soc operations

Building Threat Intelligence Feed Integration

Builds automated threat intelligence feed integration pipelines connecting STIX/TAXII feeds, open-source threat intel, and commercial TI platforms into SIEM and security tools for real-time IOC matching and alerting. Use when SOC teams need to operationalize threat intelligence by automating feed ingestion, normalization, scoring, and distribution to detection systems.

feedsiocmispsiem-integrationsocstixtaxiithreat-intelligence
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

Use this skill when:

  • SOC teams need automated ingestion of threat intelligence feeds into SIEM platforms
  • Multiple TI sources require normalization into a common format (STIX 2.1)
  • Detection systems need real-time IOC matching against network and endpoint telemetry
  • TI feed quality assessment and deduplication processes need to be established

Do not use for manual IOC lookup — use dedicated enrichment tools (VirusTotal, AbuseIPDB) for ad-hoc queries.

Prerequisites

  • MISP instance or Threat Intelligence Platform (TIP) for feed aggregation
  • STIX/TAXII client library (taxii2-client, stix2 Python packages)
  • SIEM platform (Splunk ES, Elastic Security, or Sentinel) with TI framework configured
  • API keys for commercial and open-source feeds (AlienVault OTX, Abuse.ch, CISA AIS)
  • Python 3.8+ for feed processing automation

Workflow

Step 1: Identify and Catalog Intelligence Sources

Map available feeds by type, format, and update frequency:

Feed Source Format IOC Types Update Freq Cost
AlienVault OTX STIX/JSON IP, Domain, Hash, URL Real-time Free
Abuse.ch URLhaus CSV/JSON URL, Domain Every 5 min Free
Abuse.ch MalwareBazaar JSON API File Hash Real-time Free
CISA AIS STIX/TAXII 2.1 All types Daily Free (US Gov)
CrowdStrike Intel STIX/JSON All types + Actor TTP Real-time Commercial
Mandiant Advantage STIX 2.1 All types + Reports Real-time Commercial

Step 2: Ingest STIX/TAXII Feeds

Connect to a TAXII 2.1 server and download indicators:

from taxii2client.v21 import Server, Collection
from stix2 import parse
 
# Connect to TAXII server (example: CISA AIS)
server = Server(
    "https://taxii.cisa.gov/taxii2/",
    user="your_username",
    password="your_password"
)
 
# List available collections
for api_root in server.api_roots:
    print(f"API Root: {api_root.title}")
    for collection in api_root.collections:
        print(f"  Collection: {collection.title} (ID: {collection.id})")
 
# Fetch indicators from a collection
collection = Collection(
    "https://taxii.cisa.gov/taxii2/collections/COLLECTION_ID/",
    user="your_username",
    password="your_password"
)
 
# Get indicators added in last 24 hours
from datetime import datetime, timedelta
added_after = (datetime.utcnow() - timedelta(days=1)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
 
response = collection.get_objects(added_after=added_after, type=["indicator"])
for obj in response.get("objects", []):
    indicator = parse(obj)
    print(f"Type: {indicator.type}")
    print(f"Pattern: {indicator.pattern}")
    print(f"Valid Until: {indicator.valid_until}")
    print(f"Confidence: {indicator.confidence}")
    print("---")

Step 3: Ingest Open-Source Feeds

Abuse.ch URLhaus Feed:

import requests
import csv
from io import StringIO
 
# Download URLhaus recent URLs
response = requests.get("https://urlhaus.abuse.ch/downloads/csv_recent/")
reader = csv.reader(StringIO(response.text), delimiter=',')
 
indicators = []
for row in reader:
    if row[0].startswith("#"):
        continue
    indicators.append({
        "id": row[0],
        "dateadded": row[1],
        "url": row[2],
        "url_status": row[3],
        "threat": row[5],
        "tags": row[6]
    })
 
print(f"Ingested {len(indicators)} URLs from URLhaus")
 
# Filter for active threats only
active = [i for i in indicators if i["url_status"] == "online"]
print(f"Active threats: {len(active)}")

AlienVault OTX Pulse Feed:

from OTXv2 import OTXv2, IndicatorTypes
 
otx = OTXv2("YOUR_OTX_API_KEY")
 
# Get subscribed pulses (last 24 hours)
pulses = otx.getall(modified_since="2024-03-14T00:00:00")
 
for pulse in pulses:
    print(f"Pulse: {pulse['name']}")
    print(f"Tags: {pulse['tags']}")
    for indicator in pulse["indicators"]:
        print(f"  IOC: {indicator['indicator']} ({indicator['type']})")

Abuse.ch Feodo Tracker (C2 IPs):

response = requests.get("https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.json")
c2_data = response.json()
 
for entry in c2_data:
    print(f"IP: {entry['ip_address']}:{entry['port']}")
    print(f"Malware: {entry['malware']}")
    print(f"First Seen: {entry['first_seen']}")
    print(f"Last Online: {entry['last_online']}")

Step 4: Normalize and Deduplicate

Convert all feeds to STIX 2.1 format for standardization:

from stix2 import Indicator, Bundle
import hashlib
 
def create_stix_indicator(ioc_value, ioc_type, source, confidence=50):
    """Convert raw IOC to STIX 2.1 indicator"""
    pattern_map = {
        "ipv4": f"[ipv4-addr:value = '{ioc_value}']",
        "domain": f"[domain-name:value = '{ioc_value}']",
        "url": f"[url:value = '{ioc_value}']",
        "sha256": f"[file:hashes.'SHA-256' = '{ioc_value}']",
        "md5": f"[file:hashes.MD5 = '{ioc_value}']",
    }
 
    return Indicator(
        name=f"{ioc_type}: {ioc_value}",
        pattern=pattern_map[ioc_type],
        pattern_type="stix",
        valid_from="2024-03-15T00:00:00Z",
        confidence=confidence,
        labels=[source],
        custom_properties={"x_source_feed": source}
    )
 
# Deduplicate across sources
seen_iocs = set()
unique_indicators = []
 
for ioc in all_collected_iocs:
    ioc_hash = hashlib.sha256(f"{ioc['type']}:{ioc['value']}".encode()).hexdigest()
    if ioc_hash not in seen_iocs:
        seen_iocs.add(ioc_hash)
        unique_indicators.append(
            create_stix_indicator(ioc["value"], ioc["type"], ioc["source"])
        )
 
bundle = Bundle(objects=unique_indicators)
print(f"Unique indicators: {len(unique_indicators)}")

Step 5: Push to SIEM Threat Intelligence Framework

Push to Splunk ES Threat Intelligence:

import requests
 
splunk_url = "https://splunk.company.com:8089"
headers = {"Authorization": f"Bearer {splunk_token}"}
 
for indicator in unique_indicators:
    # Extract IOC value from STIX pattern
    ioc_value = indicator.pattern.split("'")[1]
 
    # Upload to Splunk ES threat intel collection
    data = {
        "ip": ioc_value,
        "description": indicator.name,
        "weight": indicator.confidence // 10,
        "threat_key": indicator.id,
        "source_feed": indicator.get("x_source_feed", "unknown")
    }
 
    requests.post(
        f"{splunk_url}/services/data/threat_intel/item/ip_intel",
        headers=headers, data=data,
        verify=not os.environ.get("SKIP_TLS_VERIFY", "").lower() == "true",  # Set SKIP_TLS_VERIFY=true for self-signed certs in lab environments
    )

Push to MISP for centralized management:

from pymisp import PyMISP, MISPEvent, MISPAttribute
 
misp = PyMISP("https://misp.company.com", "YOUR_MISP_API_KEY")
 
# Create event for feed batch
event = MISPEvent()
event.info = f"TI Feed Import - {datetime.now().strftime('%Y-%m-%d')}"
event.threat_level_id = 2  # Medium
event.analysis = 2  # Completed
 
# Add indicators as attributes
for ioc in unique_indicators:
    attr = MISPAttribute()
    attr.type = "ip-dst" if "ipv4" in ioc.pattern else "domain"
    attr.value = ioc.pattern.split("'")[1]
    attr.to_ids = True
    attr.comment = f"Source: {ioc.get('x_source_feed', 'mixed')}"
    event.add_attribute(**attr)
 
result = misp.add_event(event)
print(f"MISP Event created: {result['Event']['id']}")

Step 6: Monitor Feed Health and Quality

Track feed effectiveness metrics:

index=threat_intel sourcetype="threat_intel_manager"
| stats count AS total_iocs,
        dc(threat_key) AS unique_iocs,
        dc(source_feed) AS feed_count
  by source_feed
| join source_feed [
    search index=notable source="Threat Intelligence"
    | stats count AS matches by source_feed
  ]
| eval match_rate = round(matches / unique_iocs * 100, 2)
| sort - match_rate
| table source_feed, unique_iocs, matches, match_rate

Key Concepts

Term Definition
STIX 2.1 Structured Threat Information Expression — standardized JSON format for sharing threat intelligence objects
TAXII Trusted Automated eXchange of Indicator Information — transport protocol for sharing STIX data via REST API
TIP Threat Intelligence Platform — centralized system for aggregating, scoring, and distributing threat intelligence
IOC Scoring Process of assigning confidence values to indicators based on source reliability and corroboration
Feed Deduplication Removing duplicate IOCs across multiple sources while preserving multi-source attribution
IOC Expiration Time-to-live policy removing aged indicators (IP: 30 days, Domain: 90 days, Hash: 1 year)

Tools & Systems

  • MISP: Open-source threat intelligence platform for feed aggregation, correlation, and sharing
  • AlienVault OTX: Free threat intelligence sharing platform with community pulse feeds
  • Abuse.ch: Suite of free threat feeds (URLhaus, MalwareBazaar, Feodo Tracker, ThreatFox)
  • OpenCTI: Open-source cyber threat intelligence platform supporting STIX 2.1 native storage
  • TAXII2 Client: Python library for connecting to STIX/TAXII 2.1 servers for automated indicator retrieval

Common Scenarios

  • New Feed Onboarding: Evaluate feed quality, map fields to STIX, configure automated ingestion pipeline
  • Multi-SIEM Distribution: Push normalized IOCs from MISP to Splunk, Elastic, and Sentinel simultaneously
  • False Positive Reduction: Score IOCs by source count and age, expire stale indicators automatically
  • Feed Quality Audit: Compare detection match rates across feeds to identify highest-value sources
  • Incident IOC Sharing: Package investigation IOCs as STIX bundle and share with ISACs via TAXII

Output Format

THREAT INTEL FEED STATUS — Daily Report
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Date:         2024-03-15
Total IOCs:   45,892 active indicators
 
Feed Health:
  Feed                  IOCs    Matches  Match Rate  Status
  Abuse.ch URLhaus      12,340  47       0.38%       HEALTHY
  AlienVault OTX        18,567  23       0.12%       HEALTHY
  Abuse.ch Feodo        1,203   12       1.00%       HEALTHY
  CISA AIS              8,945   8        0.09%       HEALTHY
  CrowdStrike Intel     4,837   31       0.64%       HEALTHY
 
Actions Today:
  New IOCs ingested:    1,247
  IOCs expired:         892
  Duplicates removed:   156
  SIEM matches:         121 notable events generated
  False positives:      3 (CDN IPs removed from feed)
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md2.1 KB

API Reference: Threat Intelligence Feed Integration Agent

Overview

Ingests threat intelligence from TAXII 2.1 servers, Abuse.ch URLhaus, and Feodo Tracker. Normalizes all indicators to STIX 2.1 format, deduplicates, and exports as a STIX bundle.

Dependencies

Package Version Purpose
requests >=2.28 HTTP API calls
taxii2-client >=2.3 TAXII 2.1 server communication
stix2 >=3.0 STIX 2.1 object creation and serialization

CLI Usage

# Ingest from multiple sources
python agent.py --urlhaus --feodo --output ti_bundle.json
 
# Ingest from TAXII feed
python agent.py --taxii-url https://taxii.example.com/taxii2/ \
  --taxii-collection https://taxii.example.com/taxii2/collections/abc/ \
  --taxii-user user --taxii-pass pass

Key Functions

ingest_taxii_feed(taxii_url, collection_url, username, password, hours_back)

Connects to a TAXII 2.1 collection and retrieves indicators added within the specified time window.

ingest_urlhaus_feed()

Fetches recent malicious URLs from the URLhaus API (https://urlhaus-api.abuse.ch/v1/urls/recent/).

ingest_feodotracker()

Downloads the Feodo Tracker recommended C2 IP blocklist in JSON format.

normalize_to_stix(indicators)

Converts raw indicators to STIX 2.1 Indicator objects with proper patterns for ipv4, domain, url, and sha256 types.

deduplicate(indicators)

Removes duplicate indicators across feeds using SHA-256 hash of type:value.

export_stix_bundle(stix_objects, output_path)

Serializes STIX objects into a Bundle and writes to a JSON file.

push_to_splunk_ti(splunk_url, session_key, indicators)

Pushes indicators to the Splunk ES threat intelligence framework via REST API.

External APIs Used

API Endpoint Auth Purpose
TAXII 2.1 Configurable Basic auth STIX indicator ingestion
URLhaus https://urlhaus-api.abuse.ch/v1/ None Malicious URL feed
Feodo Tracker https://feodotracker.abuse.ch/downloads/ None C2 IP blocklist
Splunk REST /services/data/threat_intel/item/ip_intel Session key TI push

Scripts 1

agent.py6.2 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Threat Intelligence Feed Integration Agent - Ingests STIX/TAXII and open-source TI feeds."""

import json
import logging
import os
import argparse
import hashlib
from datetime import datetime, timedelta

import requests
from taxii2client.v21 import Collection
from stix2 import Indicator, Bundle, parse

logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)


def ingest_taxii_feed(taxii_url, collection_url, username, password, hours_back=24):
    """Ingest indicators from a TAXII 2.1 server collection."""
    added_after = (datetime.utcnow() - timedelta(hours=hours_back)).strftime(
        "%Y-%m-%dT%H:%M:%S.000Z"
    )
    collection = Collection(collection_url, user=username, password=password)
    response = collection.get_objects(added_after=added_after, type=["indicator"])
    indicators = []
    for obj in response.get("objects", []):
        indicator = parse(obj)
        indicators.append({
            "id": str(indicator.id),
            "pattern": indicator.pattern,
            "valid_from": str(indicator.valid_from),
            "source": "taxii",
        })
    logger.info("Ingested %d indicators from TAXII feed", len(indicators))
    return indicators


def ingest_urlhaus_feed():
    """Ingest recent malicious URLs from Abuse.ch URLhaus."""
    url = "https://urlhaus-api.abuse.ch/v1/urls/recent/limit/100/"
    resp = requests.post(url, timeout=30)
    data = resp.json()
    indicators = []
    for entry in data.get("urls", []):
        indicators.append({
            "type": "url",
            "value": entry["url"],
            "threat": entry.get("threat", "unknown"),
            "status": entry.get("url_status", "unknown"),
            "tags": entry.get("tags", []),
            "source": "urlhaus",
        })
    logger.info("Ingested %d URLs from URLhaus", len(indicators))
    return indicators


def ingest_feodotracker():
    """Ingest C2 IP blocklist from Abuse.ch Feodo Tracker."""
    url = "https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.json"
    resp = requests.get(url, timeout=30)
    indicators = []
    for entry in resp.json():
        indicators.append({
            "type": "ipv4",
            "value": entry["ip_address"],
            "port": entry.get("port"),
            "malware": entry.get("malware", "unknown"),
            "first_seen": entry.get("first_seen"),
            "source": "feodotracker",
        })
    logger.info("Ingested %d C2 IPs from Feodo Tracker", len(indicators))
    return indicators


def normalize_to_stix(indicators):
    """Convert raw indicators to STIX 2.1 Indicator objects."""
    pattern_map = {
        "ipv4": lambda v: f"[ipv4-addr:value = '{v}']",
        "domain": lambda v: f"[domain-name:value = '{v}']",
        "url": lambda v: f"[url:value = '{v}']",
        "sha256": lambda v: f"[file:hashes.'SHA-256' = '{v}']",
    }
    stix_objects = []
    for ioc in indicators:
        ioc_type = ioc.get("type", "url")
        pattern_fn = pattern_map.get(ioc_type, pattern_map["url"])
        stix_ind = Indicator(
            name=f"{ioc_type}: {ioc['value']}",
            pattern=pattern_fn(ioc["value"]),
            pattern_type="stix",
            valid_from=datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%SZ"),
            labels=[ioc.get("source", "unknown")],
        )
        stix_objects.append(stix_ind)
    logger.info("Normalized %d indicators to STIX 2.1", len(stix_objects))
    return stix_objects


def deduplicate(indicators):
    """Deduplicate indicators across feeds by type:value hash."""
    seen = set()
    unique = []
    for ioc in indicators:
        key = hashlib.sha256(f"{ioc.get('type', '')}:{ioc['value']}".encode()).hexdigest()
        if key not in seen:
            seen.add(key)
            unique.append(ioc)
    logger.info("Deduplicated: %d -> %d unique indicators", len(indicators), len(unique))
    return unique


def export_stix_bundle(stix_objects, output_path):
    """Export STIX 2.1 bundle to JSON file."""
    bundle = Bundle(objects=stix_objects)
    with open(output_path, "w") as f:
        f.write(bundle.serialize(pretty=True))
    logger.info("STIX bundle exported to %s (%d indicators)", output_path, len(stix_objects))


def push_to_splunk_ti(splunk_url, session_key, indicators):
    """Push indicators to Splunk ES threat intelligence framework."""
    headers = {"Authorization": f"Splunk {session_key}"}
    pushed = 0
    for ioc in indicators:
        data = {"ip": ioc["value"], "description": f"{ioc.get('source')}: {ioc['value']}"}
        resp = requests.post(
            f"{splunk_url}/services/data/threat_intel/item/ip_intel",
            headers=headers, data=data,
            verify=not os.environ.get("SKIP_TLS_VERIFY", "").lower() == "true",  # Set SKIP_TLS_VERIFY=true for self-signed certs in lab environments
            timeout=30,
        )
        if resp.status_code == 201:
            pushed += 1
    logger.info("Pushed %d indicators to Splunk TI", pushed)


def main():
    parser = argparse.ArgumentParser(description="Threat Intelligence Feed Integration Agent")
    parser.add_argument("--taxii-url", help="TAXII 2.1 server URL")
    parser.add_argument("--taxii-collection", help="TAXII collection URL")
    parser.add_argument("--taxii-user", help="TAXII username")
    parser.add_argument("--taxii-pass", help="TAXII password")
    parser.add_argument("--urlhaus", action="store_true", help="Ingest URLhaus feed")
    parser.add_argument("--feodo", action="store_true", help="Ingest Feodo Tracker feed")
    parser.add_argument("--output", default="ti_bundle.json", help="STIX bundle output")
    args = parser.parse_args()

    all_indicators = []

    if args.taxii_url and args.taxii_collection:
        taxii_iocs = ingest_taxii_feed(
            args.taxii_url, args.taxii_collection, args.taxii_user, args.taxii_pass
        )
        all_indicators.extend(taxii_iocs)

    if args.urlhaus:
        all_indicators.extend(ingest_urlhaus_feed())

    if args.feodo:
        all_indicators.extend(ingest_feodotracker())

    unique = deduplicate(all_indicators)
    stix_objects = normalize_to_stix(unique)
    export_stix_bundle(stix_objects, args.output)
    logger.info("Feed integration complete: %d total indicators", len(unique))


if __name__ == "__main__":
    main()
Keep exploring