Support for #STIX and #TAXII in #IntelMQ

For collecting and processing #threatintel feeds, #IntelMQ is a good tool. Simple to deploy and configure, used by several #CSIRT teams.
For long time, it was sufficient for me, however, with recent changes in #ESET #ThreatIntelligence feeds, I realized that IntelMQ lacks support for TAXII protocol and STIX language and objects...

After hours of studying the STIX/TAXII documentation, I decided to develop some basic support for collecting the feeds from TAXII servers and parsing the STIX indicators objects.
This way, IntelMQ can process not only the current #ETI feeds, but also some other sources.

The commits are currently waiting in pull request in IntelMQ GitHub:
https://github.com/certtools/intelmq/pull/2611

#cybersecurity #development #blueteam #cyberdefense #soc #siem

@aaronkaplan Thank you for the webinar yesterday, it was very informative and helpful! Just finished installing #IntelMQ on #FreeBSD and I'm loving it!

My quest to replace myself with a very small shell script continues. This month's #security #automation adventure:
Firewall logs of outgoing traffic goes to #IntelMQ, which checks if the same MAC address sends a lot of suspicious traffic. If so, it looks up that MAC address in the DHCP logs in Splunk to find the user name, and calls a REST API on the WLAN controller to block that user from the network.

It's surprising, the number of computers that are running spam bots.