STIX feed integration · SIEM

Elastic Security — Malscan STIX Feed Integration

Poll the bundles with an httpjson input into threat.indicator fields

About the feeds

Bring the free Vulnetix Malscan STIX 2.1 feeds into Elastic Security: poll the per-ecosystem DNS and URL bundles with a Filebeat httpjson input, split on the STIX objects array, and map indicators for use in indicator-match detection rules.

The feeds

Free STIX 2.1 bundles at https://vulnetix.com/malscan-stix/{ecosystem}/{dns|urls}.stix.json — ecosystems generic, npm, pypi, go, cargo, rubygems, maven, packagist and nuget. DNS carries malicious domains and IPs; URLs carries C2 and exfiltration endpoints. Refreshed every 15 minutes, each bundle ships a .sha256 sidecar, index.json manifests the set, and a DNS TXT record per ecosystem carries the live locator. Licensed AGPL-3.0 — free to use and redistribute.

Wire the feeds into Elastic Security

The httpjson input fetches the bundle on an interval and splits on objects[], one event per STIX object. Map the indicator pattern into threat.indicator.* fields (an ingest pipeline handles the pattern parse) and point your indicator-match rules at the index.

filebeat.yml: httpjson input (15-minute interval)

filebeat.inputs:
  - type: httpjson
    id: vulnetix-malscan-dns
    interval: 15m
    request.url: https://vulnetix.com/malscan-stix/generic/dns.stix.json
    response.split:
      target: body.objects
    processors:
      - add_fields:
          target: threat.feed
          fields:
            name: "Vulnetix Malscan"
            reference: "https://vulnetix.com/malscan-stix/"

output.elasticsearch:
  hosts: ["https://elastic.example.com:9200"]
  index: "logs-ti_vulnetix_malscan"

Verify before you ingest

curl -fsSLO https://vulnetix.com/malscan-stix/generic/dns.stix.json
REMOTE=$(curl -fsSL https://vulnetix.com/malscan-stix/generic/dns.stix.json.sha256 | cut -d' ' -f1)
LOCAL=$(sha256sum dns.stix.json | cut -d' ' -f1)
[ "$REMOTE" = "$LOCAL" ] && echo "verified" || echo "CHECKSUM MISMATCH: do not ingest"

Where the indicators come from

Every feed entry traces to a supply-chain malware campaign Vulnetix tracks. The Malscan engine matches the same indicators against dependencies already installed on disk; the Package Firewall blocks the packages that carry them at install time.

All STIX feed integrations →  ·  The campaigns behind the feeds →