BLACKSHIELD

Öffentlicher Leitfaden

Integrating Threat Intel Blocklists

Automate the deployment of Threat Intel indicators directly into your security stack, including AWS WAF, Egress Proxies, DNS sinkholes, and EDR systems. Zielgruppe: Security engineers, SOC analysts, and network administrators. Typische Einrichtungszeit: 5-10 minutes.

reference

Use this if

Automate the deployment of Threat Intel indicators directly into your security stack, including AWS WAF, Egress Proxies, DNS sinkholes, and EDR systems.

Audience
Security engineers, SOC analysts, and network administrators
Typical time
5-10 minutes

Bevor Sie beginnen

  • Create an ingestion API key in Settings → API Keys with at least read access to the Threat Intel blocklist.
  • Confirm your security tooling (WAF, DNS, EDR) has API or file-based ingestion capabilities.
  • Review the indicator types available in your tenant (IP, domain, SHA256) to decide which integrations to deploy first.

Guide walkthrough

Schritt 1

Deploying to AWS WAF

Fetch the IPv4 blocklist and pipe it dynamically into an AWS WAF IPSet to block malicious scanners automatically.

  • Generate an Ingestion API Key in Settings → API Keys.
  • Use the Boto3 Python snippet to `requests.get` the `/threat-intel/blocklist/export?indicator_type=ip`.
  • Transform the IPs into `address/32` CIDR notation.
  • Call `waf_client.update_ip_set()` to push the changes live.

What success looks like

Call `waf_client.update_ip_set()` to push the changes live.

Schritt 2

DNS Sinkholing with CoreDNS or Pi-hole

Use a bash script to fetch malicious domains and sinkhole them to prevent internal systems from resolving known malware or C2 infrastructure.

  • Fetch the domain export over the CSV endpoint: `/export?format=csv&indicator_type=domain`.
  • Parse each malicious domain and output `0.0.0.0 [domain]` into a `hosts` file.
  • Reload your DNS daemon (e.g. `pihole restartdns reload`).

What success looks like

Reload your DNS daemon (e.g. `pihole restartdns reload`).

Schritt 3

EDR Hash Ingestion

Export known malicious SHA256 hashes to import directly into your Endpoint Detection and Response platform (like CrowdStrike Falcon) to quarantine malware on execution.

  • Fetch the SHA256 export over the CSV endpoint.
  • Parse the payload to extract the hash and threat name.
  • Transform into the respective API payload format for your EDR.
  • Execute the request to sync the IOCs with your detection policies.

What success looks like

Execute the request to sync the IOCs with your detection policies.

Ausführen

aws_waf_update.py

python
import os
import boto3
import requests

def update_waf_ipset():
    api_key = os.environ.get("BLACKSHIELD_API_KEY")
    waf_client = boto3.client("wafv2", region_name="us-east-1")
    ip_set_id = os.environ.get("WAF_IPSET_ID")
    ip_set_name = os.environ.get("WAF_IPSET_NAME")

    # 1. Fetch latest IP indicators
    url = "https://api.blackshield.chaplau.com/api/v1/threat-intel/blocklist/export?format=txt&indicator_type=ip"
    res = requests.get(url, headers={"Authorization": f"Bearer {api_key}"})
    res.raise_for_status()

    addresses = []
    for ip in res.text.strip().split("\n"):
        if ip and not ip.startswith("#"):
            addresses.append(f"{ip}/32" if "/" not in ip else ip)

    # 2. Update the WAF IPSet
    ip_set = waf_client.get_ip_set(Name=ip_set_name, Scope="CLOUDFRONT", Id=ip_set_id)
    lock_token = ip_set["LockToken"]

    waf_client.update_ip_set(
        Name=ip_set_name,
        Scope="CLOUDFRONT",
        Id=ip_set_id,
        Addresses=addresses,
        LockToken=lock_token
    )
    print(f"Updated WAF IPSet {ip_set_name} with {len(addresses)} addresses.")

if __name__ == "__main__":
    update_waf_ipset()

dns_sinkhole.sh

bash
#!/bin/bash
# Generate a CoreDNS/Pi-Hole compatible hosts file from the domain export
export_url="https://api.blackshield.chaplau.com/api/v1/threat-intel/blocklist/export?format=csv&indicator_type=domain"

curl -s -X GET "$export_url" \
  -H "Authorization: Bearer $BLACKSHIELD_API_KEY" \
  > domains.csv

echo "# Threat Intel Sinkhole" > blocklist.hosts

tail -n +2 domains.csv | while IFS=',' read -r indicator type source severity threat_name
do
  if [ -n "$indicator" ]; then
    echo "0.0.0.0 $indicator" >> blocklist.hosts
  fi
done

edr_hash_sync.py

python
import os
import requests

def get_malicious_hashes():
    api_key = os.environ.get("BLACKSHIELD_API_KEY")
    url = "https://api.blackshield.chaplau.com/api/v1/threat-intel/blocklist/export?format=csv&indicator_type=sha256"

    response = requests.get(url, headers={"Authorization": f"Bearer {api_key}"})
    response.raise_for_status()

    ioc_payloads = []
    lines = response.text.strip().split("\n")[1:]

    for line in lines:
        if not line:
            continue
        parts = line.split(",")
        sha256 = parts[0]
        threat_name = parts[4] if len(parts) > 4 else "Unknown"

        ioc_payloads.append({
            "type": "sha256",
            "value": sha256,
            "policy": "detect",
            "description": f"BlackShield Threat Intel: {threat_name}"
        })

    return ioc_payloads

What success looks like

  • Your AWS WAF IPSet reflects the latest blocklist IPs and blocks known-malicious scanners.
  • DNS sinkhole hosts file reloads on schedule and internal clients can no longer resolve blocklisted domains.
  • EDR platform shows newly imported SHA256 IOCs with the correct threat labels from BlackShield.
Integrating Threat Intel Blocklists | BlackShield Docs