Virustotal Data to Timesketch
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
sample
.gitignore
CHANGELOG.md
LICENSE
README.md
config_sample.cfg
requirements.txt
vt_lookup.py

README.md

osint_timesketch

OSINT Data to Timesketch

idea

Idea of that script is to get a list of domains / ips and pull timeline relevant infos from VT and other OSINT sources. The output should be already timesketchable.

WARNING

This project should be considered early aplha, everything might be completly broken. Run the script on your own risk.

Using that script with high critical indicators might burn your indicators because the script is querying external meaning internet hosted services. Thus those running those services could potentially see your queries.

Sources

already implemented

  • Virustotal (files)
  • Virustotal (passive DNS)
  • CIRCL passive SSL

planned

  • CIRCL passive DNS
  • CIRCL passive SSL calculate first seen date based on isci (https://notary.icsi.berkeley.edu/)
    • first_seen: the day our data providers first saw the certificate (relative to 1/1/1970)

usage

modify the config file

cp config_sample.cfg config.cfg

paste your md5 hashes, ips, domains to the input.txt file run the script:

python vt_lookup.py

see the output in output.csv Copy output csv and add it to your timesketch instance.

Happy digging

sample data

See sample folder.

Future features

In the future it would be nice to also include data from First submitted, first seen in the wild from VT, but that is not yet explosed via API