Feed the free Vulnetix Malscan threat intelligence into IBM QRadar: extract domains and IPs from the per-ecosystem STIX 2.1 bundles and bulk-load them into reference sets that your rules and searches test against.
The feeds
Free STIX 2.1 bundles at https://vulnetix.com/malscan-stix/{ecosystem}/{dns|urls}.stix.json — ecosystems generic, npm, pypi, go, cargo, rubygems, maven, packagist and nuget. DNS carries malicious domains and IPs; URLs carries C2 and exfiltration endpoints. Refreshed every 15 minutes, each bundle ships a .sha256 sidecar, index.json manifests the set, and a DNS TXT record per ecosystem carries the live locator. Licensed AGPL-3.0 — free to use and redistribute.
Wire the feeds into IBM QRadar
QRadar rules test against reference sets, so this guide extracts the indicator values from the STIX bundles with jq and pushes them through the reference_data bulk-load API. Create the sets once (ALN for domains, IP for addresses), then let cron keep them fresh.
Extract + bulk-load (cron every 15 minutes)
#!/bin/sh
# Domains → reference set VulnetixMalscanDomains (type ALN)
curl -fsSL https://vulnetix.com/malscan-stix/generic/dns.stix.json \
| jq -r '.objects[] | select(.type == "indicator") | .pattern' \
| grep -oP "domain-name:value = '\K[^']+" | sort -u \
| jq -R -s -c 'split("\n") | map(select(length > 0))' \
| curl -X POST "https://qradar.example.com/api/reference_data/sets/bulk_load/VulnetixMalscanDomains" \
-H "SEC: $QRADAR_TOKEN" \
-H "Content-Type: application/json" \
--data-binary @-
Verify before you ingest
curl -fsSLO https://vulnetix.com/malscan-stix/generic/dns.stix.json REMOTE=$(curl -fsSL https://vulnetix.com/malscan-stix/generic/dns.stix.json.sha256 | cut -d' ' -f1) LOCAL=$(sha256sum dns.stix.json | cut -d' ' -f1) [ "$REMOTE" = "$LOCAL" ] && echo "verified" || echo "CHECKSUM MISMATCH: do not ingest"
Where the indicators come from
Every feed entry traces to a supply-chain malware campaign Vulnetix tracks. The Malscan engine matches the same indicators against dependencies already installed on disk; the Package Firewall blocks the packages that carry them at install time.
All STIX feed integrations → · The campaigns behind the feeds →