ThreatIngestor is a flexible, configuration-driven, extensible framework for consuming threat intelligence. It can monitor Twitter, RSS feeds, and other sources, extract meaningful information like C2 IPs/domains and YARA signatures, then send that information to other systems for analysis. Use ThreatIngestor alongside ThreatKB or MISP to automate importing public C2s and YARA signatures, or integrate it into your existing workflow with custom operator plugins.
You can download the latest release (v1.0.2) or read further documentation at:
Since the previous release we have addressed multiple bug reports, added a new ingestion source for GitHub Gists (GitHub repositories were already supported), and implemented some major feature requests.
XML Sitemap Based Ingestion
This new ingestion method feeds on a website's XML sitemap. Walking the sitemap lets you enumerate a site's pages and pull in blog posts that are not exposed through an RSS feed, which, unfortunately, is a growing trend in our industry. Here's a sampling of vendors whose blogs have no RSS feed:
- Center for Internet Security (CIS)
- Palo Alto Networks
- Recorded Future
- Red Canary
OCR Sourced Indicator Extraction
Our second new ingestion method extracts IOCs from images using computer vision and the Tesseract OCR engine. It currently supports both local and remote extraction, meaning you can collect indicators from an image on your host system or point it at an external image URL. In upcoming releases we will also support passing images discovered in blog posts through the OCR IOC extraction pipeline.
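Both new sources come down to the same two steps: obtain text (from pages listed in a sitemap, or from Tesseract output) and then pull indicators out of it. The following is an added example written for this page, not ThreatIngestor's own code or configuration. It parses a sitemap index and its child sitemaps with the standard library, keeps only posts under a chosen path that are newer than a cutoff (so a rerun does not re-ingest the whole archive), refangs the text, extracts IPs, domains and URLs while suppressing the publishing vendor's own domains and file-name false positives, and exposes the same extractor for OCR output via pytesseract. The vendor.example site, its sitemaps, the post text and the OCR string are constructed for the example; the function names and the injected `fetch` callable are assumptions of this example, not ThreatIngestor's API.

```python
import ipaddress
import re
from datetime import datetime, timezone
from urllib.parse import urlparse
from xml.etree import ElementTree as ET

SITEMAP_NS = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FILE_EXT_NOISE = {"bin", "exe", "dll", "txt", "html", "php", "js", "png", "jpg", "zip", "doc"}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+", re.I)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24}\b", re.I)

def parse_lastmod(value):
    """<lastmod> is W3C datetime: '2024-05-02' or '2024-05-02T09:30:00Z'."""
    if not value:
        return None
    value = value.strip()
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"  # fromisoformat() before 3.11 rejects 'Z'
    dt = datetime.fromisoformat(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def parse_sitemap(xml_text):
    """Return ('index' | 'urlset', [(loc, lastmod-or-None), ...])."""
    root = ET.fromstring(xml_text)
    tag = root.tag.rsplit("}", 1)[-1]  # drop the namespace
    child = {"sitemapindex": "sm:sitemap", "urlset": "sm:url"}.get(tag)
    if child is None:
        raise ValueError(f"not a sitemap document: <{tag}>")
    entries = [(n.findtext("sm:loc", default="", namespaces=SITEMAP_NS).strip(),
                parse_lastmod(n.findtext("sm:lastmod", namespaces=SITEMAP_NS)))
               for n in root.findall(child, SITEMAP_NS)]
    return ("index" if tag == "sitemapindex" else "urlset"), entries

def select_posts(entries, path_prefix, since=None):
    """URLs under path_prefix with lastmod newer than `since` (no lastmod: keep)."""
    return [loc for loc, lastmod in entries
            if urlparse(loc).path.startswith(path_prefix)
            and not (since and lastmod and lastmod <= since)]

def refang(text):
    """Undo the defanging write-ups use so the regexes see real indicators."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    return re.sub(r"\bhxxp(s?)://", r"http\1://", text, flags=re.I)

def is_candidate_ip(text):
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:  # e.g. 999.1.1.1, which the regex still matches
        return False
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return False
    # Deliberately not ip.is_private: that also flags RFC 5737 documentation
    # space, which write-ups use for redacted indicators we still want to keep.
    return not any(ip in net for net in RFC1918)

def extract_iocs(text, own_domains=()):
    """Return {'ips', 'domains', 'urls'} sets; own_domains (the publishing vendor's
    hosts, plus subdomains) are dropped because they appear in every post."""
    text = refang(text)
    own = tuple(d.lower() for d in own_domains)
    domains = set()
    for d in (m.lower() for m in DOMAIN_RE.findall(text)):
        if d.rsplit(".", 1)[-1] in FILE_EXT_NOISE:  # 'stage2.bin' is a file, not a host
            continue
        if any(d == o or d.endswith("." + o) for o in own):
            continue
        domains.add(d)
    return {"ips": {m for m in IPV4_RE.findall(text) if is_candidate_ip(m)},
            "domains": domains,
            "urls": {u.rstrip(".,;:!?)") for u in URL_RE.findall(text)}}

def ingest(sitemap_url, fetch, path_prefix, since=None, own_domains=()):
    """Walk a sitemap tree (recursing through indexes); return {post_url: iocs}.
    fetch(url) -> str is injected so this runs offline; in production it is an HTTP GET."""
    kind, entries = parse_sitemap(fetch(sitemap_url))
    results = {}
    if kind == "index":
        for child_url, _ in entries:
            results.update(ingest(child_url, fetch, path_prefix, since, own_domains))
        return results
    for post_url in select_posts(entries, path_prefix, since):
        results[post_url] = extract_iocs(fetch(post_url), own_domains)
    return results

def iocs_from_image(path, own_domains=()):
    """OCR a local image with Tesseract, then reuse the same extractor. Needs the
    pytesseract and Pillow packages plus a tesseract binary, hence the lazy import."""
    import pytesseract
    from PIL import Image
    return extract_iocs(pytesseract.image_to_string(Image.open(path)), own_domains)

# Constructed sample site, not real vendor content: an index pointing at two child sitemaps.
_NS = 'xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"'
SAMPLE_SITE = {
    "https://vendor.example/sitemap.xml": f"<sitemapindex {_NS}>"
        "<sitemap><loc>https://vendor.example/sitemap-posts.xml</loc><lastmod>2024-05-02</lastmod></sitemap>"
        "<sitemap><loc>https://vendor.example/sitemap-pages.xml</loc></sitemap></sitemapindex>",
    "https://vendor.example/sitemap-posts.xml": f"<urlset {_NS}>"
        "<url><loc>https://vendor.example/blog/new-loader-campaign</loc><lastmod>2024-05-02T09:30:00Z</lastmod></url>"
        "<url><loc>https://vendor.example/blog/old-post</loc><lastmod>2023-01-10</lastmod></url>"
        "<url><loc>https://vendor.example/products/pricing</loc><lastmod>2024-05-01</lastmod></url></urlset>",
    "https://vendor.example/sitemap-pages.xml": f"<urlset {_NS}><url><loc>https://vendor.example/about</loc></url></urlset>",
    "https://vendor.example/blog/new-loader-campaign":
        "The loader beacons to 203[.]0[.]113[.]45 and resolves update.badcdn[.]net.\n"
        "Stage two comes from hxxp://files.badcdn[.]net/stage2.bin; in the lab it also\n"
        "pinged 10.0.0.5. Questions: blog@vendor.example.",
}
# Constructed stand-in for what Tesseract returns on a screenshot of a defanged IOC list.
SAMPLE_OCR_TEXT = "C2: hxxps://panel.evil-cdn[.]org/gate.php\nIP: 198.51.100.7"

def run_sample():
    """Ingest everything under /blog/ published after 2024-01-01, plus the OCR text."""
    cutoff = datetime(2024, 1, 1, tzinfo=timezone.utc)
    found = ingest("https://vendor.example/sitemap.xml", SAMPLE_SITE.__getitem__,
                   "/blog/", since=cutoff, own_domains=("vendor.example",))
    return found, extract_iocs(SAMPLE_OCR_TEXT)
```

Two things the example does not cover that matter in practice: real sites often publish the sitemap location only in robots.txt (a `Sitemap:` line) and frequently gzip child sitemaps, so the production `fetch` should handle both; and the cutoff should be persisted between runs, since without it a sitemap source re-reads the site's entire archive every time. For the OCR path, the text Tesseract returns from screenshots is noisier than prose (confused `l`/`1`, dropped dots), so expect to review or score those indicators rather than forward them automatically.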
Users of InQuest Labs IOCDB automatically benefit from these enhancements as ThreatIngestor is a core component of our system!