Threat Intel Platform Integrations
Automate threat intelligence ingestion from vspam.org into your TIP. All platforms support either TAXII 2.1 (no auth) or authenticated API feeds.
Recommended Integration Method
TAXII 2.1 (preferred)
Standard protocol supported by OpenCTI, MISP, Cortex XSOAR, and most TIPs. No authentication required; rate-limited to prevent abuse.
https://api.vspam.org/taxii2/
REST API Feeds
STIX 2.1, MISP, JSON, CSV, and plain-text formats. Requires an API key via the X-API-Key header. Higher rate limits.
https://api.vspam.org/api/v1/feeds/*
OpenCTI
OpenCTI natively supports TAXII 2.1 and STIX 2.1, making it the easiest integration path for vspam.org feeds.
- Navigate to Data → Connectors → Add Connector
- Select TAXII 2.1 connector type
- Configure the vspam.org TAXII endpoint and polling interval
- Map confidence levels to your internal scoring (vspam trust tiers → OpenCTI confidence)
# OpenCTI TAXII 2.1 Connector Configuration
# docker-compose.yml (add to connectors section)
connector-vspam:
  image: opencti/connector-taxii2:latest
  environment:
    - OPENCTI_URL=http://opencti:8080
    - OPENCTI_TOKEN=<OPENCTI_ADMIN_TOKEN>
    - CONNECTOR_ID=vspam-taxii
    - CONNECTOR_NAME=vspam.org
    - CONNECTOR_SCOPE=indicator,observable
    - CONNECTOR_CONFIDENCE_LEVEL=70
    - CONNECTOR_LOG_LEVEL=info
    - TAXII2_DISCOVERY_URL=https://api.vspam.org/taxii2/
    - TAXII2_COLLECTION=confirmed-iocs
    - TAXII2_INITIAL_HISTORY=30   # days of history on first import
    - TAXII2_INTERVAL=900         # poll every 15 minutes
  restart: always
MISP
Import vspam.org IOCs into MISP using the built-in feed system or the MISP-format feed endpoint.
- Go to Sync Actions → List Feeds → Add Feed
- Configure as a MISP-format or freetext feed
- Set the pull frequency and distribution level
- Enable caching for offline lookups
# MISP Feed Configuration (via web UI or API)
# Option A: MISP-format feed (recommended)
{
  "Feed": {
    "name": "vspam.org - Phishing IOCs",
    "provider": "vspam.org",
    "url": "https://api.vspam.org/api/v1/feeds/misp",
    "source_format": "misp",
    "input_source": "network",
    "headers": "X-API-Key: <KEY>",
    "enabled": true,
    "publish": false,
    "delta_merge": true,
    "distribution": "3",
    "caching_enabled": true
  }
}
# Option B: Freetext feed (plain-text IOC list)
# URL: https://api.vspam.org/api/v1/feeds/txt
# Source format: freetext
# Headers: X-API-Key: <KEY>
# CLI: Pull feed via PyMISP
from pymisp import PyMISP
misp = PyMISP("https://misp.internal", "<MISP_KEY>")
misp.fetch_feed(feed_id=<VSPAM_FEED_ID>)   # feed id as shown in Sync Actions → List Feeds
misp.cache_all_feeds()                     # populate the feed cache used for offline lookups
Cortex XSOAR
Use the TAXII 2.1 integration or a custom feed integration to ingest vspam.org indicators into Cortex XSOAR.
- Go to Settings → Integrations → search for "TAXII 2"
- Add a new TAXII Feed instance with the vspam.org endpoint
- Configure indicator mapping and expiration policies
- Create a playbook to auto-enrich incidents with vspam.org data
# Cortex XSOAR — TAXII 2 Feed Integration
# Settings → Integrations → TAXII 2 Feed
# Instance Configuration:
# Name: vspam.org Threat Feed
# Discovery Service: https://api.vspam.org/taxii2/
# Collection: confirmed-iocs
# Fetch interval: 15 minutes
# First fetch time: 30 days ago
# Indicator Reputation: Suspicious
# Traffic Light Protocol: AMBER
# Playbook: Auto-enrich with vspam.org
# Trigger: New incident
# Steps:
# 1. Extract indicators from incident
# 2. !ip ip=<indicator> using=vspam.org
# 3. !domain domain=<indicator> using=vspam.org
# 4. Set severity based on match confidence
# Custom Feed Integration (alternative — JSON feed)
# Use the Generic Feed integration:
# URL: https://api.vspam.org/api/v1/feeds/json
# Headers: X-API-Key: <KEY>
# Feed Type: JSON
# JMESPath: iocs[].{value: ioc_value, type: ioc_type}
TheHive / Cortex
Feed vspam.org indicators into TheHive for case management and Cortex for automated analysis.
- Configure a Cortex analyzer for vspam.org API lookups
- Set up a feed ingestion job using TheHive4py or a cron-based import
- Create alert templates that trigger on vspam.org indicator matches
# Cortex Analyzer — vspam.org IOC lookup
# /opt/cortex/analyzers/vspam/vspam_analyzer.py
import requests

def run(observable):
    ioc_type = observable["dataType"]   # ip, domain, url, mail
    value = observable["data"]
    # IPs are checked against the RBL endpoint by address; other types via a free-text query
    r = requests.get(
        "https://api.vspam.org/api/v1/rbl/check",
        params={"ip": value} if ioc_type == "ip" else {"q": value},
        headers={"X-API-Key": "<KEY>"},
        timeout=10,
    )
    r.raise_for_status()        # surface upstream errors instead of reporting "clean"
    result = r.json()
    listed = bool(result.get("listed"))
    return {
        "success": True,
        "full": result,
        "summary": {
            "taxonomies": [{
                "namespace": "vspam",
                "predicate": "status",
                "value": "malicious" if listed else "clean",
                "level": "malicious" if listed else "safe"
            }]
        }
    }
# TheHive feed import via cron
# */15 * * * * curl -fsS -H "X-API-Key: <KEY>" \
#   https://api.vspam.org/api/v1/feeds/json | \
#   python3 /opt/thehive/scripts/import-vspam-iocs.py
For SIEM ingestion (Splunk, Elastic, Wazuh, QRadar), see the SIEM Integrations guide. Full API reference at API Documentation.
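One way the cron-fed import script referenced above could normalise the JSON feed into a TheHive alert, as an added example that is not vspam.org's or TheHive's own code. It assumes the feed shape implied by the JMESPath on this page (iocs[].{ioc_value, ioc_type}); the optional per-IOC "confidence" field, the dataType mapping, the severity threshold and the sample entries are assumptions or constructed.

```python
import hashlib
import ipaddress
import json

# vspam ioc_type -> TheHive observable dataType (the mapping is an assumption)
TYPE_MAP = {"ip": "ip", "domain": "domain", "url": "url", "mail": "mail"}
# Constructed sample in the shape the page's JMESPath implies; "confidence" is assumed
SAMPLE_FEED = json.dumps({"iocs": [
    {"ioc_type": "ip", "ioc_value": "203.0.113.7", "confidence": 90},
    {"ioc_type": "ip", "ioc_value": "not-an-ip"},
    {"ioc_type": "domain", "ioc_value": "Phish.Example.NET"},
    {"ioc_type": "domain", "ioc_value": "phish.example.net"},
    {"ioc_type": "hash", "ioc_value": "d41d8cd98f00b204e9800998ecf8427e"},
]})

def is_valid(dtype, value):
    """Reject entries that would create malformed or unusable observables."""
    if dtype == "ip":
        try:
            return ipaddress.ip_address(value) is not None
        except ValueError:
            return False
    if dtype == "url":
        return value.startswith(("http://", "https://"))
    return "." in value and " " not in value  # domain, mail

def parse_feed(text):
    """Turn the feed JSON into de-duplicated TheHive alert artifacts."""
    artifacts, seen = [], set()
    for ioc in json.loads(text).get("iocs", []):
        dtype = TYPE_MAP.get(ioc.get("ioc_type"))  # unknown types are skipped
        value = str(ioc.get("ioc_value", "")).strip()
        value = value.lower() if dtype in ("domain", "mail") else value
        if not dtype or not is_valid(dtype, value) or (dtype, value) in seen:
            continue
        seen.add((dtype, value))
        tags = ["src:vspam.org"] + (["confidence:%d" % ioc["confidence"]] if "confidence" in ioc else [])
        artifacts.append({"dataType": dtype, "data": value, "tlp": 2, "tags": tags})
    return artifacts

def build_alert(artifacts):
    """TheHive alert body; sourceRef is a digest so re-imports de-duplicate."""
    ref = hashlib.sha256("|".join(a["data"] for a in artifacts).encode()).hexdigest()[:16]
    confs = [int(t[11:]) for a in artifacts for t in a["tags"] if t.startswith("confidence:")]
    severity = 3 if confs and max(confs) >= 80 else 2  # high/medium threshold is assumed
    return {"title": "vspam.org IOC feed import", "type": "feed", "source": "vspam.org",
            "sourceRef": ref, "severity": severity, "tlp": 2, "artifacts": artifacts}

if __name__ == "__main__":  # in the cron job, replace SAMPLE_FEED with sys.stdin.read()
    print(json.dumps(build_alert(parse_feed(SAMPLE_FEED)), indent=2))
```

The resulting dict is the body TheHive expects at its alert creation endpoint; with thehive4py the same fields map onto its Alert and AlertArtifact objects.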