ThreatIngestor : Extract & Aggregate Threat Intelligence

ThreatIngestor is an extendable tool to extract and aggregate IOCs from threat feeds. Integrates out-of-the-box with ThreatKB and MISP, and can fit seamlessly into any existing worflow with SQS, Beanstalk, and custom plugins.

Overview

It can be configured to watch Twitter, RSS feeds, or other sources, extract meaningful information such as malicious IPs/domains and YARA signatures, and send that information to another system for analysis.

Also Read – Pockint : A Portable OSINT Swiss Army Knife for DFIR/OSINT Professionals

Installation

It requires Python 3.6+, with development headers.

Install ThreatIngestor from PyPI:

pip install threatingestor

Install optional dependencies for using some plugins, as needed:

pip install threatingestor[all]

View the full installation instructions for more information.

Usage

Create a new config.yml file, and configure each source and operator module you want to use. (See config.example.yml for layout.) Then run the script:

threatingestor config.yml

By default, it will run forever, polling each configured source every 15 minutes.

View the full ThreatIngestor documentation for more information.

Plugins

ThreatIngestor uses a plugin architecture with “source” (input) and “operator” (output) plugins. The currently supported integrations are:

Sources

Operators

View the full ThreatIngestor documentation for more information on included plugins, and how to create your own.

Threat Intel Sources

Looking for some threat intel sources to get started? InQuest has a Twitter List with several accounts that post C2 domains and IPs: https://twitter.com/InQuest/lists/ioc-feed. Note that you will need to apply for a Twitter developer account to use the ThreatIngestor Twitter Source. Take a look at config.example.yml to see how to set this list up as a source.

For quicker setup, RSS feeds can be a great source of intelligence. Check out this example RSS config file for a few pre-configured security blogs.

R K

Recent Posts

SpyAI : Intelligent Malware With Advanced Capabilities

SpyAI is a sophisticated form of malware that leverages advanced technologies to capture and analyze…

12 hours ago

Proxmark3 : The Ultimate Tool For RFID Security And Analysis

The Proxmark3 is a versatile, open-source tool designed for radio-frequency identification (RFID) security analysis, research,…

12 hours ago

Awesome Solana Security : Enhancing Program Development

The "Awesome Solana Security" collection is a comprehensive resource designed to help developers build more…

12 hours ago

IngressNightmare-POCs : Understanding The Vulnerability Exploitation Flow

The "IngressNightmare" vulnerabilities, disclosed in March 2025, represent a critical set of security issues affecting…

13 hours ago

AdaptixC2 : Enhancing Penetration Testing With Advanced Framework Capabilities

AdaptixC2 is an advanced post-exploitation and adversarial emulation framework designed specifically for penetration testers. It…

13 hours ago

Bincrypter : Enhancing Linux Binary Security through Runtime Encryption And Obfuscation

Bincrypter is a powerful Linux binary runtime crypter written in BASH. It is designed to…

13 hours ago