ThreatIngestor

ThreatIngestor is a flexible, configuration-driven, extensible framework for consuming threat intelligence.

It can watch Twitter, RSS feeds, and other sources, extract meaningful information like C2 IPs/domains and YARA signatures, and send that information to other systems for analysis.

Use ThreatIngestor alongside ThreatKB or MISP to automate importing public C2s and YARA signatures, or integrate it into your existing workflow with custom operator plugins.

User Guide

• Welcome to ThreatIngestor
  • What is ThreatIngestor?
  • Try it out
  • Support
• Installation
• Basic Usage
  • Minimal Case
  • Standard Case
• Example Workflows
  • Multiple Operators
  • Full-Circle
  • Queue Workers
  • Automate as Much as Possible

• Source Plugins
• Operator Plugins

• Artifacts
  • Domains
  • Hashes
  • IP Addresses
  • Tasks
  • URLs
  • YARA Signatures
• Extras
  • Quick Webapp
  • Queue Workers

• Observability
• Developing
• API Documentation

• Index
• Module Index
• Glossary