A Python-based parser for STIX 1.2 XML threat intelligence feeds. It extracts MD5 hashes and domain indicators from one or more STIX packages and outputs them into a clean CSV table.
- ✅ Supports multiple STIX packages in one file
- ✅ Extracts MD5 hashes and domains
- ✅ Exports results to CSV
- ✅ Command-line file input (
-f) and custom output (-o) - ✅ Lightweight & fast
git clone https://github.com/suuhm/STIX2Tab.git
cd STIX2Tabpip install pandas pyfigletpython3 stix2tab.py -f stix_log.xmlrm -rf /tmp/s2t; mkfifo /tmp/s2t
docker run --rm eclecticiq/cabby taxii-poll \
--path https://otx.alienvault.com/taxii/poll \
--collection user_alienvault --begin 2025-09-08T15:12:56 \
--username <UR_API_KEY> --password foo > /tmp/s2t & echo; python stix2tab.py -f /tmp/s2tThis will parse stix_log.xml and export results into:
stix_indicators.csv
python3 stix2tab.py -f stix_log.xml -o my_output.csvTerminal Preview:
Indicator_Title MD5 Domain
04b5e068e6f0079c2c205a42df8a3a84 ... 04b5e068e6f0079c2c205a42df8a3a84 None
aria-hidden.com from OTX None aria-hidden.com
caret-right.com from OTX None caret-right.com
CSV Output Example (stix_indicators.csv):
| Indicator_Title | MD5 | Domain |
|---|---|---|
| 04b5e068e6f0079c2c205a42df8a3a84 from OTX | 04b5e068e6f0079c2c205a42df8a3a84 | NULL |
| aria-hidden.com from OTX | NULL | aria-hidden.com |
| caret-right.com from OTX | NULL | caret-right.com |
| Flag | Description | Default |
|---|---|---|
-f / --file |
Input STIX XML file | Required |
-o / --output |
Output CSV file | stix_indicators.csv |