
Combine

GPL-3.0 · Python · v0.1.3

A tool to gather and enrich threat intelligence indicators from publicly available sources into a structured CSV format.

657 stars · 172 forks · 0 contributors

What is Combine?

Combine is a Python-based tool that aggregates threat intelligence indicators from publicly available sources into a structured CSV format. It automates the collection, processing, and enrichment of data like IP addresses and domains, helping security teams integrate external threat feeds into their analysis workflows.

Target Audience

Security analysts, threat intelligence teams, and cybersecurity professionals who need to automate the gathering and standardization of external threat data for monitoring and investigation.

Value Proposition

Combine simplifies threat intelligence aggregation by providing a unified, automated pipeline that outputs consistent, enriched data, reducing manual effort and improving integration with tools like CRITs.

Overview

Tool to gather Threat Intelligence indicators from publicly available sources

Use Cases

Best For

  • Automating the collection of threat indicators from multiple public feeds
  • Enriching IP and domain data with ASN and geolocation information
  • Exporting structured threat intelligence to CSV for analysis
  • Integrating external threat data into the CRITs platform
  • Standardizing threat intelligence data from disparate sources
  • Building a custom threat intelligence processing pipeline

Not Ideal For

  • Organizations needing real-time threat intelligence with low-latency alerting
  • Teams requiring a graphical user interface for interactive threat data exploration
  • Projects heavily reliant on private or proprietary threat feeds without public equivalents

Pros & Cons

Pros

Multi-source Aggregation

Pulls threat data from numerous publicly available intelligence feeds like OpenBL and AlienVault, automating collection from diverse sources into one pipeline.

Structured CSV Output

Exports data in a consistent schema with fields for entity, type, direction, source, notes, and date, ensuring standardized and analyzable threat intelligence.

Optional Data Enrichment

Augments indicators with ASN, country, and DNS information using MaxMind GeoIP and Farsight DNSDB, adding valuable context to raw threat data.

Modular Pipeline

Can be run as a single command or step-by-step via separate scripts (reaper, thresher, winnower, baler), offering flexibility in execution and debugging.

CRITs Integration

Supports direct export to the CRITs threat intelligence platform via API, with specific configuration for URL, username, and API key, facilitating seamless workflow integration.

Cons

External API Dependencies

Enrichment requires API keys from Farsight DNSDB and reliance on MaxMind databases, adding setup complexity, potential costs, and points of failure.

Limited Feed Customization

Primarily designed for predefined public feeds; adding custom or private sources likely requires code modifications, as the README doesn't mention extensibility options.

Basic Output Format

Outputs only in CSV format, lacking support for other common threat intelligence formats like STIX or JSON, which may hinder integration with modern security tools.

Quick Stats

Stars: 657
Forks: 172
Contributors: 0
Open Issues: 36
Last commit: 7 years ago
Created: Since 2014

Tags

#python-tool #data-enrichment #security-automation #threat-intelligence #cybersecurity

Built With

  • Python
  • Docker

Included in

Malware Analysis 13.6k · Cybersecurity Blue Team 5.2k

Related Projects

Sigma Rules

Main Sigma Rule Repository

Stars: 10,448
Forks: 2,615
Last commit: 2 days ago

YARA

The pattern matching swiss knife

Stars: 9,612
Forks: 1,563
Last commit: 10 days ago

MISP

MISP (core software) - Open Source Threat Intelligence and Sharing Platform

Stars: 6,289
Forks: 1,582
Last commit: 4 days ago

Viper

Binary analysis and management framework

Stars: 1,562
Forks: 345
Last commit: 2 years ago