Mastodawn

MalwareLab Jun 20, 2025

Support for #STIX and #TAXII in #IntelMQ

For collecting and processing #threatintel feeds, #IntelMQ is a good tool. Simple to deploy and configure, used by several #CSIRT teams.
For long time, it was sufficient for me, however, with recent changes in #ESET #ThreatIntelligence feeds, I realized that IntelMQ lacks support for TAXII protocol and STIX language and objects...

After hours of studying the STIX/TAXII documentation, I decided to develop some basic support for collecting the feeds from TAXII servers and parsing the STIX indicators objects.
This way, IntelMQ can process not only the current #ETI feeds, but also some other sources.

The commits are currently waiting in pull request in IntelMQ GitHub:
https://github.com/certtools/intelmq/pull/2611

#cybersecurity #development #blueteam #cyberdefense #soc #siem

TAXII Collector bot and STIX Parser bot by laciKE · Pull Request #2611 · certtools/intelmq

As a bare minimum, TAXII Collector currently collects only the objects of type indicator. These objects contain information about indicators and the detection patterns, e.g. in stix, pcre, sigma, s...

GitHub

Antranig Vartanian

May 4, 2024

@aaronkaplan Thank you for the webinar yesterday, it was very informative and helpful! Just finished installing #IntelMQ on #FreeBSD and I'm loving it!

Creideiki Dec 9, 2020

My quest to replace myself with a very small shell script continues. This month's #security #automation adventure:
Firewall logs of outgoing traffic goes to #IntelMQ, which checks if the same MAC address sends a lot of suspicious traffic. If so, it looks up that MAC address in the DHCP logs in Splunk to find the user name, and calls a REST API on the WLAN controller to block that user from the network.

It's surprising, the number of computers that are running spam bots.