DigitalSide Threat-Intel TAXII2 Server


TAXII2 server details

Instructions for using the project's TAXII2 server. The repository contains the reports shared by the project over the last 24 hours.

  • Discovery URL: https://osint.digitalside.it/taxii2/
  • Username: guest
  • Password: guest
  • Authentication: basic access
  • TAXII version: TAXII2.1

Discovery is the best way to know what the TAXII2 server is sharing. Here is an example output showing the available endpoints and collections.

							
=============================
DigitalSide.IT TAXII2 Server
=============================
This repository cointains a set of Open Source Cyber Threat Intellegence information, monstly based on malware analysis and compromised URLs, IPs and domains. The purpose of this project is to develop and test new wayes to hunt, analyze, collect and share relevants sets of IoCs to be used by SOC/CSIRT/CERT with minimun effort. For more information please visit OSINT.digitalside.it website.

Discovery URL: https://osint.digitalside.it/taxii2

Available API(s): 1

ROOT API: https://osint.digitalside.it/taxii2reports/
	  Collection: OSINT.DigitalSide.it Malware Reports
	  Description: Set of Open Source Cyber Threat Intellegence information, monstly based on malware analysis and compromised URLs, IPs and domains, related to OSINT.digitalside.it project.
	  ID: e98d6c94-fbce-11ed-b5dd-3bad2ffe9ebf
	  Media type: application/stix+json;version=2.1
=======================================

	  Collection: OSINT.DigitalSide.it Network IoCs Collected (24h)
	  Description: The collection contains IPv4 addresses collected over the last 24 hours by OSINT.digitalside.it. The list is released without any warranty to the end users.
	  ID: c1f43330-103b-11ee-9ee3-4b022e286589
	  Media type: application/stix+json;version=2.1
=======================================

STIX objects shared via TAXII2

STIX objects are shared using the OASIS STIX 2.1 specification. The following object types can be used in TAXII filters.

  • identity
  • marking-definition
  • report
  • malware
  • file
  • observed-data
  • indicator
  • relationship

How to and examples

Since TAXII 2.1 is basically a RESTful API, there are no mandatory requirements to interact with it. The instructions below use the official STIX/TAXII client tools supported and developed by OASIS.

$ pip3 install stix2
$ pip3 install taxii2-client

Example 1: get TAXII server info and collections

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

from taxii2client import Server

discovery="https://osint.digitalside.it/taxii2"
username="guest"
password="guest"

server = Server(discovery, user=username, password=password)
print("=============================")	
print(server.title)
print("=============================")
print(server.description+"\n")
print("Discovery URL: "+discovery+"\n")

print("Available API(s): "+str(len(server.api_roots))+"\n")

for api in server.api_roots:
    print("ROOT API: "+api.url)
    
    for coll in api.collections:
        print("\t  Collection: "+coll.title)
        print("\t  Description: "+coll.description)
        print("\t  ID: "+coll.id)
        
        for media in coll.media_types:
            print("\t  Media type: "+media)
        
        print("=======================================\n")

# "contact" is optional in the discovery response, so it may be None
if server.contact:
    print("For info please contact: "+server.contact+"\n")

Example 2: get the collection's manifest

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import json
from taxii2client import Server

discovery="https://osint.digitalside.it/taxii2"
username="guest"
password="guest"

server = Server(discovery, user=username, password=password)

api_root = server.api_roots[0]
collection = api_root.collections[0]
test = collection.get_manifest()
print(json.dumps(test, indent=4, sort_keys=True))

Example 3: get collection's objects

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import json
from taxii2client import Server

discovery="https://osint.digitalside.it/taxii2"
username="guest"
password="guest"

server = Server(discovery, user=username, password=password)

api_root = server.api_roots[0]
collection = api_root.collections[0]
test = collection.get_objects()
print(json.dumps(test, indent=4, sort_keys=True))
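
Because TAXII 2.1 is plain REST, the request made in Example 3 can also be issued without the client library. The block below is an added example, not part of the original page or the project's code: it builds the GET request with the TAXII media type and basic authentication, filters with `match[type]`, and follows the envelope's `more`/`next` paging fields. The function names and the `fetch` hook are this example's own.

```python
import base64
import json
import urllib.request
from urllib.parse import urlencode

TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"

# Collection URL taken from this page (Malware Reports collection).
OBJECTS_URL = ("https://osint.digitalside.it/taxii2reports/collections/"
               "e98d6c94-fbce-11ed-b5dd-3bad2ffe9ebf/objects/")


def build_request(url, user, password, params=None):
    """Build (without sending) a TAXII 2.1 GET request with basic auth."""
    if params:
        url = url + "?" + urlencode(params)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(url, headers={
        "Accept": TAXII_MEDIA_TYPE,
        "Authorization": "Basic " + token,
    })


def http_fetch(request):
    """Send the request and decode the JSON envelope (needs network access)."""
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


def get_all_objects(objects_url, user, password, object_type=None, fetch=http_fetch):
    """Collect every object, following the envelope's more/next paging fields."""
    params = {"match[type]": object_type} if object_type else {}
    objects = []
    while True:
        envelope = fetch(build_request(objects_url, user, password, params))
        objects.extend(envelope.get("objects", []))
        # Stop when the server reports no further page (or gives no cursor).
        if not envelope.get("more") or "next" not in envelope:
            return objects
        params["next"] = envelope["next"]


if __name__ == "__main__":
    malware = get_all_objects(OBJECTS_URL, "guest", "guest", "malware")
    print("Fetched", len(malware), "malware objects")
```
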

Example 4: get collection's malware objects

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

from taxii2client import Collection
from stix2 import TAXIICollectionSource, Filter


collection = Collection("https://osint.digitalside.it/taxii2reports/collections/e98d6c94-fbce-11ed-b5dd-3bad2ffe9ebf/", user="guest", password="guest")
tc_source = TAXIICollectionSource(collection)


f1 = Filter("type","=", "malware")

malwares = tc_source.query([f1])

for malware in malwares:
    print(malware)

print("===============================================")
print("Detected "+str(len(malwares))+" malware objects")
print("===============================================")

Example 5: get collection's domains list

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

from taxii2client import Collection
from stix2 import TAXIICollectionSource, Filter


collection = Collection("https://osint.digitalside.it/taxii2reports/collections/c1f43330-103b-11ee-9ee3-4b022e286589/", user="guest", password="guest")
tc_source = TAXIICollectionSource(collection)


f1 = Filter("type","=", "indicator")
f2 = Filter("pattern","contains", "domain-name:value =")

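domains = tc_source.query([f1, f2])

# Stop cleanly when the collection currently holds no matching indicator
if not domains:
    raise SystemExit("No domain-name indicator found")

# The pattern looks like [domain-name:value = 'a' OR domain-name:value = 'b'].
# Drop the brackets and split on " OR " (with its spaces), so that the
# letters "OR" inside a value are not taken for a separator
domainz = domains[0].pattern[1:-1].split(" OR ")

print("====================================================")
print("Detected "+str(len(domainz))+" domain-name objects")
print("====================================================")

for domain in domainz:
    # Cut the 21-character prefix "domain-name:value = '" and the closing quote
    print(domain.strip()[21:-1])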

Example 6: get collection's IP(s) list

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

from taxii2client import Collection
from stix2 import TAXIICollectionSource, Filter


collection = Collection("https://osint.digitalside.it/taxii2reports/collections/c1f43330-103b-11ee-9ee3-4b022e286589/", user="guest", password="guest")
tc_source = TAXIICollectionSource(collection)


f1 = Filter("type","=", "indicator")
f2 = Filter("pattern","contains", "ipv4-addr:value =")

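ips = tc_source.query([f1, f2])

# Stop cleanly when the collection currently holds no matching indicator
if not ips:
    raise SystemExit("No ipv4-addr indicator found")

# The pattern looks like [ipv4-addr:value = 'a' OR ipv4-addr:value = 'b'].
# Drop the brackets and split on " OR " (with its spaces)
ipz = ips[0].pattern[1:-1].split(" OR ")

print("====================================================")
print("Detected "+str(len(ipz))+" ipv4-addr objects")
print("====================================================")

for ip in ipz:
    # Cut the 19-character prefix "ipv4-addr:value = '" and the closing quote
    print(ip.strip()[19:-1])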

Example 7: get collection's urls list

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

from taxii2client import Collection
from stix2 import TAXIICollectionSource, Filter


collection = Collection("https://osint.digitalside.it/taxii2reports/collections/c1f43330-103b-11ee-9ee3-4b022e286589/", user="guest", password="guest")
tc_source = TAXIICollectionSource(collection)


f1 = Filter("type","=", "indicator")
f2 = Filter("pattern","contains", "url:value =")

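urls = tc_source.query([f1, f2])

# Stop cleanly when the collection currently holds no matching indicator
if not urls:
    raise SystemExit("No url indicator found")

# The pattern looks like [url:value = 'a' OR url:value = 'b'].
# Drop the brackets and split on " OR " (with its spaces): a bare "OR"
# split would cut any URL that contains those two letters
urlz = urls[0].pattern[1:-1].split(" OR ")

print("====================================================")
print("Detected "+str(len(urlz))+" url objects")
print("====================================================")

for url in urlz:
    # Cut the 13-character prefix "url:value = '" and the closing quote
    print(url.strip()[13:-1])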
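
Examples 5 to 7 recover values by slicing the pattern string at fixed offsets. The block below is an added example, not part of the original page or the project's code: it extracts the values with a regular expression that honours STIX string escapes, then rejects values that should not reach a blocklist, since the feed is released without warranty. The sample patterns are constructed and the function names are this example's own.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One "<type>:value = '<literal>'" comparison; the literal may contain \' or \\.
COMPARISON = re.compile(r"([a-z0-9-]+):value\s*=\s*'((?:[^'\\]|\\.)*)'")
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$", re.I)


def extract_values(pattern, object_type):
    """Return every literal compared against <object_type>:value, unescaped."""
    return [re.sub(r"\\(.)", r"\1", literal)
            for found_type, literal in COMPARISON.findall(pattern)
            if found_type == object_type]


def is_usable(object_type, value):
    """Reject values that should never reach a blocklist or SIEM lookup."""
    try:
        if object_type == "ipv4-addr":
            # Private, loopback and reserved ranges would block internal hosts.
            return ipaddress.IPv4Address(value).is_global
        if object_type == "url":
            parts = urlsplit(value)
            return parts.scheme in ("http", "https") and bool(parts.hostname)
    except ValueError:  # malformed address or URL
        return False
    if object_type == "domain-name":
        return HOSTNAME.match(value) is not None
    return False


def triage(pattern, object_type):
    """Split the extracted values into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for value in extract_values(pattern, object_type):
        (accepted if is_usable(object_type, value) else rejected).append(value)
    return accepted, rejected


# Constructed sample patterns, not real indicators from the feed.
SAMPLE_URLS = ("[url:value = 'http://example.com/FORUM/ORDER.exe' OR "
               "url:value = 'http://example.net/it\\'s.bin']")
SAMPLE_IPS = ("[ipv4-addr:value = '8.8.8.8' OR ipv4-addr:value = '10.0.0.5' OR "
              "ipv4-addr:value = '999.1.1.1']")
print(triage(SAMPLE_URLS, "url"))
print(triage(SAMPLE_IPS, "ipv4-addr"))
```
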