threat_note's People

Contributors

9b, alxhrck, brianwarehime, defpoint, jbertman, krmaxwell, lksnyder0, oghie, spencerwp, sroberts, swannysec

threat_note's Issues

Integration with other services

Hi there and thanks for all the good stuff so far.
Some opportunities for services that can be integrated:

  • packetmail.net for IP address (contact Nathan Fowler to get an API key)
  • cymon.io In Progress
  • malwr.com API is limited at the moment, can only submit
  • IPVoid
  • Shodan I don't have access, plus it costs money, gonna try out censys.io
  • ThreatRecon
  • Soltra Edge (via TAXII)
  • MISP via the API (you can contact CIRCL)
  • TotalHash
  • AlienVault OTX
  • Mnemonic pDNS (http://passivedns.mnemonic.no/search/ for prefix/suffix searches. API must be requested)
  • Secure Domain Foundation (securedomain.org one can request an API key)

Lots of opportunities (and work to be done) :)

Cheers,
Andreas

Parse JSON from VT and Whois better

Right now the JSON from WHOIS looks bad and is just one JSON blob. Need to figure out a way to parse this to make it look better. The Passive DNS information from VirusTotal needs to be split out into rows for each passive DNS entry, currently it looks jumbled and creates one long row.
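One way to do the splitting this issue asks for, as an added example rather than threat_note's own code: the passive DNS list becomes one row per resolution, and the raw whois text is broken into key/value pairs on the first colon only, so URLs and timestamps in the values survive. The sample report is constructed here and shaped like a VirusTotal v2 domain report; the field names ("resolutions", "ip_address", "last_resolved", "whois") are assumptions of the example.

```python
import json
from typing import List, Tuple

# Constructed sample shaped like a VirusTotal v2 domain report. The field names
# ("resolutions", "ip_address", "last_resolved", "whois") are assumptions of this
# example; the whois text arrives as one raw string, which is what makes it
# display as a single blob.
SAMPLE_REPORT = json.dumps({
    "resolutions": [
        {"last_resolved": "2014-11-10 00:00:00", "ip_address": "198.51.100.7"},
        {"last_resolved": "2015-03-02 00:00:00", "ip_address": "104.236.114.138"},
    ],
    "whois": (
        "Domain Name: NULLSECURE.ORG\n"
        "Registrar: Example Registrar, Inc.\n"
        "Registrar URL: http://example.net\n"
        "Creation Date: 2013-05-01T00:00:00Z\n"
        "Name Server: NS1.EXAMPLE.NET\n"
        "Name Server: NS2.EXAMPLE.NET\n"
        "Terms of use apply\n"
    ),
})


def passive_dns_rows(report_json: str) -> List[Tuple[str, str]]:
    """One (last_resolved, address-or-hostname) row per resolution, newest first,
    instead of one jumbled row for the whole list."""
    report = json.loads(report_json)
    rows = [
        (r.get("last_resolved", "-"), r.get("ip_address") or r.get("hostname", "-"))
        for r in report.get("resolutions", [])
    ]
    return sorted(rows, key=lambda row: row[0], reverse=True)


def whois_fields(report_json: str) -> List[Tuple[str, str]]:
    """Split the raw whois text into (key, value) pairs on the first colon only,
    so values that contain ':' (URLs, timestamps) stay intact. Repeated keys such
    as several Name Server lines are kept; lines without a colon are skipped."""
    report = json.loads(report_json)
    fields = []
    for line in report.get("whois", "").splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() and value.strip():
            fields.append((key.strip(), value.strip()))
    return fields


def render_rows(label: str, rows: List[Tuple[str, str]]) -> List[str]:
    """Lay rows out as Item/Value lines: the label on the first line only, one entry per line."""
    return ["%-12s %s" % (label if i == 0 else "", " ".join(row)) for i, row in enumerate(rows)]


if __name__ == "__main__":
    for line in render_rows("Passive DNS", passive_dns_rows(SAMPLE_REPORT)):
        print(line)
    for line in render_rows("Whois", [("%s:" % k, v) for k, v in whois_fields(SAMPLE_REPORT)]):
        print(line)
```

Sorting by the `last_resolved` string works because the timestamps are zero-padded ISO-style; a report that mixes formats would need a real date parse before sorting.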

Add geographical data to indicator from Whois

Add an option (selected in Settings) to enable geographical data. This could come from any IP/domain lookup services that provide coordinates. Use google maps to generate maps that could be inserted into a new table row for the object.

Thoughts on Moving "New Indicator" Button to Top of Page?

New UI looks awesome.

Was thinking that once the network indicators page gets more populated, the user might have to make a few wheel scrolls to get to the bottom to click the "New Indicator" button. Thoughts on moving that to the top of the page so it's always quickly accessible?

New Attribute Submission Error

Attempted to create the Attribute "Confidence" for a Network indicator (CIDR range). Entered the value "LOW." Received error [Errno -2] Name or service not known.

Attempting to return to indicators page, and then the original Network indicator after that also returns the same error.

More pDNS sources

One could add PassiveTotal and/or FarSight.
Thanks for your efforts.
Cheers

Cannot edit Campaign on created object

After a particular object has been created (indicator, threat group, etc.), when attempting to edit this item to include a Campaign, these changes do not seem to be saved.

Error when submitting new attribute

When submitting a domain indicator with a new attribute, I received the following error:

'domain.com' does not appear to be an IPv4 or IPv6 address.

I confirmed that the indicator for which I was trying to submit was a domain/host (www[.]yahoo[.]4pu[.]com), and not an IPv4/6. So, weird that it thought I was trying to submit an IP. Also tried submitting without 'www' and got the same error.

Threatcrowd Integration

Addition of ThreatCrowd integration would make a nice addition, as it already pulls from a number of sources (Malwr, Totalhash, etc.). Not sure how robust the API is at the moment, however.

Figure out way to add links to indicators from the Campaign page

Currently we only list the indicator itself and don't include any associated metadata (specifically the _id field) to take us to /network//info. We need to figure out a way to grab the _id field for the indicator and then pass that to the function so we can get back to the object.

Minor Enhancement: Left justification and alignment of comments field.

Purely an aesthetic thing: it would be a little easier to read the comments if they were left justified in the default indicator view.

(screenshot attached: 2015-08-29 10:52:20 pm)

Comments in the alternate table view might be easier to read if they were aligned with the rest of the fields (the text shoots way left after the first line - or maybe I just write too many words haha).

(screenshot attached: 2015-08-29 10:52:36 pm)

Support for CIDR as Network Indicator

Not sure if this fits in with the goal of submitting individual indicators, but is adding support for CIDR ranges something that would make sense for an IPv4 object? E.g., 146.185.221.0/24. Currently getting an error when trying to drill down on that.

FR: Incident Tracking

A section for tracking internal incidents (and linking to or creating indicators from within the section on the fly) would be helpful. I will work on a mock-up of fields for this section and add it here when complete.

FR: Filtering and Search

Add a global search function in the sidebar or at the top. Additional filtering (by indicator type, confidence, tag, etc.) on indicator pages and for export would be superb.

Building watchlists in threat_note

Hi again,

Do you think that threat_note is the right tool for building and maintaining watchlists (domain names, hostnames, registration email addresses, IP addresses)? If yes, then there are some use cases:

  • monitor hostnames for changes in resolved IP addresses
  • monitor domains for changes in whois records
  • monitor domains for new related hostnames/subdomains discovered (via Mnemonic Suffix pDNS queries)
  • monitor IP address via reverse DNS lookup
  • monitor email addresses for registering new domains (integration with DomainTools??)
  • etc..

Cheers,
Andreas

Error on Campaign page

I created a Threat Actor and Network Indicator without specifying a campaign. So now the Campaign page lists an "Unknown" campaign with both of those objects in it, and the links for those objects actually go to /campaign/<object_name>/info.

Star or "favorite" an indicator

If you need to highlight a particular indicator for quick identification, a way to highlight the row in the tables/indicators page. Use .glyphicon-star .glyphicon-star-empty to indicate this.

Indicator Drill-Down Errors

Hmm, not sure what's going on. Trying to drill-down on indicators from either the dashboard or Campaign page and am getting one of the following errors:

'odnsinfo'
Expecting property name: line 1 column 2 (char 1)

Just me? Thanks!

Add Bulk Import

A bulk import of some kind would be useful, even if it only allowed newline or comma separated indicators in the New Indicator page.

Make sure enabled services return no results gracefully

It appears that if someone has a service enabled but no API key, it will error out when trying to view indicator details. Need to also make sure that if the service is enabled and an API key is provided, no results show as "No results found".

Whois link for Domains isn't right

When looking at a domain indicator, the Whois link goes to https://who.is/whois-ip/ip-address/<domainname> which will be invalid because it's a domain name, not an IP address.
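Three of the reports above share one root cause: the domain rejected with "'domain.com' does not appear to be an IPv4 or IPv6 address", the CIDR range that errors on drill-down, and the Whois link that uses the IP path for a domain name all come from deciding how to treat an indicator before checking what kind of value it is. The code below is an added example, not threat_note's own code, that classifies an indicator with Python's `ipaddress` module (CIDR first, then single address, then hostname syntax) and picks the who.is path from that type. The `https://who.is/whois-ip/ip-address/` path is the one quoted in the issue; the `https://who.is/whois/<domain>` path for domains and the hostname regex are assumptions of the example.

```python
import ipaddress
import re
from typing import Optional

# RFC 1123 label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
# Constructed for this example; not threat_note's own validation.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _refang(value: str) -> str:
    """Normalise pasted indicators: trim whitespace, turn 'www[.]x[.]com' back into dots."""
    return value.strip().replace("[.]", ".")


def classify_indicator(value: str) -> str:
    """Return 'IPv4', 'IPv6', 'IPv4 CIDR', 'IPv6 CIDR', 'domain' or 'unknown'.

    Trying the CIDR and single-address forms first and only then falling back
    to hostname syntax means a domain is never handed to ipaddress.ip_address(),
    which is exactly the call that raises "'domain.com' does not appear to be
    an IPv4 or IPv6 address".
    """
    v = _refang(value)
    if "/" in v:
        try:
            net = ipaddress.ip_network(v, strict=False)  # tolerate host bits, e.g. .5/24
        except ValueError:
            return "unknown"
        return "IPv%d CIDR" % net.version
    try:
        return "IPv%d" % ipaddress.ip_address(v).version
    except ValueError:
        pass
    labels = v.rstrip(".").split(".")
    if len(labels) >= 2 and all(_LABEL.match(l) for l in labels) and not labels[-1].isdigit():
        return "domain"
    return "unknown"


def whois_url(value: str) -> Optional[str]:
    """Pick the who.is path by indicator type instead of always using the IP path.

    The IP path is the one the issue quotes; the '/whois/<domain>' path for
    domains is an assumption of this example.
    """
    v = _refang(value)
    kind = classify_indicator(v)
    if kind in ("IPv4", "IPv6"):
        return "https://who.is/whois-ip/ip-address/%s" % v
    if kind.endswith("CIDR"):
        # who.is looks up single addresses, so query the network address of the range.
        net = ipaddress.ip_network(v, strict=False)
        return "https://who.is/whois-ip/ip-address/%s" % net.network_address
    if kind == "domain":
        return "https://who.is/whois/%s" % v
    return None


if __name__ == "__main__":
    for sample in ("146.185.221.0/24", "www[.]yahoo[.]4pu[.]com", "104.236.114.138", "2001:db8::1", "LOW."):
        print("%-26s %-10s %s" % (sample, classify_indicator(sample), whois_url(sample)))
```

Returning `None` for an unrecognised value, rather than building a link anyway, is what lets the template skip the Whois row instead of rendering a dead one.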

Add Screenshot or Attachment Support

Addition of screenshot (preferably via direct paste from clipboard) or text/csv/other document attachment to indicators for supporting documentation would be wonderful!

Add relationships

Have the ability to add a relationship between multiple indicators. Could be a sidebar column which lists the relationship, or just another row in the object table. Think of how to identify the relationship. For example, should it just be something like:

{
  "_id" : ObjectId("55de741d76ca2e175ba7fb9b"),
  "campaign" : "LASER PANDA",
  "object" : "104.236.114.138",
  "comments" : "nullsecure.org webhosting server",
  "diamondmodel" : "Infrastructure",
  "lastseen" : "2015-08-20",
  "inputtype" : "IPv4",
  "firstseen" : "2001-01-01",
  "relationships" : { "nullsecure.org" : "domain name", "Brian Warehime" : "admin name" }
}

If the above works, how would we show the relationships? If it goes in a new table row called relationships, maybe something like:

Item           Value
Passive DNS    Last Resolved: 2015-03-02 00:00:00   Hostname: nullsecure.org
Relationships  Admin Name: Brian Warehime
               Domain Name: nullsecure.org

The relationships would be links to the other entries, if they aren't created already, they would be created when the new relationship is made, inheriting the attributes from the original entry.
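A sketch of the behaviour proposed above, as an added example and not threat_note's own code: the relationships dict lives on the source entry, a target that does not exist yet is created and inherits campaign, diamondmodel, firstseen and lastseen from the source, and the table row is rendered as labels with links. The in-memory `Store` stands in for the Mongo collection, `_id` is an integer counter rather than an ObjectId, and linking every entry as `/network/<_id>/info` (the info path used elsewhere on this page) is a simplification assumed here.

```python
import itertools
from typing import Dict, List, Optional, Tuple

# Attributes the issue proposes a newly created related entry should inherit
# from the entry the relationship was added to.
INHERITED = ("campaign", "diamondmodel", "firstseen", "lastseen")


class Store:
    """In-memory stand-in for the indicator collection (assumed for this example):
    _id is an integer counter rather than a Mongo ObjectId, and every entry is
    linked as /network/<_id>/info regardless of its type."""

    def __init__(self) -> None:
        self.entries: Dict[int, dict] = {}
        self._ids = itertools.count(1)

    def add_entry(self, **fields) -> dict:
        entry = {"_id": next(self._ids), "relationships": {}}
        entry.update(fields)
        self.entries[entry["_id"]] = entry
        return entry

    def find_by_object(self, obj: str) -> Optional[dict]:
        return next((e for e in self.entries.values() if e["object"] == obj), None)

    def add_relationship(self, source_id: int, target_object: str, relation_type: str,
                         target_inputtype: str = "unknown") -> dict:
        """Record source -> target in the source's relationships dict. If the target
        does not exist yet it is created, inheriting INHERITED attributes from the
        source; an existing target is reused so a second link never duplicates it."""
        source = self.entries[source_id]
        target = self.find_by_object(target_object)
        if target is None:
            inherited = {k: source[k] for k in INHERITED if k in source}
            target = self.add_entry(object=target_object, inputtype=target_inputtype,
                                    comments="created from relationship with %s" % source["object"],
                                    **inherited)
        source["relationships"][target_object] = relation_type
        return target

    def relationship_rows(self, source_id: int) -> List[Tuple[str, str]]:
        """(label, link) pairs for a 'Relationships' table row, sorted for a stable display."""
        rows = []
        for obj, rel in sorted(self.entries[source_id]["relationships"].items()):
            target = self.find_by_object(obj)
            rows.append(("%s: %s" % (rel.title(), obj), "/network/%d/info" % target["_id"]))
        return rows


if __name__ == "__main__":
    store = Store()
    ip = store.add_entry(object="104.236.114.138", inputtype="IPv4", campaign="LASER PANDA",
                         diamondmodel="Infrastructure", firstseen="2001-01-01", lastseen="2015-08-20",
                         comments="nullsecure.org webhosting server")
    store.add_relationship(ip["_id"], "nullsecure.org", "domain name", target_inputtype="Domain")
    store.add_relationship(ip["_id"], "Brian Warehime", "admin name", target_inputtype="Threat Actor")
    for label, link in store.relationship_rows(ip["_id"]):
        print("%-32s %s" % (label, link))
```

Keeping the relationship on the source entry only, as the proposed document does, means the target has no back-reference; if the UI should show the link from both sides, the inverse entry needs to be written at the same time or derived by a query over all `relationships` dicts.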

Confusing button on Threat Actors page

The "New Indicator" button may be confusing, as the "new object" page supports more types than just indicators. So when you're on, say, "Threat Actors" and see a "New Indicator" button, that may tell the user something other than what's intended.

Ability to edit object on info page

It would be great to have the ability to edit an object once you are on the object's info page. At present, you can only edit an object on the table view (e.g. 127.0.0.1:8888/networks), not on info view (e.g. 127.0.0.1:8888/network/11/info).

This would be useful as the longer the list of indicators grows, the harder it becomes to edit the required object. Also, when accessing an object through the Campaign group view, it navigates directly to the info page, so the object cannot be edited from there.

Include all attributes in dashboards

Right now it only includes 6 default attributes per indicator. Add functionality that will list all the attributes associated with the indicator, so you can scroll to the right to view all the different attributes. However, this could make the search filter weird, since it would include all the attributes, making the list hard to sort through, as well as a lot of "-"'s throughout the table for indicators that don't have that attribute.

Column arrangement in indicator table

If no confidence is set, it looks like the content shifts left one column. For example, the Diamond Model content shifts into the Confidence field/column.

(screenshot attached: 2015-09-29 8:28:48 pm)

FR: Additional Geolocation Improvements.

  • Addition of a flag icon for geolocated indicators on the Indicator tables on the dashboard and indicator pages.
  • Addition of a map with "pins" showing all geolocated indicators on each campaign or tag page.

Not allowing me to login

Hello,

I was experiencing issues today with logging in. It would not accept my password. This happened with another colleague as well.

p.s. love the product! great stuff

Error when drilling-down on network indicators

Receiving the following error when clicking on a network indicator from either the indicators page, dashboard, or campaign page.

Expecting property name: line 1 column 2 (char 1)

I have had this issue before, so it's possible that it's a local issue (still trying to troubleshoot on my end).

I am currently synced on latest updates.

Thanks!

Add export functionality

Add function per object and globally to export indicators to a variety of formats. Initial formats could be STIX, TAXII, Bro intel, Snort rules, etc.
