STIX feed integration · CTI platform

OpenCTI — Malscan STIX Feed Integration

Import the bundles straight into your knowledge graph with pycti

About the feeds

Ingest the free Vulnetix Malscan STIX 2.1 threat feeds into OpenCTI: poll the per-ecosystem DNS and URL indicator bundles every 15 minutes with pycti and import them as native STIX objects, relationships intact.

The feeds

Free STIX 2.1 bundles at https://vulnetix.com/malscan-stix/{ecosystem}/{dns|urls}.stix.json — ecosystems generic, npm, pypi, go, cargo, rubygems, maven, packagist and nuget. DNS carries malicious domains and IPs; URLs carries C2 and exfiltration endpoints. Refreshed every 15 minutes, each bundle ships a .sha256 sidecar, index.json manifests the set, and a DNS TXT record per ecosystem carries the live locator. Licensed AGPL-3.0 — free to use and redistribute.

Wire the feeds into OpenCTI

OpenCTI speaks STIX 2.1 natively, so the bundles import as-is, indicators, labels and marking definitions included. A small scheduled importer beats a custom connector here because the feeds are plain HTTPS with a manifest.

Scheduled importer (cron every 15 minutes)

# pip install pycti requests
import requests
from pycti import OpenCTIApiClient

api = OpenCTIApiClient("https://opencti.example.com", "$OPENCTI_TOKEN")

for eco in ["generic", "npm", "pypi"]:          # pick your ecosystems
    for kind in ["dns", "urls"]:
        bundle = requests.get(
            f"https://vulnetix.com/malscan-stix/{eco}/{kind}.stix.json",
            timeout=60,
        ).text
        api.stix2.import_bundle_from_json(bundle, update=True)

Verify before you ingest

curl -fsSLO https://vulnetix.com/malscan-stix/generic/dns.stix.json
REMOTE=$(curl -fsSL https://vulnetix.com/malscan-stix/generic/dns.stix.json.sha256 | cut -d' ' -f1)
LOCAL=$(sha256sum dns.stix.json | cut -d' ' -f1)
[ "$REMOTE" = "$LOCAL" ] && echo "verified" || echo "CHECKSUM MISMATCH: do not ingest"

Where the indicators come from

Every feed entry traces to a supply-chain malware campaign Vulnetix tracks. The Malscan engine matches the same indicators against dependencies already installed on disk; the Package Firewall blocks the packages that carry them at install time.

All STIX feed integrations →  ·  The campaigns behind the feeds →