Skip to content

Threat Intel Platform Integrations

Automate threat intelligence ingestion from vspam.org into your TIP. JSON, CSV, and plain-text feeds are public; STIX and MISP require Pro access; TAXII requires Enterprise access.

Recommended Integration Method

TAXII 2.1 (preferred)

Standard protocol supported by OpenCTI, MISP, Cortex XSOAR, and most TIPs. Requires authenticated Enterprise access for full TAXII collection support.

https://api.vspam.org/taxii2/

REST API Feeds

JSON, CSV, and plain-text formats are public. STIX 2.1 and MISP require an authenticated Pro-tier key via X-API-Key or Bearer auth.

https://api.vspam.org/api/v1/feeds/*

OpenCTI

OpenCTI natively supports TAXII 2.1 and STIX 2.1, making it the easiest integration path for vspam.org feeds.

  1. Navigate to Data → Connectors → Add Connector
  2. Select TAXII 2.1 connector type
  3. Configure the vspam.org TAXII endpoint and polling interval
  4. Map confidence levels to your internal scoring (vspam trust tiers → OpenCTI confidence)
# OpenCTI TAXII 2.1 Connector Configuration
# docker-compose.yml (add to connectors section)
connector-vspam:
  image: opencti/connector-taxii2:latest
  environment:
    - OPENCTI_URL=http://opencti:8080
    - OPENCTI_TOKEN=<OPENCTI_ADMIN_TOKEN>
    - CONNECTOR_ID=vspam-taxii
    - CONNECTOR_NAME=vspam.org
    - CONNECTOR_SCOPE=indicator,observable
    - CONNECTOR_CONFIDENCE_LEVEL=70
    - CONNECTOR_LOG_LEVEL=info
    - TAXII2_DISCOVERY_URL=https://api.vspam.org/taxii2/
    - TAXII2_COLLECTION=confirmed-iocs
    - TAXII2_INITIAL_HISTORY=30    # days of history on first import
    - TAXII2_INTERVAL=900           # poll every 15 minutes
  restart: always

MISP

Import vspam.org IOCs into MISP using the built-in feed system or the MISP-format feed endpoint.

  1. Go to Sync Actions → List Feeds → Add Feed
  2. Configure as a MISP-format or freetext feed
  3. Set the pull frequency and distribution level
  4. Enable caching for offline lookups
# MISP Feed Configuration (via web UI or API)
# Option A: MISP-format feed (recommended)
{
  "Feed": {
    "name": "vspam.org - Phishing IOCs",
    "provider": "vspam.org",
    "url": "https://api.vspam.org/api/v1/feeds/misp",
    "source_format": "misp",
    "input_source": "network",
    "headers": "X-API-Key: <KEY>",
    "enabled": true,
    "publish": false,
    "delta_merge": true,
    "distribution": "3",
    "caching_enabled": true
  }
}

# Option B: Freetext feed (plain-text IOC list)
# URL: https://api.vspam.org/api/v1/feeds/txt
# Source format: freetext
# Headers: X-API-Key: <KEY>

# CLI: Pull feed via PyMISP
from pymisp import PyMISP
misp = PyMISP("https://misp.internal", "<MISP_KEY>")
misp.fetch_feed(feed_id=<VSPAM_FEED_ID>)
misp.cache_all_feeds()

Cortex XSOAR

Use the TAXII 2.1 integration or a custom feed integration to ingest vspam.org indicators into Cortex XSOAR.

  1. Go to Settings → Integrations → search for "TAXII 2"
  2. Add a new TAXII Feed instance with the vspam.org endpoint
  3. Configure indicator mapping and expiration policies
  4. Create a playbook to auto-enrich incidents with vspam.org data
# Cortex XSOAR — TAXII 2 Feed Integration
# Settings → Integrations → TAXII 2 Feed

# Instance Configuration:
#   Name: vspam.org Threat Feed
#   Discovery Service: https://api.vspam.org/taxii2/
#   Collection: confirmed-iocs
#   Fetch interval: 15 minutes
#   First fetch time: 30 days ago
#   Indicator Reputation: Suspicious
#   Traffic Light Protocol: AMBER

# Playbook: Auto-enrich with vspam.org
# Trigger: New incident
# Steps:
#   1. Extract indicators from incident
#   2. !ip ip=<indicator> using=vspam.org
#   3. !domain domain=<indicator> using=vspam.org
#   4. Set severity based on match confidence

# Custom Feed Integration (alternative — JSON feed)
# Use the Generic Feed integration:
#   URL: https://api.vspam.org/api/v1/feeds/json
#   Headers: X-API-Key: <KEY>
#   Feed Type: JSON
#   JMESPath: iocs[].{value: ioc_value, type: ioc_type}

TheHive / Cortex

Feed vspam.org indicators into TheHive for case management and Cortex for automated analysis.

  1. Configure a Cortex analyzer for vspam.org API lookups
  2. Set up a feed ingestion job using TheHive4py or a cron-based import
  3. Create alert templates that trigger on vspam.org indicator matches
# Cortex Analyzer — vspam.org IOC lookup
# /opt/cortex/analyzers/vspam/vspam_analyzer.py
import requests

def run(observable):
    ioc_type = observable["dataType"]  # ip, domain, url, mail
    value = observable["data"]
    if ioc_type == "ip":
        r = requests.get(
            "https://api.vspam.org/api/v1/rbl/check",
            params={"ip": value},
            headers={"X-API-Key": "<KEY>"}
        )
        listed = r.json().get("data", {}).get("listed", False)
    else:
        lookup_type = "asn" if ioc_type == "asn" else "domain"
        r = requests.get(
            "https://api.vspam.org/api/v1/public/operator-lookup",
            params={"type": lookup_type, "value": value},
            headers={"X-API-Key": "<KEY>"}
        )
        listed = r.json().get("data", {}).get("listed", False)
    return {
        "success": True,
        "full": r.json(),
        "summary": {
            "taxonomies": [{
                "namespace": "vspam",
                "predicate": "status",
                "value": "malicious" if listed else "clean",
                "level": "malicious" if listed else "safe"
            }]
        }
    }

# TheHive feed import via cron
# */15 * * * * curl -sH "X-API-Key: <KEY>" \
#   https://api.vspam.org/api/v1/feeds/json | \
#   python3 /opt/thehive/scripts/import-vspam-iocs.py

For SIEM ingestion (Splunk, Elastic, Wazuh, QRadar), see the SIEM Integrations guide. Full API reference at API Documentation.