTX lies in its "pulses", which are essentially groups containing multiple IOCs related to a specific incident or campaign.
Currently, we only incorporate pulses created by official AlienVault users. These pulses are primarily generated by AlienVault through the extraction of IOCs from blog posts and publications by various security vendors.
abuse.ch is a Swiss research project that offers several feeds with distinct purposes. The following are the abuse.ch feeds we currently ingest:
URLHaus: A platform aimed at sharing information about malware distribution sites with the community, antivirus vendors, and threat intelligence providers.
MalwareBazaar: This feed facilitates the sharing of malware samples with the community, antivirus vendors, and threat intelligence providers.
FeodoTracker: A feed dedicated to tracking botnet Command and Control (C&C) infrastructure associated with infamous threats like Emotet, Dridex, and TrickBot.
By ingesting these diverse feeds, we aim to enhance our threat intelligence capabilities and contribute to the collective security of our users and the wider cybersecurity community.
How do we use threat intel feeds?
We utilize threat intel in the following ways:
Unified schema: we create a unified schema of all our feeds (including STIX/TAXII), which is later used for detection.
Detections: we continuously check whether IOCs (of various kinds) appear in various data sources (e.g. EDR, network traffic, logins).
Reduced noise: detection is improved by continuously removing false-positive IOCs.
Scoring: in certain cases, we use IOC feeds to adjust lead scores.
Investigation and enrichment sources
Hunters ingests the following resources to support the enrichment and investigation of leads and alerts:
🌐 AWS Public IPs
Hunters uses the AWS Public IP ranges published by Amazon to detect when network traffic, login attempts, or other activities originate from known AWS infrastructure. This is especially valuable for determining whether traffic comes from legitimate AWS-hosted services or from adversaries leveraging cloud infrastructure. This is also useful for correlating events involving IP addresses with their corresponding AWS regions and services.
☁️ Azure Public IPs
Similar to AWS, Microsoft publishes a comprehensive list of public IP address ranges used by Azure. This helps distinguish legitimate activity from suspicious behavior involving Azure resources, including potential abuse of cloud compute for attacks. Hunters leverages this to:
Identify whether events involve Azure-hosted services or infrastructure.
Enrich alerts with metadata such as Azure region and service allocation.
📈 Cisco Umbrella One Million
Cisco's Umbrella One Million dataset contains the top one million most frequently queried domains globally. This allows Hunters to quickly differentiate between common domains (e.g., google.com, github.com) and potentially malicious or uncommon ones, reducing noise in DNS-related detections. Hunters uses this to:
Assess the likelihood that a domain is benign based on popularity.
Flag access to rare, suspicious, or newly observed domains not present in the dataset.
🌍 MaxMind Data
MaxMind is a data services company best known for its IP geolocation and fraud detection products. It provides tools and databases that allow organizations to determine the geographic location, ISP, and other metadata associated with IP addresses.
Hunters uses these MaxMind resources:
MaxMind GeoIP ASN
Hunters enriches IP addresses with Autonomous System Number (ASN) data from MaxMind to determine:
The ISP or organization that owns the IP address.
Potential attribution or clustering of activity by hosting provider or network.
This supports grouping of malicious activity by ISP or ASN, useful in detecting campaigns using similar infrastructure.
MaxMind GeoIP Countries
Hunters uses this data source to accelerate investigation by providing geographic insight, especially useful in geo-fencing policies and anomaly detection.
This country-level enrichment is applied to external IP addresses to:
Detect anomalies such as logins or connections from unexpected countries.
Enhance geo-based detection rules (e.g., impossible travel, suspicious remote access).
MaxMind GeoIP Cities
Hunters uses this data source to provide detailed context for security teams performing location-based investigations, improving the accuracy of anomaly detection.
This city-level IP geolocation data enables:
Detection of access patterns from cities known for VPN exit nodes or malicious behavior.
Correlation of multiple events from the same geographic location.
🕵️ Tor Exit Nodes
Tor is a free, open-source software and network designed to enable anonymous communication over the internet. Hunters integrates a real-time list of Tor exit nodes to:
Detect when traffic, logins, or API calls originate from the Tor network.
Raise alerts for potential anonymized or malicious behavior.
This allows Hunters to highlight the use of anonymizing infrastructure, which is often indicative of adversarial activity or attempts to evade detection.
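Taken together, the cloud IP ranges, the Umbrella popularity list and the Tor exit list described above form one enrichment step. The following is an added Python example, not Hunters' own code, that applies those three lookups to constructed events; the AWS prefix JSON follows the layout of Amazon's published ip-ranges.json, and every IP, domain and rank value is constructed (RFC 5737 documentation addresses).

```python
import ipaddress
import json

# Constructed excerpt in the layout of AWS ip-ranges.json (real file is far larger).
AWS_IP_RANGES = json.loads("""{
 "prefixes": [
  {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
  {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "AMAZON"}
 ]
}""")
# Constructed excerpt of the Umbrella top-1m CSV: rank,domain per line.
UMBRELLA_TOP1M = "1,google.com\n2,github.com\n3,microsoft.com\n"
# Constructed Tor exit node list, one IP per line.
TOR_EXITS = "203.0.113.5\n203.0.113.77\n"
# Constructed events: one from a cloud-hosted source, one from a Tor exit.
EVENTS = [
    {"user": "alice", "src_ip": "192.0.2.10", "domain": "api.github.com"},
    {"user": "bob", "src_ip": "203.0.113.5", "domain": "evil-update.xyz"},
]

def load_prefixes(data):
    return [(ipaddress.ip_network(p["ip_prefix"]), p["region"], p["service"])
            for p in data["prefixes"]]

def load_top_domains(csv_text):
    return {line.split(",", 1)[1] for line in csv_text.splitlines() if line}

def cloud_lookup(ip, prefixes):
    # First matching prefix wins; returns region/service metadata or None.
    addr = ipaddress.ip_address(ip)
    for net, region, service in prefixes:
        if addr in net:
            return {"provider": "aws", "region": region, "service": service}
    return None

def domain_is_common(domain, top_domains):
    # Walk parent domains so api.github.com is matched via github.com.
    parts = domain.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in top_domains for i in range(len(parts) - 1))

def enrich(event, prefixes, top_domains, tor_exits):
    out = dict(event)
    out["cloud"] = cloud_lookup(event["src_ip"], prefixes)
    out["tor_exit"] = event["src_ip"] in tor_exits
    if "domain" in event:
        out["common_domain"] = domain_is_common(event["domain"], top_domains)
    return out

def enrich_all():
    prefixes = load_prefixes(AWS_IP_RANGES)
    top = load_top_domains(UMBRELLA_TOP1M)
    return [enrich(e, prefixes, top, set(TOR_EXITS.split())) for e in EVENTS]
```

An analyst reading the enriched bob event sees a Tor exit source plus a domain absent from the top one million, which is the combination the Tor and Umbrella sections above describe as worth surfacing.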