An extendable tool to extract and aggregate IOCs from threat feeds.
Designed for use with InQuest ThreatKB, but can be used without it.
ThreatIngestor can be configured to watch Twitter, RSS feeds, or other sources, extract meaningful information such as C2 IPs/domains and YARA signatures, and send that information to another system for analysis.
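To illustrate the extraction-and-aggregation step described above, here is an added standalone example; it is not ThreatIngestor's own code and uses none of its modules. It refangs feed text (hxxp://, [.], (dot)), pulls out C2 IPs, domains and YARA rules, and merges the results across sources while remembering which source reported each indicator. The regexes are deliberately simple heuristics (a production extractor would validate TLDs against the public suffix list), and the feed items at the bottom are constructed samples, not real threat data.

```python
import re
from urllib.parse import urlparse

# Feeds publish "defanged" indicators (hxxp://, [.], (dot)); refang before matching.
DEFANG_RULES = [
    (re.compile(r"hxxp", re.I), "http"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\s?\(dot\)\s?", re.I), "."),
]
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24}\b", re.I)
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.I)
# YARA rule: optional modifiers, `rule`, a name, optional tags, then a brace-delimited body.
YARA_RE = re.compile(r"(?:(?:private|global)\s+)*rule\s+[A-Za-z_]\w*[^\n{]*\{.*?\n\}", re.S)

def refang(text: str) -> str:
    for pattern, replacement in DEFANG_RULES:
        text = pattern.sub(replacement, text)
    return text

def extract_iocs(text: str) -> dict:
    """Return the C2 IPs, domains and YARA rules found in one feed item."""
    clean = refang(text)
    yara = {rule.strip() for rule in YARA_RE.findall(clean)}
    clean = YARA_RE.sub(" ", clean)  # rule bodies hold strings like "gate.php"
    ips, domains = set(), set()
    for url in URL_RE.findall(clean):  # take URL hosts first so paths are not read as domains
        host = urlparse(url).hostname
        if host:
            (ips if IPV4_RE.fullmatch(host) else domains).add(host.lower())
    clean = URL_RE.sub(" ", clean)
    ips |= set(IPV4_RE.findall(clean))
    domains |= {d.lower() for d in DOMAIN_RE.findall(clean)}
    return {"ip": ips, "domain": domains, "yara": yara}

def aggregate(items: list) -> dict:
    """Merge IOCs across feed items, recording which sources reported each one."""
    merged = {"ip": {}, "domain": {}, "yara": {}}
    for item in items:
        for kind, values in extract_iocs(item["text"]).items():
            for value in values:
                merged[kind].setdefault(value, set()).add(item["source"])
    return merged

# Constructed sample feed items, not real threat data (documentation IP range, reserved names).
SAMPLE_FEED = [
    {"source": "twitter:@example_researcher",
     "text": "New C2 seen: hxxp://evil-c2[.]example[.]com/gate.php and 203[.]0[.]113[.]45"},
    {"source": "rss:example-blog",
     "text": "Same campaign: 203.0.113.45, drop(dot)example(dot)net\n"
             "rule Sample_C2 : c2 {\n  strings:\n    $a = \"gate.php\"\n  condition:\n    $a\n}"},
]
```

Calling aggregate(SAMPLE_FEED) shows the IP reported by both sources, each domain with its single source, and the YARA rule captured whole; the per-source bookkeeping is what lets an operator module forward only indicators seen by more than one feed.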
ThreatIngestor requires Python 3.6+.
Install ThreatIngestor and its dependencies:
pip3 install -r requirements.txt
python3 setup.py install
Create a new config.ini file and configure each source and operator module you want to use (see config.ini.example for the layout). Then run the script:
By default, it will run forever, polling each configured source every 15 minutes.
For full documentation, see the ThreatIngestor ReadTheDocs site.
Issues and pull requests are welcome. Please keep Python code PEP8 compliant. By submitting a pull request you agree to release your submissions under the terms of the LICENSE.