ThreatIngestor helps you collect threat intelligence from public feeds, and gives you context on that intelligence so you can research it further, and put it to use protecting yourself or your organization.

There is a never-ending stream of publicly available information on malicious activities online, but compiling all that information manually can take a lot of effort and time. ThreatIngestor automates as much of that work as possible, so you can focus on more important things.

Figure: A screenshot of a Twitter user feed, showing two tweets with defanged C2 domains and IP addresses.

Because it is completely modular and configuration-driven, ThreatIngestor is super flexible, and should fit easily into any threat intel workflow.

In this blog post, we will cover how to use ThreatIngestor to gather new content from RSS feeds for IOCs, then post them to Twitter. With ThreatIngestor, this is as simple as using a few plugins.

Figure: The flow of our intended ThreatIngestor setup

Start by installing the Python build dependencies:

`sudo apt-get install python3-dev python3-pip`

Then install ThreatIngestor and the dependencies we need from pip:

`pip install 'threatingestor'`

Note: If you are using zsh as your terminal, you must surround the package name with quotes.

And that's it! ThreatIngestor is installed to run with Twitter, SQLite, and RSS.

Now we're ready to make the config. First, create a general entry for your config.yml:

These are the general settings ThreatIngestor will use when run. It will run in daemon mode, checking for new content every 15 minutes. state_path refers to the name and path of the cache. This most likely doesn't need to be changed, unless you'd like to keep state files in a separate path.

These credentials are now stored in data and can be used by any sources or operators that need them. In this case, we will use the twitter-auth for the Twitter operator plugin; however, it can be used for the Twitter source plugin as well.

For this bot, we will use RSS feeds only. You can add as many RSS sources as you would like. RSS feed sources look something like this:

The field feed_type should be left as messy unless you are working with a list of known clean URLs and IP addresses, in which case you can set it to clean.

It is clear we will need the Twitter operator to post to Twitter; however, we also want to analyze the artifacts we've retrieved some other way. We will use the sqlite plugin to store our IOCs. If we name the db file artifacts.db, it will allow us to use the web app extra feature of ThreatIngestor to view what has been scraped:
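To show how the general, credential, source and operator entries described above fit together in one file, here is a complete config.yml for this bot. This is an added example, not the configuration from the original post or from the ThreatIngestor project: the credential field names (token, token_key, con_secret_key, con_secret), the operator options (filename, status), the sleep value of 900 seconds for the 15-minute interval and the example feed URL are assumptions drawn from how ThreatIngestor plugins are typically configured, and should be checked against the documentation for the version you installed.

```yaml
# config.yml for an RSS -> SQLite -> Twitter ThreatIngestor bot (added example, not the post's own file)

general:
  daemon: true            # keep running instead of exiting after one pass
  sleep: 900              # seconds between passes; 900 = every 15 minutes (assumed option name)
  state_path: state.db    # cache of what has already been seen; move it only if you want state elsewhere

credentials:
  # Named credential block referenced by operators (or sources) by name.
  # Keys below are assumptions about the Twitter credential format; never commit real values,
  # keep them out of version control and restrict file permissions on config.yml.
  - name: twitter-auth
    token: REPLACE_WITH_ACCESS_TOKEN
    token_key: REPLACE_WITH_ACCESS_TOKEN_SECRET
    con_secret_key: REPLACE_WITH_CONSUMER_KEY
    con_secret: REPLACE_WITH_CONSUMER_SECRET

sources:
  # Add as many RSS sources as you like; each one is polled on every pass.
  - name: example-threat-feed
    module: rss
    url: https://feeds.example.com/threat-research.xml   # placeholder URL, not a real feed
    feed_type: messy      # leave as messy unless the feed is a curated list of known-clean URLs/IPs

operators:
  # Store every artifact locally so it can be analysed outside Twitter.
  # Naming the file artifacts.db lets the ThreatIngestor web app browse what was scraped.
  - name: local-store
    module: sqlite
    filename: artifacts.db

  # Post the artifacts to Twitter using the named credential block.
  - name: twitter-bot
    module: twitter
    credentials: twitter-auth
    status: "New IOC: {artifact}"   # status template is an assumed option; {artifact} is filled per item
```

A practical check before running in daemon mode: run one pass, open artifacts.db (or the web app) and confirm that the artifacts look sane, then enable the Twitter operator. Posting from a messy feed without that review step can publish a domain or IP that is merely mentioned in an article rather than actually malicious, so keep feed_type as messy for anything that is not a curated list, and review what lands in artifacts.db before trusting the bot unattended.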