An extendable tool to extract and aggregate
Integrates out-of-the-box with and , and fits seamlessly into any existing workflow with , , and .
ThreatIngestor can be configured to watch Twitter, RSS feeds, or other sources, extract meaningful information such as malicious IPs/domains and YARA signatures, and send that information to another system for analysis.
, read more on the InQuest blog, and check out , an IOC aggregation and querying tool powered by ThreatIngestor.
ThreatIngestor requires Python 3.6+, with development headers.
Install ThreatIngestor from PyPI:
pip install threatingestor
Install optional dependencies for using some plugins, as needed:
pip install threatingestor[all]
View the for more information.
Create a new config.yml file, and configure each source and operator module you want to use. (See config.example.yml for the layout.) Then run the script:
By default, it will run forever, polling each configured source every 15 minutes.
View the for more information.
ThreatIngestor uses a plugin architecture with "source" (input) and "operator" (output) plugins. The currently supported integrations are:
View the for more information on the included plugins and how to create your own.
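The source/operator flow described above (sources feed text in, indicators come out, operators ship them on), as an added example that is not ThreatIngestor's own code. ListSource stands in for an RSS or Twitter source plugin, CSVOperator for an output plugin, and a small regex extractor replaces the iocextract library the real tool uses. The feed_type handling, the TLD allowlist and the sample entries are assumptions constructed for this example, not taken from the project.

```python
"""Source -> extractor -> operator pipeline in the style of ThreatIngestor.

Added example, not ThreatIngestor's own code: a hand-written extractor stands
in for the iocextract library the real tool uses.
"""
import csv
import io
import re
from dataclasses import dataclass

# Defang tokens common in blog posts and tweets: 1[.]2[.]3[.]4, evil(dot)com, evil[dot]com.
DOT = r"(?:\.|\[\.\]|\(\.\)|\[dot\]|\(dot\))"
DOT_RE = re.compile(DOT, re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}" + DOT + r"){3}\d{1,3}\b", re.IGNORECASE)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+" + DOT + r")+([a-z]{2,})\b", re.IGNORECASE)

# Illustrative TLD allowlist (an assumption); a real deployment should use the public suffix list.
KNOWN_TLDS = {"com", "net", "org", "io", "info", "biz", "xyz", "ru", "cn", "top"}


@dataclass(frozen=True)
class Artifact:
    kind: str       # "ipv4" or "domain"
    value: str      # refanged, lower-cased indicator
    source: str     # name of the source plugin that produced it
    reference: str  # where it was seen (entry title here; a URL in practice)


def refang(token):
    """Turn a defanged token back into its real form: evil[.]com -> evil.com."""
    return DOT_RE.sub(".", token)


def valid_ipv4(value):
    return all(0 <= int(octet) <= 255 for octet in value.split("."))


def extract_artifacts(text, source, reference, feed_type="messy"):
    """Pull IPv4 addresses and domains out of free text.

    feed_type mirrors the idea behind a messy/clean feed setting as this example
    understands it: "messy" keeps only indicators the author defanged (a strong
    signal they are IOCs rather than ordinary links); "clean" keeps everything.
    Private/reserved ranges are not filtered here only because the constructed
    samples use RFC 5737 documentation addresses; filter them in production.
    """
    found = []
    for match in IPV4_RE.finditer(text):
        raw = match.group(0)
        value = refang(raw)
        if feed_type == "messy" and value == raw:
            continue
        if valid_ipv4(value):
            found.append(Artifact("ipv4", value, source, reference))
    for match in DOMAIN_RE.finditer(text):
        raw = match.group(0)
        if match.group(1).lower() not in KNOWN_TLDS:
            continue  # drops path fragments such as gate.php
        value = refang(raw).lower()
        if feed_type == "messy" and value == raw.lower():
            continue
        found.append(Artifact("domain", value, source, reference))
    return found


class ListSource:
    """Stands in for an RSS or Twitter source plugin: entries are already fetched."""
    def __init__(self, name, entries, feed_type="messy"):
        self.name, self.entries, self.feed_type = name, entries, feed_type

    def run(self):
        artifacts = []
        for entry in self.entries:
            artifacts.extend(extract_artifacts(entry["content"], self.name,
                                               entry["title"], self.feed_type))
        return artifacts


class CSVOperator:
    """Stands in for an operator plugin: writes one CSV row per artifact."""
    def __init__(self, fileobj):
        self.writer = csv.writer(fileobj)
        self.writer.writerow(["kind", "value", "source", "reference"])

    def process(self, artifacts):
        for a in artifacts:
            self.writer.writerow([a.kind, a.value, a.source, a.reference])
        return len(artifacts)


def run_pipeline(sources, operators):
    """One polling cycle: run every source, de-duplicate, hand results to every operator."""
    seen, unique = set(), []
    for source in sources:
        for artifact in source.run():
            key = (artifact.kind, artifact.value)
            if key not in seen:
                seen.add(key)
                unique.append(artifact)
    for operator in operators:
        operator.process(unique)
    return unique


# Constructed sample entries using RFC 5737 documentation addresses; not real intel.
SAMPLE_ENTRIES = [
    {"title": "Loader campaign",
     "content": "C2 at hxxp://evil-example[.]com/gate.php, beacons to 203[.]0[.]113[.]45:8080"},
    {"title": "Phishing kit",
     "content": "Kit hosted on login-example(dot)net; staging box 198.51.100.7"},
    {"title": "Patch roundup",
     "content": "No indicators here, see example.com for details."},
]


def run_once_to_csv(entries, feed_type="messy"):
    out = io.StringIO()
    run_pipeline([ListSource("sample-blog", entries, feed_type)], [CSVOperator(out)])
    return out.getvalue()


if __name__ == "__main__":
    print(run_once_to_csv(SAMPLE_ENTRIES, "messy"))
```

With the sample entries, "messy" mode yields only the three defanged indicators and drops the plain 198.51.100.7 and example.com, while "clean" mode returns all five. ThreatIngestor itself also persists state so an entry is processed once across polling cycles; run_pipeline only de-duplicates within a single cycle.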
Threat Intel Sources
Looking for some threat intel sources to get started? InQuest maintains a Twitter list with several accounts that post C2 domains and IPs: https://twitter.com/InQuest/lists/ioc-feed. Note that you will need to apply for a Twitter developer account to use the ThreatIngestor Twitter source. Take a look at config.example.yml to see how to set this list up as a source.
For a quicker setup, RSS feeds can be a great source of intelligence. Check out this example for a few pre-configured security blogs.
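A config.yml that wires the InQuest Twitter list and an RSS feed described above into a CSV output, as an added example rather than the project's own config.example.yml. The section and key names follow the ThreatIngestor configuration format as I understand it, so verify them against config.example.yml before relying on them; the credential values and the RSS URL are placeholders.

```yaml
general:
  daemon: true          # keep polling instead of running once
  sleep: 900            # seconds between polls (the 15-minute default described above)
  state_path: state.db  # remembers which entries have already been processed

credentials:
  - name: twitter-auth  # obtained from a Twitter developer account
    api_key: REPLACE_ME
    api_secret_key: REPLACE_ME
    access_token: REPLACE_ME
    access_token_secret: REPLACE_ME

sources:
  - name: twitter-inquest-ioc-feed   # the list at https://twitter.com/InQuest/lists/ioc-feed
    module: twitter
    credentials: twitter-auth
    owner_screen_name: InQuest
    slug: ioc-feed
  - name: rss-example-blog
    module: rss
    url: https://blog.example/feed.xml   # placeholder, not a real feed
    feed_type: messy                     # only extract defanged indicators from free-form prose

operators:
  - name: csv-output
    module: csv
    filename: output.csv
```

Keep the credentials block out of version control; a source that references a credentials name which does not exist will fail at startup rather than silently produce nothing, which is the behaviour you want.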