Hacking Watcher - Open Source Cybersecurity Threat Hunting Platform

[Serafim]

Watcher is a Django & React JS automated platform for discovering new potentially cybersecurity threats targeting your organisation.

It should be used on webservers and available on Docker.

Watcher capabilities​

• Detect emerging vulnerability, malware using social network & other RSS sources (www.cert.ssi.gouv.fr, www.cert.europa.eu, www.us-cert.gov, www.cyber.gov.au...).
• Detect Keywords in pastebin & in other IT content exchange websites (stackoverflow, github, gitlab, bitbucket, apkmirror, npm...).
• Monitor malicious domain names (IPs, mail/MX records, web pages using TLSH).
• Detect suspicious domain names targeting your organisation, using dnstwist.

Useful as a bundle regrouping threat hunting/intelligence automated features.

Additional features​

• Create cases on TheHive and events on MISP.
• Integrated IOCs export to TheHive and MISP.
• LDAP & Local Authentication.
• Email notifications.
• Ticketing system feeding.
• Admin interface.
• Advance users permissions & groups.

Involved dependencies​

• RSS-Bridge
• dnstwist
• Searx
• pymisp
• thehive4py
• TLSH
• shadow-useragent
• NLTK

Screenshots​

Watcher provides a powerful user interface for data visualization and analysis. This interface can also be used to manage Watcher usage and to monitor its status.

Threats detection

​

Keywords detection

​

Malicious domain names monitoring

​

IOCs export to TheHive & MISP

​

Potentially malicious domain names detection

​

Django provides a ready-to-use user interface for administrative activities. We all know how an admin interface is important for a web project: Users management, user group management, Watcher configuration, usage logs...

Admin interface

​

Installation​

Create a new Watcher instance in ten minutes using Docker (see Installation Guide).

Platform architecture​

​