GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → InQuest → Threatingestor

InQuest / Threatingestor

Licence: gpl-2.0
Extract and aggregate threat intelligence.

Programming Languages

python
139335 projects - #7 most used programming language

Labels

security-toolsosintiocdfirthreat-huntingthreat-intelligencemalware-researchyarathreatintel

Projects that are alternatives of or similar to Threatingestor

Python Iocextract
Defanged Indicator of Compromise (IOC) Extractor.
Stars: ✭ 300 (-31.66%)
Mutual labels:  osint, dfir, threat-intelligence, malware-research, yara, threatintel, ioc
Intelowl
Intel Owl: analyze files, domains, IPs in multiple ways from a single API at scale
Stars: ✭ 2,114 (+381.55%)
Mutual labels:  osint, security-tools, threat-hunting, threat-intelligence, threatintel, ioc
YAFRA
YAFRA is a semi-automated framework for analyzing and representing reports about IT Security incidents.
Stars: ✭ 22 (-94.99%)
Mutual labels:  ioc, threat-hunting, malware-research, threatintel, threat-intelligence
Signature Base
Signature base for my scanner tools
Stars: ✭ 1,212 (+176.08%)
Mutual labels:  dfir, threat-hunting, threat-intelligence, yara, ioc
Malware Feed
Bringing you the best of the worst files on the Internet.
Stars: ✭ 69 (-84.28%)
Mutual labels:  threat-hunting, threat-intelligence, malware-research, threatintel
Threatpinchlookup
Documentation and Sharing Repository for ThreatPinch Lookup Chrome & Firefox Extension
Stars: ✭ 257 (-41.46%)
Mutual labels:  osint, dfir, threat-hunting, threatintel
Awesome Yara
A curated list of awesome YARA rules, tools, and people.
Stars: ✭ 1,394 (+217.54%)
Mutual labels:  threat-hunting, malware-research, yara, ioc
OSINT-Brazuca
Repositório criado com intuito de reunir informações, fontes(websites/portais) e tricks de OSINT dentro do contexto Brasil.
Stars: ✭ 508 (+15.72%)
Mutual labels:  osint, threat-hunting, threatintel, threat-intelligence
Patrowldocs
PatrOwl - Open Source, Free and Scalable Security Operations Orchestration Platform
Stars: ✭ 105 (-76.08%)
Mutual labels:  security-tools, threat-hunting, threat-intelligence, ioc
Stalkphish
StalkPhish - The Phishing kits stalker, harvesting phishing kits for investigations.
Stars: ✭ 256 (-41.69%)
Mutual labels:  osint, threat-hunting, threat-intelligence, threatintel
Spiderfoot
SpiderFoot automates OSINT for threat intelligence and mapping your attack surface.
Stars: ✭ 6,882 (+1467.65%)
Mutual labels:  osint, threatintel, security-tools, threat-intelligence
Opensquat
Detection of phishing domains and domain squatting. Supports permutations such as homograph attack, typosquatting and bitsquatting.
Stars: ✭ 149 (-66.06%)
Mutual labels:  osint, security-tools, threat-hunting, threat-intelligence
Patrowlengines
PatrOwl - Open Source, Free and Scalable Security Operations Orchestration Platform
Stars: ✭ 162 (-63.1%)
Mutual labels:  security-tools, threat-hunting, threat-intelligence, ioc
censys-recon-ng
recon-ng modules for Censys
Stars: ✭ 29 (-93.39%)
Mutual labels:  osint, threat-hunting, threatintel, threat-intelligence
Patrowlmanager
PatrOwl - Open Source, Smart and Scalable Security Operations Orchestration Platform
Stars: ✭ 363 (-17.31%)
Mutual labels:  security-tools, threat-hunting, threat-intelligence, ioc
Mimir
OSINT Threat Intel Interface - CLI for HoneyDB
Stars: ✭ 104 (-76.31%)
Mutual labels:  ioc, osint, threatintel
sqhunter
A simple threat hunting tool based on osquery, Salt Open and Cymon API
Stars: ✭ 64 (-85.42%)
Mutual labels:  threat-hunting, threatintel, threat-intelligence
Dnstwist
Domain name permutation engine for detecting homograph phishing attacks, typo squatting, and brand impersonation
Stars: ✭ 3,124 (+611.62%)
Mutual labels:  osint, threat-hunting, threat-intelligence
MindMaps
#ThreatHunting #DFIR #Malware #Detection Mind Maps
Stars: ✭ 224 (-48.97%)
Mutual labels:  dfir, threat-hunting, threat-intelligence
Scrummage
The Ultimate OSINT and Threat Hunting Framework
Stars: ✭ 355 (-19.13%)
Mutual labels:  osint, threat-hunting, threat-intelligence
View All Similar Projects ➔

ThreatIngestor

.. image:: https://inquest.net/images/inquest-badge.svg :target: https://inquest.net/ :alt: Developed by InQuest .. image:: https://travis-ci.org/InQuest/ThreatIngestor.svg?branch=master :target: https://travis-ci.org/InQuest/ThreatIngestor :alt: Build Status .. image:: https://readthedocs.org/projects/threatingestor/badge/?version=latest :target: http://inquest.readthedocs.io/projects/threatingestor/en/latest/?badge=latest :alt: Documentation Status .. image:: https://api.codacy.com/project/badge/Grade/a989bb12e9604d5a9577ce71848e7a2a :target: https://app.codacy.com/app/InQuest/ThreatIngestor :alt: Code Health .. image:: https://api.codacy.com/project/badge/Coverage/a989bb12e9604d5a9577ce71848e7a2a :target: https://app.codacy.com/app/InQuest/ThreatIngestor :alt: Test Coverage .. image:: http://img.shields.io/pypi/v/ThreatIngestor.svg :target: https://pypi.python.org/pypi/ThreatIngestor :alt: PyPi Version

An extendable tool to extract and aggregate IOCs_ from threat feeds.

Integrates out-of-the-box with ThreatKB_ and MISP_, and can fit seamlessly into any existing worflow with SQS_, Beanstalk_, and custom plugins_.

Currently used by InQuest Labs IOC-DB: https://labs.inquest.net/iocdb.

Overview

ThreatIngestor can be configured to watch Twitter, RSS feeds, or other sources, extract meaningful information such as malicious IPs/domains and YARA signatures, and send that information to another system for analysis.

.. image:: https://inquest.readthedocs.io/projects/threatingestor/en/latest/_images/mermaid-multiple-operators.png :target: https://inquest.readthedocs.io/projects/threatingestor/en/latest/workflows.html :alt: ThreatIngestor flowchart with several sources feeding into multiple operators.

Try it out now with this quick walkthrough, read more ThreatIngestor walkthroughs on the InQuest blog, and check out labs.inquest.net/iocdb_, an IOC aggregation and querying tool powered by ThreatIngestor.

Installation

ThreatIngestor requires Python 3.6+, with development headers.

Install ThreatIngestor from PyPI::

pip install threatingestor

Install optional dependencies for using some plugins, as needed::

pip install threatingestor[all]

View the full installation instructions_ for more information.

Usage

Create a new config.yml file, and configure each source and operator module you want to use. (See config.example.yml for layout.) Then run the script::

threatingestor config.yml

By default, it will run forever, polling each configured source every 15 minutes.

View the full ThreatIngestor documentation_ for more information.

Plugins

ThreatIngestor uses a plugin architecture with "source" (input) and "operator" (output) plugins. The currently supported integrations are:

Sources


* `Beanstalk work queues <https://inquest.readthedocs.io/projects/threatingestor/en/latest/sources/beanstalk.html>`__
* `Git repositories <https://inquest.readthedocs.io/projects/threatingestor/en/latest/sources/git.html>`__
* `GitHub repository search <https://inquest.readthedocs.io/projects/threatingestor/en/latest/sources/github.html>`__
* `RSS feeds <https://inquest.readthedocs.io/projects/threatingestor/en/latest/sources/rss.html>`__
* `Amazon SQS queues <https://inquest.readthedocs.io/projects/threatingestor/en/latest/sources/sqs.html>`__
* `Twitter <https://inquest.readthedocs.io/projects/threatingestor/en/latest/sources/twitter.html>`__
* `Generic web pages <https://inquest.readthedocs.io/projects/threatingestor/en/latest/sources/web.html>`__

Operators
  • Beanstalk work queues <https://inquest.readthedocs.io/projects/threatingestor/en/latest/operators/beanstalk.html>__
  • CSV files <https://inquest.readthedocs.io/projects/threatingestor/en/latest/operators/csv.html>__
  • MISP <https://inquest.readthedocs.io/projects/threatingestor/en/latest/operators/misp.html>__
  • MySQL table <https://inquest.readthedocs.io/projects/threatingestor/en/latest/operators/mysql.html>__
  • SQLite database <https://inquest.readthedocs.io/projects/threatingestor/en/latest/operators/sqlite.html>__
  • Amazon SQS queues <https://inquest.readthedocs.io/projects/threatingestor/en/latest/operators/sqs.html>__
  • ThreatKB <https://inquest.readthedocs.io/projects/threatingestor/en/latest/operators/threatkb.html>__
  • Twitter <https://inquest.readthedocs.io/projects/threatingestor/en/latest/operators/twitter.html>__

View the full ThreatIngestor documentation_ for more information on included plugins, and how to create your own.

Threat Intel Sources

Looking for some threat intel sources to get started? InQuest has a Twitter List with several accounts that post C2 domains and IPs: https://twitter.com/InQuest/lists/ioc-feed. Note that you will need to apply for a Twitter developer account to use the ThreatIngestor Twitter Source. Take a look at config.example.yml to see how to set this list up as a source.

For quicker setup, RSS feeds can be a great source of intelligence. Check out this example RSS config file_ for a few pre-configured security blogs.

Support

If you need help getting set up, or run into any issues, feel free to open an Issue_. You can also reach out to @InQuest_ on Twitter or read more about us on the web at https://www.inquest.net.

We'd love to hear any feedback you have on ThreatIngestor, its documentation, or how you're putting it to work for you!

Contributing

Issues and pull requests are welcomed. Please keep Python code PEP8 compliant. By submitting a pull request you agree to release your submissions under the terms of the LICENSE_.

.. _ThreatKB: https://github.com/InQuest/ThreatKB .. _LICENSE: https://github.com/InQuest/threat-ingestors/blob/master/LICENSE .. _full ThreatIngestor Documentation: https://inquest.readthedocs.io/projects/threatingestor/ .. _SQS: https://aws.amazon.com/sqs/ .. _Beanstalk: https://beanstalkd.github.io/ .. _MISP: https://www.misp-project.org/ .. _custom plugins: https://inquest.readthedocs.io/projects/threatingestor/en/latest/developing.html .. _IOCs: https://en.wikipedia.org/wiki/Indicator_of_compromise .. _full installation instructions: https://inquest.readthedocs.io/projects/threatingestor/en/latest/installation.html .. _Issue: https://github.com/InQuest/ThreatIngestor/issues .. [email protected]: https://twitter.com/InQuest .. _quick walkthrough: https://inquest.readthedocs.io/projects/threatingestor/en/latest/welcome.html#try-it-out .. _ThreatIngestor walkthroughs: https://inquest.net/taxonomy/term/42 .. _RSS config file: https://github.com/InQuest/ThreatIngestor/blob/master/rss.example.yml .. _labs.inquest.net/iocdb: https://labs.inquest.net/iocdb

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].