Extract and aggregate IOCs from threat feeds.
An extendable tool to extract and aggregate IOCs from threat feeds.
Currently used by InQuest Labs IOC-DB: https://labs.inquest.net/iocdb.
ThreatIngestor can be configured to watch Twitter, RSS feeds, or other sources, extract meaningful information such as malicious IPs/domains and YARA signatures, and send that information to another system for analysis.
Try it out now with this quick walkthrough, read more ThreatIngestor walkthroughs on the InQuest blog, and check out labs.inquest.net/iocdb, an IOC aggregation and querying tool powered by ThreatIngestor.
ThreatIngestor requires Python 3.6+, with development headers.
Install ThreatIngestor from PyPI:
pip install threatingestor
Install optional dependencies for using some plugins, as needed:
pip install threatingestor[all]
View the full installation instructions for more information.
Create a new config.yml file, and configure each source and operator module you want to use. (See config.example.yml for layout.) Then run the script:
By default, it will run forever, polling each configured source every 15 minutes.
View the full ThreatIngestor documentation for more information.
ThreatIngestor uses a plugin architecture with “source” (input) and “operator” (output) plugins. The currently supported integrations are:
View the full ThreatIngestor documentation for more information on included plugins, and how to create your own.
Threat Intel Sources
Looking for some threat intel sources to get started? InQuest has a Twitter List with several accounts that post C2 domains and IPs: https://twitter.com/InQuest/lists/ioc-feed. Note that you will need to apply for a Twitter developer account to use the ThreatIngestor Twitter Source. Take a look at config.example.yml to see how to set this list up as a source.
For quicker setup, RSS feeds can be a great source of intelligence. Check out this example RSS config file for a few pre-configured security blogs.
We’d love to hear any feedback you have on ThreatIngestor, its documentation, or how you’re putting it to work for you!
Issues and pull requests are welcomed. Please keep Python code PEP8 compliant. By submitting a pull request you agree to release your submissions under the terms of the LICENSE.
A Dockerfile is now available for running ThreatIngestor within a Docker container.
First, you’ll need to build the container:
docker build . -t threat
After that, you can mount the container for use using this command:
docker run -it --mount type=bind,source=/,target=/dock threat /bin/bash
After you’ve mounted the container, and you’re inside of the /bin/bash shell, you can run the threatingestor like normal:
Release history Release notifications | RSS feed
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Hashes for threatingestor-1.0.2-py3-none-any.whl