# botnet\_tracker

The botnet\_tracker dataset is similar to the sinkhole\_tracker dataset and contains botnet data derived from netflow analysis and open sources. Each record carries the bot's source IP address together with the destination IP, domain, or URL it connected to. In addition to malware traffic, this index also provides a comprehensive list of anonymous proxies observed in the wild. Botnet\_tracker also contains IPs checking into third-party sinkholes. Red Sky Alliance's own sinkhole data is searchable in the sinkhole\_traffic index only.

| Field              | Description                                                                                  |
| ------------------ | -------------------------------------------------------------------------------------------- |
| indicator          | Bot source IP address                                                                        |
| indicator\_type    | Always `ipv4addr`                                                                            |
| indicator\_context | One of `botnet_ip`, `proxy_ip`, or `sinkholed_ip`                                            |
| c2                 | Endpoint the source IP connected to: an IP address, a domain, or a URL                       |
| first\_seen        | When the indicator was first observed                                                        |
| last\_seen         | When the indicator was last observed                                                         |
| reference          | Available reference for the botnet record, if not specified in the attribution field         |
| asn                | Autonomous system number for the indicator                                                   |
| attribution        | Known malware attribution                                                                    |
| country            | Two-character country code                                                                   |
| region             | Region name geolocated from the indicator                                                    |
| city               | City name geolocated from the indicator                                                      |
| postal\_code       | Postal code geolocated from the indicator                                                    |
| area\_code         | Area code geolocated from the indicator                                                      |
| location           | Latitude/longitude coordinates                                                               |
| etl\_data          | Date the data was exported                                                                   |
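As an added example (not code from Red Sky Alliance or part of the dataset), a small Python validator for records in this schema: it checks the required fields and the three `indicator_context` values listed above, classifies each `c2` endpoint as IP, domain, or URL, rejects records whose `last_seen` precedes `first_seen`, and buckets the valid ones by context. The record shape as a plain dict, the ISO 8601 timestamp format, and the sample values are assumptions.

```python
import ipaddress
from datetime import datetime
# Field names and the three indicator_context values come from the schema above.
ALLOWED_CONTEXTS = {"botnet_ip", "proxy_ip", "sinkholed_ip"}
REQUIRED = ("indicator", "indicator_type", "indicator_context", "c2", "first_seen", "last_seen")

def classify_c2(c2: str) -> str:
    """Classify a c2 endpoint as 'ip', 'url', or 'domain'."""
    try:
        ipaddress.ip_address(c2)
        return "ip"
    except ValueError:
        pass
    return "url" if ("://" in c2 or "/" in c2) else "domain"  # scheme or path => URL

def validate_record(rec: dict) -> dict:
    """Check one record against the schema; return a copy with a c2_kind field added.
    Assumes ISO 8601 timestamps (an assumption; the page does not give the format)."""
    missing = [f for f in REQUIRED if f not in rec]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    if rec["indicator_type"] != "ipv4addr" or ipaddress.ip_address(rec["indicator"]).version != 4:
        raise ValueError(f"indicator {rec['indicator']!r} is not a typed IPv4 address")
    if rec["indicator_context"] not in ALLOWED_CONTEXTS:
        raise ValueError(f"bad indicator_context {rec['indicator_context']!r}")
    if datetime.fromisoformat(rec["last_seen"]) < datetime.fromisoformat(rec["first_seen"]):
        raise ValueError("last_seen precedes first_seen")
    return {**rec, "c2_kind": classify_c2(rec["c2"])}

def partition_by_context(records: list) -> tuple:
    """Return ({context: [valid records]}, [(record, error), ...] for rejects)."""
    good, bad = {c: [] for c in ALLOWED_CONTEXTS}, []
    for rec in records:
        try:
            valid = validate_record(rec)
            good[valid["indicator_context"]].append(valid)
        except ValueError as err:
            bad.append((rec, str(err)))
    return good, bad

# Constructed sample records (not real data from the index); the third one is malformed.
SAMPLE = [
    {"indicator": "192.0.2.10", "indicator_type": "ipv4addr", "indicator_context": "botnet_ip",
     "c2": "203.0.113.5", "first_seen": "2024-01-02", "last_seen": "2024-01-09"},
    {"indicator": "192.0.2.11", "indicator_type": "ipv4addr", "indicator_context": "proxy_ip",
     "c2": "http://example.net/gate.php", "first_seen": "2024-01-03", "last_seen": "2024-01-03"},
    {"indicator": "192.0.2.12", "indicator_type": "ipv4addr", "indicator_context": "sinkholed_ip",
     "c2": "example.org", "first_seen": "2024-01-05", "last_seen": "2024-01-01"},
]
```

Running `partition_by_context(SAMPLE)` yields one `botnet_ip` record (c2 kind `ip`), one `proxy_ip` record (c2 kind `url`), and one reject for the reversed timestamps.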
