Botnet Tracker
The botnet_tracker dataset is similar to the sinkhole_tracker dataset and includes botnet data derived from netflow analysis and open sources. Each record carries the bot's source IP address together with the destination IP, domain, or URL it connected to. In addition to malware traffic, this index also provides a comprehensive list of anonymous proxies observed in the wild. botnet_tracker also contains IPs checking into third-party sinkholes; Red Sky Alliance's own sinkhole data is searchable in the sinkhole_traffic index only.
Field              Description
-----------------  ----------------------------------------------------------------------------
indicator          bot source IP address
indicator_type     ipv4addr
indicator_context  one of botnet_ip, proxy_ip, or sinkholed_ip
c2                 endpoint the source IP connected to; either an IP, a domain, or a URL
first_seen         when the indicator was first observed
last_seen          when the indicator was last observed
reference          available reference for the botnet record, if not specified in the attribution field
asn                autonomous system number for the indicator
attribution        known malware attribution
country            two-character country code
region             region name geolocated from the indicator
city               city name geolocated from the indicator
postal_code        postal code geolocated from the indicator
area_code          area code geolocated from the indicator
location           latitude/longitude coordinates
etl_data           date the data was exported
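As an added example (not Red Sky Alliance code), the following Python checks a constructed botnet_tracker record against the field definitions above and classifies the c2 endpoint as an IP, domain, or URL. The domain regex and the ISO-8601 timestamp format are assumptions, since the page does not state how dates are encoded.

```python
# Added example: validate one botnet_tracker record against the documented fields.
# The sample record is constructed; the date format and domain regex are assumptions.
import ipaddress
import re
from datetime import datetime
from urllib.parse import urlparse

CONTEXTS = {"botnet_ip", "proxy_ip", "sinkholed_ip"}  # documented indicator_context values
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)  # assumption


def classify_c2(c2: str) -> str:
    """Return 'ip', 'domain', or 'url' for the c2 field, or 'invalid' if none fit."""
    try:
        ipaddress.ip_address(c2)
        return "ip"
    except ValueError:
        pass
    if DOMAIN_RE.match(c2):
        return "domain"
    parsed = urlparse(c2)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "url"
    return "invalid"


def validate_record(rec: dict) -> list:
    """Return a list of problems; an empty list means the record matches the schema."""
    problems = []
    if rec.get("indicator_type") != "ipv4addr":
        problems.append("indicator_type must be ipv4addr")
    try:
        if ipaddress.ip_address(rec.get("indicator", "")).version != 4:
            problems.append("indicator is not an IPv4 address")
    except ValueError:
        problems.append("indicator is not a valid IP address")
    if rec.get("indicator_context") not in CONTEXTS:
        problems.append("indicator_context must be botnet_ip, proxy_ip, or sinkholed_ip")
    if classify_c2(rec.get("c2", "")) == "invalid":
        problems.append("c2 is not an IP, domain, or URL")
    try:  # assumption: timestamps are ISO-8601 strings
        if datetime.fromisoformat(rec["last_seen"]) < datetime.fromisoformat(rec["first_seen"]):
            problems.append("last_seen precedes first_seen")
    except (KeyError, ValueError):
        problems.append("first_seen/last_seen missing or not ISO-8601")
    return problems


SAMPLE = {  # constructed record using documentation address space, not real data
    "indicator": "203.0.113.45", "indicator_type": "ipv4addr",
    "indicator_context": "botnet_ip", "c2": "c2.example.net",
    "first_seen": "2024-03-01T08:15:00", "last_seen": "2024-03-04T21:40:00",
    "attribution": "placeholder-family", "country": "US",
}
```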