STIX feed integration · SOAR

Tines — Malscan STIX Feed Integration

A four-action story: poll the manifest, fetch, dedupe, dispatch

About the feeds

Automate the free Vulnetix Malscan STIX 2.1 feeds with Tines: poll the feed manifest every 15 minutes, fetch changed bundles by checksum, deduplicate indicators, and dispatch them to your SIEM, EDR or firewall APIs downstream.

The feeds

Free STIX 2.1 bundles at https://vulnetix.com/malscan-stix/{ecosystem}/{dns|urls}.stix.json — ecosystems generic, npm, pypi, go, cargo, rubygems, maven, packagist and nuget. DNS carries malicious domains and IPs; URLs carries C2 and exfiltration endpoints. Refreshed every 15 minutes, each bundle ships a .sha256 sidecar, index.json manifests the set, and a DNS TXT record per ecosystem carries the live locator. Licensed AGPL-3.0 — free to use and redistribute.

Wire the feeds into Tines

The index.json manifest carries a sha256 per feed, so compare it against the previous run and only fetch bundles that changed. Everything downstream is standard Tines: an event per indicator, deduplicated, dispatched wherever your controls live.

Story outline (HTTP Request + Event Transform actions)

1. HTTP Request  - GET https://vulnetix.com/malscan-stix/index.json
     schedule: every 15 minutes
2. Trigger       - feeds[].sha256 != previous run (per feed)
3. HTTP Request  - GET the changed feed's url (dns/urls per ecosystem)
4. Event Transform - explode .objects, keep type == "indicator",
     deduplicate on .id
5. Dispatch      - HTTP Request to your SIEM / EDR / firewall API
     (e.g. Sentinel upload, QRadar bulk_load, custom blocklist)

Verify before you ingest

curl -fsSLO https://vulnetix.com/malscan-stix/generic/dns.stix.json
REMOTE=$(curl -fsSL https://vulnetix.com/malscan-stix/generic/dns.stix.json.sha256 | cut -d' ' -f1)
LOCAL=$(sha256sum dns.stix.json | cut -d' ' -f1)
[ "$REMOTE" = "$LOCAL" ] && echo "verified" || echo "CHECKSUM MISMATCH: do not ingest"

Where the indicators come from

Every feed entry traces to a supply-chain malware campaign Vulnetix tracks. The Malscan engine matches the same indicators against dependencies already installed on disk; the Package Firewall blocks the packages that carry them at install time.

All STIX feed integrations →  ·  The campaigns behind the feeds →