ThreatIngestor is an extendable tool that extracts and aggregates Indicators of Compromise (IOCs) from diverse threat intelligence feeds for streamlined analysis.
Extract and aggregate threat intelligence.
Threat analysts and security teams use ThreatIngestor to automate the collection and normalization of threat intelligence from multiple sources such as Twitter, RSS feeds, and Git repositories. It enables continuous monitoring and ingestion of IOCs like malicious IPs, domains, and YARA signatures, facilitating efficient threat hunting and integration with existing security workflows.
To enable image extraction features, Python 3.7 or higher is required due to dependency constraints. Users should create and customize a config.yml file based on their sources and operators, referring to the provided example config. Continuous running mode is the default, so consider resource usage and adjust polling intervals as needed. Integration with message queues and external platforms allows seamless workflow automation.
Ensure Python 3.6 or higher with development headers is installed
Install ThreatIngestor from PyPI using: pip install threatingestor
Optionally install all plugin dependencies with: pip install threatingestor[all]
For image extraction functionality, install additional dependencies: pip install opencv-python pytesseract numpy
threatingestor config.yml
Runs ThreatIngestor with the specified configuration file, polling the configured sources every 15 minutes by default.
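The config.yml referred to above, as an added illustration that is not the project's shipped example config: one RSS source feeding one CSV operator, with the 15-minute polling interval set explicitly. The key names (general, sources, operators, module, url, feed_type, filename) are assumed from the project's documented config layout and the feed URL is a placeholder; verify both against the example config that ships with ThreatIngestor before use.

```yaml
# Added example config.yml for ThreatIngestor (not the project's own example).
# Key names are assumed from the documented layout; the feed URL is a placeholder.
general:
  daemon: true          # continuous running mode: keep polling sources
  sleep: 900            # seconds between polling rounds (15 minutes, the stated default)
  state_path: state.db  # tracks what was already seen so IOCs are not re-ingested

sources:
  # Placeholder RSS feed; replace with a real vendor or research blog feed.
  - name: example-vendor-blog
    module: rss
    url: https://example.com/feed.xml
    feed_type: messy    # extract IOCs from free-form prose; other assumed modes: clean, afterioc

operators:
  # Write every extracted artifact (IPs, domains, URLs, YARA signatures) to a CSV file.
  - name: csv-out
    module: csv
    filename: output.csv
```

Start it with the command shown above, threatingestor config.yml; lowering sleep shortens the polling interval at the cost of more requests to each source, and keeping state_path on persistent storage is what prevents duplicate IOCs after a restart.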