Today I introduce, Threatelligence.
Its pretty much as I described in the last post, my attempt at cyber intelligence gathering data then further enriching it and then displaying it in a eye candy presentation that makes it easy to view, understand and search through.
I have written the data collector in a way to make it as generic as possible so that others using the tool can easily add their own custom sources of cyber intelligence data to the environment with one single file and a regex (:
Here is a sample, botnet_feeds.ini
When installed correctly, the cron job scripts will:
- Fetch all the sources of data, parse, enrich it a little and store in Elasticsearch
- Check how many days of data to keep, remove old data from Elasticsearch
When you are up and running you can create custom dashboards or add to the existing ones.
World Map Dashboard:
It can be pretty useful in a number of cases, for instance there is a report/log of a suspicious .exe that a user downloaded. You search parts of the name of the file and find a number of sites hosting the same EXE, you have the urls, ip address and can now block it at the firewall or look for similar logs:
So this is version 0.1, it may be buggy, may be poorly coded but its pretty much working and you can grab a full copy from Github, feel free to fork and improve/add/modify:
Read through the install, should be straight forward!