Even as a long-time listener of the daily newscast from SANS Storm Center, I never knew they offer a free API with useful information. The downside is that the API is rather slow, but still useful for IP intelligence.
You can find a full list of their current API offerings over at https://isc.sans.edu/api.
The Cloud IPs
This endpoint (https://isc.sans.edu/api/cloudips) will return a current list of subnets used by cloud providers such as Amazon and Google.
In my first analysis using this list, I already noticed that it is not complete. However, it still provides a good signal for local tagging and log file analysis.
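As an added example (not code from the original post), the tagging idea above in Python: a constructed sample stands in for the cloudips list so the script runs offline, and the `provider`/`prefix` field names are an assumption to be checked against the format documented at https://isc.sans.edu/api before pointing this at the live endpoint.

```python
import ipaddress

# Constructed sample standing in for the cloudips response. Not real API output:
# the provider names and prefixes are illustrative and the field layout is assumed.
SAMPLE_CLOUD_RANGES = [
    {"provider": "amazon", "prefix": "203.0.113.0/24"},
    {"provider": "google", "prefix": "198.51.100.0/25"},
    {"provider": "google", "prefix": "2001:db8:abcd::/48"},
    {"provider": "broken", "prefix": "not-a-prefix"},  # malformed entry, must not crash tagging
]

# Constructed web server log lines (source IP is the first field).
SAMPLE_LOG_LINES = [
    '203.0.113.77 - - [30/Apr/2024:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 153',
    '198.51.100.200 - - [30/Apr/2024:10:01:05 +0000] "GET / HTTP/1.1" 200 612',
    '2001:db8:abcd::1 - - [30/Apr/2024:10:01:09 +0000] "GET /.env HTTP/1.1" 404 153',
    '10.0.0.5 - - [30/Apr/2024:10:01:11 +0000] "GET /health HTTP/1.1" 200 2',
]


def build_index(records):
    """Turn provider/prefix records into (network, provider) pairs, most specific first."""
    nets = []
    for rec in records:
        try:
            nets.append((ipaddress.ip_network(rec["prefix"], strict=False), rec["provider"]))
        except (KeyError, ValueError):
            continue  # the list is incomplete and may carry odd entries; skip rather than abort
    # Longest prefix first so a nested, more specific range wins over a broad one.
    nets.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return nets


def tag_ip(ip_str, index):
    """Return the provider whose range contains ip_str, or None if it is not a known cloud range."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for net, provider in index:
        if ip.version == net.version and ip in net:
            return provider
    return None


def tag_log_lines(lines, index):
    """Tag the source IP of each log line; 'not-cloud' only means 'not in this (incomplete) list'."""
    tagged = []
    for line in lines:
        src = line.split()[0]
        tagged.append((src, tag_ip(src, index) or "not-cloud"))
    return tagged
```

A "not-cloud" tag is weak evidence because the list is incomplete, so treat it as an enrichment field rather than a filter.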
Domainage
In my testing, this endpoint did not work as of the end of April 2024, not even with the example from the website. The return was always empty.
Other APIs
SANS also offers a wide variety of other API endpoints, which I have not yet had the chance to try out.
- ASNUM
- Backscatter
- Cloud IPs
- Cloud IPs (CIDR notation)
- Daily Summary
- Domain Data Requests
- Glossary
- Handler
- Infocon
- Intelfeed
- IP
- IP Details
- Port
- PortDate
- TopPorts
- TopIPs
- Source IPs
- PortHistory
- Survivaltime
- Threatfeeds
- WebhoneypotSummary
- WebhoneypotByType
- Webhoneypots Daily Summary
- Webhoneypot Daily Details
- Webhoneypot Search by User-Agent
- Webhoneypot Search by URL
- OpenIOCSources