Tuesday 3 June 2014

Threatelligence

In my previous post I spoke about my first attempt at Python + Elasticsearch + Kibana for cyber intelligence data, well as promised this is my followup as promised.

Today I introduce, Threatelligence.

Its pretty much as I described in the last post, my attempt at cyber intelligence gathering data then further enriching it and then displaying it in a eye candy presentation that makes it easy to view, understand and search through.

I have written the data collector in a way to make it as generic as possible so that others using the tool can easily add their own custom sources of cyber intelligence data to the environment with one single file and a regex (:

Here is a sample, botnet_feeds.ini



When installed correctly, the cron job scripts will:
  1. Fetch all the sources of data, parse, enrich it a little and store in Elasticsearch
  2. Check how many days of data to keep, remove old data from Elasticsearch
 I have included a mini how to add your own custom sources of data, a test script to test custom sources before committing it to the database and pre-configured Kibana dashboards.

When you are up and running you can create custom dashboards or add to the existing ones.

Default Dashboard:


World Map Dashboard:

It can be pretty useful in a number of cases, for instance there is a report/log of a suspicious .exe that a user downloaded. You search parts of the name of the file and find a number of sites hosting the same EXE, you have the urls, ip address and can now block it at the firewall or look for similar logs:



So this is version 0.1, it may be buggy, may be poorly coded but its pretty much working and you can grab a full copy from Github, feel free to fork and improve/add/modify:


Link: https://github.com/syphon1c/Threatelligence

Read through the install, should be straight forward!