© 2026 Open-Awesome. Curated for the developer elite.

ThreatIngestor

License: GPL-2.0 · Language: Python · Version: v1.4.0

An extendable Python tool to extract and aggregate Indicators of Compromise (IOCs) from various threat intelligence feeds.

What is ThreatIngestor?

ThreatIngestor is an open-source Python tool that automates the extraction and aggregation of Indicators of Compromise (IOCs) from various online threat intelligence feeds. It monitors sources like Twitter, RSS feeds, and web pages to collect malicious IPs, domains, and YARA signatures, then forwards them to security analysis platforms. The tool helps security teams efficiently gather and process threat data to improve their defensive posture.

Target Audience

Security analysts, threat intelligence teams, and SOC (Security Operations Center) personnel who need to automate the collection and aggregation of threat indicators from diverse online sources.

Value Proposition

Developers choose ThreatIngestor for its extensible plugin architecture, which allows seamless integration with existing workflows and tools like MISP and ThreatKB. Its ability to handle multiple input sources and output destinations, combined with continuous polling, makes it a flexible and powerful solution for threat intelligence automation.

Overview

Extract and aggregate threat intelligence.

Use Cases

Best For

  • Automating IOC collection from security blogs via RSS feeds
  • Monitoring Twitter for real-time threat intelligence and C2 indicators
  • Integrating extracted IOCs into MISP or ThreatKB for analysis
  • Extracting text and IOCs from images using OCR capabilities
  • Building custom threat intelligence pipelines with plugin extensions
  • Aggregating threat data from GitHub repositories and gists

Not Ideal For

  • Real-time threat detection requiring sub-minute IOC ingestion
  • Organizations using commercial SIEMs with built-in threat feed integrations (e.g., Splunk ES, IBM QRadar)
  • Teams without Python development resources to manage plugins and dependencies
  • Environments with strict data privacy laws restricting web scraping or social media monitoring

Pros & Cons

Pros

Extensible Plugin Architecture

Supports custom source and operator plugins, so it can be integrated with almost any workflow; writing new plugins is covered in the project's developer documentation.

Multiple Source Support

Monitors diverse sources like Twitter, RSS, GitHub, and web pages, with pre-configured examples such as InQuest's Twitter list for quick setup.

Flexible Output Operators

Forwards IOCs to systems like MISP, ThreatKB, SQL databases, and AWS SQS, enabling seamless data flow into existing analysis pipelines.

Image OCR Capability

Uses OpenCV and Tesseract to extract text from images, useful for IOCs in screenshots, though it requires Python 3.7+ and additional dependencies.

Cons

Complex Initial Setup

Requires Python 3.6+ with development headers, optional dependencies for plugins like image extraction, and YAML configuration, making deployment non-trivial.

Twitter API Barrier

Needs a Twitter developer account with an application process, adding overhead and potential delays for real-time monitoring setups.

Polling-Based Latency

Runs on configurable intervals (default 15 minutes), lacking real-time event-driven ingestion, which may miss fast-evolving threats.

Quick Stats

  • Stars: 913
  • Forks: 135
  • Contributors: 0
  • Open issues: 15
  • Last commit: 2 years ago
  • Created: 2017

Tags

threat-sharing, osint, security-automation, rss-feeds, ioc, dfir, indicators-of-compromise, python, security-tools, plugin-architecture, threat-intelligence, threatintel, cybersecurity, malware-research, open-source-intelligence

Built With

  • MySQL
  • SQLite
  • OpenCV
  • Python
  • Docker
  • Amazon SQS
  • Tesseract
