
TheHive - TheHive: a Scalable, Open Source and Free Security Incident Response Platform

  •    Javascript

TheHive is a scalable 3-in-1 open source and free Security Incident Response Platform designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly. It is the perfect companion to MISP. You can synchronize it with one or multiple MISP instances to start investigations out of MISP events. You can also export an investigation's results as a MISP event to help your peers detect and react to attacks you've dealt with. Additionally, when TheHive is used in conjunction with Cortex, security analysts and researchers can easily analyze tens if not hundreds of observables. Collaboration is at the heart of TheHive. Multiple analysts can work on the same case simultaneously. For example, one analyst may deal with malware analysis while another tracks C2 beaconing activity in proxy logs as soon as IOCs have been added by their coworker. Using TheHive's live stream, everyone can keep an eye on what's happening on the platform, in real time.

MISP - MISP (core software) - Open Source Threat Intelligence Platform (formerly known as Malware Information Sharing Platform)

  •    PHP

MISP is an open source software solution for collecting, storing, distributing and sharing cyber security indicators and threat information about cyber security incident analysis and malware analysis. MISP is designed by and for incident analysts, security and ICT professionals and malware reversers to support their day-to-day operations and to share structured information efficiently. The objective of MISP is to foster the sharing of structured information within the security community and abroad. MISP provides functionality to support the exchange of information, but also its consumption by Network Intrusion Detection Systems (NIDS), LIDS, log analysis tools and SIEMs.

misp-osint-collection - Collection of best practices to add OSINT into MISP and/or MISP communities


The document is available in XMind format and the source is available. Fork the project, download the XMind format document, edit the document with XMind, commit and do a pull-request.

TheHiveDocs - Documentation of TheHive


TheHive is a scalable 4-in-1 open source and free security incident response platform designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly. Thanks to Cortex, our powerful free and open source analysis engine, you can analyze (and triage) observables at scale using more than 80 analyzers. Additionally, starting from TheHive 3.1.0, you can actively respond to threats and interact with your constituency and other parties thanks to Cortex responders.

puppet-misp - This module installs and configures MISP (Malware Information Sharing Platform)

  •    HTML

This module installs and configures MISP (Malware Information Sharing Platform) on CentOS 7. It has been tested on Puppet 3.8.7 and with MISP versions 2.4.50 and 2.4.51. It installs all the needed dependencies, configures MISP and starts the services. However, it does not set up the database nor the GPG key; that is up to the administrator. It also does not set up the web server on top of which MISP runs, so Apache, Nginx or another web server of your choice is needed (the module nevertheless needs to know the name of the web server's service, e.g. httpd).

MISP-dockerized

  •    Shell

MISP dockerized is a project designed to provide an easy-to-use and easy-to-install 'out of the box' MISP instance that includes everything you need to run MISP with minimal host-side requirements. MISP dockerized uses MISP (Open Source Threat Intelligence Platform - https://github.com/MISP/MISP), which is maintained and developed by the MISP project team (https://www.misp-project.org/).


volatility-misp - Volatility plugin to interface with MISP

  •    Python

volatility-misp is a Volatility plugin that lets you pull YARA rules from a MISP instance's yara attributes and use them in yarascan.

docker-misp - Automated Docker MISP container - Malware Information Sharing Platform and Threat Sharing

  •    Dockerfile

Following the Official MISP Ubuntu 18.04 LTS build instructions. We follow the official MISP installation steps everywhere possible, while adding automation around tedious manual steps and configurations.

mail_to_misp - Connect your mail client/infrastructure to MISP in order to create events based on the information contained within mails

  •    Python

Connect your mail infrastructure to MISP in order to create events based on the information contained within mails. Once set up, you should be able to send your IoC-containing mails to misp_handler@YOURDOMAIN.

misp-book - User guide of MISP

  •    CSS

User guide for MISP (Malware Information Sharing Platform) - An Open Source Threat Intelligence Sharing Platform. This user guide is intended for ICT professionals such as security analysts, security incident handlers, or malware reverse engineers who share threat indicators using MISP or integrate MISP into other security monitoring tools. The user guide covers day-to-day usage of MISP's graphical user interface along with its automated interfaces (API), in order to integrate MISP within a security environment. It is maintained with the help of many other contributors, especially those who took part in the MISP hackathons.

misp-cloud - misp-cloud - Cloud-ready images of MISP

  •    Shell

The objective of this project is to deliver cloud-ready images of MISP for testing purposes. The image creation process takes into account security updates of the underlying operating system as well as of MISP itself, which allows you to use the image in production. That being said, it is highly recommended that you change the MISP credentials, the database credentials and the salt that are pre-configured in the images before exposing an instance.

misp-compliance - Legal, procedural and policies document templates for operating MISP and information sharing communities


Legal, procedural and policies document templates for operating MISP and information sharing communities following existing regulations, laws or policies. This repository is a collaborative effort to improve the state of information sharing and exchange within and outside the MISP Project.

misp-dashboard - A dashboard for a real-time overview of threat intelligence from MISP instances

  •    Python

A dashboard showing live data and statistics from the ZMQ feeds of one or more MISP instances. The dashboard can be used as a real-time situational awareness tool to gather threat intelligence information. The misp-dashboard includes a gamification tool to show the contributions of each organisation and how they are ranked over time. The dashboard can be used by a SOC (Security Operation Center) or security team, or during a cyber exercise, to keep track of what's going on in your various MISP instances. ⚠️ Make sure no other zmq python3 scripts are running: they block the update.
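The dashboard's input is the stream of notifications MISP publishes over ZMQ. The following is an added example (not misp-dashboard's own code) of the consumer side of that stream: it splits each frame into its `misp_json_*` topic and JSON body, attributes content to the creating organisation, and keeps the per-organisation counters a gamification view is built from. The frames and their payload layout (`Event.Orgc.name`, attributes and sightings carrying their parent `Event`) are constructed for the example and are an assumption about the real feed; a malformed frame is counted and dropped rather than allowed to kill the consumer.

```python
import json
from collections import Counter

# Constructed sample frames. Assumption: each MISP ZMQ notification is one
# text frame of the form "<topic> <json>", with topics named misp_json_*.
SAMPLE_FRAMES = [
    'misp_json_self {"status": "heartbeat"}',
    'misp_json_event {"Event": {"id": "12", "info": "phishing wave", '
    '"Orgc": {"name": "CIRCL"}}}',
    'misp_json_attribute {"Attribute": {"type": "domain", "value": "bad.example", '
    '"Event": {"id": "12", "Orgc": {"name": "CIRCL"}}}}',
    'misp_json_attribute {"Attribute": {"type": "ip-dst", "value": "203.0.113.9", '
    '"Event": {"id": "13", "Orgc": {"name": "ACME-CSIRT"}}}}',
    'misp_json_sighting {"Sighting": {"attribute_id": "77", '
    '"Event": {"id": "12", "Orgc": {"name": "CIRCL"}}}}',
]


def split_frame(frame):
    """Split a raw ZMQ frame into (topic, parsed JSON); reject anything else."""
    topic, sep, payload = frame.partition(" ")
    if not sep or not topic.startswith("misp_json"):
        raise ValueError("not a MISP ZMQ frame: %r" % frame[:40])
    return topic, json.loads(payload)


def creator_org(topic, doc):
    """Name of the creating organisation, or None for non-content topics."""
    if topic == "misp_json_event":
        container = doc.get("Event", {})
    elif topic == "misp_json_attribute":
        container = doc.get("Attribute", {}).get("Event", {})
    elif topic == "misp_json_sighting":
        container = doc.get("Sighting", {}).get("Event", {})
    else:
        return None  # heartbeats, user/tag notifications, ...
    return container.get("Orgc", {}).get("name")


class ContributionTracker:
    """Per-organisation and per-topic counters, the core of a gamification view."""

    def __init__(self):
        self.per_org = Counter()
        self.per_topic = Counter()
        self.rejected = 0

    def ingest(self, frame):
        try:
            topic, doc = split_frame(frame)
        except ValueError:  # json.JSONDecodeError is a ValueError too
            self.rejected += 1  # count and drop; never crash on bad input
            return None
        self.per_topic[topic] += 1
        org = creator_org(topic, doc)
        if org:
            self.per_org[org] += 1
        return topic

    def leaderboard(self):
        return self.per_org.most_common()


def run_sample():
    """Feed the constructed frames plus one junk frame through the tracker."""
    tracker = ContributionTracker()
    for frame in SAMPLE_FRAMES + ["garbage without a topic"]:
        tracker.ingest(frame)
    return tracker


if __name__ == "__main__":
    t = run_sample()
    print(t.leaderboard(), dict(t.per_topic), "rejected:", t.rejected)
```

In a live deployment the frames come from a `zmq.SUB` socket connected to the MISP publisher port; the parsing and counting above are independent of the transport, which is what makes them testable offline.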

misp-docker - MISP Docker (XME edition)

  •    Shell

The files in this repository are used to create a Docker container running a MISP ("Malware Information Sharing Platform") instance. I rewrote the Docker file to split the components in multiple containers (which is more in the philosophy of Docker).

misp-galaxy - Clusters and elements to attach to MISP events or attributes (like threat actors)

  •    Python

MISP galaxy is a simple method to express a large object called a cluster that can be attached to MISP events or attributes. A cluster can be composed of one or more elements. Elements are expressed as key-values. There are default vocabularies available in MISP galaxy, but those can be overwritten, replaced or updated as you wish. Existing clusters and vocabularies can be used as-is or as a template. MISP distribution can be applied to each cluster to permit a limited or broader distribution scheme.
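The following is an added example, not misp-galaxy's own code, of how a cluster file is consumed: it indexes the elements of a cluster by their value and `meta.synonyms`, resolves the `misp-galaxy:<type>="<value>"` tag that MISP attaches to an event or attribute back to the element, and shows the "overwrite or update" case by loading a second cluster whose element shares a uuid with a default one. The cluster JSON and the local override are constructed for the example and deliberately minimal; the real files carry many more elements and meta keys.

```python
import json
import re

# Constructed cluster in the misp-galaxy JSON layout (clusters/*.json):
# a galaxy type and a list of values, each with key-value elements under "meta".
THREAT_ACTOR_CLUSTER = json.loads("""
{
  "name": "Threat Actor",
  "type": "threat-actor",
  "uuid": "00000000-0000-4000-8000-000000000001",
  "values": [
    {"value": "APT1", "uuid": "11111111-1111-4111-8111-111111111111",
     "description": "Constructed example entry.",
     "meta": {"synonyms": ["Comment Crew", "Comment Panda"], "country": "CN"}},
    {"value": "Example Group", "uuid": "22222222-2222-4222-8222-222222222222",
     "meta": {"synonyms": ["EG"], "country": "XX"}}
  ]
}
""")

# Constructed local override: same element uuid as APT1, so it replaces
# the default entry (and drops the "Comment Panda" synonym).
LOCAL_OVERRIDE = {
    "name": "Threat Actor", "type": "threat-actor",
    "uuid": "00000000-0000-4000-8000-000000000001",
    "values": [
        {"value": "APT1", "uuid": "11111111-1111-4111-8111-111111111111",
         "meta": {"synonyms": ["Comment Crew"], "country": "CN",
                  "refs": ["https://example.invalid/local-notes"]}}
    ],
}

# Galaxy tags as MISP writes them, e.g. misp-galaxy:threat-actor="APT1"
TAG_RE = re.compile(r'^misp-galaxy:(?P<type>[a-z0-9-]+)="(?P<value>.+)"$')


class GalaxyIndex:
    def __init__(self):
        self.by_uuid = {}   # element uuid -> (galaxy type, element dict)
        self.lookup = {}    # (galaxy type, lowercased value or synonym) -> uuid

    def load(self, cluster):
        """Load a cluster file; later loads override earlier ones with the same uuid."""
        gtype = cluster["type"]
        for element in cluster["values"]:
            uid = element["uuid"]
            if uid in self.by_uuid:
                self._unindex(uid)  # forget the old value and synonyms
            self.by_uuid[uid] = (gtype, element)
            names = [element["value"]] + element.get("meta", {}).get("synonyms", [])
            for name in names:
                self.lookup[(gtype, name.lower())] = uid

    def _unindex(self, uid):
        self.lookup = {k: v for k, v in self.lookup.items() if v != uid}

    def resolve_tag(self, tag):
        """Map a galaxy tag to its cluster element, or None if it is not a known one."""
        m = TAG_RE.match(tag)
        if not m:
            return None
        uid = self.lookup.get((m.group("type"), m.group("value").lower()))
        return self.by_uuid[uid][1] if uid else None


def build_index():
    idx = GalaxyIndex()
    idx.load(THREAT_ACTOR_CLUSTER)
    idx.load(LOCAL_OVERRIDE)
    return idx


if __name__ == "__main__":
    idx = build_index()
    print(idx.resolve_tag('misp-galaxy:threat-actor="Comment Crew"'))
```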

misp-modules - Modules for expansion services, import and export in MISP

  •    Python

MISP modules are autonomous modules that can be used for expansion and other services in MISP. The modules are written in Python 3 following a simple API interface. The objective is to make it easy to extend MISP's functionality without modifying core components. The modules are exposed through a simple REST API which is independent of the MISP installation or configuration.
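As an added example (not one of the misp-modules project's own modules), here is a complete expansion module in the shape the misp-modules loader expects: module-level `mispattributes`, `moduleinfo` and `moduleconfig`, a `handler(q=False)` that receives the request body as a JSON string and returns either `{"results": [...]}` or a `misperrors` dict, plus `introspection()` and `version()`. It derives host indicators from a `url` attribute. The assumption that the URL may arrive either under the `url` key or under `request["attribute"]["value"]` covers both request styles the author has seen; the two-label registrable-domain guess is deliberately naive and flagged as such in the code.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Module metadata in the layout misp-modules reads via introspection()/version().
misperrors = {"error": "Error"}
mispattributes = {"input": ["url"], "output": ["hostname", "domain", "ip-dst"]}
moduleinfo = {
    "version": "0.1",
    "author": "example",
    "description": "Constructed example: derive host indicators from a URL attribute.",
    "module-type": ["expansion"],
}
moduleconfig = []  # no user-supplied settings needed


def handler(q=False):
    """Entry point called by misp-modules with the request body as a JSON string."""
    if q is False:
        return False
    request = json.loads(q)
    # Assumption: the value arrives under the attribute-type key ("url"),
    # or under request["attribute"]["value"] for the newer request style.
    url = request.get("url") or request.get("attribute", {}).get("value")
    if not url:
        misperrors["error"] = "A url attribute is required."
        return misperrors
    host = urlsplit(url).hostname  # strips scheme, port, userinfo, path, brackets
    if not host:
        misperrors["error"] = "Could not extract a host from the URL."
        return misperrors

    results = []
    try:
        ipaddress.ip_address(host)
        results.append({"types": ["ip-dst"], "values": [host]})
    except ValueError:
        results.append({"types": ["hostname"], "values": [host]})
        labels = host.split(".")
        if len(labels) >= 2:
            # Naive registrable-domain guess (last two labels); a real module
            # would consult the public suffix list instead.
            results.append({"types": ["domain"], "values": [".".join(labels[-2:])]})
    return {"results": results}


def introspection():
    return mispattributes


def version():
    moduleinfo["config"] = moduleconfig
    return moduleinfo


if __name__ == "__main__":
    print(handler(json.dumps({"url": "https://login.evil.example.net:8443/a?b=c"})))
    print(handler(json.dumps({"url": "http://203.0.113.9/x"})))
```

Dropped into the expansion modules directory, a module of this shape is picked up by the misp-modules server and becomes callable from MISP's attribute enrichment menu; the returned `types`/`values` pairs become proposed attributes.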

misp-objects - Definition, description and relationship types of MISP objects

  •    Python

MISP objects are used in MISP (starting from 2.4.80) and can be used by other information sharing tools. MISP objects complement MISP attributes and allow advanced combinations of attributes. The creation of these objects and their associated attributes is based on real cyber security use-cases and existing practices in information sharing. Feel free to propose your own MISP objects to be included in MISP. The system is similar to misp-taxonomies, where anyone can contribute their own objects to be included in MISP without modifying the software.
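An object template fixes which attribute relations an object may carry, the MISP attribute type of each, whether a relation may repeat (`multiple`), and which relations are `required` or `requiredOneOf`. The following added example (not misp-objects' own code) validates an object instance against such a template. The template is a constructed, cut-down version of a `file`-style definition using the real template keys; the two object instances are constructed as well, one that conforms and one that breaks every rule the validator checks.

```python
# Constructed, simplified template in the misp-objects layout
# (objects/<name>/definition.json); the real "file" template is much larger.
FILE_TEMPLATE = {
    "name": "file",
    "uuid": "33333333-3333-4333-8333-333333333333",
    "meta-category": "file",
    "version": 1,
    "description": "Constructed example template.",
    "attributes": {
        "filename": {"misp-attribute": "filename", "multiple": True, "ui-priority": 1},
        "md5": {"misp-attribute": "md5", "ui-priority": 1},
        "sha256": {"misp-attribute": "sha256", "ui-priority": 1},
        "size-in-bytes": {"misp-attribute": "size-in-bytes", "ui-priority": 0},
    },
    "required": ["filename"],
    "requiredOneOf": ["md5", "sha256"],
}

# Constructed object instances as they appear inside an event's "Object" list.
GOOD_OBJECT = {
    "name": "file", "template_uuid": FILE_TEMPLATE["uuid"],
    "Attribute": [
        {"object_relation": "filename", "type": "filename", "value": "dropper.exe"},
        {"object_relation": "filename", "type": "filename", "value": "setup.exe"},
        {"object_relation": "sha256", "type": "sha256",
         "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    ],
}
BAD_OBJECT = {
    "name": "file", "template_uuid": FILE_TEMPLATE["uuid"],
    "Attribute": [
        {"object_relation": "filename", "type": "text", "value": "x.exe"},
        {"object_relation": "size-in-bytes", "type": "size-in-bytes", "value": "1"},
        {"object_relation": "size-in-bytes", "type": "size-in-bytes", "value": "2"},
        {"object_relation": "entropy", "type": "float", "value": "7.9"},
    ],
}


def validate_object(obj, template):
    """Return a list of problems; an empty list means the object fits the template."""
    problems = []
    if obj.get("template_uuid") != template["uuid"]:
        problems.append("template_uuid does not match %s" % template["uuid"])
    spec = template["attributes"]
    seen = {}
    for attr in obj.get("Attribute", []):
        rel = attr.get("object_relation")
        if rel not in spec:
            problems.append("unknown object_relation %r" % rel)
            continue
        expected = spec[rel]["misp-attribute"]
        if attr.get("type") != expected:
            problems.append("%s must be of type %s, got %s" % (rel, expected, attr.get("type")))
        seen[rel] = seen.get(rel, 0) + 1
        if seen[rel] > 1 and not spec[rel].get("multiple", False):
            problems.append("%s may appear only once" % rel)
    for rel in template.get("required", []):
        if rel not in seen:
            problems.append("missing required attribute %s" % rel)
    one_of = template.get("requiredOneOf", [])
    if one_of and not any(rel in seen for rel in one_of):
        problems.append("need at least one of: %s" % ", ".join(one_of))
    return problems


if __name__ == "__main__":
    print(validate_object(GOOD_OBJECT, FILE_TEMPLATE))
    for p in validate_object(BAD_OBJECT, FILE_TEMPLATE):
        print("-", p)
```

Running the same check over objects received from a peer before importing them is a cheap way to catch templates that diverged between instances (different `template_uuid` or template version) before they pollute correlation.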

misp-rfc - Specifications used in the MISP project including MISP core format

  •    HTML

This repository is the official source of the specifications and formats used in the MISP project. The formats are described to support other implementations that reuse them and to ensure interoperability with existing MISP software and other Threat Intelligence Platforms.