ThreatIngestor is an extendable tool to extract and aggregate IOCs from threat feeds. Integrates out-of-the-box with ThreatKB and MISP, and can fit seamlessly into any existing worflow with SQS, Beanstalk, and custom plugins.
Overview
It can be configured to watch Twitter, RSS feeds, or other sources, extract meaningful information such as malicious IPs/domains and YARA signatures, and send that information to another system for analysis.
Also Read – Pockint : A Portable OSINT Swiss Army Knife for DFIR/OSINT Professionals
Installation
It requires Python 3.6+, with development headers.
Install ThreatIngestor from PyPI:
pip install threatingestor
Install optional dependencies for using some plugins, as needed:
pip install threatingestor[all]
View the full installation instructions for more information.
Usage
Create a new config.yml
file, and configure each source and operator module you want to use. (See config.example.yml
for layout.) Then run the script:
threatingestor config.yml
By default, it will run forever, polling each configured source every 15 minutes.
View the full ThreatIngestor documentation for more information.
Plugins
ThreatIngestor uses a plugin architecture with “source” (input) and “operator” (output) plugins. The currently supported integrations are:
Sources
Operators
View the full ThreatIngestor documentation for more information on included plugins, and how to create your own.
Threat Intel Sources
Looking for some threat intel sources to get started? InQuest has a
Twitter List with several accounts that post C2 domains and IPs: https://twitter.com/InQuest/lists/ioc-feed. Note that you will need to apply for a Twitter developer account to use the ThreatIngestor Twitter Source. Take a look at config.example.yml
to see how to set this list up as a source.
For quicker setup, RSS feeds can be a great source of intelligence. Check out this example RSS config file for a few pre-configured security blogs.
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…