Attack Analytics Overview


RiskIQ Attack Analytics is a file-feed that shows hosts first observed within RiskIQ data sets for a given day. This file is updated on an hourly basis and available via a protected S3 bucket. 

For more information about our Attack Analytics see the following external product material

Additionally, customers can see samples of our feed data here.

Getting Access

Attack Analytics is delivered through Amazon S3 and is updated on daily basis. In order to gain access to the S3 bucket, a customer must first have purchased the service. Once purchased, the customer will be given a link they can use to get the latest version of the S3 file.

RiskIQ-SIS Attack Analytics Access.pdf

File Format

Attack Analytics files are delivered via a tab-separated file with the domain and a timestamp. The domain is simply the observed infrastructure that RiskIQ identified and the time information is a unix-based timestamp for when the observation took place.

Using the Data

Customers who purchase access to our Attack Analytics file-feed are typically seeking a greater visibility into threat targeting their organization.  Across all of our feeds, the most common use cases for 

Proactive and Automated Blocking

RiskIQ Attack Analytics provides organizations access to RiskIQ intelligence that can be used to proactively block new domains and known bad infrastructure that RiskIQ has observed.  Our Feeds can be ingested into enterprise proxies and firewalls to block potential malicious infrastructure based on organizations risk profiles and policies. 

Identifying Trends or Brands

Phishing attacks often make use of trends or common themes that may be identified within the domains they register. Some customers can use our feeds as a starting point and apply different filters against the data in order to surface domains that may be of interest due to a recent trend or because it uses their brand. From here, some customers will simply block these domains while others may monitor them to identify more about the attack. 

Proactive Threat Research

Similar to identifying trends and brands, some customers will use our Newly Observed Domain and Newly Observed Host feeds as a feed for their research program. Depending on the maturity of the organization, some will take the NOD and begin resolving each of the domains in order to understand if they overlap with any existing known threats. Customers who also purchase RiskIQ's URL crawling service will go a step further and crawl these domains in order to understand which have a live web page and could be actively serving a phishing kit.