There are many paid and open source external lookup sites that expose APIs for retrieving information about IOCs. Some well-known ones include the following:
- IPvoid: http://www.ipvoid.com/
- URLvoid: https://www.urlvoid.com/
- Cymon: https://api.cymon.io/v2/ioc/search/
- Malware Domain: http://www.malwaredomainlist.com/mdl.php
- Threat Miner: https://www.threatminer.org/
- Threatcrowd: https://www.threatcrowd.org/
Many of these sites expose APIs through which IOC lookups can be fully automated. For example, the following snippet automates an IP lookup using the API exposed by Cymon:
```python
import requests
from urllib.parse import urljoin

cymon_url = 'https://api.cymon.io/v2/ioc/search/'
type_ = "ip-src"
ip = "31.148.219.11"
# headers was not defined in the original snippet; send an Accept header
# (add an API token here if the service requires one).
headers = {"Accept": "application/json"}

# Every IP-flavoured attribute type is looked up against the "ip/" endpoint.
if type_ in ["ip-src", "ip-dst", "domain|ip", "ip-dst|port", "ip-src|port", "ip"]:
    cymon_url = urljoin(cymon_url, "ip/")
    cymon_url = urljoin(cymon_url, ip)
    response = requests.get(cymon_url, headers=headers, timeout=10)
    print(response.status_code, response.text)
```
Each of these sites can be searched manually, and its API documentation consulted, to automate IOC lookups against it in the same way.
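Generalising the snippet above, here is an added example (not code from the book or from Cymon) that turns the lookup into a reusable function: it normalises compound attribute values such as `ip-dst|port` and `domain|ip` to the bare indicator, validates the IP before it is placed in a URL, and returns the HTTP status alongside the parsed JSON instead of printing the raw response. The `domain/` endpoint, the `Authorization: Bearer` header and the `session` parameter (injected so the function can be exercised without network access) are assumptions, not documented Cymon API features.

```python
import ipaddress
from urllib.parse import quote, urljoin

CYMON_BASE = "https://api.cymon.io/v2/ioc/search/"

# MISP-style attribute types that resolve to an IP lookup (from the page).
IP_TYPES = {"ip-src", "ip-dst", "domain|ip", "ip-dst|port", "ip-src|port", "ip"}
# Assumed domain endpoint; check the provider's API documentation.
DOMAIN_TYPES = {"domain", "hostname"}


def normalise_ioc(type_, value):
    """Reduce a compound attribute value to the single indicator to look up."""
    if type_ in ("ip-dst|port", "ip-src|port"):
        return value.split("|", 1)[0]          # drop the port
    if type_ == "domain|ip":
        return value.split("|", 1)[1]          # look up the IP half
    return value


def build_lookup_url(type_, value):
    """Build the search URL for an IOC, refusing malformed or unsupported input."""
    ioc = normalise_ioc(type_, value)
    if type_ in IP_TYPES:
        ipaddress.ip_address(ioc)              # raises ValueError if not an IP
        return urljoin(urljoin(CYMON_BASE, "ip/"), quote(ioc, safe=""))
    if type_ in DOMAIN_TYPES:
        return urljoin(urljoin(CYMON_BASE, "domain/"), quote(ioc, safe=""))
    raise ValueError(f"unsupported IOC type: {type_}")


def lookup_ioc(type_, value, session=None, token=None, timeout=10):
    """Query the lookup API; return (status_code, parsed JSON or None)."""
    if session is None:
        import requests                        # imported lazily so tests can inject a fake session
        session = requests.Session()
    headers = {"Accept": "application/json"}
    if token:                                  # assumed bearer-token scheme
        headers["Authorization"] = f"Bearer {token}"
    resp = session.get(build_lookup_url(type_, value), headers=headers, timeout=timeout)
    if resp.status_code != 200:
        return resp.status_code, None
    try:
        return resp.status_code, resp.json()
    except ValueError:                         # non-JSON body
        return resp.status_code, None


if __name__ == "__main__":
    print(lookup_ioc("ip-src", "31.148.219.11"))
```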