STIX feed integration · SIEM

Microsoft Sentinel — Malscan STIX Feed Integration

Push indicators through the Upload Indicators (STIX objects) API

About the feeds

Stream the free Vulnetix Malscan STIX 2.1 feeds into Microsoft Sentinel threat intelligence: poll the per-ecosystem DNS and URL bundles and push their indicators through the STIX-objects upload API into your workspace for analytics-rule matching.

The feeds

Free STIX 2.1 bundles at https://vulnetix.com/malscan-stix/{ecosystem}/{dns|urls}.stix.json — ecosystems generic, npm, pypi, go, cargo, rubygems, maven, packagist and nuget. DNS carries malicious domains and IPs; URLs carries C2 and exfiltration endpoints. Refreshed every 15 minutes, each bundle ships a .sha256 sidecar, index.json manifests the set, and a DNS TXT record per ecosystem carries the live locator. Licensed AGPL-3.0 — free to use and redistribute.

Wire the feeds into Microsoft Sentinel

Sentinel's upload API takes STIX objects directly. Reshape the bundle into the sourcesystem + stixobjects envelope and the indicators appear in Threat Intelligence, ready for the built-in TI-map analytics rules.

Poll + upload (cron every 15 minutes)

#!/bin/sh
# Entra token with the Sentinel TI upload role on the workspace
TOKEN=$(az account get-access-token --resource https://api.ti.sentinel.azure.com --query accessToken -o tsv)

curl -fsSL https://vulnetix.com/malscan-stix/generic/urls.stix.json \
  | jq '{sourcesystem: "Vulnetix Malscan", stixobjects: [.objects[] | select(.type == "indicator")]}' \
  | curl -X POST "https://api.ti.sentinel.azure.com/workspaces/$WORKSPACE_ID/threat-intelligence-stix-objects:upload?api-version=2024-02-01-preview" \
      -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type: application/json" \
      --data-binary @-

Verify before you ingest

curl -fsSLO https://vulnetix.com/malscan-stix/generic/dns.stix.json
REMOTE=$(curl -fsSL https://vulnetix.com/malscan-stix/generic/dns.stix.json.sha256 | cut -d' ' -f1)
LOCAL=$(sha256sum dns.stix.json | cut -d' ' -f1)
[ "$REMOTE" = "$LOCAL" ] && echo "verified" || echo "CHECKSUM MISMATCH: do not ingest"

Where the indicators come from

Every feed entry traces to a supply-chain malware campaign Vulnetix tracks. The Malscan engine matches the same indicators against dependencies already installed on disk; the Package Firewall blocks the packages that carry them at install time.

All STIX feed integrations →  ·  The campaigns behind the feeds →