
SANS Internet Storm Center – API

Even as a long-time listener of the daily newscast from SANS Storm Center, I never knew they offered a free API with useful information. The downside is that the API is rather slow, but it is still useful for IP intelligence.

You can find a full list of their current API offerings over at https://isc.sans.edu/api.

The Cloud IPs

This endpoint (https://isc.sans.edu/api/cloudips) will return a current list of subnets used by cloud providers such as Amazon and Google.

In my first analysis using this list, I already noticed that it is not complete. However, it still provides a good signal for local tagging and log file analysis.

https://isc.sans.edu/api/cloudips, free list of IPv4 ranges of cloud providers (2024-04-30)
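
The local tagging mentioned above could look like the following sketch. It is an added example, not code from the original post or from SANS. It does not parse the API response: it assumes the subnets are already available as (CIDR, provider) pairs, and the ranges, provider names and log lines are constructed. Because the list is incomplete, a miss is tagged "unlisted" rather than treated as "not cloud".

```python
import ipaddress
from collections import Counter

# Constructed sample data: (subnet, provider) pairs as they might look after
# parsing the cloudips response. Documentation ranges, not real cloud subnets.
SAMPLE_RANGES = [
    ("192.0.2.0/24", "provider-a"),
    ("198.51.100.0/25", "provider-b"),
    ("198.51.100.0/24", "provider-c"),
]

# Constructed log lines in common log format.
SAMPLE_LOG = """\
192.0.2.17 - - [30/Apr/2024:10:01:02 +0000] "GET /login HTTP/1.1" 200 512
198.51.100.5 - - [30/Apr/2024:10:01:03 +0000] "GET / HTTP/1.1" 200 1024
198.51.100.200 - - [30/Apr/2024:10:01:04 +0000] "POST /api HTTP/1.1" 403 0
203.0.113.9 - - [30/Apr/2024:10:01:05 +0000] "GET / HTTP/1.1" 200 1024
not-an-ip - - [30/Apr/2024:10:01:06 +0000] "GET / HTTP/1.1" 400 0
"""

UNLISTED = "unlisted"  # a miss means "not in the list", not "not cloud"


def build_index(ranges):
    """Parse CIDRs and sort most-specific first so overlapping ranges resolve."""
    nets = [(ipaddress.ip_network(cidr, strict=False), name) for cidr, name in ranges]
    return sorted(nets, key=lambda item: item[0].prefixlen, reverse=True)


def tag_ip(index, ip_text):
    """Return the provider for an IP, UNLISTED on a miss, None if unparsable."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net, name in index:
        if ip.version == net.version and ip in net:
            return name
    return UNLISTED


def tag_log(index, log_text):
    """Count requests per provider tag, keyed on the first field of each line."""
    counts = Counter()
    for line in log_text.splitlines():
        first = line.split(" ", 1)[0]
        counts[tag_ip(index, first) or "unparsed"] += 1
    return counts
```

The linear scan is fine for a few thousand subnets; for high-volume logs, cache the result per distinct source IP.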

Domainage

In my testing, this endpoint did not work as of the end of April 2024, not even with the example from the website. The return was always empty.

https://isc.sans.edu/api/domainage/sans.edu, (2024-04-30)

Other APIs

SANS also offers a wide variety of other API endpoints, which I have not yet had the chance to try out.