threat_note is a web application built by Defense Point Security that allows security researchers to add and retrieve indicators related to their research. As of right now this includes IP Addresses, Domains and Threat Actors, with more types being added in the future.
This app fills the gap between the various solutions currently available by being lightweight and easy to install, and by minimizing the fluff and extraneous information that sometimes gets in the way of adding data. To create a new indicator, you only really need to supply the object itself (whether it be a Domain, IP or Threat Actor) and set the type accordingly, and boom! That's it! Of course, supplying more information is definitely helpful, but it's not required.
Other applications built for storing indicators and research have some shortcomings that threat_note hopes to fix. Some common complaints with other apps are:
- Hard to install/configure/maintain
- Need to pay for added features (enterprise licenses)
- Too much information
  - This boils down to there being so much stuff to do to create new indicators, or trying to cram a ton of functions inside the app.
Now that we are using SQLite, there's no need for a pesky Vagrant machine. All we need to do is install some requirements via pip and fire up the server:

```
cd threat_note
pip install -r requirements.txt
```

Once the server is running, you can browse to http://localhost:5000 and register a new account to use to log in to threat_note.

A development Dockerfile is now available. To build and run it, do the following from its directory:

```
sudo docker build -t threat_note .
sudo docker run -itd -p 8888:8888 threat_note
```

Once the container is running, you can browse to http://localhost:8888 and register a new account to use to log in to threat_note.
For a good "Getting Started" guide on using threat_note, check out this post by @CYINT_dude on his blog.
First up is a shot of the dashboard, which shows the latest indicators, the latest starred indicators, and a breakdown by campaign and indicator type.
VirusTotal information. Turning these integrations on can slow down retrieval of details about your indicator. A feature recently added by @alxhrck is the ability to configure an HTTP(S) proxy if you need one to reach third-party services. He also recently added support for a new third-party integration, OpenDNS Investigate, which can be activated on this page.