Threat Hunter - Case Manager is a proof of concept cyber security incident tracker with a timeline emphasizing capturing the time used by analysts from start to finish. Ideal for threat hunting or cases which require multiple analysts working in parallel on different aspects of the case.
The goal of this project was:
- Visualize the complete incident timeline per user to demonstrate how different parts of investigations can take additional times
- Provide analysts with a workspace for shared notes under one umbrella so that management does not need to ask for timelines or updates
- Provide a workflow-agnostic, and dynamic tracking platform so teams can work how they want
This was a learning project for myself and is not suitable for production environments. Some components are unfinished and best practices were not followed in all aspects. The purpose of this project was purely to explore the django framework and I did not take security and scale into consideration.
git clone https://github.com/crowdere/CaseManager.git
cd CaseManager/casemanager
source env/bin/activate
pip instal -r requirements.txt
python manage.py runserver
use at your own risk.
Landing page is broken down into 5 key components.
- Navigation Bar provides a Global search across all cases
- Timeline view provides an indepth view of time taken from inital opening of an investigation room to the last updated time. Effectivley building out a dynmaic timeline based on how analysts work on and off again.
- Active Case quick search (these are the parent items to Investigation Rooms)
- Investigation Rooms can be created by any analyst and named anything they want to represent the work they are doing. In the below example you can see a MITRE ATT&CK template, however, this could be any fields which will autoamtically be timelined.
- Recent Activies list for Management/CISO to instantly see a twitter like feed of the last updated activies
A basic form to create an investigation room. This can be updated within the room.
The investigation room itself is composed of 3 main components.
- The case details, including case its assigned to, investigation name, current ticket status, current priority, current severity, and brief inital description.
- The analyst comments
- The Intelligence panel:
- Lists all actives users who worked on this specific room
- Automatically extracts indicators of compromise (IoCs) as defined in HERE
- (Todo) An intelligence engine which reviews current chat room converations to be analyzed and suggest more relevant news topics.
Analyst page was designed to integrate with something like AD later on and automatically generate microsoft team links for that speciric analyst based on their registration email.
Inital base project adapted from https://www.youtube.com/watch?v=PtQiiknWUcI&t=23904s