
Creating a Watchlist from Malc0de


ESM 9.5 introduced the capability to populate watchlists with data parsed from HTTP feeds.  This provides you with the ability to tap into the vast array of public threat feeds out in the world to improve your situational awareness in ESM. In this doc we'll walk through an example of pulling a feed from 

The Malc0de IP blacklist is updated regularly.  Below is a screenshot of the list as seen in a web browser.


We can see that the list has a few header lines at the top that we'll want to ignore, followed by a simple list of IP addresses, one per line, that will be very easy for us to parse out.  To begin, create a new dynamic watchlist with the update schedule you desire.


Next we'll need to provide the URL for the information we'd like to parse.  Press the Connect button to ensure your ESM can reach the URL you've specified.


With that done, we'll need to tell the ESM how to parse out the values on that page.  We'll specify 3 header lines, to ensure that ESM skips the unwanted lines at the top of the text file.  Then we need to provide a regex that properly captures the IP address.  In this case we can use a very simple regex of \d+.\d+.\d+.\d+.  This looks for 4 series of digits (\d+) separated by any single character (an unescaped . matches any character, not just a literal dot).  This regex is a little sloppy, but works in this context, because every non-header line of the feed is a well-formed IP address.


We also need to include (parentheses) around the regex we want to match, as shown above.  This turns the regex into a matching group.  In the case of this particular URL, the matching group is a bit of unnecessary hassle, since there is only one value we care about on each line.  However, in other cases you might have multiple values on each line (IP address, country, URL, email address, etc.).  In that case, the matching group is used to refer to a specific field on each line.  When you've properly built your regex and applied matching group delimiters, you will see values become highlighted in blue, as seen in the screenshot above.

The final step is to tell ESM what data type this watchlist will contain.  In our case, we'll select IP Address.


Finally, if you click "Run Now" you should find that your watchlist values are populated.  You may now use your new watchlist in correlation rules, view filters, reports, and anywhere else you'd normally use a watchlist.
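The parse step described above, as an added Python example that is not part of the original doc and not ESM's own code: it mimics what the dynamic-watchlist parser is described as doing (skip the header lines, apply the regex to each remaining line, keep the capture group), runs it over a constructed feed in the shape of the Malc0de list, checks the result against the IP Address data type, and also shows the multi-field case where the group number selects the column.  The feed text, the multi-field format and the parse_feed/valid_ips helpers are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample in the shape of the Malc0de IP blacklist: three
# header lines, then one IP per line (assumption: not the live feed).
SAMPLE_FEED = """\
// Malc0de IP blacklist (constructed sample, not the live feed)
// Updated: placeholder date
//
203.0.113.10
198.51.100.7
192.0.2.55
"""

# Constructed multi-field feed, one record per line: IP, country, URL.
# Format is an assumption to show how the capture-group number picks a column.
SAMPLE_MULTI_FIELD_FEED = """\
# ip,country,url   (constructed sample)
203.0.113.10,US,http://bad.example/a.exe
198.51.100.7,DE,http://worse.example/b.exe
"""

MULTI_FIELD_RE = r"^([^,]+),([^,]+),(\S+)$"


def parse_feed(text, header_lines, pattern, group=1):
    """Model of the watchlist parse step: drop `header_lines` lines, apply
    `pattern` to every remaining line and keep capture group `group`.
    Lines that do not match are skipped (assumption about ESM's behaviour)."""
    compiled = re.compile(pattern)
    values = []
    for line in text.splitlines()[header_lines:]:
        m = compiled.search(line)
        if m:
            values.append(m.group(group))
    return values


def valid_ips(values):
    """Model of the 'IP Address' data-type check: keep only strings that
    parse as IPv4 addresses, so a sloppy regex cannot feed junk into the list."""
    accepted = []
    for v in values:
        try:
            ipaddress.IPv4Address(v)
            accepted.append(v)
        except ipaddress.AddressValueError:
            pass  # not an IP (e.g. a date fragment or an octet > 255)
    return accepted


def malc0de_watchlist():
    # The doc's settings: 3 header lines, the simple regex in a capture group.
    return valid_ips(parse_feed(SAMPLE_FEED, 3, r"(\d+.\d+.\d+.\d+)"))


def multi_field_ips():
    # Group 1 of the three-group regex is the IP column.
    return parse_feed(SAMPLE_MULTI_FIELD_FEED, 1, MULTI_FIELD_RE, group=1)


def multi_field_urls():
    # Group 3 is the URL column; same feed, different watchlist data type.
    return parse_feed(SAMPLE_MULTI_FIELD_FEED, 1, MULTI_FIELD_RE, group=3)


if __name__ == "__main__":
    print("IP watchlist:", malc0de_watchlist())
    print("IPs from multi-field feed:", multi_field_ips())
    print("URLs from multi-field feed:", multi_field_urls())
```

The data-type check is the safety net here: if the header-line count is wrong or the regex is loose, the values that are not real IP addresses are dropped instead of ending up in a watchlist that correlation rules and filters trust.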

I hope you find this useful.  What feeds have you found useful in your own environment?



Thank you SO much, this document was very helpful! Please keep docs like this coming!



The regex (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) works better for the IPs, as this regex (\d+.\d+.\d+.\d+) results in lots of false positives.

Is it possible to get all these feeds into a single watchlist? Dynamic watchlists are a really good addition to SIEM, but per watchlist we can use only one feed, which doesn't serve the purpose.




Hi Vinaya,

Yes, your regex is definitely better than mine.  In the case of pulling data from malc0de, it shouldn't matter too much, as their data is already well formatted, but for other feeds I can see your point.

It's not possible to get multiple feeds on a single watchlist using this feature.  I think in general it's valuable to keep various feeds separate, so you can track where your data has come from.  In that case, when you're creating correlations, reports, etc. using these feeds, you'd need to ensure you're including all of your relevant threat feed watchlists, not just a single one...

     Source IP (In)  ["WL:malc0de", "WL:zeustracker", "WL:malwaredomains"]



Does anyone have a regex for getting the domains from, for example, this:


We are getting the error below; can anyone help solve this?


You can use this regex for getting domain name: ((?:[-A-Za-z0-9]+\.)+[A-Za-z]{1,})
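The two regex points raised in the comments (the strict IP regex versus the doc's \d+.\d+.\d+.\d+, and the domain regex just above), as an added Python example that is not part of the original thread: it runs each regex per line, the way the watchlist parser applies it, over a few constructed feed lines with typical noise (a generator timestamp, a hostname next to an IP, a URL and a file name) and returns what each one would put into the watchlist.  The sample lines and the helper functions are constructed for illustration.

```python
import re

SLOPPY_IP = r"(\d+.\d+.\d+.\d+)"                       # from the doc
STRICT_IP = r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"    # from Vinaya's comment
DOMAIN = r"((?:[-A-Za-z0-9]+\.)+[A-Za-z]{1,})"         # domain regex above

# Constructed feed lines (not from any real feed) chosen to expose the
# differences between the patterns.
NOISY_LINES = [
    "203.0.113.10",
    "# generated 2015-03-17 09:07:41 by feedbot",
    "bad.example.net  198.51.100.7",
    "dropper payload.exe hosted at http://www.example.com/x",
    "malware-cdn.example.org",
]


def hits(lines, pattern):
    """Apply `pattern` to each line on its own (as the watchlist parser does)
    and return every capture-group value found, in feed order."""
    compiled = re.compile(pattern)
    found = []
    for line in lines:
        found.extend(compiled.findall(line))
    return found


def sloppy_ip_hits():
    # The unescaped dots let '2015-03-17 09' through: a date, not an IP.
    return hits(NOISY_LINES, SLOPPY_IP)


def strict_ip_hits():
    # Escaped dots and 1-3 digit octets reject the timestamp line.
    return hits(NOISY_LINES, STRICT_IP)


def domain_hits():
    # Pulls hostnames out of plain lines and URLs, but anything shaped like
    # 'label.letters' (such as a file name) also matches: review the output.
    return hits(NOISY_LINES, DOMAIN)


if __name__ == "__main__":
    for name, fn in (("sloppy IP", sloppy_ip_hits),
                     ("strict IP", strict_ip_hits),
                     ("domain", domain_hits)):
        print(f"{name:>10}: {fn()}")
```

Even the strict IP regex does not validate octet ranges (999.1.1.1 still matches), so pairing the regex with the watchlist's data type, or reviewing the highlighted values before "Run Now", remains worthwhile; the domain regex likewise needs a look at what it captured before the list is wired into correlation rules.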

Version history
Revision 1 of 1
Last update: 03-17-2015 09:07 AM