STIX feed integration · Cloud

AWS GuardDuty — Malscan STIX Feed Integration

A threat intel set kept fresh from the extracted IP list

About the feeds

Feed AWS GuardDuty with the free Vulnetix Malscan threat intelligence: extract IPs from the per-ecosystem STIX 2.1 feeds to S3 and register the list as a GuardDuty threat intel set, so findings fire when workloads touch known campaign infrastructure.

The feeds

Free STIX 2.1 bundles at https://vulnetix.com/malscan-stix/{ecosystem}/{dns|urls}.stix.json — ecosystems generic, npm, pypi, go, cargo, rubygems, maven, packagist and nuget. DNS carries malicious domains and IPs; URLs carries C2 and exfiltration endpoints. Refreshed every 15 minutes, each bundle ships a .sha256 sidecar, index.json manifests the set, and a DNS TXT record per ecosystem carries the live locator. Licensed AGPL-3.0 — free to use and redistribute.

Wire the feeds into AWS GuardDuty

GuardDuty threat intel sets are plaintext IP lists in S3 (TXT format). Create the set once, then a scheduled job (cron, Lambda on an EventBridge schedule, whatever you run) refreshes the object and GuardDuty picks up the change.

Extract → S3 → threat intel set

#!/bin/sh
curl -fsSL https://vulnetix.com/malscan-stix/generic/dns.stix.json \
  | jq -r '.objects[] | select(.type == "indicator") | .pattern' \
  | grep -oP "ipv4-addr:value = '\K[^']+" | sort -u > vulnetix-ips.txt
aws s3 cp vulnetix-ips.txt s3://your-intel-bucket/vulnetix-ips.txt

# Once, to register the set:
aws guardduty create-threat-intel-set \
  --detector-id $DETECTOR_ID \
  --name VulnetixMalscan \
  --format TXT \
  --location s3://your-intel-bucket/vulnetix-ips.txt \
  --activate

# GuardDuty refreshes from S3; just keep the object current.

Verify before you ingest

curl -fsSLO https://vulnetix.com/malscan-stix/generic/dns.stix.json
REMOTE=$(curl -fsSL https://vulnetix.com/malscan-stix/generic/dns.stix.json.sha256 | cut -d' ' -f1)
LOCAL=$(sha256sum dns.stix.json | cut -d' ' -f1)
[ "$REMOTE" = "$LOCAL" ] && echo "verified" || echo "CHECKSUM MISMATCH: do not ingest"

Where the indicators come from

Every feed entry traces to a supply-chain malware campaign Vulnetix tracks. The Malscan engine matches the same indicators against dependencies already installed on disk; the Package Firewall blocks the packages that carry them at install time.

All STIX feed integrations →  ·  The campaigns behind the feeds →