Watcher – Open Source Cybersecurity Threat Hunting Platform

Watcher

Watcher – Open Source Cybersecurity Threat Hunting Platform, developed with Django and React JS.

Watcher is an automated Django & React JS platform for discovering new, potential cybersecurity threats targeting your organisation.

It is intended to run on web servers and is available on Docker.

Watcher capabilities

  • Detect emerging vulnerabilities and malware using social networks and other RSS sources (www.cert.ssi.gouv.fr, www.cert.europa.eu, www.us-cert.gov, www.cyber.gov.au…).
  • Detect keywords in Pastebin and other IT content-exchange websites (Stack Overflow, GitHub, GitLab, Bitbucket, APKMirror, npm…).
  • Monitor malicious domain names (IPs, mail/MX records, web pages using TLSH).
  • Detect suspicious domain names targeting your organisation, using dnstwist.
  • Useful as a bundle grouping automated threat hunting/intelligence features.
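To illustrate the dnstwist-based capability listed above, here is an added example (not Watcher's or dnstwist's own code) that re-implements a few of dnstwist's permutation rules and flags observed domains that fall inside the lookalike set of a monitored domain. The homoglyph table and the list of observed domains are constructed for the example.

```python
"""Lookalike-domain detection in the style of dnstwist (illustrative re-implementation)."""
from typing import List, Set

# Constructed homoglyph table: a small subset of the substitutions dnstwist knows.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn"}


def permutations(domain: str) -> Set[str]:
    """Generate typosquat candidates for a registrable name such as 'example.com'."""
    name, tld = domain.lower().rsplit(".", 1)
    out: Set[str] = set()
    for i in range(len(name)):
        # Omission: drop one character
        out.add(name[:i] + name[i + 1:])
        # Repetition: double one character
        out.add(name[:i] + name[i] + name[i:])
        # Homoglyph substitution: replace one character by a look-alike
        if name[i] in HOMOGLYPHS:
            out.add(name[:i] + HOMOGLYPHS[name[i]] + name[i + 1:])
        # Hyphenation: insert a hyphen between two characters
        if i > 0:
            out.add(name[:i] + "-" + name[i:])
    for i in range(len(name) - 1):
        # Transposition: swap two adjacent characters
        out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    out.discard(name)  # the legitimate name is never a finding
    return {f"{c}.{tld}" for c in out if c}


def flag_lookalikes(monitored: str, observed: List[str]) -> List[str]:
    """Return the observed domains that lie in the permutation set of `monitored`."""
    candidates = permutations(monitored)
    return sorted(d for d in {o.lower() for o in observed} if d in candidates)


# Constructed sample feed of newly seen domains (not real observations).
OBSERVED = ["exampel.com", "exarnple.com", "example.com", "exam-ple.com",
            "unrelated.org", "examplee.com", "example.net", "ex4mple.com"]

if __name__ == "__main__":
    for hit in flag_lookalikes("example.com", OBSERVED):
        print("suspicious lookalike:", hit)
```

The legitimate domain and domains under a different TLD are not reported; dnstwist itself covers many more rules (TLD swaps, bit-flips, vowel swaps) than this subset.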

Additional features

  • Create cases on TheHive and events on MISP.
  • Integrated IOCs export to TheHive and MISP.
  • LDAP and Local Authentication.
  • Email notifications.
  • Ticketing system feeding.
  • Admin interface.
  • Advanced user permissions & groups.

Involved dependencies

  • RSS-Bridge
  • dnstwist
  • Searx
  • pymisp
  • thehive4py
  • TLSH
  • shadow-useragent
  • NLTK

Screenshots

Watcher provides a powerful user interface for data visualization and analysis. This interface can also be used to manage Watcher usage and to monitor its status.

Threat detection

Watcher-threats-detection

Keyword detection

Watcher-keywords-detection

Malicious domain names monitoring

Watcher-malicious-domain-names-monitoring

IOCs export to TheHive and MISP

Watcher-iocs-export

Potentially malicious domain names detection

Watcher-malicious-domain-names-detection

Django provides a ready-to-use user interface for administrative activities. We all know how important an admin interface is for a web project: user management, user group management, Watcher configuration, usage logs…

Admin interface

Watcher-admin-interface

Installation

Create a new Watcher instance in ten minutes using Docker (see Installation Guide).

Platform architecture

Watcher Platform-architecture

TheHive & MISP Export

You can export monitored DNS entries to TheHive or MISP:

  1. Go to the /website_monitoring page.
  2. Add a new DNS entry to monitor.
  3. Click on the blue upload/cloud button.
  4. Choose which service you want to use.

How to Update Watcher

To update the Watcher image, follow the instructions below:

  • Stop all containers: docker-compose down
  • Remove the old docker images: docker rmi felix83000/watcher:latest searx/searx searx/searx-checker rssbridge/rss-bridge:latest
  • Pull the newer docker images: docker-compose up

This will update Watcher, RSS-Bridge and Searx.

Download Watcher
