Frequently Asked Questions (FAQ)
Having questions? I hope that they are getting answerd here! If not, please do not hesitate to contact us through the Spamhaus Technology contact form:
https://www.spamhaus.com/contact-us-abuse-ch/
Why ThreatFox?
I love OSINT! There are many smart and talented IT-security researchers, threat analysts, CERT/CSIRT/SOC employees and IT-security enthusiast around. Some of them share parts of their analysis and indicators of compromise (IOCs) publicly, usually on github or social media like Twitter. While this is great, it is a pain at the same time: You need to invest a lot of time into searching for these IOCs and, even worse, automation is in many cases not easily possible (if not impossible).
ThreatFox is a platform where people who would like to share their indicators of compromise (IOCs) with the community can do so. For this purpose, ThreatFox offers a web UI and an API. At the same time, security researchers who would like to use that data to protect their own constituency, users or customers can easily integrate it by taking advantage of the ThreatFox API.
ThreatFox is a free, community driven platform for sharing indicators of compromise with the world!
What kind of information should be shared on ThreatFox?
If you want to share your indicators of compromise (IOCs) on ThreatFox, I'm glad to hear that! However, be for you start to push data to ThreatFox, please read the following submission policy carefuly.
- Indicators of compromise (IOC) related to malware only: Do only share indicators of compromise (IOCs) on ThreatFox. An IOC is an IP address, domain name, URL, email address or file hash that, if observed in a production environment, would indicate a compromise of your network with malware. Do not share any IOCs related to spam, phishing or other threats on ThreatFox.
- Vetting: By default, submissions made to ThreatFox are being reviewed by a human. If you share high quality IOCs on ThreatFox, you may be flagged as a Trusted Reporter. Submissions from such users will directly go into the LIVE database without any further vetting.
- Confidence level: Whenever you submit an IOC to ThreatFox, please choose the confidence level carefully. Do only use high confidence levels on IOCs you have manually vetted.
- Fresh IOCs: There are gazillions IOCs out there. Please refrain from sharing (obsolete) IOCs that are older than 10 days.
Why is there no data export in STIX/TAXII available?
I've offered a STIX/TAXII export for threat intel from URLhaus for a while. Unfortunately, I've noticed that due to the extensive amount of information STIX/TAXII provides, the export file soon became very, very big (Gigabytes!). I've therefore decided against supporting STIX/TAXII format across all abuse.ch projects. I apologize and hope that one of the other available formats will fit your needs.
Can I use data from ThreatFox commercially?
Yes! You can use any data provided by ThreatFox for commercial and non-commercial purpose - for free. This includes reselling or ingeration into commercial products. However, I kindly ask you to have a quick look at the (very short) Terms of Services (ToS) at the end of this FAQ.
Terms of Services (ToS)
By using the website of ThreatFox or any of it's services / datasets, you agree that:
- All datasets offered by ThreatFox can be used for both, commercial and non-commercial purpose for free without any limitations (CC0)
- Any data offered by ThreatFox is served as it is on best effort with no warranty
- ThreatFox can not be held liable for any false positives or damage caused by the use of the website or the datasets provided
- Any submission to ThreatFox will be treated and shared under TLP:WHITE and under Creative Commons No Rights Reserved (CC0)