{ "description": "Event contains one or more entries of known security provider/vendor blog domains with the IDS flag set. The list also includes general-purpose hosting and sharing platforms (e.g. github.com, www.dropbox.com), so a match should be reviewed as a likely false positive rather than treated as proof that the value is benign.", "list": [ "0x1338.blogspot.be", "2014.hack.lu", "2014.zeronights.ru", "about-threats.trendmicro.com", "access.redhat.com", "alienvault-labs-garage.googlecode.com", "app.any.run", "app.response.ncr.com", "app.threatconnect.com", "arstechnica.co.uk", "arstechnica.com", "artemonsecurity.com", "asert.arbornetworks.com", "assets.documentcloud.org", "attack.mitre.org", "autofocus.paloaltonetworks.com", "aviatrix25.rssing.com", "b0n1.blogspot.fr", "b161268c3bf5a87bc67309e7c870820f5f39f672.googledrive.com", "badcyber.com", "baesystemsai.blogspot.com", "baesystemsai.blogspot.fr", "baesystemsai.blogspot.lu", "bartblaze.blogspot.be", "bartblaze.blogspot.com", "bartblaze.blogspot.lu", "benkowlab.blogspot.fr", "bgpmon.net", "bgpranking.circl.lu", "bitninja.io", "bizlive.vn", "blockchain.info", "blog.0day.jp", "blog.0x3a.com", "blog.9bplus.com", "blog.airbuscybersecurity.com", "blog.anomali.com", "blog.appriver.com", "blog.avast.com", "blog.barracuda.com", "blog.bit9.com", "blog.cari.net", "blog.cassidiancybersecurity.com", "blog.cert.societegenerale.com", "blog.checkpoint.com", "blog.crowdstrike.com", "blog.crysys.hu", "blog.cyber4sight.com", "blog.cylance.com", "blog.deniable.org", "blog.didierstevens.com", "blog.domaintools.com", "blog.dragonthreatlabs.com", "blog.dynamoo.com", "blog.emsisoft.com", "blog.erratasec.com", "blog.eset.ie", "blog.fireeye.com", "blog.fortinet.com", "blog.fox-it.com", "blog.gdatasoftware.com", "blog.idiom.ca", "blog.ioactive.com", "blog.jpcert.or.jp", "blog.kaspersky.com", "blog.kleissner.org", "blog.knownsec.com", "blog.linuxmint.com", "blog.lookout.com", "blog.macnica.net", "blog.malwarebytes.com", "blog.malwarebytes.org", "blog.malwareclipboard.com", "blog.malwaremustdie.org", "blog.malwaretracker.com", "blog.morphisec.com", "blog.mxlab.eu", "blog.netlab.360.com", "blog.newskysecurity.com", "blog.opendns.com", 
"blog.pagefair.com", "blog.passivetotal.org", "blog.rootshell.be", "blog.ropchain.com", "blog.safebit.mn", "blog.secdo.com", "blog.sensecy.com", "blog.shadowserver.org", "blog.sucuri.net", "blog.talosintel.com", "blog.talosintelligence.com", "blog.team-cymru.org", "blog.threatstop.com", "blog.trendmicro.com", "blog.trendmicro.de", "blog.xanda.org", "blog.zimperium.com", "blogs.bromium.com", "blogs.cisco.com", "blogs.forcepoint.com", "blogs.mcafee.com", "blogs.norman.com", "blogs.quickheal.com", "blogs.rsa.com", "blogs.securiteam.com", "blogs.sophos.com", "blogs.technet.com", "blogs.technet.microsoft.com", "boomstick.emergingthreats.net", "breakingmalware.com", "business.kaspersky.com", "camas.comodo.com", "cdn.securelist.com", "cdn2.hubspot.net", "censys.io", "cert.gov.ua", "christophe.rieunier.name", "citizenlab.ca", "citizenlab.org", "code4hk.hackpad.com", "comgenjournal.blogspot.be", "community.blueliv.com", "community.qualys.com", "community.rapid7.com", "community.riskiq.com", "community.rsa.com", "community.saas.hpe.com", "community.ubnt.com", "community.websense.com", "contagiodump.blogspot.be", "contagiodump.blogspot.com", "contagiodump.blogspot.com.es", "contagiodump.blogspot.de", "contagiodump.blogspot.lu", "cryptam.com", "cryptome.org", "csecybsec.com", "cve.circl.lu", "cyb3rsleuth.blogspot.be", "cyb3rsleuth.blogspot.co.uk", "cyber-peace.org", "cyber.wtf", "cybersecurity.att.com", "cyberx-labs.com", "cymon.io", "cys-centrum.com", "cysinfo.com", "ddanchev.blogspot.com", "ddecode.com", "ddos.arbornetworks.com", "dea.gov.ge", "detux.org", "devcentral.f5.com", "didierstevens.com", "digital-forensics.sans.org", "digitasecurity.com", "dirtycow.ninja", "dns.robtex.com", "dnsdb.isc.org", "doc.emergingthreats.net", "documents.trendmicro.com", "download.bitdefender.com", "download.microsoft.com", "download01.norman.no", "dragos.com", "drops.wooyun.org", "e.gov.vn", "easyviruskilling.com", "edu.arabsgate.com", "en.community.dell.com", "en.wikipedia.org", 
"enigma0x3.net", "enterprise.norman.com", "eromang.zataz.com", "eternal-todo.com", "events.ccc.de", "exchange.xforce.ibmcloud.com", "extraexploit.blogspot.com", "f5.com", "fe-ddis.dk", "feodotracker.abuse.ch", "file.gdatasoftware.com", "firstlook.org", "forum.computerbetrug.de", "forum.nginx.org", "forums.malwarebytes.com", "foxglovesecurity.com", "freebeacon.com", "garwarner.blogspot.lu", "ghostbin.com", "gist.github.com", "gist.githubusercontent.com", "github.com", "gizmodo.com", "go.recordedfuture.com", "groups.google.com", "gtrack.h3x.eu", "hazmalware.wordpress.com", "heimdalsecurity.com", "helpx.adobe.com", "henrybasset.blogspot.be", "holisticinfosec.org", "home.mcafee.com", "hybrid-analysis.com", "ics-cert.kaspersky.com", "ics-cert.us-cert.gov", "ics.sans.org", "info.baesystemsdetica.com", "info.isightpartners.com", "info.lookout.com", "info.phishlabs.com", "info.publicintelligence.net", "infoarmor.com", "informationonsecurity.blogspot.be", "infotomb.com", "insider.domaintools.com", "intelcrawler.com", "ioc.forensicartifacts.com", "iocbucket.com", "iranthreats.github.i", "iranthreats.github.io", "isc.sans.edu", "itsicherheitsblog.de", "joedd.joesecurity.org", "joesecurity.org", "journeyintoir.blogspot.de", "kas.pr", "kasperskycontenthub.com", "kc.mcafee.com", "kernelmode.info", "krebsonsecurity.com", "kyuutaro.wordpress.com", "kz-cert.kz", "la.trendmicro.com", "lab.anchiva.com", "labs.alienvault.com", "labs.bitdefender.com", "labs.lastline.com", "labs.m86security.com", "labs.opendns.com", "labs.snort.org", "labs.sucuri.net", "labs.umbrella.com", "labsblog.f-secure.com", "lavasoft.com", "lists.clean-mx.com", "live.paloaltonetworks.com", "lockboxx.blogspot.com.es", "luminosity.link", "malware-research.org", "malware-traffic-analysis.net", "malware.dontneedcoffee.com", "malware.prevenity.com", "malware.sekoia.fr", "malwarebreakdown.com", "malwareconfig.com", "malwaredb.malekal.com", "malwarefor.me", "malwarejake.blogspot.fr", "malwarelab.zendesk.com", 
"malwr.com", "malwrpost.wordpress.com", "marcmaiffret.com", "marcoramilli.blogspot.dk", "marcoramilli.blogspot.it", "marcoramilli.blogspot.nl", "medium.com", "middleeastmalware.blogspot.com", "missatsamtal.se", "mjolnirsecurity.com", "mlwre.github.io", "mobile.reuters.com", "mobile.twitter.com", "money.cnn.com", "morphians.wordpress.com", "morphick.net", "morris.guru", "motherboard.vice.com", "my.opera.com", "myonlinesecurity.co.uk", "nakedsecurity.sophos.com", "netzpolitik.org", "news.drweb.com", "news.netcraft.com", "newsroom.trendmicro.com", "niebezpiecznik.pl", "normanshark.com", "noticeofpleadings.com", "novetta.com", "now.avg.com", "nvd.nist.gov", "nyxbone.com", "objective-see.com", "ocelot.li", "ossectools.blogspot.be", "otx.alienvault.com", "pages.arbornetworks.com", "paloaltonetworks.com", "panacea.threatgrid.com", "paper.seebug.org", "passivedns.mnemonic.no", "passivetotal.org", "pastebin.lu", "permalink.gmane.org", "persaxac.blogspot.be", "phishing-mails.blogspot.de", "phishme.com", "podcasts.mcafee.com", "portal.sec.ibm.com", "productforums.google.com", "proofpoint.com", "public.gdatasoftware.com", "publicintelligence.net", "puluka.com", "pwc.blogs.com", "pytosquatting.org", "r.virscan.org", "raw.github.com", "raw.githubusercontent.com", "reaqta.com", "recon.cx", "rednaga.io", "remchp.com", "reqrypt.org", "research.riskiq.net", "research.zscaler.com", "researchcenter.paloaltonetworks.com", "resources.infosecinstitute.com", "resources.netskope.com", "resources.sei.cmu.edu", "reverse.put.as", "reversewhois.domaintools.com", "s3-eu-west-1.amazonaws.com", "s3-us-west-2.amazonaws.com", "sandbox.deepviz.com", "sec.sexy", "seclists.org", "securelist.com", "securelist.ru", "securingtomorrow.mcafee.com", "security-is-just-an-illusion.blogspot.nl", "security.googleblog.com", "security.web.cern.ch", "securityaffairs.co", "securityblog.s21sec.com", "securityblog.switch.ch", "securitydaily.org", "securityfactory.tistory.com", "securityintelligence.com", 
"securityledger.com", "securitymadein.lu", "sensorstechforum.com", "sentinelone.com", "serveradmin.ru", "sf.riskiq.net", "shoplift.byte.nl", "sitecheck.sucuri.net", "sites.google.com", "sjc1-te-ftp.trendmicro.com", "soc.tdc.dk", "sophosnews.files.wordpress.com", "sslbl.abuse.ch", "stackoverflow.com", "stopmalvertising.com", "sub0day.com", "support.microsoft.com", "sync.me", "t.co", "takahiroharuyama.github.io", "talosintel.com", "targetedthreats.net", "techanarchy.net", "techcrunch.com", "techhelplist.com", "technet.microsoft.com", "telussecuritylabs.com", "thehackernews.com", "theintercept.com", "thisissecurity.net", "threatbook.cn", "threatconnect.com", "threatgeek.typepad.com", "threatintel.proofpoint.com", "threatpost.com", "tif.mcafee.com", "tools.cisco.com", "totalhash.com", "twitter.com", "ubuntuforums.org", "urlquery.net", "urlscan.io", "usa.kaspersky.com", "v2ex.com", "vb.vip600.com", "virusguides.com", "virusradar.com", "virustotal.com", "vms.drweb.com", "vms.drweb.ru", "vrt-blog.snort.org", "web.archive.org", "webcache.googleusercontent.com", "wepawet.iseclab.org", "whoisology.com", "wiki.egi.eu", "williamshowalter.com", "www.419scam.org", "www.4armed.com", "www.abuse.ch", "www.ad.nl", "www.agi.it", "www.alienvault.com", "www.antiy.net", "www.aptgroups.com", "www.aqniu.com", "www.arbornetworks.com", "www.baesystems.com", "www.bangkokpost.com", "www.bbc.co.uk", "www.bellingcat.com", "www.blackhat.com", "www.blacknurse.dk", "www.bleepingcomputer.com", "www.bloomberg.com", "www.bluecoat.com", "www.blueliv.com", "www.broadanalysis.com", "www.bsk-consulting.de", "www.ca.com", "www.carbonblack.com", "www.cert.pl", "www.cert.ssi.gouv.fr", "www.certego.net", "www.checkpoint.com", "www.circl.lu", "www.clearskysec.com", "www.cloudsek.com", "www.cmcm.com", "www.cobaltstrike.com", "www.codeandsec.com", "www.commandfive.com", "www.coresecurity.com", "www.crowdstrike.com", "www.crysys.hu", "www.csis.dk", "www.csoonline.com", "www.cve.mitre.org", "www.cybereason.com", 
"www.cyberengineeringservices.com", "www.cyberesi.com", "www.cybermerchantsofdeath.com", "www.cyberoam.com", "www.cyberscoop.com", "www.cybersixgill.com", "www.cybersquared.com", "www.cyintanalysis.com", "www.cylance.com", "www.cymmetria.com", "www.cyphort.com", "www.damballa.com", "www.daniweb.com", "www.darkreading.com", "www.deependresearch.org", "www.defcon.org", "www.devttys0.com", "www.dfn-cert.de", "www.digitalbond.com", "www.digitalshadows.com", "www.drchaos.com", "www.dropbox.com", "www.dshield.org", "www.eff.org", "www.eldo.lu", "www.emc.com", "www.endgame.com", "www.ewon.be", "www.exploit-db.com", "www.f-secure.com", "www.facebook.com", "www.fidelissecurity.com", "www.fireeye.com", "www.flashpoint-intel.com", "www.fortinet.com", "www.fox-it.com", "www.gdata.fr", "www.gdatasoftware.com", "www.govcert.admin.ch", "www.group-ib.com", "www.guardicore.com", "www.hauri.co.kr", "www.heise.de", "www.helpnetsecurity.com", "www.hotforsecurity.com", "www.hybrid-analysis.com", "www.ibpt.be", "www.icebrg.io", "www.ilspy.net", "www.infosecdailynews.com", "www.infosecurity-magazine.com", "www.intego.com", "www.intezer.com", "www.invincea.com", "www.isightpartners.com", "www.itnews.com.au", "www.joesandbox.com", "www.kahusecurity.com", "www.kam.lt", "www.kaspersky.com", "www.kernelmode.info", "www.kpmg.com", "www.krcert.or.kr", "www.kudelskisecurity.com", "www.lac.co.jp", "www.lacoon.com", "www.lancope.com", "www.lexsi.com", "www.link11.de", "www.listaspam.com", "www.liveleak.com", "www.macrumors.com", "www.macworld.com", "www.malware-reversing.com", "www.malware-traffic-analysis.net", "www.malware.lu", "www.malware.unam.mx", "www.malwaredigger.com", "www.malwaretech.com", "www.malwaretracker.com", "www.mandiant.com", "www.marc.info", "www.mcafee.com", "www.mediafire.com", "www.melani.admin.ch", "www.microsoft.com", "www.mysonicwall.com", "www.nbu.gov.sk", "www.nccgroup.com", "www.ncsc.gov.uk", "www.netresec.com", "www.netsarang.com", "www.netskope.com", 
"www.norse-corp.com", "www.noticeofpleadings.com", "www.novetta.com", "www.nsslabs.com", "www.nttsecurity.com", "www.nytimes.com", "www.nyxbone.com", "www.operationblockbuster.com", "www.oracle.com", "www.packetmail.net", "www.paloaltonetworks.com", "www.pandasecurity.com", "www.passivetotal.org", "www.pcmag.com", "www.phishtank.com", "www.polizei-praevention.de", "www.prensa.com", "www.prnewswire.com", "www.proofpoint.com", "www.pwc.co.uk", "www.rackspace.com", "www.recordedfuture.com", "www.reddit.com", "www.reuters.com", "www.reverse.it", "www.reversinglabs.com", "www.riskiq.com", "www.robtex.com", "www.rooksecurity.com", "www.root9b.com", "www.rsa.com", "www.rsaconference.com", "www.rtl.lu", "www.scam.cz", "www.scmagazine.com", "www.seculert.com", "www.securelist.com", "www.securemac.com", "www.secureworks.com", "www.securityartwork.es", "www.securityweek.com", "www.sekoia.fr", "www.sentinelone.com", "www.serkey.com", "www.shodanhq.com", "www.skycure.com", "www.slideshare.net", "www.sophos.com", "www.spiegel.de", "www.symantec.com", "www.talosintel.com", "www.technologyreview.com", "www.theregister.co.uk", "www.thesafemac.com", "www.threatconnect.com", "www.threatexpert.com", "www.threatgeek.com", "www.threatminer.org", "www.threatstop.com", "www.threatstream.com", "www.threattracksecurity.com", "www.tigersecurity.pro", "www.trendmicro.com", "www.trustwave.com", "www.us-cert.gov", "www.verfassungsschutz.de", "www.virusbtn.com", "www.virusbulletin.com", "www.virusradar.com", "www.virustotal.com", "www.vkremez.com", "www.volexity.com", "www.votiro.com", "www.vxsecurity.sg", "www.washingtontimes.com", "www.welivesecurity.com", "www.whoismind.com", "www.windowscentral.com", "www.wipo.int", "www.wired.com", "www.wirtschaftsschutz.info", "www.wordfence.com", "www.xylibox.com", "www.youtube.com", "www.zdnet.com", "www.zscaler.com", "www2.fireeye.com", "yararules.com", "zairon.wordpress.com", "zaufanatrzeciastrona.pl", "zerophagemalware.com", "zeustracker.abuse.ch", 
"zulu.zscaler.com" ], "matching_attributes": [ "domain", "domain|ip", "hostname", "url", "uri", "link" ], "name": "List of known security providers/vendors blog domain", "type": "hostname", "version": 4 }