ThreatIngestor – Extract and Aggregate Threat Intelligence

ThreatIngestor is a flexible, configuration-driven, extensible framework for consuming threat intelligence. It can watch Twitter, RSS feeds, and other sources, extract meaningful information like C2 IPs/domains and YARA signatures, and send that information to other systems for analysis.

Use ThreatIngestor alongside ThreatKB or MISP to automate importing public C2s and YARA signatures, or integrate it into your existing workflow with custom operator plugins.


ThreatIngestor uses a plugin architecture with “source” (input) and “operator” (output) plugins. The currently supported integrations are:

  • Beanstalk work queues
  • Git repositories – clones each configured repository on the first run; on subsequent runs it runs git pull, checks for new and updated files matching the configured patterns, and extracts YARA rules from those files.
  • GitHub repository search – uses GitHub’s repository search API to find new repositories of interest and creates a Task artifact for each.
  • RSS feeds – RSS source pulls from standard RSS and Atom feeds, and extracts artifacts from within the feed content.
  • Amazon SQS queues – SQS source reads content from Amazon SQS queues.
  • Twitter – Twitter source can use several Twitter API endpoints out of the box: @mentions, Twitter lists, user timeline, and standard search.
  • Generic web pages – Web source will periodically check a URL for changes, and extract any artifacts it finds. This is useful for ingesting threat intel feeds that don’t already have a ThreatIngestor source plugin, without having to write your own custom plugin. Use it for plaintext IP blacklists, C2 URL CSVs, and more.
  • Operators – extracted artifacts can be written to Beanstalk work queues, CSV files, MISP, a MySQL table, a SQLite database, Amazon SQS queues, ThreatKB, and Twitter.
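
As an added illustration of the source → extract → operator flow described above (example code written for this page, not ThreatIngestor's own plugin API; the feed text, the source name, the regexes and the internal-range filter are constructed assumptions):

```python
import csv, io, ipaddress, re
from dataclasses import dataclass
from urllib.parse import urlparse
# Constructed sample feed entry (not real intel), defanged the way feeds often are.
SAMPLE_ENTRY = ("New campaign spotted. C2 at 203[.]0[.]113[.]45 and hxxp://malware-example[.]test/gate.php\n"
                "Also seen: evil-c2.example.net on port 443. Benign reference: 192.168.1.1 is our gateway.")

@dataclass(frozen=True)
class Artifact:
    kind: str    # "url", "domain" or "ipv4"
    value: str
    source: str  # name of the source that produced it
# Internal ranges a defender would not want pushed into a C2 list.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

def refang(text: str) -> str:
    """Undo common defanging so the regexes see the real indicators."""
    return text.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")

def is_internal(ip: str) -> bool:
    """True for RFC 1918/loopback addresses and for strings that are not valid IPv4."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # e.g. "999.1.1.1", which the loose regex still matches
        return True
    return any(addr in net for net in INTERNAL_NETS)

def extract_artifacts(text: str, source: str) -> list:
    """Source-side step: pull URLs, domains and public IPv4s out of one feed entry."""
    text = refang(text)
    found = []
    for url in URL_RE.findall(text):
        found.append(Artifact("url", url, source))
        host = urlparse(url).hostname or ""
        if DOMAIN_RE.fullmatch(host):
            found.append(Artifact("domain", host, source))
    rest = URL_RE.sub(" ", text)  # so URL paths like /gate.php are not read as domains
    found += [Artifact("ipv4", ip, source) for ip in IPV4_RE.findall(rest) if not is_internal(ip)]
    found += [Artifact("domain", d, source) for d in DOMAIN_RE.findall(rest)]
    return list(dict.fromkeys(found))  # dedupe while keeping order

def to_csv(artifacts: list) -> str:
    """Operator-side step: emit the rows a CSV operator would write."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["kind", "value", "source"])
    writer.writerows((a.kind, a.value, a.source) for a in artifacts)
    return buf.getvalue()
```

Running `to_csv(extract_artifacts(SAMPLE_ENTRY, "constructed-rss"))` yields one header row plus four artifact rows; the private gateway address and the URL path are deliberately left out.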

You can read more and download this tool over here: https://github.com/InQuest/ThreatIngestor
