🚨🚨🚨 THIS IS A WIP 🚨🚨🚨
If what you’re looking at here looks interesting to you hit me up here or at @[email protected]
The problem with working with DFIR/Infrastructure Analysis/Threat hunting types of workflows is the different ways of visualizing the data and the need for both structured data but also not-cumbersome workflows. In all things there’s a give and take.
So ideally I want:
- Freeform notes that have an understanding of IoCs
- The IoCs should be automatically enriched with configured datasets (is this IoC in VT? If so show some glyph next to it to let me know)
- A way to pull in external APIs intelligence into my notes and maintain that linkage
- Automatically maintain the time metadata of an IoC (first seen, last seen, update dates, and changes)
- Maintain seperate investigations but be able to link the IoCs between investigations
- Exportable in sharable formats (csv, stix/taxii)
- Exportable in a roughly human readable form
- Be able to visualize the IoCs as both a series of relationships between nodes and a timeseries graph and be able to filter on the graph
Using org-roam with some enhanced features focused on IoCs and Pivoting will give me a lot of this.
(use-package hunting-mode
:straight (:host github
:repo "noonker/hunting-mode")
:ensure t
:init
(add-hook 'org-mode-hook 'hunting-mode)
(setq hunting-api-key-misp "YOUR_KEY")
(setq hunting-api-url-misp "YOUR_ENDPOINT")
(setq hunting-api-key-robtex "YOUR_KEY")
(setq hunting-api-key-circl-pdns "YOUR_KEY")
;; Add some callback hooks :)
(add-to-list ' hunting-glyph-hooks
`(,hunting-ipv4-regex-wrapped hunting-misp-ioc-in-misp-p "💢" "💤")
`(,hunting-md5-regex-wrapped hunting-project-hash-contains-p "✅" "❌")
`(,hunting-sha1-regex-wrapped hunting-project-hash-contains-p "✅" "❌")
`(,hunting-sha256-regex-wrapped hunting-project-hash-contains-p "✅" "❌")
)
)
- GEO Locations embedded into org https://github.com/minad/osm <3
svg-tag-mode