Threatshell

Threatshell is a Python-based command line shell aimed at providing security researchers with a single, integrated environment for gathering information from various intelligence APIs and analysis scripts, and storing all of the obtained information in one or more Elasticsearch instances. Keeping the results in Elasticsearch serves two goals: providing a historical search mechanism over all of the gathered information, and laying the groundwork for a clever event analyzer to assist in hunting and analysis activities.

Notes

Please see the docs for installation help and for threatshell usage details.

I recommend using Python virtual environments (virtualenvs) if you don't already. If you'd like to use a virtualenv, I describe (roughly) how to set one up in the docs, and there are plenty of good tutorials for setting up and using virtualenvs out there already if you still have questions.

Documentation

Threatshell's documentation can be found here.

Quick Start

You can get up and running with threatshell in the following few steps:

First, you'll need the GeoIP library for geocoding IP addresses.

On Ubuntu:

sudo apt-get install libgeoip-dev

On OSX:

brew install GeoIP

Then activate your virtualenv, if you're using one, before running the next commands.

# make sure pip is up to date if you want
pip install --upgrade pip

# you can install everything with
# pip install -r requirements.txt
# or
# python setup.py install

pip install -r requirements.txt

Now you can start up threatshell with:

python threatshell.py

If it's your first time running threatshell, it will create a config directory, $HOME/.threatshell, and prompt you for a password for the crypto key it generates to keep all of your config's secrets safe. Once your key is generated, it asks for your API keys and other settings. You can just press Enter through the prompts and set the keys later with the config management commands.
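The first-run flow described above (create a private config directory, turn the user's password into a key, and check that password on later runs) can be sketched as follows. This is an added illustration, not threatshell's own code: the file name key.json, the scrypt parameters and the HMAC-based verifier are assumptions chosen for the example, and the key itself is never written to disk.

```python
import hashlib
import hmac
import json
import os
import secrets
import tempfile
from typing import Optional

# Interactive-strength scrypt parameters (assumed for this example).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
VERIFIER_LABEL = b"config-key-check"  # fixed message the key is checked against


def derive_key(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte secret-encryption key from the user's password."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def init_config_dir(config_dir: str, password: str) -> dict:
    """First run: create an owner-only directory and store the salt plus a
    verifier of the derived key, so a wrong password can be detected later."""
    os.makedirs(config_dir, mode=0o700, exist_ok=True)
    os.chmod(config_dir, 0o700)  # makedirs honours umask; force 0700 explicitly
    salt = secrets.token_bytes(16)
    key = derive_key(password, salt)
    verifier = hmac.new(key, VERIFIER_LABEL, hashlib.sha256).hexdigest()
    meta = {"salt": salt.hex(), "verifier": verifier}
    # Create the metadata file with mode 0600 before writing anything to it.
    fd = os.open(os.path.join(config_dir, "key.json"),
                 os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(meta, fh)
    return meta


def unlock(config_dir: str, password: str) -> Optional[bytes]:
    """Later runs: re-derive the key and compare verifiers in constant time.
    Returns the key on success and None on a wrong password."""
    with open(os.path.join(config_dir, "key.json")) as fh:
        meta = json.load(fh)
    key = derive_key(password, bytes.fromhex(meta["salt"]))
    expected = hmac.new(key, VERIFIER_LABEL, hashlib.sha256).hexdigest()
    return key if hmac.compare_digest(expected, meta["verifier"]) else None


def first_run_roundtrip(password: str, attempt: str) -> bool:
    """Initialise a throwaway config dir with `password`, then try `attempt`."""
    config_dir = tempfile.mkdtemp()
    init_config_dir(config_dir, password)
    return unlock(config_dir, attempt) is not None
```

Real config secrets would then be encrypted under the returned key with an authenticated cipher; only the salt and verifier live on disk, so the secrets stay unreadable without the password.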
