Analyst-Tool

2024/02/28: Currently doing a code refactor and adding support for:

Censys
Shodan
URLScan

Linux support is here. The color coding works perfectly in the linux terminal. To run the tool in Linux without the need for Jupyter Notebook simply run:

python analyst_tool.py

A python script in Jupyter Notebook to automate as much as possible (simply copy one of the following to your clipboard) an analyst's investigation and intelligence gathering for:

Domains
Hashes
IP addresses
Mitre ATT&CK Tactics, Techniques & Sub-Techniques
Ports
Windows Event IDs.
Epoch timestamp conversion to human readable.
OTX Pulse ID Lookup

Once configured simply copy one of the above items and program will do the rest based on the configured modules and present the information to the screen.

In addition I want to make this tool to be beneficial to both new and seasoned analysts alike where it automatically presents useful information by simply copying something to the clipboard. The For more see the planned features & updates section.

Requirements

attackcti
configparser
ipwhois
IPython
OTXv2
pycti
pyperclip
validators

Setup & Configuration

Sign up for the free API's of any of the modules you wish to use
- Current Modules Available:
  - Abuse IP DB - Requires an API Key
  - AlienVault OTX - Reaquires and API Key
  - VirusTotal - Requires an API Key
  - OpenCTI - Requires an API Key
- NOTE: It is recommended to at least configure the VirusTotal module.
Open the config.ini file and place your API Keys in the appropriate place

[ABUSE_IP_DB]
accept = application/json
key = API_KEY_GOES_HERE

[VIRUS_TOTAL]
accept = application/json
x-apikey = API_KEY_GOES_HERE
user = VIRUS_TOTAL_PROFILE_USER_NAME_GOES_HERE

[ALIEN_VAULT_OTX]
otx_api_key = API_KEY_GOES_HERE
server = https://otx.alienvault.com/

[OTX_INTEL]
intel_list = COMA,SEPERATED,LIST,OF,OTX,PULSE,AUTHORS,GOES,HERE

[OPEN_CTI]
opencti_api_url = URL_FOR_OPENCTI_GOES_HERE
opencti_api_token = API_TOKEN_FOR_OPENCTI_GOES_HERE

Install Anaconda
Open Anaconda prompt and type:
- conda update conda
Once the update finishes navigate to the directory where you cloned this repository
In the Anacanda prompt type:
- pip install -r requirements.txt
Once this completes simply run jupyter notebook
- If not run from the directory you cloned this repository to then navigate there now.
  - It should look like the following:
Left click on the file named "Analyst Tool.ipynb"
You will then be presented with the following which is the actual jupyter notebook:
To begin using the notebook you can run it in one of 2 ways:
1. Left click the Run button
1. Ensure the box with the code is highlighted in blue (done by left clicking once) and pressing "Shift + Enter"
It is now running and you should see the following output
- Note: This will only occurr the first time you run the notebook each time. As it runs on a continuous loop to monitor your clipboard until killed.
It will output the following
- Note Your output may be different if you do not have all of the modules below configured.

Sample Ouput:

IP Address:

Updated AlienVault OTX Output Updated picture to follow

AlienVault OTX IP Report:
	dorkingbeauty1 Intel:     Yes
	Pulse Created:            2022-02-14T03:25:39.705000
	Pulse Modifed:            2022-02-14T03:25:39.705000
	Pulse:                    https://otx.alienvault.com/pulse/6209cbb3a50149391bd1040b


	pr0viehh Intel:           No
	Avertium Intel:           No

	Related Pulses:           50
	Reputation:               None
	Passive DNS:              2 Domains
	Hostname:                 171.25.193.20
	  First Seen:             2018-09-23T22:00:00
	  Last Seen:              2018-09-23T22:00:00
	Hostname:                 tor-exit0-readme.dfri.se
	  First Seen:             2017-04-23T21:00:36
	  Last Seen:              2020-05-28T16:26:41
	https://otx.alienvault.com/indicator/ip/171.25.193.20

cybersheepdog/Analyst-Tool

Analyst-Tool

Requirements

Setup & Configuration

Sample Ouput:

IP Address:

Hash:

Domain:

Planned features & updates

Author