{"id":13642383,"url":"https://github.com/InQuest/ThreatIngestor","last_synced_at":"2025-04-20T16:32:07.158Z","repository":{"id":38899370,"uuid":"102033255","full_name":"InQuest/ThreatIngestor","owner":"InQuest","description":"Extract and aggregate threat intelligence.","archived":false,"fork":false,"pushed_at":"2024-01-31T18:36:13.000Z","size":1728,"stargazers_count":790,"open_issues_count":13,"forks_count":132,"subscribers_count":41,"default_branch":"master","last_synced_at":"2024-05-23T04:26:03.586Z","etag":null,"topics":["dfir","fraud-detection","indicators-of-compromise","intelligence-gathering","ioc","malware-research","misp","osint","security-tools","soar","threat-analysis","threat-feeds","threat-hunting","threat-intelligence","threat-intelligence-platform","threat-sharing","threatintel","yara"],"latest_commit_sha":null,"homepage":"https://inquest.readthedocs.io/projects/threatingestor/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/InQuest.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-08-31T18:41:55.000Z","updated_at":"2024-07-11T13:15:46.343Z","dependencies_parsed_at":"2023-10-04T05:45:45.255Z","dependency_job_id":"b41e602f-0e60-452c-8622-6941e848902c","html_url":"https://github.com/InQuest/ThreatIngestor","commit_stats":{"total_commits":533,"total_committers":19,"mean_commits":28.05263157894737,"dds":"0.32457786116322707","last_synced_commit":"2ccc1a53e704fd5d213dd8307ff9b907088f8b34"},"previous_names":[],"tags_count":18,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/InQuest%2FThreatIngestor","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/InQuest%2FThreatIngestor/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/InQuest%2FThreatIngestor/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/InQuest%2FThreatIngestor/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/InQuest","download_url":"https://codeload.github.com/InQuest/ThreatIngestor/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":223582212,"owners_count":17168659,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dfir","fraud-detection","indicators-of-compromise","intelligence-gathering","ioc","malware-research","misp","osint","security-tools","soar","threat-analysis","threat-feeds","threat-hunting","threat-intelligence","threat-intelligence-platform","threat-sharing","threatintel","yara"],"created_at":"2024-08-02T01:01:30.730Z","updated_at":"2024-11-09T13:31:37.629Z","avatar_url":"https://github.com/InQuest.png","language":"Python","funding_links":[],"categories":["Tools","Python","威胁情报","Threat intelligence"],"sub_categories":["IOC Tools","威胁狩猎","Threat hunting"],"readme":"\u003cdiv align=\"center\"\u003e\n  \u003ch1\u003eThreatIngestor\u003c/h1\u003e\n\u003c/div\u003e\n\n[![Build Status](https://github.com/InQuest/ThreatIngestor/actions/workflows/workflow.yml/badge.svg)](https://github.com/InQuest/ThreatIngestor/actions/workflows/workflow.yml)\n![Documentation Status](https://readthedocs.org/projects/threatingestor/badge/?version=latest)\n![PyPI Version](http://img.shields.io/pypi/v/ThreatIngestor.svg)\n\nAn extendable tool to extract and aggregate [IOCs](https://en.wikipedia.org/wiki/Indicator_of_compromise) from threat feeds.\n\nIntegrates out-of-the-box with [ThreatKB](https://github.com/InQuest/ThreatKB) and [MISP](https://www.misp-project.org/), and can fit seamlessly into any existing workflow with [SQS](https://aws.amazon.com/sqs/), [Beanstalk](https://beanstalkd.github.io/), and [custom plugins](https://inquest.readthedocs.io/projects/threatingestor/en/latest/developing.html).\n\nCurrently used by InQuest Labs IOC-DB: https://labs.inquest.net/iocdb\n\n## Overview\n\nThreatIngestor can be configured to watch Twitter, RSS feeds, sitemap (XML) feeds, or other sources, and extract meaningful information such as malicious IPs/domains and YARA signatures, and send that information to another system for analysis.\n\n![ThreatIngestor flowchart with several sources feeding into multiple operators](https://inquest.readthedocs.io/projects/threatingestor/en/latest/_images/mermaid-multiple-operators.png)\n\nTry it out now with this [quick walkthrough](https://inquest.readthedocs.io/projects/threatingestor/en/latest/welcome.html#try-it-out), read more [ThreatIngestor walkthroughs](https://inquest.net/taxonomy/term/42) on the InQuest blog, and check out [labs.inquest.net/iocdb](https://labs.inquest.net/iocdb), an IOC aggregation and querying tool powered by ThreatIngestor.\n\n## Installation\n\nThreatIngestor requires Python 3.6+, with development headers.\n\nInstall ThreatIngestor from PyPI:\n\n```bash\npip install threatingestor\n```\n\nInstall optional dependencies for using some plugins, as needed:\n\n```bash\npip install threatingestor[all]\n```\n\nView the [full installation instructions](https://inquest.readthedocs.io/projects/threatingestor/en/latest/installation.html) for more information.\n\n## Usage\n\nCreate a new ``config.yml`` file, and configure each source and operator module you want to use. (See ``config.example.yml`` for layout.) Then run the script:\n\n```bash\nthreatingestor config.yml\n```\n\nBy default, it will run forever, polling each configured source every 15 minutes.\n\nIf you'd like to run the image extraction source, or include the image extraction functionality for other sources, you will need to be running Python 3.7 \u003e= due to the dependencies:\n\n```bash\npip install opencv-python pytesseract numpy\n```\n\nView the [full ThreatIngestor documentation](https://inquest.readthedocs.io/projects/threatingestor/) for more information.\n\n## Plugins\n\nThreatIngestor uses a plugin architecture with \"source\" (input) and \"operator\" (output) plugins. The currently supported integrations are:\n\n### Sources\n\n- [Git repositories](https://inquest.readthedocs.io/projects/threatingestor/en/latest/sources/git.html)\n- [GitHub repository search](https://inquest.readthedocs.io/projects/threatingestor/en/latest/sources/github.html)\n- [Gists by username](https://inquest.readthedocs.io/projects/threatingestor/en/latest/sources/github_gist.html)\n- [RSS feeds](https://inquest.readthedocs.io/projects/threatingestor/en/latest/sources/rss.html)\n- [Sitemap feeds](https://inquest.readthedocs.io/projects/threatingestor/en/latest/sources/sitemap.html)\n- [Image extraction](https://inquest.readthedocs.io/projects/threatingestor/en/latest/sources/image.html)\n- [Amazon SQS queues](https://inquest.readthedocs.io/projects/threatingestor/en/latest/sources/sqs.html)\n- [Twitter](https://inquest.readthedocs.io/projects/threatingestor/en/latest/sources/twitter.html)\n- [Generic web pages](https://inquest.readthedocs.io/projects/threatingestor/en/latest/sources/web.html)\n\n### Operators\n\n- [CSV files](https://inquest.readthedocs.io/projects/threatingestor/en/latest/operators/csv.html)\n- [MISP](https://inquest.readthedocs.io/projects/threatingestor/en/latest/operators/misp.html)\n- [MySQL table](https://inquest.readthedocs.io/projects/threatingestor/en/latest/operators/mysql.html)\n- [SQLite database](https://inquest.readthedocs.io/projects/threatingestor/en/latest/operators/sqlite.html)\n- [Amazon SQS queues](https://inquest.readthedocs.io/projects/threatingestor/en/latest/operators/sqs.html)\n- [ThreatKB](https://inquest.readthedocs.io/projects/threatingestor/en/latest/operators/threatkb.html)\n- [Twitter](https://inquest.readthedocs.io/projects/threatingestor/en/latest/operators/twitter.html)\n\nView the [full ThreatIngestor documentation](https://inquest.readthedocs.io/projects/threatingestor/) for more information on included plugins, and how to create your own.\n\n## Threat Intel Sources\n\nLooking for some threat intel sources to get started? InQuest has a Twitter List with several accounts that post C2 domains and IPs: https://twitter.com/InQuest/lists/ioc-feed. Note that you will need to apply for a Twitter developer account to use the ThreatIngestor Twitter Source. Take a look at ``config.example.yml`` to see how to set this list up as a source.\n\nFor quicker setup, RSS feeds can be a great source of intelligence. Check out this example [RSS config file](https://github.com/InQuest/ThreatIngestor/blob/master/rss.example.yml) for a few pre-configured security blogs.\n\n## Support\n\nIf you need help getting set up, or run into any issues, feel free to open an [issue](https://github.com/InQuest/ThreatIngestor/issues). You can also reach out to [@InQuest](https://twitter.com/InQuest) on Twitter or read more about us on the web at https://www.inquest.net.\n\nWe'd love to hear any feedback you have on ThreatIngestor, its documentation, or how you're putting it to work for you!\n\n## Contributing\n\nIssues and pull requests are welcomed. Please keep Python code PEP8 compliant. By submitting a pull request you agree to release your submissions under the terms of the [LICENSE](https://github.com/InQuest/ThreatIngestor/blob/master/LICENSE).\n\n## Docker\n\n\n### Production\n\nA `Dockerfile` is available for running ThreatIngestor within a Docker container.\n\nFirst, you'll need to build the container:\n\n```bash\ndocker build . -t threatingestor\n```\n\nAfter that, you can mount the container by using this command:\n\n```bash\ndocker run -it --mount type=bind,source=/,target=/dock threatingestor /bin/bash\n```\n\nAfter you've mounted the container and you're inside the `/bin/bash` shell, you can run ThreatIngestor like normal:\n\n```bash\nthreatingestor config.yml\n```\n\n### Development\n\nThere is also a Dockerfile.dev for building a development version of ThreatIngestor. All you need is an available .whl file, which can be generated with the following command:\n\n```bash\npython3 -m build \n```\n\nAfter you've built the project, you can build the container:\n\n```bash\ndocker build . -t threatingestor -f Dockerfile.dev\n```\n\nNOTE: If you run into any issues while building the development environment or running ThreatIngestor within the container, you may need to comment out the following lines in `Dockerfile.dev` to work properly:\n\n```\nFROM ubuntu:18.04\n...\n# RUN apt-get install tesseract-ocr -y\n...\n# RUN pip3 install opencv-python pytesseract numpy\n...\n```\n\n### Extra Scripts\n\nSome scripts are now provided to help with your local configuration of ThreatIngestor.\n\nA README.md with additional information is available [here](https://github.com/InQuest/ThreatIngestor/tree/master/scripts/README.md).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FInQuest%2FThreatIngestor","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FInQuest%2FThreatIngestor","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FInQuest%2FThreatIngestor/lists"}