-
Notifications
You must be signed in to change notification settings - Fork 136
/
Copy pathconfig.example.yml
197 lines (166 loc) · 5.22 KB
/
config.example.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
# This example config file shows some of the features available in ThreatIngestor.
# It will not run as-is, since it's missing credentials and several of the
# plugins point to services you probably don't have.
# See the ThreatIngestor documentation for more information on how to create
# a real config.yml: https://inquest.readthedocs.io/projects/threatingestor/en/latest/.
general:
# You always need this section!
# Here are some sane values to include:
daemon: true
sleep: 900
state_path: state.db
credentials:
# This section is optional. Use it to define credentials to reference below
# in the source and operator sections.
- name: twitter-auth
# https://dev.twitter.com/oauth/overview/application-owner-access-tokens
api_key:
api_secret_key:
access_token:
access_token_secret:
bearer_token:
- name: virustotal-auth
api_key: API_KEY
- name: github-auth
username: user
# Could also use password instead https://github.blog/2013-05-16-personal-api-tokens/
# https://github.com/settings/tokens
token: TOKEN_OR_PASSWORD
- name: threatkb-auth
url: http://mythreatkb
token: MYTOKEN
secret_key: MYKEY
- name: aws-auth
aws_access_key_id: MY_KEY
aws_secret_access_key: MY_SECRET
aws_region: MY_REGION
- name: misp-auth
url: https://mymisp
key: MY_API_KEY
ssl: False
error_reporting:
- name: bugsnag
api_key: API_KEY
sources:
# This section defines each of the input sources for ThreatIngestor.
# Define as many as you want. ThreatIngestor maintains a "state" for each of
# your sources, which helps pull in only new content since the last run.
- name: twitter-inquest-c2-list
module: twitter
credentials: twitter-auth
list_id: 917864294053752832
- name: twitter-open-directory
module: twitter
credentials: twitter-auth
query: '"open directory" #malware'
- name: twitter-inquest-timeline
module: twitter
credentials: twitter-auth
username: InQuest
- name: github-query
module: github
credentials: github-auth
search: CVE-2018-
# Without regex include
- name: rss-inquest-blog
module: rss
url: https://inquest.net/blog/rss
feed_type: messy
# With regex include
# Keywords are seperated by '|'
- name: rss-inquest-blog
module: rss
url: https://inquest.net/blog/rss
feed_type: messy
include: security|threat|research
# With regex exclude
# Keywords are seperated by '|'
- name: rss-inquest-blog
module: rss
url: https://inquest.net/blog/rss
feed_type: messy
exclude: https:\/.inquest\.net\/blog[\/]?inquest-[\/]?
# Sitemap exmaples
# Keywords are seperated by '|' when using the include option
- name: inquest-sitemap-articles
module: sitemap
url: https://www.inquest.net/sitemap.xml
include: security|threat|research
# Keywords are seperated by '|' when using the exclude option
- name: inquest-sitemap-articles
module: sitemap
url: https://www.inquest.net/sitemap.xml
exclude: https:\/.inquest\.net\/blog[\/]?inquest-[\/]?
# Defaults to "blog" keyword
- name: inquest-sitemap-blog
module: sitemap
url: https://www.inquest.net/sitemap.xml
# Searches for "articles or security" keywords
- name: inquest-sitemap-blog-articles-security
module: sitemap
url: https://www.inquest.net/sitemap.xml
include: articles|security
# Only ingest from specific directories
- name: inquest-sitemap-blog-category
module: sitemap
url: https://www.inquest.net/sitemap.xml
path: /blog/category/
# Specify filtering for paths
# Only returns results under /blog/category/release|solutions
- name: inquest-sitemap-release-solutions
module: sitemap
url: https://www.inquest.net/sitemap.xml
path: /blog/category/
include: release|solutions
- name: vt-comments-inquest
module: virustotal
user: 'inquest.labs'
credentials: virustotal-auth
limit: 10
- name: image-extraction
module: image
img: https://example.com/image.png
- name: beanstalk-input
module: beanstalk
host: 127.0.0.1
port: 11300
queue_name: threatingestor-input
paths: [content]
operators:
# This section defines outputs for the information extracted from your
# sources. All filtering and flow control is done here, with options like
# "allowed_sources", "artifact_types", and "filter".
- name: csv
# Write artifacts to a CSV file
module: csv
filename: output.csv
- name: mythreatkb
# Send artifacts to a ThreatKB instance
module: threatkb
credentials: threatkb-auth
allowed_sources: [twitter-inquest-c2-list, rss-.*]
state: Inbox
- name: beanstalk-output
module: beanstalk
host: 127.0.0.1
port: 11300
queue_name: my-queue-worker-input
artifact_types: [URL]
url: {url}
- name: inquest-threatcrawler
module: sqs
credentials: aws-auth
allowed_sources: [twitter-open-directory]
filter: is_domain
artifact_types: [URL]
queue_name: research-crawl-queue
domain: {domain}
url: {url}
source_type: url
download_path: /var/crawler/ingestor
source_type_tags: dir
- name: sqlite-db
module: sqlite
filename: artifacts.db
- name: misp-instance
module: misp