jaegeral/osint_to_timesketch
osint_timesketch

OSINT Data to Timesketch

Idea

The idea of this script is to take a list of domains / IPs and pull timeline-relevant information from VirusTotal (VT) and other OSINT sources. The output should be directly importable into Timesketch.

WARNING

This project should be considered early alpha; everything might be completely broken. Run the script at your own risk.

Using this script with highly sensitive indicators might burn them, because the script queries external, internet-hosted services; those running those services could potentially see your queries.

Sources

Already implemented

  • VirusTotal (files)
  • VirusTotal (passive DNS)
  • CIRCL passive SSL

Planned

  • CIRCL passive DNS
  • CIRCL passive SSL: calculate the first-seen date based on ICSI (https://notary.icsi.berkeley.edu/)
    • first_seen: the day our data providers first saw the certificate (relative to 1/1/1970)

Usage

Modify the config file:

cp config_sample.cfg config.cfg

Paste your MD5 hashes, IPs and domains into the input.txt file, then run the script:

python vt_lookup.py

See the output in output.csv. Copy the output CSV and add it to your Timesketch instance.
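The usage steps above end with a CSV that Timesketch imports, and the planned ICSI source reports first_seen as a day count relative to 1/1/1970. The following is an added example, not the project's own code, that builds rows in the shape Timesketch's CSV importer requires (datetime, timestamp_desc, message) from a constructed passive DNS resolution and a constructed ICSI-style record; the VT field names and the placeholder certificate hash are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Timesketch's CSV importer requires at least these three columns.
TS_COLUMNS = ["datetime", "timestamp_desc", "message"]

# Constructed sample in the shape of a VirusTotal v3 passive DNS resolution
# (assumed field names, not a captured API response).
VT_RESOLUTION = {"host_name": "example.test", "ip_address": "192.0.2.10", "date": 1577836800}

# Constructed ICSI-notary-style record: first_seen is days since 1/1/1970.
ICSI_CERT = {"sha1": "<placeholder-cert-sha1>", "first_seen": 18263}

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def vt_resolution_event(res):
    """Turn a passive DNS resolution (unix timestamp) into a Timesketch row."""
    dt = datetime.fromtimestamp(res["date"], tz=timezone.utc)
    return {
        "datetime": dt.isoformat(),
        "timestamp_desc": "VT passive DNS resolution",
        "message": f"{res['host_name']} resolved to {res['ip_address']}",
    }


def icsi_first_seen_event(cert):
    """Turn an ICSI first_seen day count into a Timesketch row."""
    dt = EPOCH + timedelta(days=cert["first_seen"])
    return {
        "datetime": dt.isoformat(),
        "timestamp_desc": "ICSI notary certificate first seen",
        "message": f"certificate {cert['sha1']} first seen by ICSI data providers",
    }


def to_timesketch_csv(events):
    """Validate required columns, then serialise events as Timesketch CSV."""
    for ev in events:
        missing = [c for c in TS_COLUMNS if not ev.get(c)]
        if missing:
            raise ValueError(f"event is missing required column(s): {missing}")
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=TS_COLUMNS)
    writer.writeheader()
    writer.writerows(events)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_timesketch_csv([vt_resolution_event(VT_RESOLUTION), icsi_first_seen_event(ICSI_CERT)]))
```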

Happy digging

Sample data

See sample folder.

Future features

In the future it would be nice to also include the "first submitted" and "first seen in the wild" data from VT, but that is not yet exposed via the API.