Amazon SQS¶
The SQS operator allows ThreatIngestor to integrate out-of-the-box with any system that supports reading from SQS queues. This operator is extremely flexible, as it accepts arbitrary config options and passes them through to the queue.
Configuration Options¶
module(required):sqsaws_access_key_id(required): Your AWS access key ID.aws_secret_access_key(required): Your AWS secret access key.aws_region(required): Your AWS region name.queue_name(required): The name of the SQS queue you want to use.
Any other options defined in the SQS operator section will be passed in to your
queue as part of a JSON object, after string interpolation to fill in artifact
content. For example, {domain} will be replaced with the C2 domain being
exported.
Example Configuration¶
The following example assumes AWS credentials have already been
configured in the credentials section of the config, like this:
credentials:
- name: aws-auth
aws_access_key_id: MYKEY
aws_secret_access_key: MYSECRET
aws_region: MYREGION
Inside the operators section of your configuration file:
- name: myqueue
module: sqs
credentials: aws-auth
queue_name: my-queue
domain: {domain}
url: {url}
source_type: url
download_path: /data/ingestor
In this example, the resulting JSON object for a URL artifact of
http://example.com/ sent to the SQS queue would be:
{
"domain": "example.com",
"url": "http://example.com/",
"source_type": "url",
"download_path": "/data/ingestor"
}