Akamai Guardicore Segmentation Threat Intelligence Service
If you would like to use the Akamai Guardicore CTI service as a feed, feel free!
The data served by the Akamai Guardicore Segmentation CTI dashboard can be downloaded for free.
The current week's data is available as a single JSON file:
https://threatintelligence.akamai.com/downloads/latest.json
This file contains all the data exposed in the dashboard, along with additional details.
In addition, data from previous weeks can be downloaded; the files follow this naming scheme:
https://threatintelligence.akamai.com/downloads/LABS_FEED_cti_data_YYYYMMDD.json
To download a specific week's data, specify the Sunday marking the start of that week.
For example, for the week from 6 January 2019 to 13 January 2019 (6 January 2019 was a Sunday), the resource link is
https://threatintelligence.akamai.com/downloads/LABS_FEED_cti_data_20190106.json
We suggest consuming this data by downloading the latest.json once a week on Mondays.
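As an added example (not Akamai's own client), the following Python builds the weekly file URL for any date by rounding down to the Sunday that starts its week, lists the files needed to backfill a date range, and fetches a file. The base URL and file name pattern are the ones given above; the helper names, the User-Agent string and the reading of a feed week as Sunday through the following Saturday (treating the 13/01/2019 end of the example period as exclusive) are assumptions.

```python
"""Build the URL of the weekly CTI file for any date, and fetch it.

Added example, not the feed's own tooling. Only the base URL and the
LABS_FEED_cti_data_YYYYMMDD.json pattern come from the documentation.
"""
from datetime import date, timedelta
import json
import urllib.request

BASE = "https://threatintelligence.akamai.com/downloads/"
LATEST_URL = BASE + "latest.json"


def _as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string (handy for CLI use)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def week_start(day):
    """The Sunday on or before `day` (date.weekday(): Monday=0 ... Sunday=6)."""
    day = _as_date(day)
    return day - timedelta(days=(day.weekday() + 1) % 7)


def feed_url_for(day):
    """URL of the weekly file whose week contains `day`.

    Assumption (not stated on the page): a feed week runs Sunday..Saturday,
    so 2019-01-13 (a Sunday) maps to a new file, not the 20190106 one.
    """
    return BASE + "LABS_FEED_cti_data_%s.json" % week_start(day).strftime("%Y%m%d")


def weekly_urls(start, end):
    """URLs of every weekly file covering any day in [start, end], oldest first."""
    start, end = _as_date(start), _as_date(end)
    urls = []
    sunday = week_start(start)
    while sunday <= end:
        urls.append(feed_url_for(sunday))
        sunday += timedelta(days=7)
    return urls


def fetch_feed(url=LATEST_URL, timeout=30):
    """Download one feed file and return the parsed JSON (needs network access).

    urlopen raises urllib.error.HTTPError on 4xx/5xx, e.g. for a week
    that has no file, so callers backfilling a range should catch it.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "cti-feed-client/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Backfill plan for the page's example period; nothing is downloaded here.
    for url in weekly_urls("2019-01-06", "2019-01-13"):
        print(url)
    print("file covering today:", feed_url_for(date.today()))
```

On the Monday schedule suggested above, `fetch_feed()` with no arguments pulls latest.json; `weekly_urls` is for catching up after a missed run.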
If you have any questions or want access to additional data, please contact us at labs@guardicore.com.
Technical Format
The following describes the format of the JSON files: the top-level keys they contain and the fields of the records stored under each key.
Attackers
Key name top_attackers.
This field contains the top attacking IP addresses observed by Guardicore sensors around the world in a specific time period.
Field name | Description |
---|---|
ip | The IP address of the attacker |
amount | Number of times we’ve seen this attacker in our sensors over the last time period |
service | A list of protocols we’ve seen this attacker communicate with |
country | Source country of the IP |
Malicious Domains
Key name malicious_domains.
This field contains the top malicious domains attackers were seen using in this time period. Attackers use domains rather than hard-coded IP addresses so that they can constantly shift infrastructure. These domains usually serve as file servers for downloading post-breach tools, as C&C servers that control the various attack tools, and as logging servers that receive data sent from the victim machines.
Field name | Description |
---|---|
domain | The domain name we’ve seen attackers communicate with |
amount | Number of times we’ve seen this domain in our sensors over the last time period |
C2 Servers
Key name connect_back_ips.
This field contains the top IP addresses attackers connect to after breaching a server. These machines usually serve as file servers for downloading post-breach tools (e.g. Remote Administration Tools (RATs), network and vulnerability scanners, exploit and cryptocurrency tools), as C&C servers that control the various attack tools, and as logging servers that receive data sent from the victim machines.
Field name | Description |
---|---|
ip | The IP address of the server |
amount | Number of times we’ve seen this server in our sensors over the last time period |
isp | ISP hosting this IP |
country | Source country of the IP |
Scanning Servers
Key name scanners.
This field contains the most active scanners in this time period. Scanners are machines that access one or more services across one or more subnets monitored by Guardicore sensors without performing attacks. Attackers run scanners to locate vulnerable services that fit their exploitation methods (e.g. misconfiguration, out-of-date software).
Field name | Description |
---|---|
ip | The IP address of the server |
amount | Number of times we’ve seen this server in our sensors over the last time period |
ports | A list of ports scanned by this IP |
Scanned Ports
Key name ports.
This field lists the ports that received the most connection attempts over the time period, i.e. the services most often attacked over the internet.
Field name | Description |
---|---|
amount | The number of connection attempts to this port over the time period |
ports | The scanned port (one port per record) |
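As an added example (not the feed's own tooling), the following Python loads one weekly file in the format documented above and turns it into deduplicated indicator sets plus an IP blocklist that can exclude address space you own. The key and field names are the ones documented in this section; the embedded sample data (RFC 5737 documentation addresses and example.* names, not real feed content), the helper names, and the skip/exclude logic are assumptions.

```python
"""Parse one Akamai Guardicore CTI weekly JSON file into indicator sets.

Added example, not the feed's own tooling. The key and field names follow
the Technical Format section; the sample data and helper logic are assumed.
"""
import ipaddress
import json

# Constructed sample in the documented shape; NOT real feed data.
SAMPLE_FEED = json.dumps({
    "top_attackers": [
        {"ip": "203.0.113.10", "amount": 1520, "service": ["ssh", "telnet"], "country": "XX"},
        {"ip": "198.51.100.7", "amount": 830, "service": ["smb"], "country": "YY"},
    ],
    "malicious_domains": [
        {"domain": "Update.Example.NET", "amount": 410},
        {"domain": "cdn.example.org.", "amount": 95},
    ],
    "connect_back_ips": [
        {"ip": "192.0.2.44", "amount": 300, "isp": "Example ISP", "country": "XX"},
        {"ip": "203.0.113.10", "amount": 120, "isp": "Example ISP", "country": "XX"},
    ],
    "scanners": [
        {"ip": "198.51.100.200", "amount": 9001, "ports": [22, 445, 3389]},
        {"ip": "not-an-ip", "amount": 1, "ports": [80]},  # malformed on purpose
    ],
    "ports": [
        {"amount": 50000, "ports": 22},
        {"amount": 20000, "ports": 445},
    ],
})

# Top-level key -> (field holding the indicator, role we file it under)
SECTIONS = {
    "top_attackers": ("ip", "attacker"),
    "connect_back_ips": ("ip", "c2"),
    "scanners": ("ip", "scanner"),
    "malicious_domains": ("domain", "domain"),
}


def _valid_ip(value):
    """Normalized IP string, or None if the value is not a usable address."""
    if not isinstance(value, str):
        return None  # an int would otherwise be accepted by ip_address()
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None
    if addr.is_loopback or addr.is_multicast or addr.is_unspecified or addr.is_link_local:
        return None
    return str(addr)


def parse_feed(text):
    """Return {role: {indicator: amount}, "ports": {port: attempts}, "skipped": n}.

    An IP seen under several keys is kept once per role so that its role
    (attacker vs. C2 vs. scanner) survives; malformed records are counted
    in "skipped" rather than aborting the whole import.
    """
    data = json.loads(text)
    result = {role: {} for _, role in SECTIONS.values()}
    result["skipped"] = 0
    for key, (field, role) in SECTIONS.items():
        for record in data.get(key, []):
            raw = record.get(field)
            amount = int(record.get("amount", 0))
            if role == "domain":
                # lower-case and drop a trailing dot so the same name dedups
                ioc = raw.lower().rstrip(".") if isinstance(raw, str) and raw else None
            else:
                ioc = _valid_ip(raw)
            if not ioc:
                result["skipped"] += 1
                continue
            result[role][ioc] = result[role].get(ioc, 0) + amount
    result["ports"] = {}
    for record in data.get("ports", []):
        if "ports" in record and "amount" in record:
            result["ports"][int(record["ports"])] = int(record["amount"])
    return result


def ip_blocklist(parsed, exclude=()):
    """Union of attacker, C2 and scanner IPs, minus any CIDRs in `exclude`.

    Scanner entries in particular may sit in cloud ranges you rely on, so
    review them before pushing the list to a firewall.
    """
    nets = [ipaddress.ip_network(n) for n in exclude]
    ips = set(parsed["attacker"]) | set(parsed["c2"]) | set(parsed["scanner"])
    keep = [ip for ip in ips if not any(ipaddress.ip_address(ip) in n for n in nets)]
    return sorted(keep, key=lambda s: (ipaddress.ip_address(s).version, int(ipaddress.ip_address(s))))


if __name__ == "__main__":
    parsed = parse_feed(SAMPLE_FEED)
    print("skipped records:", parsed["skipped"])
    print("blocklist:", ip_blocklist(parsed, exclude=["198.51.100.0/24"]))
    print("domains:", sorted(parsed["domain"]))
```

To run it on real data, replace `SAMPLE_FEED` with the text of latest.json; the `amount` counts are summed per indicator and role, so they can drive a simple priority order when the full list is too long to block at once.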
Interested in accessing our full database? Have questions? Please email us to labs@guardicore.com.