A List of Third-Party Services to Determine Indicator Badness

When an analyst reviews logs from environment sources such as Azure Active Directory, perimeter firewalls, email gateways, Amazon Web Services and endpoint protection, a domain, URL or IP address (an indicator) seen in those logs rarely tells the whole story on its own. The analyst needs to check what other people have reported about that indicator (enrichment) before deciding whether it warrants further investigation, a policy action or a control change.

The primary third-party indicator enrichment source I use is Pulsedive. I am subscribed to the Pro version of Pulsedive for $30 a month, where I can check an indicator's reported activity on AbuseIPDB and VirusTotal through integration using API keys from each service, in addition to activity reported by other Pulsedive account holders. You can also integrate Shodan to see if additional ports are open or to confirm open ports, and you can get an idea of the vulnerabilities in the services running on the indicator based on reported software versions and their associated Common Vulnerabilities and Exposures (CVE) identifiers.
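To show how the enrichment workflow above turns into a repeatable triage decision, here is an added example (not code from the original post or from Pulsedive): it classifies the indicator type, refuses to send internal addresses to third parties, and combines per-source results into one verdict. The JSON field names (AbuseIPDB `abuseConfidenceScore`, VirusTotal `last_analysis_stats`, Pulsedive `risk`), the thresholds and the sample replies are assumptions constructed for the demo; the `fetch` callable stands in for the real API calls so the script runs offline.

```python
import ipaddress
import re
# Ranges that are never submitted to third parties (RFC 1918, loopback, link-local).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def classify_indicator(value: str) -> str:
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "url" if re.match(r"^[a-z][a-z0-9+.-]*://", value, re.I) else "domain"

def triage(indicator: str, fetch):
    """fetch(source, indicator) -> parsed JSON reply, or None when the source could not be queried.
    Vendor field names used below are assumptions; check them against each API's documentation."""
    kind = classify_indicator(indicator)
    if kind == "ip" and any(ipaddress.ip_address(indicator) in n for n in INTERNAL):
        return "skip-internal", ["internal IP, not enriched"]
    hits, checked = [], 0
    if kind == "ip" and (ab := fetch("abuseipdb", indicator)) is not None:
        checked += 1
        conf = ab["data"]["abuseConfidenceScore"]
        if conf >= 50:
            hits.append(f"AbuseIPDB confidence {conf}%")
    if (vt := fetch("virustotal", indicator)) is not None:
        checked += 1
        bad = vt["data"]["attributes"]["last_analysis_stats"].get("malicious", 0)
        if bad >= 3:
            hits.append(f"VirusTotal: {bad} engines flag it")
    if (pd := fetch("pulsedive", indicator)) is not None:
        checked += 1
        if pd.get("risk") in ("medium", "high", "critical"):
            hits.append(f"Pulsedive risk {pd['risk']}")
    if checked == 0:
        return "unknown", ["no enrichment source answered"]
    if len(hits) >= 2:  # corroborated by more than one source
        return "investigate", hits
    return ("watch", hits) if hits else ("benign", [f"{checked} source(s) clean"])

# Constructed sample replies standing in for live API calls (offline demo).
SAMPLE = {
    ("abuseipdb", "203.0.113.5"): {"data": {"abuseConfidenceScore": 92}},
    ("virustotal", "203.0.113.5"): {"data": {"attributes": {"last_analysis_stats": {"malicious": 7}}}},
    ("pulsedive", "203.0.113.5"): {"risk": "high"},
    ("virustotal", "example.org"): {"data": {"attributes": {"last_analysis_stats": {"malicious": 0}}}},
    ("pulsedive", "example.org"): {"risk": "none"},
}
def sample_fetch(source, indicator):
    return SAMPLE.get((source, indicator))
```

Replace `sample_fetch` with a function that calls each service with its API key and the same `(source, indicator)` signature; a source that is down or over quota should return `None` so the verdict reflects how many sources actually answered.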

The following third-party indicator enrichment resources are the ones I prefer; the list is by no means exhaustive. All resources mentioned in this post have a free tier.