{"id":7215,"date":"2024-03-05T08:54:03","date_gmt":"2024-03-05T08:54:03","guid":{"rendered":"\/cybersecurity-blog\/?p=7215"},"modified":"2024-09-26T11:27:00","modified_gmt":"2024-09-26T11:27:00","slug":"how-we-built-ti-lookup","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/how-we-built-ti-lookup\/","title":{"rendered":"How We Built Threat Intelligence Lookup"},"content":{"rendered":"\n<p>Creating a <a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=howwebuiltlookup&amp;utm_content=linktolookuplanding&amp;utm_term=050324\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a> platform is something we have wanted to do for years. With over 400,000 analysts using our sandbox, many of whom run public research sessions and share the results of their research, we&#8217;re accumulating roughly 600 million IOCs a year in our database. It was clear to us that information could bring immense value to SOC teams.&nbsp;<\/p>\n\n\n\n<p>Today, we want to raise the curtain a bit and talk about the main milestones (and roadblocks) we hit on the way, as well as the key decisions that shaped the product into what it is today \u2014 and where it&#8217;ll go next.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">Learn more about Threat Intelligence Lookup and what it can do<\/a>.<\/p>\n\n\n\n<figure class=\"wp-block-video aligncenter\"><video controls src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/Video-1-small.mp4\"><\/video><figcaption class=\"wp-element-caption\">ImagePath:&#8221;powershell&#8221; AND CommandLine:&#8221;$codigo&#8221;<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">We wanted to link all events within a single sandbox session and make them searchable&nbsp;<\/h2>\n\n\n\n<p>There were two things we 
knew: providing a portal to search our database would bring immense value to our users, and we\u2019re the only company that can provide IOCs and events&#8217; fields&nbsp;extracted from 1.5 million interactive sandbox research sessions, where all events within a single session are linked (even if one event hasn\u2019t directly spawned the other).&nbsp;<\/p>\n\n\n\n<p>There were also many things we didn\u2019t know: how to make the search functionality as intuitive as our sandbox is, and what we needed to do to make sure everything works at scale.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">We\u2019ve set goals for ourselves:&nbsp;<\/h3>\n\n\n\n<p><strong>1. Supporting wildcards and operators<\/strong>. Wildcards (*) let you quickly find relevant artifacts by substring (querying &#8220;vate&#8221; returns \u201cprivateloader\u201d). Operators enable you to narrow down results using AND, OR, and NOT conditions. (Note: You can already use AND, but we\u2019ll add OR and NOT in a future release). &nbsp;<\/p>\n\n\n\n<p><strong>2. The search had to be fast<\/strong>. We set a condition: users should receive results in seconds, not minutes. (The final render time we achieved is around 5 seconds).&nbsp;<\/p>\n\n\n\n<p><strong>3. The UI had to be intuitive<\/strong>. 
We needed to design a simple and instantly accessible UI where even a first-time user could build a complex query.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Some things we tried and what didn\u2019t quite work out&nbsp;<\/h2>\n\n\n\n<p>Our first instinct was to integrate the Lookup service into the sandbox. We spent months going down this path, but ultimately, we tossed the idea aside.&nbsp;<\/p>\n\n\n\n<p>Our existing MongoDB database holds\u00a0a large volume of data and the searches took painfully long. Then there was the issue of scalability. With MongoDB being a NoSQL database, storing a large number of connections in memory made the infrastructure too expensive to run. 
That would drive up the price past the point that we were comfortable with.\u00a0<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>We also found that using a regular filter on MongoDB and only relying on exact matches meant we couldn&#8217;t implement wildcard searches, which was a deal-breaker.<\/em><\/p>\n<cite>Dmitry Marinov, CTO<\/cite><\/blockquote>\n\n\n\n<p>Early UX tests reinforced the conviction that cramming the functionality of a search portal into the sandbox wasn&#8217;t the right approach.&nbsp;<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>Initially, we thought to make the lookup part of the sandbox. But we quickly realized that such huge functionality could interfere with standard sandbox use cases. That&#8217;s why we decided to create a new service from scratch. This would allow us to develop a search-only interface.<\/em>&nbsp;<\/p>\n<cite><strong>Kirill Aksenov, Head of Design<\/strong>&nbsp;<\/cite><\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">We decided to make the TI Lookup a separate product&nbsp;<\/h2>\n\n\n\n<p>On the backend, this meant a new tech stack and a new database.&nbsp;<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>We had very high requirements for read and write speeds so that we could build something that\u2019s both quick and easy to use \u2014 in the true ANY.RUN fashion.<\/em>&nbsp;<\/p>\n<cite><strong>Dmitry Marinov, CTO<\/strong>&nbsp;<\/cite><\/blockquote>\n\n\n\n<p>Over the next several months, Dmitry started researching various architectures. Our platform needed to handle hundreds of thousands of events per second and deliver query results for all fields to users in under 10 seconds,&nbsp;worst-case scenario.&nbsp;<\/p>\n\n\n\n<p>Since we needed connections, Dmitry decided to use a graph database. 
At that time, we were looking at Neo4j and OrientDB. The first option Dmitry considered was Neo4j. It satisfied all his requirements but was tremendously expensive.&nbsp;&nbsp;<\/p>\n\n\n\n<p>OrientDB, on the other hand, had a free license. And so, Dmitry wrote a connector in Node.js. It all went smoothly \u2014 and we could run searches.&nbsp;<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>But then we realized that we have so much data coming in from the sandbox that OrientDB can&#8217;t keep up. We wrote slower than we read.<\/em>&nbsp;<\/p>\n<cite><strong><em>Dmitry Marinov, CTO<\/em><\/strong>&nbsp;<\/cite><\/blockquote>\n\n\n\n<p>Dmitry moved the OrientDB database to a separate server and rewrote the connector in Java to have it receive data over the network and then write it directly to hardware. This way we could utilize the full speed of the SSD. The write speed increased by 10x, and it was enough to cover our needs. It looked like this was the turning point. And then \u2014 we hit a snag:&nbsp;<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>When I began testing the entire system and tried to scale it, it turned out that when we write to this database over hardware, we cannot read from it. The technology has not justified itself.<\/em>&nbsp;<\/p>\n<cite><strong><em>Dmitry Marinov, CTO<\/em><\/strong>&nbsp;<\/cite><\/blockquote>\n\n\n\n<p>Then Dmitry tried several things. He tried&nbsp;PostgreSQL, MariaDB, built-in full-text indexes for LIKE queries, custom indexes, and ZomboDB \u2014 another dead end. &nbsp;<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>At one point I started writing custom indexes that allowed us to search through data more efficiently. In particular, I used n-grams. It didn&#8217;t pay off again. 
It turned out that in order for SQL to work, it was necessary to build a 1-gram and the amount that the index occupied was so large that the license price would be too expensive.<\/em>&nbsp;<\/p>\n<cite><strong><em>Dmitry Marinov, CTO<\/em><\/strong>&nbsp;<\/cite><\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Just when it started to look like there\u2019s no solution, Dmitry hit a breakthrough:&nbsp;<\/h3>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>I took Elasticsearch and structured all our data in a denormalized format within the distributed engine, and that&#8217;s when it all clicked. We were able to scale the system for both reading and writing. We have our secret sauce for optimizing everything, and as we scaled it up, it worked!<\/em>&nbsp;<\/p>\n<cite><em><strong>Dmitry Marinov, CTO<\/strong>&nbsp;<\/em><\/cite><\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">We had to create a completely new UI for searching&nbsp;<\/h3>\n\n\n\n<p>In the meantime, breaking away from ANY.RUN\u2019s existing UI kit allowed Kirill and his team to work much more freely. An intuitive workflow is a big part of our sandbox, and we were convinced the UX had to be simple and instantly accessible in the search portal.&nbsp;<\/p>\n\n\n\n<p>We wanted to empower even newcomers to write complex queries with AND conditions and wildcards.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"566\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-1-1024x566.png\" alt=\"\" class=\"wp-image-7216\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-1-1024x566.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-1-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-1-768x424.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-1-1536x849.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-1-370x204.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-1-270x149.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-1-740x409.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-1.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Click on pre-built components and they paste in with the correct syntax&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<blockquote class=\"wp-block-quote is-layout-flow 
wp-block-quote-is-layout-flow\">\n<p><em>We designed a request constructor that allows you to put together a request by combining pre-built list items. This way we can show users what they can search for and what tools they have to write the request. This was the most challenging part of the UI to get right.<\/em>&nbsp;<\/p>\n<cite><em><strong>Kirill Aksenov, Head of Design<\/strong>&nbsp;<\/em><\/cite><\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">We made several important decisions about the product during the design process:&nbsp;<\/h3>\n\n\n\n<p><strong>Giving a holistic view of search results<\/strong>. Instead of spreading search results across pages by category (you\u2019d have one page to hold IPs, another one for hashes and so on), after much trial and error we landed on a tiled layout with a mix of tables and lists. Every search gives you the entire picture at a glance. Then, you can drill into categories by clicking on tiles.&nbsp;<\/p>\n\n\n\n<p><strong>We wanted to retain the connection between Lookup and Sandbox<\/strong>. When we designed the UI, we tried to maintain this connection through common interface elements like process cards. 
This is how we create a consistent experience.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"566\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/2-1-1024x566.png\" alt=\"\" class=\"wp-image-7217\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/2-1-1024x566.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/2-1-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/2-1-768x424.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/2-1-1536x849.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/2-1-370x204.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/2-1-270x149.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/2-1-740x409.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/2-1.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">UI Elements from the sandbox create consistency between the two products.&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p><strong>What we want to improve<\/strong>: We included examples of queries, guides and hints in the first iteration of the UI, but we want to make creating a search query for the user even more understandable and transparent.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What\u2019s next for us?&nbsp;<\/h3>\n\n\n\n<p>We launched Threat Intelligence Lookup in February 2024, but we\u2019ve been testing it together with early adopters from our community for several months prior to the public release. 
This product feels like the next logical step for us, a completely new way to bring value to our users.&nbsp;<\/p>\n\n\n\n<p>In the first iteration we focused on giving you all the data we had at once in a package that is user-friendly both for building searches and for browsing the results.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Some things we had to leave out to make it in time for our planned release window. For example, you can\u2019t yet search across our collection of artifacts by YARA rules. Dmitry, Kirill, and others in our TI Lookup taskforce are already working on shipping this feature \u2014 along with more transformative ones that we can\u2019t quite talk about yet.&nbsp;<\/p>\n\n\n\n<p>No matter where we go, we\u2019ll stay true to ANY.RUN value: making what we believe are among the most intuitive security products in the industry.&nbsp;<\/p>\n\n\n\n<p>If you&#8217;re an enterprise with five or more members in your security team, and currently building your SOC processes, we invite you to try our new platform. Get in touch with our sales team, and we&#8217;ll provide you with access to a 14-day trial.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/plans\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=howwebuiltlookup&amp;utm_content=linktolookuppricing&amp;utm_term=050324\" target=\"_blank\" rel=\"noreferrer noopener\">Get in touch with our Sales team&nbsp;<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Creating a Threat Intelligence Lookup platform is something we have wanted to do for years. With over 400,000 analysts using our sandbox, many of whom run public research sessions and share the results of their research, we&#8217;re accumulating roughly 600 million IOCs a year in our database. 
It was clear to us that information could [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":7219,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[67],"tags":[57,10,55],"class_list":["post-7215","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-interviews","tag-anyrun","tag-cybersecurity","tag-release"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How ANY.RUN Built Threat Intelligence Lookup<\/title>\n<meta name=\"description\" content=\"Read how Threat Intelligence Lookup, a large searchable database of threat data, was built by the ANY.RUN sandbox team.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/how-we-built-ti-lookup\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-we-built-ti-lookup\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-we-built-ti-lookup\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"How We Built Threat Intelligence Lookup\",\"datePublished\":\"2024-03-05T08:54:03+00:00\",\"dateModified\":\"2024-09-26T11:27:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-we-built-ti-lookup\/\"},\"wordCount\":1604,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"release\"],\"articleSection\":[\"Interviews\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/how-we-built-ti-lookup\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-we-built-ti-lookup\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/how-we-built-ti-lookup\/\",\"name\":\"How ANY.RUN Built Threat Intelligence Lookup\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-03-05T08:54:03+00:00\",\"dateModified\":\"2024-09-26T11:27:00+00:00\",\"description\":\"Read how Threat Intelligence Lookup, a large searchable database of threat data, was built by the ANY.RUN sandbox 
team.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-we-built-ti-lookup\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/how-we-built-ti-lookup\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-we-built-ti-lookup\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Interviews\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/interviews\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"How We Built Threat Intelligence Lookup\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How ANY.RUN Built Threat Intelligence Lookup","description":"Read how Threat Intelligence Lookup, a large searchable database of threat data, was built by the ANY.RUN sandbox team.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/how-we-built-ti-lookup\/","twitter_misc":{"Written by":"ANY.RUN","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/how-we-built-ti-lookup\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/how-we-built-ti-lookup\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"How We Built Threat Intelligence Lookup","datePublished":"2024-03-05T08:54:03+00:00","dateModified":"2024-09-26T11:27:00+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/how-we-built-ti-lookup\/"},"wordCount":1604,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","release"],"articleSection":["Interviews"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/how-we-built-ti-lookup\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/how-we-built-ti-lookup\/","url":"https:\/\/any.run\/cybersecurity-blog\/how-we-built-ti-lookup\/","name":"How ANY.RUN Built Threat Intelligence Lookup","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2024-03-05T08:54:03+00:00","dateModified":"2024-09-26T11:27:00+00:00","description":"Read how Threat Intelligence Lookup, a large searchable database of threat data, was built by the ANY.RUN sandbox team.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/how-we-built-ti-lookup\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/how-we-built-ti-lookup\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/how-we-built-ti-lookup\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Interviews","item":"https:\/\/any.run\/cybersecurity-blog\/category\/interviews\/"},{"@type":"ListItem","position":3,"name":"How We 
Built Threat Intelligence Lookup"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7215"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embedd
able":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=7215"}],"version-history":[{"count":7,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7215\/revisions"}],"predecessor-version":[{"id":9004,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7215\/revisions\/9004"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/7219"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=7215"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=7215"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=7215"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}