PingSentry   |   Discord   |   System32   |   GitHub   |   Free tools

How can I integrate STIX threat feeds into EventSentry's Threat Intel feature?

Article ID: 442
Category: Security
Applies to: 4.2.3
Updated: 2021-12-29

Starting with version 4.2.3, EventSentry supports custom threat feeds (black lists) in addition to the built-in threat feeds. EventSentry loads additional IP address from the following file:

%systemroot%\system32\eventsentry\temp\eventsentry_threatintel_custom.tmp

This file needs to contain at minimum one IPv4 address per line but supports up to 3 fields (delimited by a semicolon ;) in the following format:

IPAddress;ThreatConfidence;ThreatSource

Example file contents (all lines are valid):

12.13.14.15;100;Log4j
12.13.14.15;100
12.13.14.15

The file is parsed every 4 hours, when the built-in threat feeds are also updated. If you have a threat feed in the STIX XML format, then you can use the following VBScript to convert the XML file into a flat text file with one IP address per line. Simple edit the file paths in the VBscript (fileStixInput and fileEventSentryOutput) and schedule it with the task scheduler to run whenever the stix feed is updated.

Download stix.vbs

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56

Dim fileStixInput
Dim fileEventSentryOutput

fileStixInput = "C:\resources\stix\STIX_IP_Watchlist.xml"
fileEventSentryOutput = "C:\windows\system32\eventsentry\temp\eventsentry_threatintel_custom.tmp"

Dim oXML
Set oXML = CreateObject("Microsoft.XMLDOM")

Dim objFSO
Set objFSO=CreateObject("Scripting.FileSystemObject")

oXML.Load(fileStixInput)

Dim objFileEventSentryOutput
Set objFileEventSentryOutput = objFSO.CreateTextFile(fileEventSentryOutput, True)

For Each rootNodes In oXML.DocumentElement.ChildNodes
    If rootNodes.nodeName = "stix:Indicators" Then
        For Each nodeIndicator In rootNodes.ChildNodes

            Dim ignoreIteration
            ignoreIteration = False

            For Each indicatorElements In nodeIndicator.ChildNodes

                If indicatorElements.nodeName = "indicator:Type" And indicatorElements.text <> "IP Watchlist" Then
                    ignoreIteration = True
                End If

                If ignoreIteration <> True Then
                    If (indicatorElements.nodeName = "indicator:Observable") Then
                        For Each cyboxObject In indicatorElements.ChildNodes
                            For Each cyboxProperty In cyboxObject.ChildNodes
                                If (cyboxProperty.getAttribute("category") = "ipv4-addr") Then
                                    For Each addrObj In cyboxProperty.ChildNodes
                                        If addrObj.nodeName = "AddressObject:Address_Value" Then
                                            Dim ipAddresses
                                            ipAddresses = Split(addrObj.text, "##comma##")

                                            For Each ipAddr In ipAddresses
                                                objFileEventSentryOutput.Write ipAddr & vbCRLF
                                            Next
                                        End if
                                    Next
                                End If
                            Next
                        Next
                    End If
                End If
            Next
        Next
    End If
Next

objFileEventSentryOutput.Close

Support Resources

Knowledge Base Knowledge Base
Documentation Documentation
Screenshot Screencasts
Blog Blog

Contact Support

Phone 1-877-NETIKUS
Email support@netikus.net

Tags

blacklist threat detection threat feed

Try EventSentry on-premise

FREE 30-day evaluation

Download Now