ThreatIngestor – Extract And Aggregate Threat Intelligence

An extendable instrument to extract and combination IOCs from risk feeds.
Integrates out-of-the-box with ThreatKB and MISP, and will are compatible seamlessly into any current worflow with SQS, Beanstalk, and customized plugins.

ThreatIngestor may also be configured to look at Twitter, RSS feeds, or different resources, extract significant data equivalent to malicious IPs/domain names and YARA signatures, and ship that data to some other machine for research.

fast walkthrough, learn extra ThreatIngestor walkthroughs at the InQuest weblog, and take a look at labs.inquest.web/iocdb, an IOC aggregation and querying instrument powered by way of ThreatIngestor.

ThreatIngestor calls for Python 3.6+, with building headers.
Install ThreatIngestor from PyPI:

pip set up threatingestor

Install non-compulsory dependencies for the usage of some plugins, as wanted:

pip set up threatingestor[all]

View the complete set up directions for more info.

Create a brand new config.yml document, and configure every supply and operator module you need to make use of. (See config.instance.yml for structure.) Then run the script:

threatingestor config.yml

By default, it’s going to run endlessly, polling every configured supply each and every 15 mins.
View the complete ThreatIngestor documentation for more info.

ThreatIngestor makes use of a plugin structure with “supply” (enter) and “operator” (output) plugins. The lately supported integrations are:


  • Beanstalk paintings queues
  • Git repositories
  • GitHub repository seek
  • RSS feeds
  • Amazon SQS queues
  • Twitter
  • Generic internet pages


  • Beanstalk paintings queues
  • CSV information
  • MISP
  • MySQL desk
  • SQLite database
  • Amazon SQS queues
  • ThreatKB
  • Twitter

View the complete ThreatIngestor documentation for more info on integrated plugins, and methods to create your individual.

Threat Intel Sources
Looking for some risk intel resources to get began? InQuest has a Twitter List with a number of accounts that put up C2 domain names and IPs: Note that you’re going to wish to observe for a Twitter developer account to make use of the ThreatIngestor Twitter Source. Take a take a look at config.instance.yml to peer methods to set this record up as a supply.
For sooner setup, RSS feeds is usually a nice supply of intelligence. Check out this case RSS config document for a couple of pre-configured safety blogs.

Download ThreatIngestor