feat(plugins): implement ThreadWinds ingestion plugin

Add comprehensive plugin for extracting security entities from UTMStack
incidents/alerts and ingesting them into ThreadWinds threat intelligence
platform.

Core Features:
- Extract 100+ entity types (IPs, domains, hashes, emails, URLs, files,
  processes, CVEs, malware indicators, certificates, etc.)
- Build 100+ bidirectional entity associations (IP↔Domain, File↔Hash,
  Process↔File, CVE↔CPE, etc.)
- Automatic ThreadWinds API registration using instance credentials
- OpenSearch integration for alert/event retrieval
- 5-minute polling scheduler for active incidents (OPEN/IN_REVIEW)
- Graceful shutdown and comprehensive error handling

Author: JocLRojas

plugins/threadwinds-ingestion/README.md

@@ -0,0 +1,18 @@
+# UTMStack Plugin for ThreadWinds Ingestion
+
+
+## Description
+
+UTMStack Plugin for ThreadWinds Ingestion is a connector developed in Golang that extracts security entities from `UTMStack incidents and alerts` and sends them to the `ThreadWinds` threat intelligence platform.
+
+This plugin processes incidents from UTMStack, extracts entities (IPs, domains, hashes, emails, etc.) from their associated alerts and events, and ingests them into ThreadWinds for global threat intelligence correlation and enrichment.
+
+The connector automatically registers with ThreadWinds services using the admin email from the UTMStack system. It periodically polls for recent incidents, extracts all relevant entities (network indicators, file hashes, user identities, etc.), builds associations between entities, and sends them to ThreadWinds for analysis.
+
+### Requirements
+**ThreadWinds Credentials:**
+
+- API Key
+- API Secret
+
+Please note that the connector automatically registers with ThreadWinds using the admin email if credentials are not already configured. The connector requires a valid admin email to run.

plugins/threadwinds-ingestion/config/config.go

@@ -0,0 +1,31 @@
+package config
+
+type TWConfig struct {
+	InternalKey    string
+	BackendURL     string
+	ThreadWindsURL string
+	OpenSearchHost string
+	OpenSearchPort string
+	DBHost         string
+	DBPort         string
+	DBUser         string
+	DBPassword     string
+	DBName         string
+}
+
+func GetTWConfig() (*TWConfig, error) {
+	cfg := &TWConfig{
+		InternalKey:    GetInternalKey(),
+		BackendURL:     GetBackendUrl(),
+		ThreadWindsURL: GetThreadWindsURL(),
+		OpenSearchHost: GetOpenSearchHost(),
+		OpenSearchPort: GetOpenSearchPort(),
+		DBHost:         GetDBHost(),
+		DBPort:         GetDBPort(),
+		DBUser:         GetDBUser(),
+		DBPassword:     GetDBPassword(),
+		DBName:         GetDBName(),
+	}
+
+	return cfg, nil
+}

plugins/threadwinds-ingestion/config/const.go

@@ -0,0 +1,64 @@
+package config
+
+import (
+	"os"
+	"strings"
+
+	"github.com/utmstack/UTMStack/threadwinds-ingestion/utils"
+)
+
+func GetInternalKey() string {
+	return utils.Getenv("INTERNAL_KEY")
+}
+
+func GetBackendUrl() string {
+	return utils.Getenv("BACKEND_URL")
+}
+
+func GetThreadWindsURL() string {
+	if isDevEnvironment() {
+		return "https://apis.dev.threatwinds.com"
+	}
+	return "https://apis.threatwinds.com"
+}
+
+func GetOpenSearchHost() string {
+	return utils.Getenv("OPENSEARCH_HOST")
+}
+
+func GetOpenSearchPort() string {
+	return utils.Getenv("OPENSEARCH_PORT")
+}
+
+func GetDBHost() string {
+	return utils.Getenv("DB_HOST")
+}
+
+func GetDBPort() string {
+	return utils.Getenv("DB_PORT")
+}
+
+func GetDBUser() string {
+	return utils.Getenv("DB_USER")
+}
+
+func GetDBPassword() string {
+	return utils.Getenv("DB_PASS")
+}
+
+func GetDBName() string {
+	return utils.Getenv("DB_NAME")
+}
+
+func isDevEnvironment() bool {
+	env := os.Getenv("ENV")
+	if env != "" {
+		if strings.Contains(env, "-dev") ||
+			strings.Contains(env, "-qa") ||
+			strings.Contains(env, "-rc") {
+			return true
+		}
+	}
+
+	return false
+}

plugins/threadwinds-ingestion/go.mod

@@ -0,0 +1,58 @@
+module github.com/utmstack/UTMStack/threadwinds-ingestion
+
+go 1.25.5
+
+require (
+	github.com/AtlasInsideCorp/AtlasInsideAES v1.0.0
+	github.com/opensearch-project/opensearch-go/v2 v2.3.0
+	github.com/threatwinds/go-sdk v1.0.51
+	golang.org/x/sync v0.19.0
+	gopkg.in/yaml.v2 v2.4.0
+)
+
+require (
+	cel.dev/expr v0.25.1 // indirect
+	github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
+	github.com/bytedance/gopkg v0.1.3 // indirect
+	github.com/bytedance/sonic v1.14.2 // indirect
+	github.com/bytedance/sonic/loader v0.4.0 // indirect
+	github.com/cloudwego/base64x v0.1.6 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.12 // indirect
+	github.com/gin-contrib/sse v1.1.0 // indirect
+	github.com/gin-gonic/gin v1.11.0 // indirect
+	github.com/go-playground/locales v0.14.1 // indirect
+	github.com/go-playground/universal-translator v0.18.1 // indirect
+	github.com/go-playground/validator/v10 v10.30.1 // indirect
+	github.com/goccy/go-json v0.10.5 // indirect
+	github.com/goccy/go-yaml v1.19.2 // indirect
+	github.com/google/cel-go v0.26.1 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
+	github.com/leodido/go-urn v1.4.0 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
+	github.com/quic-go/qpack v0.6.0 // indirect
+	github.com/quic-go/quic-go v0.59.0 // indirect
+	github.com/stoewer/go-strcase v1.3.1 // indirect
+	github.com/tidwall/gjson v1.18.0 // indirect
+	github.com/tidwall/match v1.2.0 // indirect
+	github.com/tidwall/pretty v1.2.1 // indirect
+	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
+	github.com/ugorji/go/codec v1.3.1 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
+	golang.org/x/arch v0.23.0 // indirect
+	golang.org/x/crypto v0.47.0 // indirect
+	golang.org/x/exp v0.0.0-20260112195511-716be5621a96 // indirect
+	golang.org/x/net v0.49.0 // indirect
+	golang.org/x/sys v0.40.0 // indirect
+	golang.org/x/text v0.33.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20260114163908-3f89685c29c3 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260114163908-3f89685c29c3 // indirect
+	google.golang.org/grpc v1.78.0 // indirect
+	google.golang.org/protobuf v1.36.11 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	sigs.k8s.io/yaml v1.6.0 // indirect
+)